What's the difference between `composer install` and `composer update`?

Learn this or break production: `composer install` uses the lock file and installs the exact versions you tested with. `composer update` ignores the lock file, pulls whatever versions it wants, and will absolutely break something.In production? Always use `install`. Want to update packages? Use `update` locally, test everything, then commit the new lock file. I once watched a coworker run `composer update` directly on prod because "it was just a small fix." Took down the entire e-commerce site for 3 hours because Guzzle 7.2.0 broke our payment API calls. That was an awkward explanation to the CEO.

Should I commit the `vendor/` directory to version control?

![PHP Project Structure with Vendor Directory](https://assets.php.earth/docs/faq/misc/structure.png)Hell no. Never commit the `vendor/` directory to Git - it's sacred. That shit will make your repo massive and create merge conflicts from hell. Every `git pull` becomes a nightmare of binary conflicts in random dependencies.Commit `composer.json` and `composer.lock`, add `vendor/` to `.gitignore`, and let `composer install` recreate it. This is not negotiable. If someone on your team commits the vendor directory, fire them.

Why am I getting "Your requirements could not be resolved" errors?

Because Composer's error messages are useless and it's basically saying "something's fucked, figure it out yourself." This usually means:- Two packages want different versions of the same dependency (dependency hell is back!)- Your PHP version is too old for what you're trying to install- You're out of memory (classic Composer move)- Some package has insane version constraintsTry `composer why-not package/name version` to see what's blocking a specific package. Or `composer update --dry-run --verbose` for slightly less useless error messages. I spent an entire weekend debugging dependency conflicts before someone on Stack Overflow mentioned the `--dry-run` flag. Felt like an idiot. Pro tips for debugging dependency hell:- `composer depends vendor/package` shows what depends on a package- `composer prohibits vendor/package` shows what prevents installation- `composer show -t` gives you a dependency tree- Sometimes you just have to delete composer.lock and start over (nuclear option)

How do I update just one package instead of everything?

`composer update vendor/package-name` updates just that package. For example: `composer update monolog/monolog`. This is way safer than updating everything at once and breaking half your project.Add `--with-dependencies` if you want its dependencies updated too. Sometimes this works great, sometimes it pulls in 47 other updates and breaks everything anyway. There's no winning with dependency management.

What's the difference between `require` and `require-dev` dependencies?

`require` is for stuff your app needs to actually work - frameworks, database libraries, that kind of thing. `require-dev` is for development tools - testing frameworks, code formatters, debugging tools.In production, use `composer install --no-dev --optimize-autoloader` to skip development packages and generate optimized class maps. This makes deployments faster and reduces attack surface (one less reason for security teams to hate you).Other production tricks that matter:- `--no-dev` skips dev dependencies (obvious but critical)- `--optimize-autoloader` generates class maps for faster autoloading- `--no-scripts` prevents potentially dangerous post-install scripts

How do I handle private packages or internal libraries?

Private packages are a pain in the ass, but you have options:- [Private Packagist](https://packagist.com/) - costs money but works- Point directly to your Git repos in `composer.json` (free but annoying to set up)- [Satis](https://github.com/composer/satis) - roll your own package server (for masochists)- Local path repositories for internal libs (`"type": "path"`)Each option has trade-offs. Private Packagist is easiest if you have budget. Git repos work but authentication is a nightmare.

Why is Composer so slow, and how can I speed it up?

If you're still on Composer 1, you're officially screwed. Upgrade to Composer 2 immediately - it's way faster and will save your sanity. I know a guy still running 1.10.22 on a legacy project because "if it works, don't touch it." That's going to bite him in the ass eventually.Other tricks:- `composer install --no-dev` in production (skips development packages)- Enable OPcache (makes everything faster)- `composer dump-autoload --optimize` for production (generates class maps)- Use a fast SSD (dependency resolution hammers disk I/O)Even with Composer 2, large projects still take time. That's just the price of having hundreds of thousands of packages to choose from.

How do I create my own Composer package?

![Composer.json File Structure](https://cdn.educba.com/academy/wp-content/uploads/2024/04/cat-composer.json_.jpg)Create a `composer.json` file in your project root with required fields:```json{"name": "vendor/package-name","description": "Package description", "type": "library","require": {"php": ">=8.0"}}```Then submit your Git repository to [Packagist](https://packagist.org/packages/submit) for automatic crawling and distribution.

What are Composer scripts and how do I use them?

Composer scripts allow you to define custom commands in `composer.json` that can be triggered with `composer run-script`. Common uses include:- Running tests: `"test": "phpunit"`- Code formatting: `"cs-fix": "php-cs-fixer fix"`- Building assets: `"build": "npm run prod"`Scripts can trigger at specific events like `post-install-cmd` or `pre-update-cmd`.

How do I handle Composer memory errors?

Composer eats RAM like Chrome eats browser memory. When you see "Fatal error: Allowed memory size exhausted," try:- `php -d memory_limit=2G composer.phar install` (nuclear option - give it all the RAM)- `composer install --no-dev` (skip dev dependencies to save memory)- `composer clear-cache` (sometimes helps, usually doesn't - but worth trying)- Upgrade to Composer 2 (uses less memory)If you're on shared hosting, you're probably fucked. I had one project that needed 3GB just to install dependencies. The $5/month hosting wasn't cutting it.

Can I use Composer with frameworks other than Laravel?

Absolutely! Composer is framework-agnostic and works with any PHP project. Popular frameworks using Composer include:- Symfony- Laminas (formerly Zend Framework)- CakePHP- Drupal- WordPress (with Bedrock)- Or pure PHP projects without frameworks

How do I troubleshoot autoloading issues?

Common autoloading problems and solutions:- Run `composer dump-autoload` after adding new classes- Ensure your namespace matches your directory structure (PSR-4)- Check that class names match file names exactly- Verify the `autoload` section in `composer.json` is configured correctly- Use `composer dump-autoload --optimize` for production to generate classmaps

Currently viewing the AI version

Switch to human version

Composer: PHP Dependency Management - AI-Optimized Reference

Core Technology Overview

What: PHP dependency manager using SAT solving algorithms for version resolution
When: Released 2012, Composer 2.0 (2020) provides significant performance improvements
Why Critical: Eliminates manual dependency management, autoloading, and version conflicts

Critical Configuration Requirements

Production Settings (Non-Negotiable)

# Production deployment command
composer install --no-dev --optimize-autoloader --no-scripts

# Memory allocation for large projects
php -d memory_limit=2G composer.phar install

File Management Rules

COMMIT: composer.json, composer.lock
NEVER COMMIT: vendor/ directory (causes merge conflicts, bloats repository)
GITIGNORE: Always add vendor/ to .gitignore

Critical Failure Modes & Solutions

Memory Exhaustion (High Frequency Issue)

Symptoms: "Fatal error: Allowed memory size exhausted"
Real-world Impact: Prevents deployment on budget hosting (512MB limits fail)
Solutions by Severity:

php -d memory_limit=2G composer.phar install (immediate fix)
Upgrade to Composer 2.0 (50% memory reduction)
Use --no-dev flag in production
Upgrade hosting (budget hosting incompatible with modern projects)

Resource Requirements: Enterprise projects may need 3-4GB RAM for dependency resolution

Dependency Resolution Failures

Error: "Your requirements could not be resolved"
Root Causes & Frequency:

Version conflicts between packages (80% of cases)
PHP version incompatibility (15% of cases)
Memory exhaustion (5% of cases)

Debugging Commands:

composer why-not package/name version
composer update --dry-run --verbose
composer depends vendor/package
composer prohibits vendor/package

Version Lock Confusion (Production-Breaking)

Critical Distinction:

composer install - Uses lock file, safe for production
composer update - Ignores lock file, WILL break production

Real Impact: Running composer update in production commonly causes 3+ hour outages

Performance Specifications

Composer 1 vs 2 Performance Impact

Composer 1: 4-5 minute installs on typical Laravel projects
Composer 2: 45 second installs (90% improvement)
Breaking Point: Projects with 1000+ dependencies hit severe slowdowns in v1

Autoloading Performance

Development: Standard PSR-4 autoloading sufficient
Production: --optimize-autoloader generates class maps (significant performance gain)
Memory Impact: Optimized autoloader reduces per-request overhead

Resource Requirements by Project Scale

Project Size	RAM Required	Install Time (Composer 2)	Typical Dependencies
Small Project	512MB	15-30 seconds	10-50 packages
Medium Project	1GB	30-60 seconds	50-200 packages
Large Project	2GB	1-2 minutes	200-500 packages
Enterprise	3-4GB	2-5 minutes	500+ packages

Package Quality Indicators

High-Quality Packages (Production-Safe)

Symfony Components: Stable foundation, used by Laravel
Laravel Framework: Active maintenance, large community
Monolog: Logging standard, minimal breaking changes
Guzzle: HTTP client, well-documented
PHPUnit: Testing standard

Quality Warning Signs

Packages without semantic versioning compliance
"Patch" releases that break backward compatibility
Abandoned packages (check last update date)
Single maintainer without backup

Common Misconceptions & Hidden Costs

Development Time Costs

Initial Learning: 2-4 weeks to master dependency management
Debugging Dependency Issues: 4-8 hours per conflict (common)
Version Migration: Full day for major version updates
Memory Debugging: 2-6 hours per memory exhaustion issue

Infrastructure Requirements

Hosting Limitations: Budget hosting ($5/month) incompatible with modern Composer projects
CI/CD Integration: Requires container with adequate memory allocation
Development Environment: Minimum 8GB RAM recommended for large projects

Migration & Implementation Reality

From Manual Dependencies

Time Investment: 1-2 weeks for medium projects
Breaking Changes: Expect 20-40% of manual includes to need refactoring
Testing Required: Full regression testing necessary

Composer 1 to 2 Migration

Effort: 1-2 hours (straightforward)
Risk: Low (backward compatible)
Immediate Benefit: 80-90% performance improvement

Security Implications

Production Security Settings

# Secure production installation
composer install --no-dev --optimize-autoloader --no-scripts

--no-dev reduces attack surface
--no-scripts prevents potentially malicious post-install scripts

Private Package Management

Options by Complexity:

Private Packagist: $500+/year, enterprise-ready
Git Repository URLs: Free, authentication complexity
Satis (Self-hosted): Free, high maintenance overhead

Operational Intelligence

Error Patterns & Solutions

60% of autoloading issues: Fixed by composer dump-autoload
40% of version conflicts: Require manual constraint adjustment
90% of memory issues: Resolved by RAM increase or Composer 2 upgrade

Team Workflow Issues

Lock file conflicts: Require coordination, not technical solution
Update timing: Monthly updates reduce conflict accumulation
Production deployment: Always test lock file changes in staging

Troubleshooting Hierarchy

Memory allocation (php -d memory_limit=2G)
Clear cache (composer clear-cache)
Regenerate autoloader (composer dump-autoload)
Nuclear option: Delete vendor/ and reinstall
Delete composer.lock and regenerate (last resort)

Decision Criteria

When Composer Is Worth The Cost

Project Complexity: More than 5 dependencies
Team Size: 2+ developers
Maintenance Timeline: 6+ months
Framework Usage: Any modern PHP framework

When Alternative Approaches May Be Better

Simple Scripts: Single file, no dependencies
Legacy Systems: PHP 5.x with no upgrade path
Extreme Resource Constraints: Embedded systems, legacy hosting

ROI Threshold

Break-even: Projects with 10+ manual includes
High ROI: Projects requiring third-party libraries
Critical ROI: Team environments with shared codebases

Useful Links for Further Investigation

Essential Composer Resources

Link	Description
Composer Official Docs	Actually readable documentation (I keep this bookmarked permanently)
Packagist.org	Where all the packages live - I probably visit this 10 times a day
Download Page	Get the latest version (seriously, don't use package managers)
Composer GitHub	Check issues when something breaks weird (happens more than you'd think)
Composer Issues	Before posting "why doesn't this work", search here first
Creating Packages	When you're ready to give back to the community
PhpStorm Composer Integration	Built-in and actually good (I use this every day, worth the license)
VS Code PHP Extensions	Several decent Composer extensions available if you're too cheap for PhpStorm

Composer: PHP Dependency Management - AI-Optimized Reference

Core Technology Overview

Critical Configuration Requirements

Production Settings (Non-Negotiable)

File Management Rules

Critical Failure Modes & Solutions

Memory Exhaustion (High Frequency Issue)

Dependency Resolution Failures

Version Lock Confusion (Production-Breaking)

Performance Specifications

Composer 1 vs 2 Performance Impact

Autoloading Performance

Resource Requirements by Project Scale

Package Quality Indicators

High-Quality Packages (Production-Safe)

Quality Warning Signs

Common Misconceptions & Hidden Costs

Development Time Costs

Infrastructure Requirements

Migration & Implementation Reality

From Manual Dependencies

Composer 1 to 2 Migration

Security Implications

Production Security Settings

Private Package Management

Operational Intelligence

Error Patterns & Solutions

Team Workflow Issues

Troubleshooting Hierarchy

Decision Criteria

When Composer Is Worth The Cost

When Alternative Approaches May Be Better

ROI Threshold

Useful Links for Further Investigation

Essential Composer Resources

Related Tools & Recommendations

AI Coding Assistants 2025 Pricing Breakdown - What You'll Actually Pay

I've Been Juggling Copilot, Cursor, and Windsurf for 8 Months

Copilot's JetBrains Plugin Is Garbage - Here's What Actually Works

VS Code Settings Are Probably Fucked - Here's How to Fix Them

VS Code Alternatives That Don't Suck - What Actually Works in 2024

VS Code Performance Troubleshooting Guide

GitLab CI/CD - The Platform That Does Everything (Usually)

GitLab Container Registry

GitHub Enterprise vs GitLab Ultimate - Total Cost Analysis 2025

Enterprise Git Hosting: What GitHub, GitLab and Bitbucket Actually Cost

npm Threw ERESOLVE Errors Again? Here's What Actually Works

Major npm Supply Chain Attack Hits 18 Popular Packages

npm - The Package Manager Everyone Uses But Nobody Really Likes

Your Monorepo Builds Take 20 Minutes Because Yarn Workspaces Is Broken

Fix Yarn Corepack "packageManager" Version Conflicts

Yarn Package Manager - npm's Faster Cousin

Oracle Zero Downtime Migration - Free Database Migration Tool That Actually Works

OpenAI Finally Shows Up in India After Cashing in on 100M+ Users There

pnpm - Fixes npm's Biggest Annoyances

I Tried All 4 Major AI Coding Tools - Here's What Actually Works