
What is dependency management in Laravel?

Source:
https://decodeweb.in/php/php-frameworks/laravel-framework/what-is-dependency-management-in-laravel/

Dependencies are packages, mostly third-party modules or plugins, that
are required for your project to run. For instance, PHPUnit is an
easy-to-integrate, standalone testing framework, so if your application
needs unit testing then you need PHPUnit, which thereby becomes a
dependency. Dependency management solves these problems by automating
and standardizing.

Managing your dependencies manually in any programming language is an
immense pain. This is why most programming languages these days have
some implementation of a dependency management system, or more
generally a package manager.

In a PHP project, we use NPM, i.e. Node Package Manager, for frontend
technologies like JavaScript and VueJS. For the backend, Composer is the
de facto dependency manager.

Composer as dependency manager

According to getcomposer.org’s official definition of Composer,

“Composer is not a package manager in the same sense as Yum or Apt are.
Yes, it deals with "packages" or libraries, but it manages them on a
per-project basis, installing them in a directory (e.g. vendor) inside
your project. By default it does not install anything globally. Thus, it
is a dependency manager. It does however support a "global" project for
convenience via the global command.

This idea is not new and Composer is strongly inspired by node's npm
and ruby's bundler.”

Installation of Composer

Composer is available for all major operating systems. On Windows you
should use the Composer Setup file, which can be found on the Getting
Started page. For Ubuntu and Mac OSX, follow the steps below:

Step 1: Go to your project directory and run the command:

curl -sS https://getcomposer.org/installer | php

You will get a composer.phar file in your project directory.

Step 2: Install Composer globally

I prefer Composer to be accessible globally so that I can run it from
anywhere in my system. To install Composer globally, run this command
with superuser privilege:

sudo mv composer.phar /usr/local/bin/composer

Step 3: Check Composer installation

Type in terminal: composer

If you see Composer's version and command list, consider the
installation of the Composer dependency manager successful.
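
The one-liner in Step 1 runs whatever the download returns. The Composer project publishes a SHA-384 digest of the installer at composer.github.io/installer.sig, and the following added example (not part of the original post; the function names are illustrative) checks the download against it before handing the file to php:

```python
import hashlib
import hmac
import subprocess
import sys
import urllib.request

INSTALLER_URL = "https://getcomposer.org/installer"
# SHA-384 hex digest of the current installer, published by the Composer project.
SIGNATURE_URL = "https://composer.github.io/installer.sig"


def installer_is_authentic(installer: bytes, published_sig: str) -> bool:
    """True only if the installer's SHA-384 equals the published hex digest."""
    actual = hashlib.sha384(installer).hexdigest()
    return hmac.compare_digest(actual, published_sig.strip().lower())


def fetch(url: str) -> bytes:
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def install(target: str = "composer-setup.php") -> int:
    installer = fetch(INSTALLER_URL)
    signature = fetch(SIGNATURE_URL).decode("ascii")
    if not installer_is_authentic(installer, signature):
        # A truncated or modified download stops here and is never executed.
        print("installer checksum mismatch, not running it", file=sys.stderr)
        return 1
    with open(target, "wb") as fh:
        fh.write(installer)
    # Runs the verified file; it writes composer.phar to the current directory.
    return subprocess.call(["php", target])


if __name__ == "__main__":
    sys.exit(install())
```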

A brief introduction of composer.json file

If you have followed my first post on Laravel, you know that Laravel is
a package of packages. That is, Laravel is built from many packages put
together so neatly that newbie developers forget about its working
mechanism completely and perceive Laravel as a standalone application
used for developing web applications and services. This is not
completely true, because Laravel depends on various third-party
packages.

Back on track now. You might have come across a file in your project
directory named composer.json. Let's check it out once again:

{
    "name": "laravel/laravel",
    "description": "The Laravel Framework.",
    "keywords": ["framework", "laravel"],
    "license": "MIT",
    "type": "project",
    "require": {
        "php": ">=7.0.0",
        "fideloper/proxy": "~3.3",
        "laravel/framework": "5.5.*",
        "laravel/tinker": "~1.0",
        "php-junior/laravel-video-chat": "^1.0"
    },
    "require-dev": {
        "filp/whoops": "~2.0",
        "fzaninotto/faker": "~1.4",
        "mockery/mockery": "~1.0",
        "phpunit/phpunit": "~6.0"
    },
    "autoload": {
        "classmap": [
            "database/seeds",
            "database/factories"
        ],
        "psr-4": {
            "App\\": "app/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\": "tests/"
        }
    },
    "extra": {
        "laravel": {
            "dont-discover": [
            ]
        }
    },
    "scripts": {
        "post-root-package-install": [
            "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
        ],
        "post-create-project-cmd": [
            "@php artisan key:generate"
        ],
        "post-autoload-dump": [
            "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
            "@php artisan package:discover"
        ]
    },
    "config": {
        "preferred-install": "dist",
        "sort-packages": true,
        "optimize-autoloader": true
    }
}

This is a typical composer.json file. Composer uses this file and
another file called composer.lock, which I will come to later in this
post, do not worry :)

What I am going to show here are the key sections of the composer.json
file.

require
The require section tells Composer to include the listed packages,
which are indispensable for the project to run in production, i.e. the
whole application is dependent on these packages.

"require": {
    "php": ">=7.0.0",
    "fideloper/proxy": "~3.3",
    "laravel/framework": "5.5.*",
    "laravel/tinker": "~1.0",
    "php-junior/laravel-video-chat": "^1.0"
},

For instance, here the project has a vital dependency on PHP 7+, Laravel
framework 5.5, Tinker etc.

require-dev
The require-dev packages, by contrast, are packages that aren't
necessary for your project to work and shouldn't be included in the
production version of your project.

"require-dev": {
    "filp/whoops": "~2.0",
    "fzaninotto/faker": "~1.4",
    "mockery/mockery": "~1.0",
    "phpunit/phpunit": "~6.0"
},

Typically, these are packages such as phpunit/phpunit that you would
only use during development.

If you want to dig deeper, you can find all the dependencies (or, in
general, packages and their sub-packages) mentioned in the
composer.json file in the vendor directory of your Laravel project.
That is why we need the Composer dependency manager in Laravel.

How to install packages using Composer in Laravel?

Suppose you need to install a package called dump-server, which
collects all your dump call outputs so that they do not interfere with
HTTP / API responses.

You can install the package via Composer:

composer require --dev beyondcode/laravel-dump-server

Or just add an entry in the require-dev section of composer.json, like
below:

"require-dev": {
    . . .
    "beyondcode/laravel-dump-server": "^1.2"
},

(For the version, see the stable version in the image above; it is
v1.2.2.)

Then run the command below in the terminal:

composer update

Why composer update instead of composer install?

composer update

composer update will update your dependencies as they are specified in
composer.json. For example, if you require this package as a
dependency:

"mockery/mockery": "0.9.*",

and you have actually installed version 0.9.1 of the package, running
composer update will cause an upgrade of this package (for example to
0.9.2, if it has already been released).

In detail, composer update will:

1. Read composer.json
2. Remove installed packages that are no longer required in
   composer.json
3. Check the availability of the latest versions of your required
   packages
4. Install the latest versions of your packages
5. Update composer.lock to store the installed package versions
6. composer install

composer install

composer install will not update anything; it will just install all the
dependencies as specified in the composer.lock file.

In detail, composer install will:

1. Check if the composer.lock file exists (if not, run composer update
   and create it)
2. Read the composer.lock file
3. Install the packages specified in the composer.lock file

When to do composer install and when to do composer update?

composer update is mostly used in the 'development phase', to upgrade
our project packages according to what we have specified in the
composer.json file.

composer install is primarily used in the 'deploying phase', to install
our application on a production server or in a testing environment,
using the same dependencies stored in the composer.lock file created by
composer update.

Importance of composer lock in git

While your composer.json file is a rough guide to the dependency
versions that Composer should install, the composer.lock file is an
exact record of the dependency versions that have been installed.

See the below example:

{
    "_readme": [
        "This file locks the dependencies of your project to a known state",
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
        "This file is @generated automatically"
    ],
    "hash": "06e85b1eef2fa596fec9c70d523e6837",
    "content-hash": "4352b38d9919370c89977a1fb30cdfd9",
    "packages": [
        {
            "name": "aws/aws-sdk-php",
            "version": "3.94.1",
            "source": {
                "type": "git",
                "url": "https://github.com/aws/aws-sdk-php.git",
                "reference": "759a55324d...ee783de541ce65bddd46"
            },
            . . .
}

Do you see that long string under the reference key? That is the exact
commit that was recorded once Composer followed the directions in your
composer.json file. The lock file additionally keeps track of the
versions of your dependencies' dependencies, and of their dependencies,
and so on. Well, I hope you have got my point. Your entire application
dependency hierarchy can have its versions 'locked' in your
composer.lock file.

Above all, you should commit this file so that your teammates get
exactly the same package versions when they pull your code locally.
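
The relationship between composer.json, composer.lock and the require-dev section described above can be checked before a deployment. This is an added example, not code from the original post or from Composer; audit_lock and the sample data are illustrative, and the sample versions and references are constructed:

```python
import json
import re

FULL_COMMIT = re.compile(r"[0-9a-f]{40}")


def audit_lock(composer_json: str, composer_lock: str) -> dict:
    """Compare composer.json with composer.lock the way a deploy gate would."""
    manifest, lock = json.loads(composer_json), json.loads(composer_lock)
    prod = {p["name"]: p for p in lock.get("packages", [])}
    dev = {p["name"]: p for p in lock.get("packages-dev", [])}
    locked = {**prod, **dev}
    declared = {**manifest.get("require", {}), **manifest.get("require-dev", {})}
    return {
        # Declared but never locked: composer.json was edited without `composer update`.
        # Names without a vendor/ prefix (php, ext-*) are platform requirements.
        "missing_from_lock": sorted(n for n in declared if "/" in n and n not in locked),
        # Locked development packages, which do not belong on a production server.
        "dev_only": sorted(dev),
        # Locked entries whose source reference is not a full commit hash.
        "no_commit_ref": sorted(
            n for n, p in locked.items()
            if not FULL_COMMIT.fullmatch(p.get("source", {}).get("reference", ""))
        ),
    }


# Constructed sample input (versions and references are made up for the example).
SAMPLE_JSON = json.dumps({
    "require": {"php": ">=7.0.0", "laravel/framework": "5.5.*", "laravel/tinker": "~1.0"},
    "require-dev": {"phpunit/phpunit": "~6.0", "beyondcode/laravel-dump-server": "^1.2"},
})
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v5.5.0",
         "source": {"type": "git", "reference": "ab" * 20}},
        {"name": "laravel/tinker", "version": "v1.0.0",
         "source": {"type": "git", "reference": "1a2b3c"}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "6.0.0",
         "source": {"type": "git", "reference": "cd" * 20}},
    ],
})

if __name__ == "__main__":
    print(json.dumps(audit_lock(SAMPLE_JSON, SAMPLE_LOCK), indent=2))
```

On a real project, composer validate reports a lock file that is out of date with composer.json, and composer install --no-dev leaves the require-dev packages out of a production install.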

Conclusion

Laravel is itself a package of packages, so to develop our projects
smoothly across team members, dependency management becomes a must,
and Composer does its work under the hood, silently but efficiently.
