Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects Mark Niebergall https://joind.in/talk/774d7

Transcript of Leveraging Composer in Existing Projects

Page 1: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

Mark Niebergall

https://joind.in/talk/774d7

Page 2: Leveraging Composer in Existing Projects

About Mark Niebergall

• PHP since 2005

• Master's degree in MIS

• Senior Software Engineer

• Drug screening project

• UPHPU President

• CSSLP, SSCP Certified and SME

• Drones, fishing, skiing, father, husband

Page 3: Leveraging Composer in Existing Projects
Page 4: Leveraging Composer in Existing Projects
Page 5: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

Page 6: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• Survey

- Have heard of composer?

- Are familiar with what composer is?

- Have used composer?

- Have contributed to composer?

Page 7: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• My experience

- Large project that has been around a while

- Some older code areas

- Various architectural styles over the years

- Various libraries within the project

Page 8: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• My experience

- Libraries scattered in project

- Some libraries were old

- Some libraries were even altered

Page 9: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• My experience

- Made the effort to clean up libraries

- Identify libraries and versions

- Created user stories

- Made the migration

Page 10: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• My experience

- Libraries were organized

- Visibility into libraries used

- Much easier to manage and upgrade

- Much easier to add new libraries

Page 11: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• Objectives

- Know why and how to use composer

- Leverage composer in your projects

Page 12: Leveraging Composer in Existing Projects

Leveraging Composer in Existing Projects

• Topics

- What composer is

- Using composer

- Migrating libraries

Page 13: Leveraging Composer in Existing Projects

What composer is

Page 14: Leveraging Composer in Existing Projects

What composer is

• Created by Nils Adermann and Jordi Boggiano in 2012

• MIT license

Page 15: Leveraging Composer in Existing Projects

What composer is

• https://getcomposer.org/

- Installation instructions

- Documentation

Page 16: Leveraging Composer in Existing Projects

What composer is

• Dependency manager for PHP projects

Page 17: Leveraging Composer in Existing Projects

What composer is

• Tool to manage libraries used by a project

Page 18: Leveraging Composer in Existing Projects

What composer is

• Best practice for dependency management for PHP projects

Page 19: Leveraging Composer in Existing Projects

What composer is

• Manage libraries

- Add libraries to project

- Autoload libraries

- Versioning

- Library dependencies

- Remove libraries

Page 20: Leveraging Composer in Existing Projects

What composer is

• Uses packagist for package information

- https://packagist.org/

- Submit packages to website

- Versions

- Dependencies

- Location

Page 21: Leveraging Composer in Existing Projects

What composer is

• Handles autoloading

- Automatically includes package files when needed

- Use along with other project autoloaders

‣ require_once __DIR__ . '/../vendor/autoload.php';
  require_once __DIR__ . '/../src/Autoloader.php';

Page 22: Leveraging Composer in Existing Projects

What composer is

Page 23: Leveraging Composer in Existing Projects

Using composer

Page 24: Leveraging Composer in Existing Projects
Page 25: Leveraging Composer in Existing Projects

Using composer

• Installing composer

• Adding packages

• Updating packages

• Removing packages

Page 26: Leveraging Composer in Existing Projects

Using composer

• Installing composer

- Download phar installer file

- Run installer with php

- Move to bin

- curl -s https://getcomposer.org/installer | php
  sudo mv composer.phar /usr/local/bin/composer

Page 27: Leveraging Composer in Existing Projects

Using composer

• Installing composer

- Windows download https://getcomposer.org/Composer-Setup.exe

Page 28: Leveraging Composer in Existing Projects

Using composer

• Installing composer

- php /path/to/composer.phar command

- composer command

Page 29: Leveraging Composer in Existing Projects

Using composer

• Installing composer

- Command line tool

- There are some UI helpers

Page 30: Leveraging Composer in Existing Projects

Using composer

• composer package versioning

Page 31: Leveraging Composer in Existing Projects

Using composer

• composer package versioning

- * = wildcard

- ~ = up to but not including next version

- ^ = up to but not including next major version

Page 32: Leveraging Composer in Existing Projects

Using composer

• composer package versioning

- 4.5.2 means only 4.5.2

Page 33: Leveraging Composer in Existing Projects

Using composer

• composer package versioning

- 4.5.* means >= 4.5 and < 4.6

Page 34: Leveraging Composer in Existing Projects

Using composer

• composer package versioning

- ~4.5 means >= 4.5 and <5.0

- ~4.5.6 means >= 4.5.6 and < 4.6

Page 35: Leveraging Composer in Existing Projects

Using composer

• composer package versioning

- ^4.5 means >= 4.5.0 and < 5

- ^4.5.6 means >= 4.5.6 and < 5

- Default versioning format if not specified
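The constraint rules from the versioning slides, worked through as an added Python example (not from the talk and not Composer's own resolver). It goes slightly beyond the slides by covering the pre-1.0 caret case, where Composer treats ^0.3 as >= 0.3.0 and < 0.4.0; pre-release and stability suffixes are not handled, and the function names and release list are constructed for illustration.

```python
def _parse(version):
    """'4.5' -> ((4, 5, 0), 2): zero-padded parts plus how many were given."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts))), len(parts)


def _bump(v, i):
    """Increment part i and zero everything after it: the exclusive bound."""
    return v[:i] + (v[i] + 1,) + (0,) * (len(v) - i - 1)


def bounds(constraint):
    """Return (lower, upper): lower is inclusive, upper is exclusive."""
    c = constraint.strip()
    if c.endswith(".*"):                 # 4.5.* -> >=4.5.0 <4.6.0
        low, n = _parse(c[:-2])
        return low, _bump(low, n - 1)
    if c.startswith("~"):                # only the last given part may grow
        low, n = _parse(c[1:])
        return low, _bump(low, max(n - 2, 0))
    if c.startswith("^"):                # leftmost non-zero part is frozen
        low, n = _parse(c[1:])
        frozen = next((i for i, p in enumerate(low) if p), n - 1)
        return low, _bump(low, frozen)
    low, _ = _parse(c)                   # bare version: that release only
    return low, _bump(low, 2)


def allowed(constraint, releases):
    """Releases a later `composer update` may select under this constraint."""
    low, high = bounds(constraint)
    return [r for r in releases if low <= _parse(r)[0] < high]


# Constructed release history for a hypothetical package.
RELEASES = ["4.5.2", "4.5.6", "4.5.9", "4.6.0", "4.9.1", "5.0.0"]

if __name__ == "__main__":
    for c in ("4.5.2", "4.5.*", "~4.5", "~4.5.6", "^4.5.6", "^0.3"):
        print(f"{c:8} {bounds(c)} -> {allowed(c, RELEASES)}")
```

The wider the range, the more upstream releases a future update can pull into the project without anyone editing composer.json, which is why the lock file and targeted updates matter.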

Page 36: Leveraging Composer in Existing Projects

Using composer

• composer commands

Page 37: Leveraging Composer in Existing Projects

Using composer

• composer commands

- composer init

- composer require

- composer install

- composer update

- composer create-project

- composer remove

Page 38: Leveraging Composer in Existing Projects

Using composer

Page 39: Leveraging Composer in Existing Projects

Using composer

• composer init

Page 40: Leveraging Composer in Existing Projects

Using composer

• composer init

- Initialize a project with composer

- Creates autoloader

- Define basic settings

- Interactively install packages

- Creates composer.json file

Page 41: Leveraging Composer in Existing Projects

Using composer

• composer init

{
    "name": "mniebergall/composer",
    "description": "Leveraging Composer in Existing Projects",
    "authors": [
        {
            "name": "Mark Niebergall",
            "email": "[email protected]"
        }
    ],
    "require": {}
}

Page 42: Leveraging Composer in Existing Projects

Using composer

• composer require

Page 43: Leveraging Composer in Existing Projects

Using composer

• composer require

- Add packages to a project

- Install the package plus dependencies

Page 44: Leveraging Composer in Existing Projects

Using composer

• composer require

- Adds package to composer.json file

- Creates or updates the composer.lock file

Page 45: Leveraging Composer in Existing Projects

Using composer

• composer require

- Package files are saved into the /vendor/ directory

- Autoloader is updated to load the package files automatically

Page 46: Leveraging Composer in Existing Projects

Using composer

• composer require

- Only run in development environment

- Not to be used in other environments

Page 47: Leveraging Composer in Existing Projects

Using composer

• composer require

- composer require --dev vendor/package

‣ Only installs in development with ‘install’ command

• Testing frameworks (PHPUnit, behat, etc)

• Code analysis and statistics

Page 48: Leveraging Composer in Existing Projects

Using composer

• composer require

- composer require --dev phpunit/phpunit

  "require-dev": { "phpunit/phpunit": "^6.3" }

Page 49: Leveraging Composer in Existing Projects

Using composer

• composer require

- composer require --dev fzaninotto/faker

Page 50: Leveraging Composer in Existing Projects

Using composer

• composer require

- composer require --dev h4cc/phpqatools

‣ PHPUnit, PHP-Invoker, DbUnit, PHPLOC, PHPCPD, PHP_Depend, PHPMD, PHP_CodeSniffer, Fabien Potencier/PHP Coding Standards Fixer, Sensiolabs/Security-Checker, and Behat

Page 51: Leveraging Composer in Existing Projects

Using composer

• composer require

- composer require group/package

‣ See packagist for group/package

‣ Find project on GitHub, read the instructions

• Most will have composer installation command

• If not there are options

Page 52: Leveraging Composer in Existing Projects

Using composer

• composer require

- composer require group/package VERSION

- composer require ramsey/uuid

- composer require ramsey/uuid 3.7

- composer require ramsey/uuid=^2.9

- composer require ramsey/uuid ^3.7

Page 53: Leveraging Composer in Existing Projects

Using composer

• composer require

{
    "name": "mniebergall/composer",
    "description": "Leveraging Composer in Existing Projects",
    "authors": [
        {
            "name": "Mark Niebergall",
            "email": "[email protected]"
        }
    ],
    "require": {
        "ramsey/uuid": "^3.7"
    }
}

Page 54: Leveraging Composer in Existing Projects

Using composer

• composer install

Page 55: Leveraging Composer in Existing Projects

Using composer

• composer install

- Installs packages as defined in composer.lock file

- If no lock file then as defined in composer.json

‣ Generates composer.lock file

Page 56: Leveraging Composer in Existing Projects

Using composer

• composer install

- composer install --no-dev

‣ Skips require-dev packages

‣ Use this in non-development environments

• We’ll discuss deployment considerations at the end

Page 57: Leveraging Composer in Existing Projects

Using composer

• composer install

- phpspec, add this to composer.json

‣ "require-dev": {
      "phpspec/phpspec": "^4.0"
  },
  "config": {
      "bin-dir": "bin"
  },
  "autoload": {
      "psr-0": {"": "src"}
  }

‣ Then run composer install

Page 58: Leveraging Composer in Existing Projects

Using composer

• composer update

Page 59: Leveraging Composer in Existing Projects

Using composer

• composer update

- Updates packages to latest based on composer.json contents

- Also updates necessary dependencies

- Updates content of composer.json and composer.lock files

Page 60: Leveraging Composer in Existing Projects

Using composer

• composer update

- composer update

‣ Update all packages

‣ Not recommended

- composer update group/package

‣ Target specific packages

Page 61: Leveraging Composer in Existing Projects

Using composer

• composer update

- composer update group/package version

‣ composer update --dev phpunit/phpunit ^6

Page 62: Leveraging Composer in Existing Projects

Using composer

• composer create-project

Page 63: Leveraging Composer in Existing Projects

Using composer

• composer create-project

- New project from existing package

- Clones down repo, checkout, installs dependencies

Page 64: Leveraging Composer in Existing Projects

Using composer

• composer create-project

- Skeleton projects

- Often used with projects using a framework

- Zend, Laravel, and others

Page 65: Leveraging Composer in Existing Projects

Using composer

• composer remove

Page 66: Leveraging Composer in Existing Projects

Using composer

• composer remove

- Removing lines from composer.json will not work without a composer update

Page 67: Leveraging Composer in Existing Projects

Using composer

• composer remove

- composer remove vendor/package

- Removes entry from composer.json

- Removes entry from composer.lock

- Removes dependencies

- Removes files from vendor directory

Page 68: Leveraging Composer in Existing Projects

Using composer

• composer.json

Page 69: Leveraging Composer in Existing Projects

Using composer

• composer.json

- Project configuration

- Packages to be used

- Package versions

- Used to generate composer.lock file

Page 70: Leveraging Composer in Existing Projects

Using composer

• composer.json

- Can be manually updated

- Can run commands to update it

‣ composer require group/package

Page 71: Leveraging Composer in Existing Projects

Using composer

• composer.json

- Define internally hosted packages

- Environment properties

‣ PHP version for compatibility

Page 72: Leveraging Composer in Existing Projects

Using composer

• composer.lock

Page 73: Leveraging Composer in Existing Projects

Using composer

• composer.lock

- Generated based on contents of composer.json

- Should not be manually edited

- Let composer manage contents

Page 74: Leveraging Composer in Existing Projects

Using composer

• composer.lock

- Defines packages and dependencies to be installed

- composer install reads the composer.lock file

Page 75: Leveraging Composer in Existing Projects

Using composer

Page 76: Leveraging Composer in Existing Projects

Migrating libraries

Page 77: Leveraging Composer in Existing Projects

Migrating libraries

• Benefits of migrating

• How to migrate

Page 78: Leveraging Composer in Existing Projects

Migrating libraries

• Benefits of migrating

- Cleans the codebase

- Project only includes project files

Page 79: Leveraging Composer in Existing Projects

Migrating libraries

• Benefits of migrating

- Centralizes library (package) management

- Easier library management

Page 80: Leveraging Composer in Existing Projects

Migrating libraries

• Benefits of migrating

- Keep libraries current

‣ Bug fixes

‣ Security patches

‣ Features

‣ Performance

Page 81: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

Page 82: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Use source control

‣ Git (preferred)

‣ Mercurial

Page 83: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Create user stories/tickets to track the progress

Page 84: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Transparency with everyone impacted

‣ Development

‣ QA

‣ Project management

‣ Release team

Page 85: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Identify libraries currently included in project

‣ Frameworks

‣ Tools

‣ Helpful libraries

Page 86: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Identify libraries currently included in project

‣ Search for ‘@license’

‣ Tribal knowledge

Page 87: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Vet libraries found

‣ Consolidation? ex: can framework do that?

‣ Secure?

‣ Altered? Run a compare? If so why?

Page 88: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Vet libraries found

‣ Still needed? ex: deprecated functionality, paragonie/random_compat or PHP 7?

‣ Better library available now?

‣ Best practices?

‣ Built into PHP core? ex: NuSOAP vs PHP Soap

Page 89: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Find the package on packagist

‣ Actively maintained

‣ Popularity

‣ Community acceptance

‣ Documentation

Page 90: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Find the package on packagist

‣ Determine desired version

‣ Review dependencies

‣ Consider alternatives

Page 91: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Review the library source

‣ Unit tests

‣ Coding standards

‣ Time to close open bugs and security issues

‣ Architecturally sound

Page 92: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Steps

‣ Tests

‣ Include the library using composer

‣ Remove old library files from source control

‣ Tests

Page 93: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Steps

‣ Make a pull request

• .gitignore or equivalent ignores /vendor/

• Add changed files, including composer.json and composer.lock

Page 94: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Steps

‣ Make a pull request

• commit

• push

• create PR

Page 95: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Steps

‣ Code reviews

• Automated tests

• Functional tests

• Peer review

Page 96: Leveraging Composer in Existing Projects

Migrating libraries

• How to migrate libraries

- Steps

‣ Raise awareness

• QA team

• Project management

• Release team

Page 97: Leveraging Composer in Existing Projects

Migrating libraries

Page 98: Leveraging Composer in Existing Projects

Considerations

Page 99: Leveraging Composer in Existing Projects

Considerations

• Handling altered libraries

- Understand why

- Use pure versions

- Make PR to fix issues

- Document what is wrong
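One way to run the compare suggested under "Vet libraries found" and to document what was changed in an altered library, as an added Python example that is not part of the talk. The directory layout, file names and contents are constructed; in practice the pristine tree is the same release unpacked from upstream or installed by Composer.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to a SHA-256 of its contents."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            # Normalise CRLF so a checkout with converted line endings
            # is not reported as a local modification.
            data = path.read_bytes().replace(b"\r\n", b"\n")
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(data).hexdigest()
    return digests


def compare(vendored, pristine):
    """Classify how the in-repo copy differs from the upstream release."""
    ours, theirs = manifest(vendored), manifest(pristine)
    shared = ours.keys() & theirs.keys()
    return {
        "modified": sorted(f for f in shared if ours[f] != theirs[f]),
        "added": sorted(ours.keys() - theirs.keys()),
        "missing": sorted(theirs.keys() - ours.keys()),
    }


def demo():
    """Build two constructed trees (hypothetical library) and compare them."""
    upstream = {
        "src/Client.php": b"<?php\n// upstream client\n",
        "src/Parser.php": b"<?php\n// upstream parser\n",
        "LICENSE": b"MIT\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        pristine, vendored = Path(tmp, "pristine"), Path(tmp, "lib", "legacy")
        for root in (pristine, vendored):
            for name, body in upstream.items():
                (root / name).parent.mkdir(parents=True, exist_ok=True)
                (root / name).write_bytes(body)
        # Constructed drift of the kind found in long-lived projects.
        (vendored / "src/Client.php").write_bytes(b"<?php\r\n// upstream client\r\n")
        (vendored / "src/Parser.php").write_bytes(b"<?php\n// locally patched\n")
        (vendored / "src/Hotfix.php").write_bytes(b"<?php\n// local addition\n")
        (vendored / "LICENSE").unlink()
        return compare(vendored, pristine)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Every path reported as modified or added needs an explanation (upstream fix, local feature, or unknown) before the old copy is removed from source control.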

Page 100: Leveraging Composer in Existing Projects

Considerations

• Testing when updating packages

- composer update vendor/package version

- Domino effect with dependencies

Page 101: Leveraging Composer in Existing Projects

Considerations

• Deployment

- composer install --no-dev

- From files

‣ Azer Koçulu case of unpublishing 250+ NPM modules

Page 102: Leveraging Composer in Existing Projects

Considerations

• Open discussion

Page 103: Leveraging Composer in Existing Projects

Considerations

Page 104: Leveraging Composer in Existing Projects

Questions?

• Rate on joind.in

- https://joind.in/talk/774d7

Page 105: Leveraging Composer in Existing Projects

Sources

• https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

• https://getcomposer.org/