Peter Petermanncomposer – what you should know (23.7.2016, 22:47 UTC)

composer – what you should know.

Last year I wrote a piece called “a few thoughts about composer and how poeple use it“. In that post I had a list of things which are problematic about how composer is used.

That post got widely recognized, linked an visited, but in general those issues still exist.

However lately I’ve had even more people asking questions (either on related forums, irc or even irl) about problems that stem from issue number 2: people are using composer as an installer (and sometimes Number 3 because of Number 2).

In that Post I already gave a quick opinion on how workflows with composer should look like, In this post i’ll try to give a few more pointers on how to use composer without creating a mess.

starting a project vs installing

I’ve seen create-project abused as an installer quite a few times, and it seems conveniant and simple to do that – as create-project + a hand full of scripts can easy do an initial install of a project. That is not what it is made for.

Now you might be wondering “why not? its only stupid if it doesn’t work!” – the thing is that this solution is one that usually leads to the question “is there a way to have composer update the create-project stuff??” very shortly after. No there is not and there shouldn’t be one.

So what is create-project for, if not to install your awesome web app on someones server? It is made so you can kickstart new projects by using skeletons that set up a basic project for you, usually adding all the things that might need updating at some point as dependencies, minus the code for your own project.

I wrote an a post on building project skeletons for binpress a few years ago, so if you are a framework builder, or if you have the need to build a custom project skeleton for you, your company, check it out.

You might find ways to make create-project work for you as an installer besides the no-real-update-path (i’ve seen people build quite elaborate scripts, and only have files that overwrite files from dependencies in their project-package), but the truth is, you will have a lot of effort, with not too much gain.

I mentioned it in the toughts-about post: composer is not a tool to run on live machines, (despite that environment checking thing that might make you think it is), and in professional environments, where servers are configured and or behind a firewall, so they are not allowed to pull data from everywhere your install simply won’t work. (The same goes for shared hosting where users might not even have access to a command line).

adding packages to a project

Now this is no starter-tutorial for composer, so I won’t go into how semver restrictions should look (rule of thumb: as tight as necessary, as lose as possible).

What I’d like to get of my chest here is: dear php devs, start thinking about what you add as composer dependencies. Your common day to day tools (like phpcs, phpunit and so on are no dependencies of your project. If you really really must (that is if you have a good reason)) add them as a dev-depepency (require-dev), but even that in a lot of cases doesn’t make sense (and this is a sin I’ve comitted too). Believe me when I say there is no joy when you end up having version constraint conflicts because several of your dependencies insist on installing phpunit in different versions.

Another rule of thumb: the only thing that you should require is dependencies that are necessary to be there when you will run the app in the live environment – things that are only necessary on your dev environment (mockups, debugbars etc) belong in your require-dev, tools that you use over multiple projects (such as phpunit) should be installed on your dev (and ci) environment globally, not with the project.

globally installed composer packages

You might not know this, but composer allows you to install packages globally. STOP don’t get excited about this, whatever it is you are planing to use this for, if its not a composer plugin you are most likely wrong.

Take for example Laravel: Its tutorial tells you to do composer global require laravel/installer which will install 8(!) packages, including such commonly used ones as symfony/process or guzzlehttp/psr7. Why is this a bad thing? Well, in my stack I have quite a few tools, and many of them use quite common packages, which would lead to regular occurences of having to use old tools because one tool is blocking

Truncated by Planet PHP, read more at the original (another 7570 bytes)

Remi ColletNew "remi-php71" repository (23.7.2016, 13:47 UTC)

I've just open the remi-php71 repository for Fedora ≥ 23 and Enterprise Linux ≥ 6.

Current version is PHP 7.1.0beta1 with about 75 extensions which are already compatible.

emblem-important-4-24.pngThis repository provides developement versions which are not suitable for production usage.

The repository configuration is provided by the latest version of the remi-release package:

  • remi-release-23-4.fc23.remi
  • remi-release-24-2.fc24.remi
  • remi-release-6.8-1.el6.remi
  • remi-release-7.2-1.el7.remi

emblem-notice-24.pngAs for other remi's repositories, it is disabled by default, so the update is an administrator choice.

E.g. to update the PHP system version:

yum --enablerepo=remi update remi-release
yum --enablerepo=remi-php71 update php\*

emblem-important-2-24.pngAs some extensions are not yet available, the update may fail, in this case you have to remove not yet compatible extensions, or wait for their update.

PHP 7.1 as Software Collection stay in "remi-safe" as there is no conflicts with the base packages.

SitePoint PHPIs Laravel Good Enough to Power a Custom Google Drive UI? (22.7.2016, 17:13 UTC)

In this tutorial, we’re going to build an app that talks to the Google Drive API. It will have file search, upload, download and delete features. If you want to follow along, you can clone the repo from Github. Creating a New Google Project The first thing that we need to do when working with […]

Continue reading %Is Laravel Good Enough to Power a Custom Google Drive UI?%

Voices of the ElePHPantInterview with Robert McFrazier (22.7.2016, 09:00 UTC) Link
PHP ClassesPHP and JavaScript Innovation Award Report July 2016 Edition - April 2016 nominees (22.7.2016, 05:34 UTC)
By Manuel Lemos
This is the July edition of the Innovation Award podcast hangout recorded by Manuel Lemos and Arturs Sosins to comment on the outstanding features of all the past month nominees and winners PHP and JavaScript packages, the prizes that the authors earned, starting with the nominees from the month of April 2016.

Listen to the podcast, or watch the hangout video to learn why the nominated packages were considered to be innovative, as well the current rankings of the Innovation Award Championship by author and by country.
PHP ClassesIs Your PHP Application Vulnerable to the HTTPoxy Security Exploit? (21.7.2016, 07:30 UTC)
By Manuel Lemos
Recently it was disclosed a security vulnerability called HTTPoxy in Web applications of different languages can be used to perform serious man-in-the-middle attacks (MITM) and disclose sensitive information.

Read this article to learn what is the HTTPoxy vulnerability and how to check if your Web applications are vulnerable.
PHP: Hypertext PreprocessorPHP 7.1.0 Beta 1 Released (21.7.2016, 00:00 UTC)
The PHP development team announces the immediate availability of PHP 7.1.0 Beta 1. This release is the first beta for 7.1.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! PHP 7.1.0 Beta 1 builds on previous releases with: Asynchronous Signal Handling (without ticks) in ext/pcntl. Additional Context in pcntl_signal Handler For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.1.0 Beta 1 please visit the download page, Windows sources and binaries can be found on The second beta will be released on the 8th of August. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
PHP: Hypertext PreprocessorPHP 5.5.38 is released (21.7.2016, 00:00 UTC)
The PHP development team announces the immediate availability of PHP 5.5.38. This is a security release that fixes some security related bugs. All PHP 5.5 users are encouraged to upgrade to this version.For source downloads of PHP 5.5.38 please visit our downloads page, Windows source and binaries can be found on The list of changes is recorded in the ChangeLog. Note that according to our release schedule, PHP 5.5.38 is the last release of the PHP 5.5 branch. There may be additional release if we discover important security issues that warrant it, otherwise this release will be the final one in the PHP 5.5 branch. If your PHP installation is based on PHP 5.5, it may be a good time to start making the plans for the upgrade to PHP 5.6 or PHP 7.0.
PHP: Hypertext PreprocessorPHP 5.6.24 is released (21.7.2016, 00:00 UTC)
The PHP development team announces the immediate availability of PHP 5.6.24. This is a security release. Several security bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version. For source downloads of PHP 5.6.24 please visit our downloads page, Windows source and binaries can be found on The list of changes is recorded in the ChangeLog.
SitePoint PHPTesting Your Tests? Who Watches the Watchmen? (20.7.2016, 17:00 UTC)

Regardless of whether you’re working for a big corporation, a startup, or just for yourself, unit testing is not only helpful, but often indispensable. We use unit tests to test our code, but what happens if our tests are wrong or incomplete? What can we use to test our tests? Who watches the watchmen? Enter […]

Continue reading %Testing Your Tests? Who Watches the Watchmen?%

LinksRSS 0.92   RDF 1.
Atom Feed   100% Popoon
PHP5 powered   PEAR
ButtonsPlanet PHP   Planet PHP
Planet PHP