What is composer

• Dependency management
  • Drupal modules
  • PHP libraries
  • 3rd party JS libraries (though npm might be better)

But Composer Sucks!

They all do, its a means to an end

Composer is slow

• They all are
• Dependency management is an NP-complete problem
  • Very hard problem in computer science
  • dependencies -> dependencies -> dependencies ...
• Composer is one of the better ones out there!

Keep all dependencies in Repo?

Yay

• deployment is easy since everything in repo
• no reliance on dependencies being 'up'
• bloated repos
• multiple ppl working on project = possible conflicts

Nay

• repos not so bloated
• conflict only really in composer.lock
• dependencies need to be 'up'
• deployment is more complex
• dependencies can 'change' if not using lock file

Useful composer commands

• composer install
• composer update
• composer why
• composer validate

composer install

• Installs dependencies in composer.json (and creates composer.lock file if not exists)
  • slow if first install and no composer.lock file
  • Installs dependencies in composer.lock
    • fast
• Generally safe as composer.lock is not updated

composer update

• Updates your dependencies
  • Updates composer.lock
• Can also limit what you update
  • composer update drupal/core:8.9.2
• Does NOT use composer.lock
  • slow

composer why

• Useful when you have conflicts
• will let you see what libraries are not compatible in the setup

composer validate

• Validates the composer.json file
  • Lets you know if your dependencies are too 'locked' down
  • If you have bad dependencies

Write your own command

• post install commands
• custom one time commands
• sync commands

Managing Drupal

• Shit show x (number of client sites you manage)
• Core
  • Distributions
  • Modules
  • PHP Libraries
  • Themes

Semantic versioning

• x.y.z
• z: patch
  • no new functionality added or functinonality removed. Only bug fixes
• y: feature
  • New functionality added. Nothing removed.
• x: version upgrade
  • functionality added/removed.

Gotchas

• See how developer releases their code
  • Following semantic versioning, you should be safe on a major release
  • Not following semantic versioning, you may need to look at their code
    • Code review time
  • Also where testing comes in handy (which I've been saying for years)