# Composer — Dependency Manager for PHP

> Practical guide to Composer — the dependency manager for PHP: install packages, manage versions and optimize autoloading.

Source: https://www.jpkc.com/db/en/cheatsheets/build-languages/composer/

<!-- PROSE:intro -->
Composer is the central dependency manager in the PHP world – it installs libraries, keeps their versions under control and generates the autoloading so you can use classes without writing manual `require` lines. Through Packagist, the central package registry, a few commands pull anything from Guzzle to the entire Laravel framework into your project. This guide walks you through everyday work: setting up a project, requiring and updating packages, steering versions with constraints and optimizing the autoloader for production.
<!-- PROSE:intro:end -->

## Project Setup

`composer init` — Interactively create a new composer.json file in the current directory.

```bash
composer init
```

`composer init --name=<vendor>/<package>` — Create a new composer.json with a predefined package name.

```bash
composer init --name=acme/my-project
```

`composer create-project <package> <directory>` — Create a new project from an existing package (like cloning + install).

```bash
composer create-project laravel/laravel my-app
```

`composer create-project <package> <directory> <version>` — Create a new project from a specific version of a package.

```bash
composer create-project laravel/laravel my-app "11.*"
```

## Installing Packages

`composer install` — Install all dependencies defined in composer.lock (or composer.json if no lock file exists).

```bash
composer install
```

`composer install --no-dev` — Install only production dependencies, skip require-dev packages.

```bash
composer install --no-dev
```

`composer install --optimize-autoloader` — Install dependencies and generate an optimized class map for autoloading.

```bash
composer install --optimize-autoloader
```

`composer install --no-scripts` — Install dependencies without executing any scripts defined in composer.json.

```bash
composer install --no-scripts
```

`composer install --dry-run` — Simulate the install without actually modifying anything.

```bash
composer install --dry-run
```

## Requiring Packages

`composer require <package>` — Add a package to require and install it.

```bash
composer require guzzlehttp/guzzle
```

`composer require <package>:<version>` — Require a specific version or version constraint of a package.

```bash
composer require guzzlehttp/guzzle:^7.0
```

`composer require --dev <package>` — Add a package as a development dependency (require-dev).

```bash
composer require --dev phpunit/phpunit
```

`composer require <package> --with-all-dependencies` — Allow all dependencies (including already installed) to be updated when requiring.

```bash
composer require symfony/console --with-all-dependencies
```

`composer require <package> -W` — Short form of --with-all-dependencies.

```bash
composer require laravel/framework -W
```

## Updating Packages

`composer update` — Update all dependencies to the latest versions matching composer.json constraints.

```bash
composer update
```

`composer update <package>` — Update a single package to its latest allowed version.

```bash
composer update guzzlehttp/guzzle
```

`composer update <package1> <package2>` — Update multiple specific packages at once.

```bash
composer update symfony/console symfony/http-foundation
```

`composer update --with-all-dependencies` — Also update dependencies of the packages being updated.

```bash
composer update --with-all-dependencies
```

`composer update --no-dev` — Update only production dependencies.

```bash
composer update --no-dev
```

`composer update --dry-run` — Preview what would be updated without actually making changes.

```bash
composer update --dry-run
```

`composer update --prefer-lowest` — Update to the lowest possible versions matching constraints. Useful for testing compatibility.

```bash
composer update --prefer-lowest
```

## Removing Packages

`composer remove <package>` — Remove a package from require and uninstall it.

```bash
composer remove guzzlehttp/guzzle
```

`composer remove --dev <package>` — Remove a package from require-dev.

```bash
composer remove --dev phpunit/phpunit
```

`composer remove <package> --no-update` — Remove a package from composer.json without updating the lock file.

```bash
composer remove monolog/monolog --no-update
```

## Information & Search

`composer show` — List all installed packages with their versions.

```bash
composer show
```

`composer show <package>` — Show detailed information about a specific installed package.

```bash
composer show guzzlehttp/guzzle
```

`composer show --tree` — Show installed packages as a dependency tree.

```bash
composer show --tree
```

`composer show --outdated` — List installed packages that have newer versions available.

```bash
composer show --outdated
```

`composer show --direct` — Show only directly required packages (not transitive dependencies).

```bash
composer show --direct
```

`composer search <keyword>` — Search for packages on Packagist by keyword.

```bash
composer search markdown parser
```

`composer depends <package>` — Show which packages depend on a given package (reverse dependency lookup).

```bash
composer depends psr/log
```

`composer why <package>` — Alias for depends. Show why a package is installed.

```bash
composer why symfony/polyfill-mbstring
```

`composer why-not <package> <version>` — Show why a package cannot be updated to a specific version.

```bash
composer why-not laravel/framework 11.0
```

## Lock File & Autoloader

`composer dump-autoload` — Regenerate the autoloader files without installing or updating packages.

```bash
composer dump-autoload
```

`composer dump-autoload --optimize` — Generate an optimized autoloader with a class map for better performance.

```bash
composer dump-autoload --optimize
```

`composer dump-autoload --classmap-authoritative` — Only use class map for autoloading. Fastest but won't find new classes automatically.

```bash
composer dump-autoload --classmap-authoritative
```

`composer validate` — Validate the composer.json and composer.lock files for errors.

```bash
composer validate
```

`composer validate --strict` — Validate with strict checks. Returns non-zero exit code on warnings too.

```bash
composer validate --strict
```

## Version Constraints

`composer require <package>:^<version>` — Caret constraint. Allow updates that don't change the leftmost non-zero digit (recommended).

```bash
composer require guzzlehttp/guzzle:^7.5
```

`composer require <package>:~<version>` — Tilde constraint. Allow updates to the last specified digit only.

```bash
composer require monolog/monolog:~2.0
```

`composer require <package>:<exact_version>` — Require an exact version. No updates allowed.

```bash
composer require phpunit/phpunit:10.5.3
```

`composer require <package>:">=<min> <<max>"` — Use a version range with comparison operators.

```bash
composer require monolog/monolog:">=2.0 <3.0"
```

`composer require <package>:*` — Wildcard constraint. Allow any version (not recommended for production).

```bash
composer require acme/internal-lib:*
```

`composer require <package>:dev-<branch>` — Require a specific branch (development version) of a package.

```bash
composer require acme/lib:dev-main
```

## Scripts & Hooks

`composer run-script <script>` — Run a script defined in the scripts section of composer.json.

```bash
composer run-script test
```

`composer run <script>` — Short alias for run-script.

```bash
composer run lint
```

`composer run-script --list` — List all available scripts defined in composer.json.

```bash
composer run-script --list
```

`composer exec <binary>` — Execute a binary from the vendor/bin directory.

```bash
composer exec phpunit -- --filter=MyTest
```

## Global Packages

`composer global require <package>` — Install a package globally (available system-wide).

```bash
composer global require laravel/installer
```

`composer global show` — List all globally installed packages.

```bash
composer global show
```

`composer global update` — Update all globally installed packages.

```bash
composer global update
```

`composer global remove <package>` — Remove a globally installed package.

```bash
composer global remove laravel/installer
```

## Cache & Diagnostics

`composer clear-cache` — Clear the internal package cache.

```bash
composer clear-cache
```

`composer diagnose` — Run diagnostic checks for common issues (connectivity, permissions, etc.).

```bash
composer diagnose
```

`composer self-update` — Update Composer itself to the latest version.

```bash
composer self-update
```

`composer self-update --rollback` — Rollback to the previously installed version of Composer.

```bash
composer self-update --rollback
```

`composer config --list` — List all current configuration values.

```bash
composer config --list
```

`composer config --global home` — Show the Composer home directory path.

```bash
composer config --global home
```

## Repositories & Platforms

`composer config repositories.<name> vcs <url>` — Add a VCS (Git) repository as a package source.

```bash
composer config repositories.my-lib vcs https://github.com/acme/my-lib.git
```

`composer config repositories.<name> path <path>` — Add a local path repository for development.

```bash
composer config repositories.local-lib path ../my-lib
```

`composer config repositories.<name> '{"type": "composer", "url": "<url>"}'` — Add a private Composer repository (e.g. Private Packagist, Satis).

```bash
composer config repositories.private '{"type": "composer", "url": "https://packages.example.com"}'
```

`composer config platform.php <version>` — Fake the PHP version for dependency resolution (useful for deployment targeting).

```bash
composer config platform.php 8.2.0
```

<!-- PROSE:outro -->
## Conclusion

Composer takes the tedium out of managing PHP dependencies – and the key to reproducible builds is the `composer.lock` file. Keep the distinction clear: `composer update` re-resolves versions and rewrites the lock file, while `composer install` installs exactly the versions pinned there. In production you should therefore almost always run only `install` and leave `update` to local development. For deployments, reach for `--no-dev` and an optimized autoloader (`-o` or `--optimize-autoloader`) so no testing tools and no needless overhead end up on the server. Bear in mind that Composer scripts and plugins execute arbitrary code – with untrusted packages, `--no-scripts` is a sensible safeguard, and `secure-http` (the default) should stay enabled so packages are only ever fetched over HTTPS.

## Further Reading

- [Composer documentation](https://getcomposer.org/doc/) – official guide and command reference
- [Packagist](https://packagist.org/) – the central package registry for PHP
- [Versions and constraints](https://getcomposer.org/doc/articles/versions.md) – in-depth explanation of version constraints
<!-- PROSE:outro:end -->

## Related Commands

- [artisan](https://www.jpkc.com/db/en/cheatsheets/build-languages/artisan/) – command-line tool for the Laravel framework
- [cargo](https://www.jpkc.com/db/en/cheatsheets/build-languages/cargo/) – package and build manager for Rust
- [drush](https://www.jpkc.com/db/en/cheatsheets/build-languages/drush/) – command-line shell for Drupal