welcome everyone thanks for coming to
composer 101 happy to be at MidCamp if
you want to follow along I'd have been
like the slides its mid-nineteen
composer slides on that link are
slightly different they're annotated and
they have screen recordings so if the
commands I'm going to be going through
but you should be able to follow along
so I need to click on my slides there we
go
alright before we get started just a
little bit about myself hello my name is
Mike Miles I'm actually from Boston
Massachusetts why are you in Chicago
because I love MidCamp I've been
working with Drupal for 10 plus years
now I I've done everything under the Sun
when it comes to Drupal I lead the
Boston Drupal meetup I'm one of the
organizers of New England Drupal Camp I
which is November so you should come out
to the New England area for that and
it's in Rhode Island this year during
the day I'm the VP of Technology for a
digital marketing agency called Genuine
Genuine we're a full service digital
agency we're not a Drupal shop we
actually our development team is across
many technologies but we do video and UX
and digital strategy and interactive
applications and a lot of great stuff
and we have offices in Boston San
Francisco New York and here in Chicago
it's my second-favorite office to come
to so I love coming to Chicago at night
I run a podcast called Developing Up
which is focused on the non technical
side of being a developer so anything
that has to do with having a career in
development but not having to do with
writing code so everything else you need
to know that career development
just starting season 3 next month the
new episodes so check us out
you know calm if you're interested
anywhere else you can find me online at
mikemiles86 on drupal.org on Twitter
on Google+ while it's still around until
April 2nd I believe they're shutting it
down because nobody uses it so that's my
handle pretty much everywhere all right
how many people in here would say
they're developers
raise your hands okay what like 90% how
many people work with developers alright
maybe like 40% in the room which is
weird if you're a developer you you
don't work with yourself no judging all
right I'm a developer at heart as well
I've been doing PHP development for a
long time and what I like about
developers is we're cool people and I
say that very unbiasedly but I think
developers what we're really good at is
getting a set of problems a puzzle and
making some sort of solution and
building something cool right that's
what see people nodding their heads
that's what we like a challenge
something that's the problem to solve
and if you're a PHP developer you don't
mind writing code to do this right you're
a developer you write some PHP code to
solve the problem you're given you
produce an output you're like look what
I did this is great and you don't mind
writing multiple files but developers
we're not lazy but we're efficient
people and so we don't like to have to
rebuild things a lot and when we can get
over our egos we don't mind using stuff
that other people have written because
they're smarter than us so we don't mind
pulling in third-party code to add to
our own code to solve problems we don't
mind doing this
but things can start to get hairy when
you start building bigger projects in
PHP when you have third-party
dependencies that you want to utilize
but then symbols have dependencies
across dependencies developers don't
really like this part of our job reason
for this is because we're spending a lot
of time managing code and not a lot of
time writing code in solving problems so
it's a it's a big thing we don't like to
do don't get me started on security
updates because then see oh my god you
got to check all the things through all
the levels okay and so developers want
to go on the the green side of writing
custom code and do less of the red side
of maintaining third-party code that is
supposed to save you time now no matter
if you're a developer or not if you work
on a company where you build a product
for your company or work for clients
everyone in this room has two things in
common on every project they've ever
worked on that's has a limited time and
a limited budget for that project it
could be a nationally large budget or it
could be really small and it doesn't
matter you have limited time and budget
to solve problems so the more time
developers have to spend maintaining
code in third-party code that's supposed
to solve problems for them the less time
they have less budget they have to write
the custom code that delivers some sort
of value to the project this is where
composer comes in composer is a PHP
package manager which manages that those
third-party libraries for you so you
could spend your time writing your code
and focusing on solving the problems you
have in front of you and so what I want
to talk about today is what composer is
I'm missing a slide I'm missing a slide
I want to talk about what composer is
what makes it important in how you set
up a project using composer some of the
typical structures you'll see I'm going
to talk about the five commands you need
to know as a developer to use composer
effectively there's a lot of commands
and composer but if you master just the
five I'm going to show you you can do
pretty much anything with composer
whether it's with Drupal or not with
Drupal anytime you're working
and maybe beyond PHP so I'll cover those
and hopefully show you that using
composer on your projects not only is it
relatively easy but it's going to save
you that time and budget so your team or
yourselves can focus on writing custom
code deliver value so a typical
structure and composer what searching my
slides while using I think I'm using the
wrong version I can using the wrong
version give me one second you get to
see all my slide decks
no you don't come a night apologies okay
this is better this is nice too let's
interview okay okay all right
that's like missing slides and stuff
okay let me skip to where I am You Know
Who I am you know what this is about you
know about developers all right typical
composer project what you'll see in this
structure is three what I call three and
a half items and this is a composer.phar
file which is an executable style file
that is that the composer file it's PHP
this is I'll get I'll explain in a
moment why this is a half item why you
may or may not have it in your project I
think it's bigger to you'll have a
composer.json file which is
metadata about your project and then you
will have a composer.lock file which
is the file that composer generates to
keep track of all the third party
packages for you and then a vendor
directory which is where composer keeps
track and keeps all the third party code
that your projects gonna use this is the
typical structure weather no matter what
type of composer project you're working
on it's somewhat like this if you look
at Drupal 8 you're using composer
with Drupal you're gonna see a similar
structure there's just a lot more
everything else involved a more secure
version which you'll see more often is
basically the same but that everything
else is moved into a web root so in
Drupal for example this is typically a
docroot right so the composer items
sit above that and the reason why this
is more secure is because you're
publicly accessible code is in your web
root and so some clever attackers can't
access your composer.json files see
what third-party libraries you're using
hopefully find a vulnerability then
connect
your vendor directory to execute it
because it's unavailable in the web root
so typically you'll see a more secure
structure this way with all the composer
stuff at the root level of your project
and then your actual project stuff in
some sort of web root below that so with
this typical structure to start using
composer you first need to have it
installed on your system
now installing composer is placing this
composer.phar file on your machine
again this is a PHP executable file
those are just the PHP script there's a
number of ways you can get this it's
available on any system pretty much that
can support PHP so if you're using
Windows machine if you go to
getcomposer.org/Composer-Setup.exe
that's an executable you can download
it'll run you through setting up
composer on your Windows machine and it
will let you know if you need to install
other things on your machine if you're
using Linux UNIX or OSX
getcomposer.org/download
provides the download information and how
to install composer on your system now
when you're going this route and I think
you can't you can do this on Windows
too you have a choice to make
where you and your team have a choice to
make do you want to install composer
globally or per project this is why I
think of the .phar file as a half
item and a composer project because it
could live in the project directory
part of the git repo for example or it
could just live globally on your system
there are pros and cons to either
approach and depends on your team if you
install it globally you only have to
install it once and you can use it
anywhere on your local machine or the
environment the server you have it setup
it doesn't matter what project you have
composer available
but then everyone is responsible for
putting composer on their own machine
alright so you're gonna end up with
people getting different versions
depending when they install it that
could lead to some discrepancies per
project the benefit of this is that when
someone pulls down your code base for
your composer project they have composer
already available
they don't have to install anything
additional in their system they just
have to be able to run PHP and execute
that composer.phar file downside
about this is that you actually have to
type like six extra characters in the
terminal when you're running composer
commands it's not that big of a deal but
if you're an efficient developer you may
not want to do those extra six
characters but let's take a look at
installing composer on your system I'm
going to start with it per project and
then global so I'm just going to go to
that getcomposer.org download link this
might be a little hard to see but
there's a box here with four PHP
commands that you literally just copy
and paste into a terminal window so I'm
going to copy this first one and I'm
going to I have a terminal here I'm in a
directory that's empty for demo purposes
so I'm going to paste this PHP command
this one downloads a composer-setup.php
file so let's see it here this
next command here is going to check that
file against the hash so what this is
gonna do is verify that I downloaded a
valid installer so that I didn't get
anything that's corrupt you'll see it it
said installer verified I ran this quick
check where it checks the hash for that
file if it was invalid it would delete
the file and tell me that it was a
corrupt installer and then I would have
to figure out how to start over but the
installer is verified that's great so
now I'm actually gonna run the setup
file
look what did I do
- peace - peace Wow alright alright
so the composer setup file it's going to
check my system see if I have the
minimum requirements for composer if I
didn't in big red text it would tell me
what I'm missing but as a valid
installer so then what it does is it
downloads the composer.phar file
from the composer web site puts it in my
directory all right so there's
composer.phar now the last last task is a
cleanup tasks all it is is deletes that
setup file because I don't need it
I used it what I need it for I
downloaded composer.phar and I'm good
to go
I would recommend when you're using
composer and composer recommends that you
never keep that static file in like a
repo anywhere because as composer
changes you want to get it from composer
and check it against the changing hashes
right that's typical 101 for downloading
code but now my project is ready to go
with composer on a per project basis
so I could check this into git and then
anyone pulling down this repo would be
able to use the same version of composer I am
the way you would run composer is I type
php composer.phar and we're going to
see I get all these great commands like
I said there's a lot of commands here
you're only going to need to know five
will where's my mouse
yes yeah a composer all right whoo damn
I was going great okay so that's per
project if you wanted to then do it
globally follow the same steps the only
other thing you do is you're going to
move that .phar file into a publicly of a
system-wide accessible location so on
Mac for example I would say move
composer.phar to /usr/local/bin I'll call it
composer so I move it there my directory
is now magically empty again but now I
can just type composer and I have
all those composer commands in fact I
can cd out of this directory and I
can type composer I can use it there too
so I can now use composer on multiple
projects without having to have that
.phar file as part of each of them those
projects so again pros and cons it
depends on what your team wants to do
I'm gonna leave it global for the rest
of this demo great so yeah if composer
installed now you want to start using
you want to start building a composer
project this is where you create your
composer.json file this is a
metadata file a JSON schema file that
contains the metadata for your project
you can write it yourself or you can use
the first command I teach you composer
init this is going to take you through
some helpful prompts to generate that
file just cover what that file has in it
it has information that's helpful to you
and your team and then information
that's helpful to composer so a project
name in the description that's helpful
to your team type for us it's just gonna
be type project you can use composer to
generate composer plug-ins and other
things we're going to use type project you
can provide license information composer
doesn't really use that but it's great
if you're saying my project uses the GNU
public license so people know about it
author information an important thing
that really
who cares about is minimum stability
which I'll talk about in a moment and
then the require array which is going to
list out the third-party packages you
require so let's show let me show you
what composer init does if you wanted
to start a composer project you would
type composer init again this is gonna
be helpful prompts to generate that
composer.json file so it's going to
ask you for a package name I like to
follow the pattern of client slash
project so here I would say midcamp
slash composer 101 it'll ask for a
description this is my composer 101
demo it's gonna pull in author
information by default it'll use your
the system user that you logged in as
so I'll just leave that as is minimum
stability I recommend you leave this
blank what you can do here is tell
composer what version of packages you're
willing to download if you leave it
blank it'll assume you only want stable
packages which I recommend you do I'll
show you later on how to override that
for specific packages so I'll skip that
it's a type project great I don't care
about any licenses for a demo it's going
to start asking you do you want to start
searching for third-party packages I'm
gonna skip this for now so we're gonna
do in a separate step and it's gonna ask
for dev packages I'll skip this for now
as well but composer allows you to do is
have third-party code that your project
requires to run and third-party code that
your project only requires for your
developers so for example in Drupal this
would be drush or devel or Drupal
console etc so now it's going to show
you the JSON it's going to generate you
can confirm yes that looks great
I'm gonna hit enter
did I not CD back in the c11 D is you
guys supposed to help me out sorry
look at all right let me let me move
this huh move composer.json into c11
D all right all right all right so I
have a composer.json file if I open
this in Sublime Text you're gonna see
it's exactly what it said was going to
generate Nick great so now composer is
initialized you're actually all set to
start using composer for your project
the next question is though how do you
start finding packages to include and
have this composer know where to find
third-party code for you this is where
repositories come in play so
repositories are locations you can
define in composer.json where
composer should look for third-party
packages if you don't define anything
composer is gonna by default gonna look
at packagist.org this is the official PHP
project package library that composer
uses you can go here right now you can
search for a plate any type of keyword
and find a PHP package that does it for
you it's great this is where all the
symfony components live this is where a
lot of like general PHP libraries like
for mailers and and logging they're all
available here but not everything is
here for example in Drupal modules and
themes are not on packagist Drupal
maintains its own packages repository so
what you can add in your composer.json
file is a repositories array where you
tell it additional locations to look
into it's always gonna look at packagist
then you can tell it for example I want
to look at packages.drupal.org/8
for Drupal 8 modules and
themes this would be of type composer if
it is a packagist type library packagist
that's an open source framework that you
can download and setup your own or that
you can set
Enterprise one you pay for that but you
can also add anything you want as a
repository so if you have a git repo
that you use a lot where you have some
custom libraries that you reuse on your
your projects
so if copying and pasting them to each
project you can connect them as a
repository and then just use composer to
download that that library that you
built that you reuse a lot which is
great so any sort of git repo on GitHub
GitLab Bitbucket
wherever you store it you can you can
attach it to your composer project you
can also get more advanced and have
stuff that's even protected with
passwords and stuff the getcomposer
website and get Quizlet org talks more
about how to do that so great you set up
repositories you leave the default one
to use packagist now you need to start
telling composer these are this is the
code I'm going to use that I don't want
to write this is the require command so
composer require it's gonna update
composer.json composer.lock and the
vendor directory so what it's going to
do is composer require is how you tell
composer I want to use this package on
my project and you can run it one of
three ways you just say composer require
it's going to give you a bunch of
prompts to help find a package if you
know the package name you can pass it
and you'll get the latest version of
that package if you know a specific
version or a range of versions you want
to use you can pass the package name and
this version constraints that you want
and composer will do its best to find
that constraint that type of for that
version of that package so let's take a
look at all three of these so first I'm
just gonna do it with the prompts so I'm
gonna just type composer I'm in the
right directory right
composer require and so it's gonna say
all right give me a keyword to find a
package like every good PHP
developer I'm gonna make sure I can log
into my system my project so I'm going
to search for the word log it's gonna go
do a search on packagist for a keyword
log and return me an array of 15
possible packages if none of these were
the one I wanted I go on packagist find
package name and then I could tell
composer that package name let's say I
want to use monolog which is the
second item in the array very popular
library then is gonna ask me is there a
specific version of this package I want
to use I can leave that blank to get the
latest one or I can specify any sort of
semantic version number so for example
major dot minor dot patch so I'll say I
want version 1.20.0 all right then it's
gonna ask me again you wanna search for
more packages I'm just gonna do one for
now
so what composer is going to do now it's
going to update my composer.json files
I'll show you in a moment with that
package information it's going to make a
call to packagist to get project info and
it's actually going to download that
code
so we will see that right it says these
lines here installing all right so
installed monolog but before that
installed another library psr/log the
reason it did this is because monolog
has its own dependency on this other
package I as a developer didn't really
know that but I as a developer using
composer you don't need to know that I
just told composer I want this package
composer's like okay this package needs these
other things so I'm going to get them
for you it was great that saves me time
and budget to do from doing that myself
so install these two libraries and now
if we look in my directory I'm gonna see
I have a .lock file that was generated
in a vendor directory if I open up this
lock file actually before I do that if I
show you the composer.json file you're
gonna see the require array has been
filled in with a with an item monolog
with a version that I specified so now
that's that's listed there I can commit
this to my repo so that my project knows
this is a requirement for this project
if I edit the log for the lock file this
has a lot more information in it now the
lock file you'll see it has monolog
the version I I requested it has the
requirements of psr/log and its
version this has a lot more information
than my JSON file the composer
lock file is generated by composer or
composer
it's how composer keeps track of
everything you should not be editing
this actually I'm going to tell you do
not edit your lock file if you edit that
you're gonna have a bad time but if if you
don't edit it and you keep it there what
it does is no matter how you specify
what version of a project you make
package you may want composer's always
going to download a specific version a
major dot minor dot patch version
so then once you have the lock file you
commit back to your repository and
anyone else who's setting up your
composer project they will get that
exact same version of that package as
you you have if you don't have a lock
file they may get different versions and
I'll show you how that comes into
play in a little bit the other thing it
generated is a vendor directory which
was looking at you see it has a bunch of
directories in itself like the monolog
PSR so this is all the third-party code I
don't necessarily know the structure of
this but I don't have to composer's
going to keep track of this for me I'll
show you how you lose that use that
later on and the important thing with
the vendor directory though is you don't
commit it if you're using repo you don't
commit it to your repo reason for this
is it's all third-party code it's stuff
that you have no purview into or that
you have any control of and the fact the
reason why you're using composer is
because you don't want to control it you
don't want that burden on yourself if
you could as soon as you commit it in
you're committing a specific version of
code into your repository you're adding
a lot of code to your repository when you
can just have composer set up on all
your environments to download that code
read from your lock file for you so you
don't commit vendor and in the drupal
world if you're using you know if you're
on Acquia or Pantheon you have to have
the vendor directory checked in you can
get around this by having like some CI
tools in place so you can generate
what's known as a build artifact to then
run the composer commands download the
code and push it up to your environments
but I recommend not committing your
vendor directory into your your general
repo you're just gonna cut down the
amount of code you have to keep track of
all right so that's composer require on
its own
let's search with a package name
we're doing good on time right now all
right so I'm gonna say composure require
let's let's get some unit testing in
here so I'm gonna say phpunit slash
phpunit I know this vendor directory
package because I use a lot
so what composer is gonna do it's going
to look on packagist for the latest
version of that PHP unit package since I
didn't specify a version so it's going to
say using version caret 8.0 so that's
the latest version it has and you see it
downloaded a whole lot of code because
PHP unit requires a whole lot of other
libraries again I didn't have to know
anything about this composer manages it
for me so this is great so if we look
back at the JSON file
right you're just gonna see phpunit was
added with caret 8.0 I'll explain the
caret a moment and then if I look in
the vendor directory right it has a lot
more code in it
again those are downloaded all that for
me I don't have to check it into my repo
I don't have to keep track of it
those are all yes so far in the vendor
directory it's all the third-party
dependencies your project has so phpunit
said I have a lot of dependencies
composer download all these for it for
me
the third way to run composer require
is with a version with a specific version
and you can do a number of things to
tell it what versions you want now you
can be very explicit by saying major dot
minor dot patch composer uses semantic
versioning so for example 1.0.1 you can
use any sort of comparison operators
however so you could say for this
package I want greater than or equal to
version 1.0 but less than version 2.0 so
I basically want the latest version of
version 1 of this package I don't want
the next significant release you can use
wildcards so you can say I'm a version
update composer give me the latest patch
version of this you can use a tilde or a
caret which is the next which marks the
next semantic release the next
significant release it's the same thing
as those comparison operators so this
one here tilde 1.2 says give me at least
version 1.2 but less than version 2 of
this package so you say a minimum
version and less than the next
significant release
and then you can if you need to pass
stability flags so this happens a lot in
Drupal 8 where you want to use a module
that only has an alpha release you can
say give me version 2.0 at dev or at
alpha beta for this package this is why
I recommend on your in your JSON file
you don't say minimum stability because
it's gonna use stable code unless you
explicitly say for this one package I
want to override that and use unstable
code find that you have a lot into play
not as much not as much anymore but when
Drupal 8 first came out yet do not walk
so you can say at dev so let's take a
look at using a version number with a
require command so I'm gonna say
composer require we already have unit
testing let's get some behavior testing
here add Behat so I'll say behat slash behat
in version 3.3.4 sometimes I compose to
hear that I want any I want version
so I want it less than version 3.4 so
composer is going to go do a check on
packagist it's gonna update my composer
bought my JSON file with that
requirement and then it's going to
download Behat and any of the code it
requires so it downloaded a lot and it
downloaded the last install line you can
see it downloaded version 3.3.4
if I look in the JSON file let's see it
has 3.3.* the
version constraint I set so that's great
okay so
you told composer what packages your
project requires I told you not to
commit your vendor directory which has
all that third-party code how does
everyone else on your team or all your
environments get that code to use your
project this is the install command
composer install is going to read from
your lock file it's going to find all
the dependencies you add and download
all that code into a vendor directory
the vendor directory doesn't exist it's
gonna create it now there's arguments
about having your lock file checked into
your git repo you don't have to have it
there and if you don't have it when you
run composer install it's going to read
from the JSON file but since you can
have a range of constraints for packages
like dot star or you know tildes
depending when you run that install
command I may get one version of the
package and three weeks later you could
get a different version and we don't
want that if you have your lock file in
place the lock file always says the
major dot minor dot patch version it
downloaded when it downloaded that code
so everyone's gonna get the same exact
version so you commit your composer.lock
file to your repo just you should
always do it and it's just gonna save
you a lot of headaches between
differences between your team members
between your environments composer
install you only run it one way with the
words composer install or php
composer.phar install to demo this I'm gonna
do a little thing something silly I have
the vendor directory let's remove that
alright so now I just have my .json file and
my lock file so it's like I am someone
on the new on the project I just
downloaded this repo I have composer
installed globally in this case I want
all that third-party code so I run
composer install
Siberia and it's gonna read from lock
file and download all those packages I
say my project requires so now if we
look in vendor vendor exists it has all
the code I'm good to go and ready to
start working on this project again that
makes it easy for anyone on your team or
any of your environments to download the
third-party code that your project
requires now since the lock file always
contains the major dot minor dot
patch version of a package how do you
update code right there's a security
release for a module for example this is
the composer update command composer
update it's going to read from your
.json file check your stability flags or
your version constraints and
it's going to then try to find the
latest version of the package that
matches that those constraints if it
finds one it's gonna update the lock file
and it's gonna update your vendor code
it's going to download the latest
version in that code it's gonna remove
any old dependencies or code that's not
needed or add new code that is needed
you can run update one of two ways you
just say composer update yes it does not
take the lock file yes so if it if it
finds a new version updates lock file if
you just run composer update it's gonna
try to update everything that you have
in your require or require-dev arrays you
know for drupal if you have a lot of
modules and themes maybe you don't want
to run that so maybe you just want to
update that one pack that one module
that has security release so you can
pass the specific vendor and package
name along with it and will only update
that one package i recommend running
update if you're running like code
sprints if you're doing agile type stuff
at the very beginning of a new sprint
that gives you your whole sprint time to
work out any kinks that have come with
updates so you know on my Drupal project
you run security updates using composer
at the beginning of your sprint then you have
you know two weeks three weeks however
long it is to work out those issues and
you also have one person in charge of
running this so this updates the lock
file you only want one person making
those updates and then committing
to the rest of the team so whether you
are rotating that role between your
team or you have one person designated to do
it I recommend one person does it so
let's see how this how this works I'm
going to do it backwards I'm gonna do
the package specific one first and then
the general one to this I also have to
do something a little silly for demo
purposes so I am going to edit my
composer JSON file let's change our
constraints for Behat so I'm gonna it's
now say tilde 3.3 so this is telling
composer now the my constraints for Behat
is that I want to at least version
find me whatever latest version matches
that pattern make sure I save this so
now I can just write I can type composer
update Behat yeah
so it's going to read my composer.json
file for my Behat constraint and then
it's going to find what the latest
version is that matches my constraint so it
did it found there's version 3.5 so it
downloads that great so now my B hat is
updated you'll see my composer.json
doesn't change at all because I
have you know version constraints there
but my lock file would have been updated
and my code would have been updated so
that's that simple
and then let's check out composer update
on its own so to do this again I'm gonna
make another change to the JSON file
let's change Monolog to be I'm gonna say
greater than or equal to version 1.20
which is the version we already have
installed but less than version 2 that's
up to data so again this is similar to
the constraints I put on Behat right I'm
basically telling composer I want at
least version 1.20 but less than
version 2 so if I save this and I write
composer update with no other arguments
it's going to reach it's going to go
through the list of each of my
requirements and try to see if there's a
latest version so all that you find is a
latest version of Monolog that matches
my requirements you see it download a
bunch of stuff because the new version
of Monolog that it downloaded which is
version 1.24 and the second install
line there it no longer needs Symfony
debug so it removed that code it updated
other requirements that the new version
requires so it updated all these other
packages for me which is great
all right so that's updating packages
again I recommend doing that beginning
of a sprint or the beginning of a cycle
however you're doing it what if you want
to get rid of code that you no longer
need
I find this happening a lot when I'm
doing my Drupal development I want to
test the module I install the composer
it downloads a whole bunch of things it
doesn't work for my needs how do I get
rid of it this is the composer remove
command the fifth command we're going to talk
about so when you type composer
remove and there's only one way to run
it which is composer remove package
name it's going to remove that version
constraint from your JSON file it's going
to remove the code from the vendor
directory and it's going to use the lock
file to and update the lock file and
remove it it's also going to find any of
the dependencies that that package has
that become abandoned and get rid of all
of those as well it's like I said you
run it with just composer remove and the
package name so let's say we no longer
need PHPUnit I'm gonna say composer
remove phpunit/phpunit so again
what this is doing is reading from my
lock file and it's checking all the
dependencies that PHPUnit has and
cross-checking them against all my other
requirements and seeing are these being
used anywhere else if they're not we're
gonna get rid of it it deletes a
whole bunch of code because it's not
needed anymore great garbage collection
for me and what we can see now is the
JSON file PHPUnit's no longer listed it
removed it from the JSON file and then by
looking at the vendor directory it has a lot
less code in it because it deleted all
those other libraries for me
all right so now what composer is setup
composer require is you're telling it
what packages you want you're updating
them you're removing them if you don't
need them you don't really understand
how composer is structuring the vendor
directory so how do you start using that
code if you're not sure where it is in
the structure of it one of the things
composer does for you is it generates
an autoload.php file so I show you the
vendor directory the first thing you see
is autoload.php this is a PSR-4
structured file you can you can specify
it to structure following other
structures but what it will do is it
will allow you so that if you include
this autoload file which is always in
slash vendor slash it will
dynamically load classes as you instantiate
the objects so for example in my
custom code I can just say I require
the vendor autoload.php and now I
have access to any of that third-party
code I want to use so I can say all
right I'm gonna create a Monolog
logger class and as soon as I instantiate
it then when PHP runs the autoload is
going to know that I need to include
those files and they of the required
files for me it's really cool what's
really great about Drupal 8 if you
usually make a Drupal 8 scaffolding
project or I think just Drupal 8 in
general it has its own auto load file
which will handle this for you so you
don't have to even do that require man
require line so again you don't even
know the structure of the vendor
directory you just need to know where autoload.php
is and then how to instantiate
the objects for the packages you're
using which their packagist.org page will
tell you how to do or their readme files
all right so to recap because I know I
covered a lot composer manages project
dependencies for you in PHP so you don't
have to do it you can spend your time
and budget doing what developers love
solving those custom problems for your
project and delivering real value in
using code to help you do that you
install composer either per project or
globally depending on your your team's
needs but it's four commands plus moving
a file or using an executable for
Windows again it depends on your team's
preference composer three main parts the
JSON file which has all the project and
dependency information stored in it on
the lock file which is what composer
uses for keeping track of all your
dependencies the vendor directory which
holds all that dependency code and then
the basic commands you need to know you
master these five commands you're gonna
be able to do anything in composer the
init command to generate the JSON file
the require command for adding
dependencies the install command for
installing the vendor code the update
command for updating packages based on
your version constraints and the remove
command to get rid of the packages and
their dependencies that you no longer
need then finally you can start using
that vendor code by just including the
autoload.php file into your custom
code and you're good to go so with that
I have some resources and links here so
this personally bit.ly slash mid-nineteen
composer is again an annotated version
of these slides with screen caps of
screen recordings of all the commands I
ran and a break down what's going on so
you can check that out getcomposer.org
is composer's website has a lot of
great information a lot of great
documents about how to do more advanced
things
and then packagist.org is where you can
find pretty much any PHP package that
you might want to use unless it's for
Drupal or WordPress they have their own
packages libraries but I assume everyone
here already knows how to find Drupal
modules and themes on drupal.org so
you should be good to go there I know we
didn't cover anything specific to Drupal
here but this is going to give you a
foundation to start using composer in Drupal
projects if you're not already and give
you an understanding if you search for
Drupal can put google composer or the
drupal scaffolding what's going on there
some of the advanced things it's doing
so with that we're gonna have some time
for questions first I'd love to get any
feedback on this presentation so if you
go to mid camp / to 3/8 that's the note
page for this presentation also has a
link to the slides and provide feedback
and the feedback form I appreciate that
Saturday if you're around there's
contribution day now that you know how
to use composer you know what to be a
developer to start helping out with
coding because you can download the code
and work on it using composer Sunday 10:00
to 4:00 or Saturday 10:00 to 4:00 and
end of presentation so after applause
questions any question yes
Drupal modules it's got a bunch of you
know Symfony dependencies that may or
may not even understand what it's doing
right and so personally and I know you
would really disturb anyone with but
just from past people experience I
always want to be the person who says
we're gonna be this alternate I never
wanted to be surprised right so so you
know I definitely like make sure when I
get a project like new modules are gonna
lock down so I can they only get updated
advice when I need to I have QA peace
reason to test it but all those other
dependencies that I don't understand you
know almost like
but I'm just gonna like out of fear like
just like not never enough dating that's
right I just never listen everybody was
running great but at some point
obviously so what would you be
recommendation like like you do it
quarterly so just for the recording the
question is if you inherit a project
that has a lot of for Drupal a lot of
Drupal modules or Symfony components and
you know you want to be very controlled
about when you're updating them how do
you when do you do it and how do you do
it like safely so yeah it depends again
and I always hate answering questions
but it depends uh-huh but on your
organization and your timeline so
quarterly well for Drupal if you if
there's security updates and you should
be subscribed to the security newsletter
you want to update those as soon as
possible when you update those modules
they may update some of those
dependencies because they require it for
any other just general updates you know
you could check it I don't like some of
my projects we don't check in every
sprint we check it like maybe like every
month for or when we've run out of tasks
to do it's like alright someone check
what are some other updates we need to
make switch from like beta to version
one next so that's release so it depends
when like you have the time because
you're going to want to pay it for the
things that are like under the hood the
Symfony components you probably unless
you're including those on a custom
module or something you probably never
have to worry about updating those
yourself because they're being used by
code that you are updating whether it's
Drupal core or Drupal modules so you
should only be concerned with updating
the modules and Drupal core and that's gonna
update their own dependencies and you
don't necessarily have to worry about it
that you need to submit
I need to submit the form for review
alright I don't control that someone
will put it up thank you for checking
them alright there's a bunch of
questions you required now it is quite
often ii think about in Hampi on to so
what's you what's the best way or
suggestions on how to convert that site
over to manageable oh that's quite a
question alright so the question with
record is I'm sure let's talk about that
problem um the question was what if you
inherited a Drupal 8 project that was
built towards the beginning composer wasn't
necessarily put into place and you want
to kind of get it in there for best
practices it's going to be a challenge
I would there's number of ways to do it
one thing I would say is you can put
composer you can add composer to your
project start moving modules over one at
a time to composer they give very if you
search composer scaffold with a composer
scaffold a Drupal scaffolding project
which will when you download a module it
puts it back into the modules directory
right so just make an effort of alright
get composer set up it's not gonna do
anything because you just initialized it
and then start moving modules or themes
over one by one so that composer's
managing them before you just so I mean
you could try to do it all in one go but
you're probably gonna run into have that
time with that so just like
systematically move it over develop a
timeline of how long you want to do it
do it in batches that's what I would
recommend
so let's say so so the question was what
if you have a Drupal project that has
modules that was not installed composer
you no longer need them how do you
remove those modules one disable them
right if you're not using completely
disabled in the Drupal 8 run the Drush
command to disable them I think it's
pm-uninstall once they're disabled
on your on your site and your sites not
using them just go in and delete the
code how would you do it you know if you
used Drush to install the modules you
could still use Drush to remove them if
composer's not managing them you don't
have to add that composer add them to
composer to remove them because composer
knows nothing about them if you're
worried about like third-party code then
that those modules have like libraries
and places you're just gonna have to do
your due diligence and
to therapist there was one yeah so the
good thing about that not a good thing
but you could so you could delete it and
then you could install it with composer
and then use composer remove it and
depending on how the directories were
set up it should remove that abandoned
dependency I would assume but you're
better off if composer doesn't know
about it just go ahead and yourself they
are yeah so the the question is you know
and with Drupal modules in composer you can
have one module depend on another
version of another module and are they
using it they totally are you're gonna
find some modules and Drupal with either
side the proposers say we require this
minimum version of say kind of the meta
tag module for example we need version 1
and meta tag or greater so when you try
to install that module using composer so
right so it's gonna it's gonna when you
try to install something and you have a
version that doesn't meet the
requirements that is a dependency of
your project either composer's gonna try
to update it for you or it's gonna tell
you in big LED red letters that hey you
you can't install this package because
of these reasons so you can't install
this module because it requires a bigger
later version than the one you have
installed already so you have to update
that module first so it's gonna tell you
it's going to be helpful okay
question is kind of related to that as
you can do composer outdated but that
gives you the latest version of every
module every requirement not necessarily
what is going to update to and sometimes
it might be nice to say well if I
updated it would require that they would
update to this level but there's also
old this level economic slavery
colonization and take a look at yep and
then you could just say well why isn't
it going to the latest or whatever
finger they have to navigate yes yeah so
to be able to figure out and see what
it's gonna take to update I don't know
it off the top of my head but I believe
there's a flag you can pass to like
composer update that will say like test
this don't actually do it but tell me
what it's gonna change you should let
that say it's gonna update these these
other dependencies for you so you can
just kind of do like a smoke test and
see what's gonna impact I forget what the
flag is off the top of my head by
believing in them I guess you just
didn't put everything up there that
might say - we're updating these but
then you don't really you don't really
catch the difference between a whole
David and yeah what is going to do
ynette updating with us or something I
know you can do the command to say why
is it updated yeah I'll tell you why
why also I'm in I'm not a very big
expert on composer I know more than
just a little more than these five
commands so some of that stuff is beyond
me I don't know how high would cuz I'm
going to build it
that's me yet thank you I can't believe
that so there but I would not recommend
you doing that I mean well if your
bosses ask your clients asks don't spend
your time doing that spend your time
being more thorough with the custom code
you write the indirect creases face
there probably is you should come to the
Boston Drupal meetup sometimes he
shows up because he's in the Boston area
I didn't know is anyone else too still
playing Drupal 2048 alright I see people
playing 2048 in the Train stuff I can't
believe it when I built that it was such
a time suck I actually wasted like a
week of clients time writing and playing
I make test it make sure it works I can
see why composer certainly makes sense
to update or to keep libraries up to date
what's the advantage of using composer
to update Drupal modules but you can
also do it through Drupal update so the
question is what's the value of using
composer to update Drupal modules and
stuff using like Drupal update the value
is if you're using composer to manage
your those modules those modules don't
live in your code base you're using
composer to download the code into it
would go into the modules directory but
using quote Drupal update you have to
have the code as part of your repository
alright so when you run update and you
try to make a commit or a pull request
that's going to show it's updating all
this third-party code that you don't
necessarily care about that you don't
want someone to sift through using
composer you just say composer update
you then you check in your lock file
that's been updated and then on your
environments you just run composer
install and it's going to update the
for you so you get rid of having to
maintain that third party code is that
the address module what about the
address unless you can install yeah
right now there's some yeah there are
modules now moving just to using
composer so that's the other thing is
that they're moving that system I think
it's a great thing to move to because
again the more of other people's code
you can remove from your control but you
can still utilize the better for you
because the less headaches you feel like
there's now that's great for backup but
does he have a smaller stuff you get
commits and only does your stuff and
then you can get push it up it's like
your repos are smaller so they're faster
and you don't have to sit throughout
there's a question in the way back you
can if the question is if there's no
lock file can you run composer install
yes when you run composer install it's
going to read from the .json file
so it'll it will try to match the
version constraints that you specify and
get the latest version that matches that
constraint if you're using all semantic
versioning major dot minor dot patch
in your JSON file then your that's no
big deal because everyone's gonna get
the same version but if you're using any
sort of wild cards or comparison
operators and you don't have a lock file
when I run composer install and when you
run composer install potentially we're
going to get different versions of the
third-party code and that can cause
discrepancies in issues
so composer require adds the line to
your JSON file saying I require this
package and it runs the install as well
when you run install all it does is read
what you already have listed and it will
download that code so it doesn't have
anything there any other questions yes
in the way back day
okay mark
so the question is of being new to
Drupal and using composer are there any
pitfalls to watch out for accidentally
running composer update without any
arguments is something watch out for
because it's gonna update a lot of stuff I
think also for Drupal specifically even
though I showed you what the this basic
setup is if you're trying to set up
Drupal 8 with composer on your own and
not using like the scaffolding project
for example you're gonna have a lot more
advanced composer things you're gonna
have to learn about how to move code in
different directories instead of the
vendor directory so for drupal and
composer I'd recommend I've said a
number of times let's check out the
drupal composer project or the drupal
composer scaffolding project which even
just clone those and they're gonna have
a very robust composer.json file
that will move modules into modules
directory themes in the themes directory
it's not keeping them in vendor they're
gonna handle all the headaches for you
so those would be the two things you
recommend two of you were doing like a
distribution changes
yeah for sure use one or the other
yeah
Drupal scaffold composer scaffolding I think
it might be the same thing I forget the
name of it I oh I google it every time
so so just finish a question yeah if
you're creating distribution you should
find one of those whichever one you want
oh yeah so add composer to it and use
that set up so it'll it'll give you a
nice base it's like using an install
profile almost right for your code base
what about JavaScript libraries is the
question so the great thing about
composer is you can use it beyond just
PHP so if you have let's say you're
using CKEditor which is now built in
the Drupal core probably you needed us
another plugin for it you can add that
repository to your composer.json array
like the GitHub repo to it and then you
can say composer require CKEditor slash
whatever the plug-in name is and you
know and you can tell it to move the
code into the libraries directory so you
can use composer to manage JavaScript
plugins to manage if you're using like
third-party or outside CSS and HTML like
design structures you could pull those
in as well for example at my company our
front-end team who focuses on HTML CSS
they work across .NET and PHP and they
build in Twig
so we pull in their repository extend a
set repository in the drupal our drupal
repo and we just pull it in their code
using composer
yeah custom modules you put in a git
repo
better yet custom modules you build it
contribute it focused and you put it on
drupal.org and then you pull it in but
yeah you can keep your own libraries in
git repositories and add that as a
repository in your composer.json and pull
it in that way instead of copying it into
all your projects so you can totally do
that
I built a brand-new site yesterday at my
development machine and while I was
building it it said it warned me hey
there's a new version of Drupal and that
was the second time that I was warned
that this new version of Drupal that
there was a zip file of a download from
drupal.org but when I tried to update it
from composer it said core isn't
available yet so the comment is set up a
brand new project got the message saying
there's a new version of Drupal core
available saw there is a zip file to
download it on drupal.org tried to run
composer update drupal slash core
you're doing it an update what's the
delay I don't know what the delay is I
know there's I don't know
there's amount of time whoever talked to
the core maintainers about that because it
should be relatively in sync when they
update the zip file they should be
updating Drupal core composer's
information hide it up I'm sorry okay
all right got like three more minutes
any other questions these are great
questions
thank you very much means I did a great
job all right I'm around the rest of the
day and I'm around tomorrow and tonight
if you want to talk more about this or
anything else