Pragmatism in the real world

A few composer tips

I recently learned about a couple of features of composer that I thought I’d write down here so that I don’t forget them! I also had to deal with a conflict in composer.lock recently, so I’ve noted down how I solved that too.

List installed versions

To list the current versions of all installed dependencies:

composer show -i 

The output looks something like:

container-interop/container-interop 1.1.0  Promoting the interoperability of container objects...
monolog/monolog                     1.17.2 Sends your logs to files, sockets, inboxes, ...
nikic/fast-route                    v0.6.0 Fast request router for PHP
pimple/pimple                       v3.0.2 Pimple, a simple Dependency Injection Container
psr/http-message                    1.0    Common interface for HTTP messages
psr/log                             1.0.0  Common interface for logging libraries
slim/php-view                       2.0.6  Render PHP view scripts into a PSR-7 Response...
slim/slim                           3.1.0  Slim is a PHP micro framework that helps you...

Very useful for working out exactly what’s installed.

Set PHP version

To set the version of PHP that composer will use to resolve dependencies, add this to your composer.json file:

    "config": {
        "platform": {
            "php": "5.6.19"

You can now run composer update on a PHP 7 installation and it will create a composer.lock file suitable for a server running PHP 5.6.19.

Resolving a conflict in composer.lock

When you merge a feature branch into develop and get a conflict in composer.lock, I’ve found these strategies work best for me:

Just the hash

If the only conflict is in the "hash" and "content-hash" lines, then pick either choice and then run:

composer update --lock

Any other conflict

For any other conflict where you want to keep the current set of versions on develop:

  1. Retrieve the correct lock file for develop: git merge --ours
  2. Add in each new dependency in the merged composer.json that’s not in the original develop’s composer.json using
    composer require {vendor/package}

The end result is a composer.lock file with the original information from develop along with the new packages from the feature branch.