Composer — Dependency Manager for PHP

Practical guide to Composer — the dependency manager for PHP: install packages, manage versions and optimize autoloading.

Composer is the central dependency manager in the PHP world – it installs libraries, keeps their versions under control and generates the autoloading so you can use classes without writing manual require lines. Through Packagist, the central package registry, a few commands pull anything from Guzzle to the entire Laravel framework into your project. This guide walks you through everyday work: setting up a project, requiring and updating packages, steering versions with constraints and optimizing the autoloader for production.

Project Setup

composer init — Interactively create a new composer.json file in the current directory.

composer init

composer init --name=<vendor>/<package> — Create a new composer.json with a predefined package name.

composer init --name=acme/my-project

composer create-project <package> <directory> — Create a new project from an existing package (like cloning + install).

composer create-project laravel/laravel my-app

composer create-project <package> <directory> <version> — Create a new project from a specific version of a package.

composer create-project laravel/laravel my-app "11.*"

Installing Packages

composer install — Install all dependencies defined in composer.lock (or composer.json if no lock file exists).

composer install

composer install --no-dev — Install only production dependencies, skip require-dev packages.

composer install --no-dev

composer install --optimize-autoloader — Install dependencies and generate an optimized class map for autoloading.

composer install --optimize-autoloader

composer install --no-scripts — Install dependencies without executing any scripts defined in composer.json.

composer install --no-scripts

composer install --dry-run — Simulate the install without actually modifying anything.

composer install --dry-run

Requiring Packages

composer require <package> — Add a package to require and install it.

composer require guzzlehttp/guzzle

composer require <package>:<version> — Require a specific version or version constraint of a package.

composer require guzzlehttp/guzzle:^7.0

composer require --dev <package> — Add a package as a development dependency (require-dev).

composer require --dev phpunit/phpunit

composer require <package> --with-all-dependencies — Allow all dependencies (including already installed) to be updated when requiring.

composer require symfony/console --with-all-dependencies

composer require <package> -W — Short form of --with-all-dependencies.

composer require laravel/framework -W

Updating Packages

composer update — Update all dependencies to the latest versions matching composer.json constraints.

composer update

composer update <package> — Update a single package to its latest allowed version.

composer update guzzlehttp/guzzle

composer update <package1> <package2> — Update multiple specific packages at once.

composer update symfony/console symfony/http-foundation

composer update --with-all-dependencies — Also update dependencies of the packages being updated.

composer update --with-all-dependencies

composer update --no-dev — Update only production dependencies.

composer update --no-dev

composer update --dry-run — Preview what would be updated without actually making changes.

composer update --dry-run

composer update --prefer-lowest — Update to the lowest possible versions matching constraints. Useful for testing compatibility.

composer update --prefer-lowest

Removing Packages

composer remove <package> — Remove a package from require and uninstall it.

composer remove guzzlehttp/guzzle

composer remove --dev <package> — Remove a package from require-dev.

composer remove --dev phpunit/phpunit

composer remove <package> --no-update — Remove a package from composer.json without updating the lock file.

composer remove monolog/monolog --no-update

Package Information & Search

composer show — List all installed packages with their versions.

composer show

composer show <package> — Show detailed information about a specific installed package.

composer show guzzlehttp/guzzle

composer show --tree — Show installed packages as a dependency tree.

composer show --tree

composer show --outdated — List installed packages that have newer versions available.

composer show --outdated

composer show --direct — Show only directly required packages (not transitive dependencies).

composer show --direct

composer search <keyword> — Search for packages on Packagist by keyword.

composer search markdown parser

composer depends <package> — Show which packages depend on a given package (reverse dependency lookup).

composer depends psr/log

composer why <package> — Alias for depends. Show why a package is installed.

composer why symfony/polyfill-mbstring

composer why-not <package> <version> — Show why a package cannot be updated to a specific version.

composer why-not laravel/framework 11.0

Lock File & Autoloader

composer dump-autoload — Regenerate the autoloader files without installing or updating packages.

composer dump-autoload

composer dump-autoload --optimize — Generate an optimized autoloader with a class map for better performance.

composer dump-autoload --optimize

composer dump-autoload --classmap-authoritative — Only use class map for autoloading. Fastest but won't find new classes automatically.

composer dump-autoload --classmap-authoritative

composer validate — Validate the composer.json and composer.lock files for errors.

composer validate

composer validate --strict — Validate with strict checks. Returns non-zero exit code on warnings too.

composer validate --strict

Version Constraints

composer require <package>:^<version> — Caret constraint. Allow updates that don't change the leftmost non-zero digit (recommended).

composer require guzzlehttp/guzzle:^7.5

composer require <package>:~<version> — Tilde constraint. Allow only the last specified digit to increase (~2.0 permits 2.x but not 3.0).

composer require monolog/monolog:~2.0

composer require <package>:<exact_version> — Require an exact version. No updates allowed.

composer require phpunit/phpunit:10.5.3

composer require <package>:">=<min> <<max>" — Use a version range with comparison operators.

composer require monolog/monolog:">=2.0 <3.0"

composer require <package>:* — Wildcard constraint. Allow any version (not recommended for production).

composer require "acme/internal-lib:*"

composer require <package>:dev-<branch> — Require a specific branch (development version) of a package.

composer require acme/lib:dev-main
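To see exactly which releases a caret or tilde constraint lets `composer update` pull in, the following added example (not part of Composer or of the original guide) expands a constraint into an explicit lower and upper bound. It goes beyond the cases listed above by covering zero-major versions, and it assumes plain numeric versions with no stability suffixes; the function names are this example's own.

```python
import re

def _parse(version):
    """Split '7.5' or '10.5.3' into ints, keeping only the parts that were given."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", version):
        raise ValueError(f"unsupported version: {version!r}")
    return [int(p) for p in version.split(".")]

def _pad(parts):
    """Pad to three components so versions compare as tuples."""
    return tuple(parts + [0] * (3 - len(parts)))

def constraint_range(constraint):
    """Return (lower_inclusive, upper_exclusive) for a ^ or ~ constraint."""
    op, parts = constraint[:1], _parse(constraint[1:])
    if op == "^":
        # Bump the leftmost non-zero part; if all given parts are zero,
        # bump the last one that was written.
        idx = next((i for i, p in enumerate(parts) if p != 0), len(parts) - 1)
    elif op == "~":
        # Only the last given part may grow, so bump the part before it.
        idx = max(0, len(parts) - 2)
    else:
        raise ValueError(f"only ^ and ~ are handled here: {constraint!r}")
    upper = parts[: idx + 1]
    upper[idx] += 1
    return _pad(parts), _pad(upper)

def allows(constraint, version):
    """True if the version falls inside the range the constraint permits."""
    lower, upper = constraint_range(constraint)
    return lower <= _pad(_parse(version)) < upper

if __name__ == "__main__":
    for c in ("^7.5", "~2.0", "~1.2.3", "^0.3", "^0.0.3"):
        lo, hi = constraint_range(c)
        print(f"{c:8} >= {'.'.join(map(str, lo))}  < {'.'.join(map(str, hi))}")
```
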

Scripts & Hooks

composer run-script <script> — Run a script defined in the scripts section of composer.json.

composer run-script test

composer run <script> — Short alias for run-script.

composer run lint

composer run-script --list — List all available scripts defined in composer.json.

composer run-script --list

composer exec <binary> — Execute a binary from the vendor/bin directory.

composer exec phpunit -- --filter=MyTest

Global Packages

composer global require <package> — Install a package globally (available system-wide).

composer global require laravel/installer

composer global show — List all globally installed packages.

composer global show

composer global update — Update all globally installed packages.

composer global update

composer global remove <package> — Remove a globally installed package.

composer global remove laravel/installer

Cache & Diagnostics

composer clear-cache — Clear the internal package cache.

composer clear-cache

composer diagnose — Run diagnostic checks for common issues (connectivity, permissions, etc.).

composer diagnose

composer self-update — Update Composer itself to the latest version.

composer self-update

composer self-update --rollback — Roll back to the previously installed version of Composer.

composer self-update --rollback

composer config --list — List all current configuration values.

composer config --list

composer config --global home — Show the Composer home directory path.

composer config --global home

Repositories & Platforms

composer config repositories.<name> vcs <url> — Add a VCS (Git) repository as a package source.

composer config repositories.my-lib vcs https://github.com/acme/my-lib.git

composer config repositories.<name> path <path> — Add a local path repository for development.

composer config repositories.local-lib path ../my-lib

composer config repositories.<name> '{"type": "composer", "url": "<url>"}' — Add a private Composer repository (e.g. Private Packagist, Satis).

composer config repositories.private '{"type": "composer", "url": "https://packages.example.com"}'

composer config platform.php <version> — Fake the PHP version for dependency resolution (useful for deployment targeting).

composer config platform.php 8.2.0

Conclusion

Composer takes the tedium out of managing PHP dependencies, and the key to reproducible builds is the composer.lock file. Keep the distinction clear: composer update re-resolves versions and rewrites the lock file, while composer install installs exactly the versions pinned there. In production you should therefore almost always run only install and leave update to local development. For deployments, reach for --no-dev and an optimized autoloader (-o or --optimize-autoloader) so no testing tools and no needless overhead end up on the server.

Bear in mind that Composer scripts and plugins execute arbitrary code. With untrusted packages, --no-scripts is a sensible safeguard; it only skips the scripts defined in composer.json, so plugins need --no-plugins as well. Keep secure-http (the default) enabled so packages are only ever fetched over HTTPS.
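A pre-deployment check for the risks named in this guide, as an added example that is not part of Composer or of the original guide: it reads a composer.json and reports wildcard constraints, branch requirements, a disabled secure-http setting, plain-HTTP repositories and event scripts that run during install or update. The sample manifest is constructed, and the finding codes and function name are this example's own.

```python
import json

# Constructed sample manifest (not from any real project).
SAMPLE = """
{
  "require": {
    "guzzlehttp/guzzle": "^7.5",
    "acme/internal-lib": "*",
    "acme/lib": "dev-main"
  },
  "require-dev": {"phpunit/phpunit": "10.5.3"},
  "repositories": [
    {"type": "composer", "url": "http://packages.example.com"}
  ],
  "config": {"secure-http": false},
  "scripts": {"post-install-cmd": ["@php bin/setup.php"], "test": "phpunit"}
}
"""

def audit_manifest(text):
    """Return a sorted list of (code, detail) findings for a composer.json string."""
    data = json.loads(text)
    findings = []
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if constraint.strip() == "*":
                findings.append(("wildcard", name))      # any version accepted
            elif constraint.startswith("dev-"):
                findings.append(("branch", name))        # moving branch, not a release
    if data.get("config", {}).get("secure-http", True) is False:
        findings.append(("secure-http-off", "config.secure-http"))
    repos = data.get("repositories", [])
    # Composer accepts repositories as a list or as a name -> definition object.
    repos = list(repos.values()) if isinstance(repos, dict) else repos
    for repo in repos:
        url = repo.get("url", "") if isinstance(repo, dict) else ""
        if isinstance(url, str) and url.startswith("http://"):
            findings.append(("plain-http-repo", url))
    for hook in data.get("scripts", {}):
        # Event hooks (pre-*/post-*) fire during install/update unless --no-scripts is used.
        if hook.startswith(("pre-", "post-")):
            findings.append(("script", hook))
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in audit_manifest(SAMPLE):
        print(f"{code:16} {detail}")
```
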
