Composer Update Package

Dorthea Seate

Aug 4, 2024, 5:31:45 PM
to cobitcontders
Use Private Packagist if you want to share private code as a Composer package with colleagues or customers without publishing it for everyone on Packagist.org. Private Packagist allows you to manage your own private Composer repository with per-user authentication, team management and integration in version control systems.

Composer is a dependency manager. It installs packages locally. A package is essentially a directory containing something. In this case it is PHP code, but in theory it could be anything. And it contains a package description which has a name and a version. The name and the version are used to identify the package.


In addition to the name and the version, there is useful metadata. The information most relevant for installation is the source definition, which describes where to get the package contents. The package data points to the contents of the package. And there are two options here: dist and source.


When resolving dependencies, packages are looked up from repositories from top to bottom, and by default, as soon as a package is found in one, Composer stops looking in other repositories. Read the repository priorities article for more details and to see how to change this behavior.


This is also the repository type that packagist uses. To reference a composer repository, supply the path before the packages.json file. In the case of packagist, that file is located at /packages.json, so the URL of the repository would be repo.packagist.org. For example.org/packages.json the repository URL would be example.org.


The notify-batch field allows you to specify a URL that will be called every time a user installs a package. The URL can be either an absolute path (that will use the same domain as the repository), or a fully qualified URL.


This field is new in Composer v2, and is prioritised over the provider-includes and providers-url fields if both are present. For compatibility with both Composer v1 and v2 you ideally want to provide both. New repository implementations may only need to support v2 however.


The array of versions can also optionally be minified using Composer\MetadataMinifier\MetadataMinifier::minify() from composer/metadata-minifier. If you do that, you should add a "minified": "composer/2.0" key at the top level to indicate to Composer it must expand the version list back into the original data. See for an example.


Any requested package which does not exist MUST return a 404 status code, which will indicate to Composer that this package does not exist in your repository. Make sure the 404 response is fast to avoid blocking Composer. Avoid redirects to alternative 404 pages.


If your repository only has a small number of packages, and you want to avoid the 404-requests, you can also specify an "available-packages" key in packages.json which should be an array with all the package names that your repository contains. Alternatively you can specify an "available-package-patterns" key which is an array of package name patterns (with * matching any string, e.g. vendor/* would make Composer look up every matching package name in this repository).


The providers-api field allows you to provide a URL template to serve all packages which provide a given package name, but not the package which has that name. It must contain the placeholder %package%.


The list field allows you to return the names of packages which match a given filter (or all names if no filter is present). It should accept an optional ?filter=xx query param, which can contain * as wildcards matching any substring.


The file above declares that acme/foo and acme/bar can be found in this repository, by loading the file referenced by providers-url, replacing %package% by the vendor namespaced package name and %hash% by the sha256 field. Those files themselves contain package definitions as described above.


The repository is accessed either using cURL (Composer 2 with ext-curl enabled) or PHP streams. You can set extra options using the options parameter. For PHP streams, you can set any valid PHP stream context option. See Context options and parameters for more information. When cURL is used, only a limited set of http and ssl options can be configured.


There are a few use cases for this. The most common one is maintaining your own fork of a third party library. If you are using a certain library for your project, and you decide to change something in the library, you will want your project to use the patched version. If the library is on GitHub (this is the case most of the time), you can fork it there and push your changes to your fork. After that you update the project's composer.json. All you have to do is add your fork as a repository and update the version constraint to point to your custom branch. In composer.json only, you should prefix your custom branch name with "dev-" (without making it part of the actual branch name). For version constraint naming conventions see Libraries for more information.


Note that you should not rename the package unless you really intend to fork it in the long term, and completely move away from the original package. Composer will correctly pick your package over the original one since the custom repository has priority over packagist. If you want to rename the package, you should do so in the default (often master) branch and not in a feature branch, since the package name is taken from the default branch.


To get packages from these systems you need to have their respective clients installed. That can be inconvenient. And for this reason there is special support for GitHub and Bitbucket that use the APIs provided by these sites, to fetch the packages without having to install the version control system. The VCS repository provides dists for them that fetch the packages as zips.


The VCS driver to be used is detected automatically based on the URL. However, should you need to specify one for whatever reason, you can use bitbucket, github, gitlab, perforce, fossil, git, svn or hg as the repository type instead of vcs.


If you set the no-api key to true on a github repository it will clone the repository as it would with any other git repository instead of using the GitHub API. But unlike using the git driver directly, Composer will still attempt to use github's zip files.


Since Subversion has no native concept of branches and tags, Composer assumes by default that code is located in $url/trunk, $url/branches and $url/tags. If your repository has a different layout you can change those values. For example if you used capitalized names you could configure the repository like this:


If your Subversion client is configured to store credentials by default, these credentials will be saved for the current user and existing saved credentials for this server will be overwritten. You can change this behavior by setting the "svn-cache-credentials" option in your repository configuration:


Basically, you define the same information that is included in the composer repository's packages.json, but only for a single package. Again, the minimum required fields are name, version, and either of dist or source.


Separate ecosystem: If you have a project which has its own ecosystem, and the packages aren't really reusable by the greater PHP community, you might want to keep them separate to packagist. An example of this would be WordPress plugins.


You give it a composer.json containing repositories, typically VCS and package repository definitions. It will fetch all the packages that are required and dump a packages.json that is your composer repository.


There are some cases, when there is no ability to have one of the previously mentioned repository types online, even the VCS one. A typical example could be cross-organisation library exchange through build artifacts. Of course, most of the time these are private. To use these archives as-is, one can use a repository of type artifact with a folder containing ZIP or TAR archives of those private packages:


If there are two archives with different versions of a package, they are both imported. When an archive with a newer version is added in the artifact folder and you run update, that version will be imported as well and Composer will update to the latest version.


In addition to the artifact repository, you can use the path one, which allows you to depend on a local directory, either absolute or relative. This can be especially useful when dealing with monolithic repositories.


If the package is a local VCS repository, the version may be inferred by the branch or tag that is currently checked out. Otherwise, the version should be explicitly defined in the package's composer.json file. If the version cannot be resolved by these means, it is assumed to be dev-master.


The local package will be symlinked if possible, in which case the output in the console will read Symlinking from ../../packages/my-package. If symlinking is not possible the package will be copied. In that case, the console will output Mirrored from ../../packages/my-package.


Instead of default fallback strategy you can force to use symlink with "symlink": true or mirroring with "symlink": false option. Forcing mirroring can be useful when deploying or generating package from a monolithic repository.


Note: On Windows, directory symlinks are implemented using NTFS junctions because they can be created by non-admin users. Mirroring will always be used on versions below Windows 7 or if proc_open has been disabled.


I don't know of a nice way to solve this but I ran into the same problem. A package I've never heard of was warning that it was abandoned. My solution was to search the composer.lock file for the abandoned package name. It will appear in require or require-dev for the package that depends on it.


In my case it was several levels: package A depended on package B that depended on abandoned package C. Once I identified what package A was, then composer show --tree package/a showed the abandoned package in the tree output.


Is there a way to make it install that package I built into the computer's user folder and not the one that was created on the composer machine? Not sure if it's an adjustment I need to make on the user computer's end or the composer setup end. Also any other tips for composer are appreciated, so far I got most of the basics figured out.
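
The composer.lock search described above (finding which installed package pulls in an abandoned one), as an added example that is not part of the original post. The lock excerpt and all package names are constructed, and the root requirements are passed in by the caller because they live in composer.json rather than in the lock file.

```python
import json
from collections import deque

# Constructed composer.lock excerpt; all package names are hypothetical.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "acme/app-framework", "require": {"php": ">=8.1", "acme/http-client": "^1.4"}},
    {"name": "acme/http-client", "require": {"legacy/old-parser": "^0.9"}},
    {"name": "legacy/old-parser"}
  ],
  "packages-dev": [
    {"name": "acme/test-tools", "require": {"legacy/old-parser": "*"}}
  ]
}
""")


def dependents(lock):
    """Map each package name to the locked packages whose `require` names it."""
    rev = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            # Only `require` is followed: a dependency's own require-dev
            # entries are never installed into the consuming project.
            for dep in pkg.get("require", {}):
                rev.setdefault(dep.lower(), []).append(pkg["name"].lower())
    return rev


def chains_to(lock, target, root_requires):
    """Return every chain from a root requirement down to `target`."""
    rev = dependents(lock)
    roots = {name.lower() for name in root_requires}
    found, queue = [], deque([[target.lower()]])
    while queue:
        path = queue.popleft()
        if path[0] in roots:
            found.append(path)
        for parent in rev.get(path[0], []):
            if parent not in path:  # skip cycles
                queue.append([parent] + path)
    return found


if __name__ == "__main__":
    for chain in chains_to(SAMPLE_LOCK, "legacy/old-parser",
                           ["acme/app-framework", "acme/test-tools"]):
        print(" -> ".join(chain))
```

Each returned chain starts at a direct requirement, which is the package to upgrade, replace or report upstream; packages reached only through provide or replace entries are not followed here.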
