Some Composer Commands You Should Know

Posted on 5 March 2014

Here's a short list of Composer commands that you should know in addition to the usual suspects - install, update and create-project.

First of all, if you haven't installed Composer globally, move the composer.phar file from your project to the /bin folder:

sudo mv composer.phar /usr/local/bin/composer

composer require vendor/package

Instead of updating your composer.json file manually, let Composer do it for you.

You can run composer require vendor/package --dev to add it to require-dev instead.

composer install --prefer-dist --no-dev

You generally don't need to clone entire repositories of your dependencies in production environments. You don't need to install dependencies under require-dev in your composer.json file either.

composer update vendor/package

Generally, you just need to update a specific package to the latest version. Running a blanket composer update updates all your dependencies and you can run into some unexpected compatibility issues if the package versions are mostly dev-master.

Also, updating dependencies should be part of your version control workflow.

  • Commit your composer.lock file.
  • Run update commands only in your development environment and test.
  • Push your commits to other environments.
  • In other environments, only run install commands so that packages are installed from the updated composer.lock file.

composer global require vendor/package

You can install packages globally so that they are shared by all projects.

For example, you can install phpunit globally:

composer global require phpunit/phpunit:3.7.*

composer search "foo" & composer show vendor/package

You can view package information right in your terminal.

For example, if I'm looking for a API package:

composer search bitly

I get a list of results:

pnomolos/phitly v3 API wrapper

rukbat/bitly-bundle API bundle for symfony2

hashids/hashids Generate hashes like YouTube or Bitly...

hwi/oauth-bundle Support for authenticating users using both OAuth1.0a and OAuth2 in Symfony2.


The first result looks interesting, so I get more information on it:

composer show pnomolos/phitly

This shows me almost everything I need to know about the package:

name     : pnomolos/phitly

descrip. : v3 API wrapper

keywords : api, bitly, http, phitly, wrapper

versions : * dev-master, 0.1.0

type     : library

license  : BSD

source   : [git] ...

dist     : [zip] ...

names    : pnomolos/phitly



Phitly => lib/


guzzle/guzzle 3.8.*

league/oauth2-client dev-master

php >=5.3.2

composer depends vendor/package

This gives you a list of packages that depend on the package you entered.

For example, running composer depends guzzle/guzzle in your project root will give you a list of packages that depend on Guzzle, including the version.

This is relevant because Guzzle's creator posted a tweet earlier today asking people to stop using the dev-master version of Guzzle.

composer dump-autoload --optimize

Run this on your production environment for better performance. It converts PSR-0/4 to classmap, which is a faster autoloader.