
Peter Petermann:
Composer – What You Should Know
Jul 26, 2016 @ 12:56:21

Peter Petermann has shared a few of his thoughts about right and wrong things to do when using Composer in your PHP-based applications. He offers suggestions based on some of the more wide-spread (but wrong, in his opinion) practices he's seen in several projects.

Last year I wrote a piece called “a few thoughts about composer and how people use it“. In that post I had a list of things which are problematic about how composer is used. That post got widely recognized, linked and visited, but in general those issues still exist.

However, lately I’ve had even more people asking questions (either on related forums, irc or even irl) about problems that stem from issue number 2: people are using composer as an installer (and sometimes number 3 because of number 2). In that post I already gave a quick opinion on how workflows with composer should look. In this post I’ll try to give a few more pointers on how to use composer without creating a mess.

He then breaks the remainder of the post into the practices he's seen (and calls developers out for), including:

  • starting a project vs installing
  • globally installed composer packages
  • tagging and building

For each point he explains what's wrong with the practice and suggests how it could be done better.

tagged: composer opinion bad practices suggestion correct

Link: https://devedge.wordpress.com/2016/07/23/composer-what-you-should-know/

Jordi Boggiano:
Typo Squatting and Packagist
Jul 04, 2016 @ 09:38:45

In a new post to his site Jordi Boggiano, lead developer on Composer and Packagist.org, talks about typo-squatting and Packagist, a trend that has come up in other communities but - so far - not as much in the PHP ecosystem.

Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware.

The thesis mentions https://packagist.org as a good example as we use vendor namespaces. [...] Despite this mitigating fact, it is still technically possible to squat the vendor name, so I wanted to take a look at our repository data and see if I could spot any bad actors.

He wrote a script that runs over the current contents of Packagist looking for package names that could be typosquatting attempts. He describes what the script does and what it found: a small number of hits, most of which looked like user error rather than malicious behaviour.
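
The kind of sweep the post describes can be sketched in a few dozen lines. The script below is an added example for this digest, not Jordi's actual script, and it runs over a constructed list of candidate names rather than live Packagist data; the "popular" set and the candidates are sample data chosen to exercise the rules. It flags a name only when the vendor segment is a near miss of a popular vendor (the part of a Packagist name a squatter can actually register, since the real vendor namespace is owned by its maintainers) and the package segment matches or nearly matches:

```python
"""Typosquat sweep over Composer package names (added example, constructed data)."""

from typing import List, Tuple

# Constructed list of "popular" packages whose names are worth protecting.
POPULAR = [
    "symfony/console",
    "guzzlehttp/guzzle",
    "monolog/monolog",
    "phpunit/phpunit",
]

# Constructed candidates: an exact match, near-miss vendors, and legitimate
# lookalikes that must NOT be flagged.
CANDIDATES = [
    "symfony/console",          # the real thing
    "symfomy/console",          # one-letter vendor typo, same package name
    "guzzle-http/guzzle",       # hyphen inserted into the vendor
    "monolog/monolog-bundle",   # same vendor namespace: owner's own package
    "symphony/console",         # two edits away: below the default threshold
    "acme/widget",              # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, each costing 1."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                # delete ca
                current[j - 1] + 1,             # insert cb
                previous[j - 1] + (ca != cb),   # substitute
            ))
        previous = current
    return previous[-1]


def split_name(name: str) -> Tuple[str, str]:
    """Packagist names are vendor/package; the vendor is the squattable part."""
    vendor, sep, package = name.strip().lower().partition("/")
    if not sep or not vendor or not package:
        raise ValueError(f"not a vendor/package name: {name!r}")
    return vendor, package


def find_squats(popular: List[str], candidates: List[str],
                max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (candidate, popular) pairs where the candidate looks like a
    typo of the popular name. Same-vendor names are skipped: on Packagist
    only the vendor's owner can publish there, so they cannot be squats."""
    popular_set = {p.lower() for p in popular}
    hits: List[Tuple[str, str]] = []
    for cand in candidates:
        if cand.lower() in popular_set:
            continue
        cand_vendor, cand_pkg = split_name(cand)
        for pop in popular:
            pop_vendor, pop_pkg = split_name(pop)
            if cand_vendor == pop_vendor:
                continue
            if (levenshtein(cand_vendor, pop_vendor) <= max_distance
                    and levenshtein(cand_pkg, pop_pkg) <= max_distance):
                hits.append((cand, pop))
    return hits


if __name__ == "__main__":
    for cand, pop in find_squats(POPULAR, CANDIDATES):
        print(f"possible squat: {cand:24} ~ {pop}")
```

Raising max_distance to 2 picks up "symphony/console" as well, which shows the trade-off Jordi ran into: a looser threshold catches more genuine typos but also more legitimate neighbours, so every hit still needs a human look before it is called malicious.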

tagged: typosquatting packagist results composer

Link: https://seld.be/notes/typo-squatting-and-packagist

SitePoint PHP Blog:
Composer Global Require Considered Harmful?
Jun 08, 2016 @ 09:53:05

The SitePoint PHP blog has a post about a Composer feature meant to make tools and libraries easier to use: installing them globally. In it, editor Bruno Skvorc asks whether the feature should be "considered harmful" and treated as a bad practice.

We’ve discussed Composer best practices before, and I’ve always advocated using composer global require when installing packages that can be used across several projects – particularly command line tools. Then, the other day, I ran into this discussion. The short of it is – the majority of people now seem to feel like global require is bad practice, unless the globally installed package has zero dependencies.

The discussion he references offers an alternative: install the tool locally in each project and add its bin directory to your path so the command is easy to find. Bruno finds this fiddly to maintain, so he suggests the consolidation/cgr tool (https://github.com/consolidation-org/cgr) instead. It performs the "global" install in a way that keeps each tool's dependencies isolated from the others, and then updates your .bash_aliases with the command and path so it stays easy to invoke.
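
Why a single shared install breaks down is easiest to see with a toy resolver. The example below is added for this digest (it is not from the SitePoint article or the cgr project) and uses two hypothetical tools, acme/old-linter and acme/new-deployer, with constructed version lists standing in for what Packagist would offer; the constraint parser covers only the common Composer operators (^, ~, x.y.*, comparisons, and space/comma AND). It shows the same requirements failing when resolved together, as `composer global require` does, and succeeding when each tool resolves into its own directory, as cgr does:

```python
"""Toy Composer-constraint resolver showing why one shared global install
fails where per-tool installs succeed (added example, constructed data)."""

import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Hypothetical CLI tools a developer might `composer global require`,
# with the constraints each one places on shared dependencies.
TOOLS: Dict[str, Dict[str, str]] = {
    "acme/old-linter":   {"symfony/console": "~2.8", "psr/log": "^1.0"},
    "acme/new-deployer": {"symfony/console": "^3.1", "psr/log": "^1.0"},
}

# Constructed version lists standing in for what Packagist would offer.
AVAILABLE: Dict[str, List[str]] = {
    "symfony/console": ["2.8.0", "2.8.19", "3.0.9", "3.1.3"],
    "psr/log": ["1.0.0", "1.0.2"],
}


def parse_version(text: str) -> Tuple[Version, int]:
    """'3.1' -> ((3, 1, 0), 2): the padded tuple plus how many parts were given."""
    parts = text.strip().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2]), len(parts)


def _single(token: str) -> Callable[[Version], bool]:
    """One constraint term: ^x.y, ~x.y, x.y.*, or an operator comparison."""
    if token == "*":
        return lambda v: True
    if token.startswith("^"):      # ^1.2 -> >=1.2.0 <2.0.0 ; ^0.3 -> >=0.3.0 <0.4.0
        low, _ = parse_version(token[1:])
        if low[0] > 0:
            high: Version = (low[0] + 1, 0, 0)
        elif low[1] > 0:
            high = (0, low[1] + 1, 0)
        else:
            high = (0, 0, low[2] + 1)
        return lambda v: low <= v < high
    if token.startswith("~"):      # ~1.2 -> <2.0.0 ; ~1.2.3 -> <1.3.0
        low, given = parse_version(token[1:])
        high = (low[0], low[1] + 1, 0) if given == 3 else (low[0] + 1, 0, 0)
        return lambda v: low <= v < high
    if token.endswith(".*"):       # 1.2.* -> >=1.2.0 <1.3.0 ; 1.* -> <2.0.0
        low, given = parse_version(token[:-2])
        high = (low[0] + 1, 0, 0) if given == 1 else (low[0], low[1] + 1, 0)
        return lambda v: low <= v < high
    match = re.match(r"^(>=|<=|!=|>|<|=)?(v?\d[\d.]*)$", token)
    if not match:
        raise ValueError(f"unsupported constraint: {token!r}")
    op, target = match.group(1) or "=", parse_version(match.group(2))[0]
    return {
        "=": lambda v: v == target, "!=": lambda v: v != target,
        ">": lambda v: v > target, ">=": lambda v: v >= target,
        "<": lambda v: v < target, "<=": lambda v: v <= target,
    }[op]


def parse_constraint(text: str) -> Callable[[Version], bool]:
    """Space- or comma-separated terms are ANDed, as in Composer. '||' is out of scope."""
    if "|" in text:
        raise ValueError("OR constraints are not handled by this example")
    terms = [_single(t) for t in re.split(r"[\s,]+", text.strip()) if t]
    return lambda v: all(term(v) for term in terms)


def resolve(constraints: List[str], available: List[str]) -> List[str]:
    """Versions (newest first) satisfying every constraint at once."""
    preds = [parse_constraint(c) for c in constraints]
    ordered = sorted(available, key=lambda s: parse_version(s)[0], reverse=True)
    return [ver for ver in ordered if all(p(parse_version(ver)[0]) for p in preds)]


def shared_install_conflicts(tools: Dict[str, Dict[str, str]],
                             available: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """`composer global require` puts every tool in ONE composer.json, so each
    dependency must satisfy all tools' constraints simultaneously."""
    needs: Dict[str, List[str]] = {}
    for deps in tools.values():
        for pkg, constraint in deps.items():
            needs.setdefault(pkg, []).append(constraint)
    return {pkg: cs for pkg, cs in needs.items() if not resolve(cs, available.get(pkg, []))}


def isolated_install(tools: Dict[str, Dict[str, str]],
                     available: Dict[str, List[str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """One directory per tool (the cgr approach): each tool resolves alone.
    Returns the newest satisfying version per dependency, or None if none fits."""
    return {
        tool: {pkg: (resolve([c], available.get(pkg, [])) or [None])[0]
               for pkg, c in deps.items()}
        for tool, deps in tools.items()
    }


if __name__ == "__main__":
    print("shared install conflicts:", shared_install_conflicts(TOOLS, AVAILABLE))
    print("isolated installs:", isolated_install(TOOLS, AVAILABLE))
```

The shared graph is also why a later `composer global update` run for one tool can move a version that another tool depends on; keeping each tool in its own directory confines that blast radius to the tool being updated.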

tagged: composer global require harmful cgr tool local project

Link: https://www.sitepoint.com/composer-global-require-considered-harmful/

Jordi Boggiano:
PHP Versions Stats - 2016.1 Edition
Jun 07, 2016 @ 14:51:35

Jordi Boggiano has posted updated statistics drawn from Packagist's logs: which PHP versions people run Composer with, and which PHP versions the packages they install require.

Last year I posted stats about PHP versions, and the year before as well, both times in November. However this year I can't wait for November as I am curious to explore the PHP7 uptake!

A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs of the last 28 days for Composer installs done by someone. Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with.

He compares the new numbers against those gathered in November 2015, in both tables and graphs, for the PHP versions Composer is being run with and for the PHP versions packages require. There's been a noticeable uptick in PHP 7.0+ adoption.

tagged: packagist statistics version composer usage requirement

Link: https://seld.be/notes/php-versions-stats-2016-1-edition

Rob Allen:
Slim 3.4.0 now provides PSR-7!
May 09, 2016 @ 09:48:10

Rob Allen has a post announcing the latest release of the Slim Framework, v3.4.0, which among other changes tells Composer that the framework provides a PSR-7 implementation.

I've been neglecting Slim's PR queue recently, so this weekend I dedicated a lot of time to merging all the good work that our contributors have done. As a result, I'm delighted to release version 3.4.0! This release has a larger set of changes in it than I would have ideally liked which is a direct consequence of having gone two months between releases rather than one.

One particularly interesting addition that we have made in this release is adding a provide section to our composer.json file. [...] This means that we have informed Composer that Slim provides a valid implementation of the interfaces in psr/http-message-implementation virtual package that defines the PSR-7 interfaces.

In practice this means that if you depend on a library that requires a PSR-7 implementation (via the psr/http-message-implementation virtual package), Composer will accept Slim as that implementation instead of insisting on an additional one.

tagged: slimframework slim3 psr7 support http message implementation composer

Link: https://akrabat.com/slim-3-4-0-now-provides-psr-7/

Leonid Mamchenkov:
Adventure in composer private repositories
Apr 22, 2016 @ 09:19:44

In this new post to his site, Leonid Mamchenkov recounts an "adventure in Composer private repositories" that came up while setting up deployment for CakePHP 3 applications.

As good as the Packagist is, there is often a need for a repository or a package elsewhere. Whether it’s a commercial library, or sensitive corporate code, having an ability to store it outside of public eye and handle with the same ease and the same tool as the rest of the dependencies is a very welcome feature.

[...] We are setting up similar development and deployment process, but now for CakePHP-based projects. Things are much easier, since CakePHP 3 natively supports composer for the application itself and for its plugins. But we still have the need for private repositories here and there, so we follow the same setup as we did for WordPress.

Unfortunately, pulling in one plugin through that same private-repository workflow produced a RuntimeException. He hadn't seen the error before; the plugin's autoloader was configured as documented, and other plugins with the same structure worked. The culprit turned out to be the composer.json of the main application repository rather than the plugin. He includes the fix he applied to a sample CakePHP 3 project, changing the repository entry to the "vcs" type so Composer handles it correctly.

tagged: composer private repository issue runtime exception composerjson configuration

Link: http://mamchenkov.net/wordpress/2016/04/21/adventure-in-composer-private-repositories/

Jordi Boggiano:
Common files in PHP packages
Apr 21, 2016 @ 09:29:15

Jordi Boggiano has a new post sharing some interesting statistics about PHP packages, gathered by listing the root-directory files of every package registered on Packagist.

This one started in a peculiar way. Paul M. Jones announced a new version of his Producer tool, I had a look at it and saw that it recommended having a changelog called CHANGES.md by default. [...] My first thought was to report an issue asking to change the default, but then I thought it's Paul, he will not just take my word for it, he will want hard facts. So here I am two days later. I queried GitHub's API for the file listing (only the root directory) of all PHP packages listed on packagist.org. What this let me do is look at what files are commonly present (and not), which is quite interesting to get a picture of the whole ecosystem.

He queried about 79,000 packages and found some interesting patterns in the results. These included findings like:

  • 8% have a DependencyInjection/ directory, which I believe indicates Symfony bundles
  • 3.6% have a examples/ and 3.5% a docs/ directory
  • 49% have some file or directory indicating the presence of tests (phpunit.xml & co)
  • 14% have committed their composer.lock
  • 8% show a presence of some code quality/style CI (scrutinizer, codeclimate, styleci)

There are some other interesting statistics in the post around license files, changelogs and CLI binaries too. He has also posted the full data set for anyone interested in running their own analysis of the results.

tagged: package statistics packagist composer data results summary

Link: https://seld.be/notes/common-files-in-php-packages

Rob Allen:
Using Eloquent in Slim Framework
Apr 07, 2016 @ 09:45:31

Rob Allen has a quick post showing how to use Eloquent in a Slim Framework application for database access, and how to test it.

Eloquent is one of the easier ORMs to get started with, so let's look at how to use and test it within a Slim Framework application. [...] Eloquent is quite a nice implementation of the Active Record pattern. If that meets your needs, then it is easy to use within a Slim Framework application, so go for it!

He walks you through setting up the Eloquent package via a Composer require and adding the database settings to your Slim configuration. He then includes the few lines needed to wire Eloquent's "capsule" manager into the Slim application. He also covers testing models, with some simple PHPUnit tests and a bit of mocking.

tagged: slimframework eloquent database capsule composer tutorial

Link: https://akrabat.com/using-testing-eloquent-in-slim-framework/

Jordi Boggiano:
Composer goes Gold
Apr 05, 2016 @ 13:08:39

Jordi Boggiano has posted some excellent news for all of the Composer users out there - the widely popular dependency management tool has officially "gone gold" and has tagged the stable v1.0.0 version of the tool.

Five years ago today, Composer was born. In some ways it feels like yesterday, at least it doesn't feel like five years went by. In other ways it seems like a lifetime ago, and I can barely remember what it was like to write PHP code without having a whole ecosystem at my fingertips.

Jordi also discusses one big recent change around the tool's "self-update" feature: it now has release channels. He hopes more people will run the preview or snapshot channels in development and deployments so that problems are reported before a change reaches stable. Finally, to mark the occasion, Jordi has put a "gold" copy of Composer (on a floppy disk, no less) up for sale on eBay.

tagged: composer v1 stable release gold commemorate gold disk ebay

Link: https://seld.be/notes/composer-goes-gold

SitePoint PHP Blog:
Drunk with the Power of Composer Plugins
Mar 28, 2016 @ 13:54:25

The SitePoint PHP blog has a new tutorial for Composer users about Composer plugin development and how plugins can extend an already powerful tool.

Composer is the sharpest tool in the toolbox of the modern PHP developer. The days of manual dependency management are in the distant past, and in their place we have wonderful things like Semver. Things that help us sleep at night, because we can update our dependencies without smashing rocks together.

[...] Even though we use Composer so frequently, there’s not a lot of shared knowledge about how to extend it. [...] Yet, recent changes have made it much easier to develop Composer plugins. [...] So, today I thought we would explore the possibilities of Composer plugin development, and create a fresh bit of documentation as we go.

He walks you through creating a simple plugin: one that records which users require which dependencies. He shows how to set up the plugin boilerplate and implement the activate and addDependencies methods, which capture the dependencies being added and post that information to a remote site. Worth keeping in mind when installing plugins written by others: a Composer plugin is PHP executed by Composer itself, with the privileges of whoever runs the install, so it deserves the same scrutiny as any other dependency.

tagged: composer plugin tutorial dependency tracking introduction

Link: http://www.sitepoint.com/drunk-with-the-power-of-composer-plugins/