Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Sculpin Blog:
Deprecating Phar Distribution and Embedded Composer
Sep 02, 2016 @ 12:18:29

On the Sculpin blog Beau Simensen has posted an update about a change in how the project will be released in the future, most notably deprecating the phar release and switching to an embedded Composer installation.

If you are currently using a globally installed phar distribution for Sculpin you should migrate to a per-project Composer installed version of Sculpin as soon as you can. [...] Any plans for Sculpin 3 would have required reworking the phar build and distribution process

In typical programmer fashion, I let myself get bogged down in the details of eventually needing to deploy Sculpin 3 phar builds rather than working on Sculpin 3. What little time I had to spend on Sculpin last year was sunk on solving this problem. [...] The last officially available Sculpin phar is not compatible with PHP 7.

He talks about his earlier goals to make v3 of Sculpin PHP 7-only but, in the process of the work to get to that point, several roadblocks came up preventing it. He talks about self-updating phars and finally realizing that, for the good of the project, a move to the embedded Composer setup is the best method for keeping dependencies in sync. He ends the post with the steps you'll need to take to migrate from the phar release to the managed version and an example commit of how the Sculpin site itself was migrated.

tagged: sculpin static generator project phar embedded composer update

Link: https://blog.sculpin.io/2016/08/31/deprecating-phar-distribution-and-embedded-composer

SitePoint PHP Blog:
Local Composer for Everyone! A Conference-Friendly Satis Setup
Aug 30, 2016 @ 11:13:30

On the SitePoint PHP blog editor Bruno Skvorc has posted a tutorial showing you how to set up the Packagist alternative, Satis, in a local network configuration instead of requiring users to still access the external web.

While preparing my technical materials for WebSummerCamp, I realized my workshop would rely on a fairly stable internet connection, as we’d have a lot of ground to cover and a lot of packages to install. Rather than rely on the gods of live demos, or pre-installing everything and ruining the experience, I picked another route.

In this post, I’ll show you how to set up a local Satis instance and have it host the packages over the network it’s currently on, so that everyone who’s also connected to it can put the address into composer.json as a custom repository source, and retrieve all packages from your machine locally – no internet connection required!

He then shows you how to set up the system on a Homestead Improved VM locally, cloning Satis inside of it. He includes an example of the configuration of his required packages and how to build the local repository using this setup. Then, using the built-in PHP web server, he shows the result of the setup and how to access it from other machines. Finally, a few updates are required to the user's composer.json to use the local versions instead of the normal remote connection for the package downloads.

tagged: composer satis local network tutorial setup configuration example

Link: https://www.sitepoint.com/local-composer-for-everyone-a-conference-friendly-satis-setup/

Matthew Weier O'Phinney:
Using Composer to Autoload ZF Modules
Aug 18, 2016 @ 09:50:11

Matthew Weier O'Phinney has a new post to his site showing you how to can use Composer to autoload Zend Framework modules right along with the rest of the ZF components.

One aspect of Zend Framework 3, we paid particular focus on was leveraging the Composer ecosystem. We now provide a number of Composer plugins for handling things such as initial project installation, registering installed modules with the application, and more. It's the "more" I particularly want to talk about.

With ZF2, we were able to realize the ability to install third-party modules into existing applications, enabling a module ecosystem. [...] For the v3 release, we wanted to solve this if we could. We were able to do so via a Composer plugin, zend-component-installer.

This allows ZF module authors to add details into the "extra" section of their Composer configuration, making it so the plugin understands how to load the module automatically. They've also created a package to help do the same for Apigility applications and lets you remove any calls to "getAutoloaderConfig" in your modules.

tagged: zendframework autoload composer zf3 apigility configuration extra package

Link: https://mwop.net/blog/2016-08-17-zf-composer-autoloading.html

Building a CMS: phpPress
Aug 17, 2016 @ 10:20:38

On the TutsPlus.com site there's a new tutorial posted walking you through the [creation of a flat file CMS] in PHP. It's a simple Slim framework based application that allows the creation of basic pages with a header, footer and sidebar (as well as handling 404s and errors).

In the past tutorials, I have shown you how to create a flat file system content management system (CMS) using Go, Node.js, and Ruby.

In this tutorial, I am going to take the same design model and build a server using PHP. Since PHP isn’t a server by itself, but is usually paired with the Apache web server, I will show you how to set up the Apache web server inside a Vagrant virtual system.

He starts by helping you get the necessary libraries installed via Composer including the parsedown, lightcandy and Slim framework packages. From there it's into the code making:

  • the front controller to define routes and set up an error handler
  • defining the different templates (header, footer, etc)
  • definition of "shortcodes"
  • handling page processing (rendering the content into output)

The tutorial finishes off with the details on getting the server up and running: creating a Vagrant instance with Apache and PHP 5 installed and working together and serving code from a shared folder.

tagged: contentmanagementsystem cms flatfile tutorial phppress composer package

Link: http://code.tutsplus.com/tutorials/building-a-cms-phppress--cms-26536

Peter Petermann:
Composer – What You Should Know
Jul 26, 2016 @ 12:56:21

Peter Petermann has shared a few of his thoughts about right and wrong things to do when using Composer in your PHP-based applications. He offers suggestions based on some of the more wide-spread (but wrong, in his opinion) practices he's seen in several projects.

Last year I wrote a piece called “a few thoughts about composer and how people use it“. In that post I had a list of things which are problematic about how composer is used. That post got widely recognized, linked an visited, but in general those issues still exist.

However lately I’ve had even more people asking questions (either on related forums, irc or even irl) about problems that stem from issue number 2: people are using composer as an installer (and sometimes Number 3 because of Number 2). In that Post I already gave a quick opinion on how workflows with composer should look like, In this post I’ll try to give a few more pointers on how to use composer without creating a mess.

He then breaks up the remainder of the post into various practices he's seen and calling out developers for doing including:

  • starting a project vs installing
  • globally installed composer packages
  • tagging and building

With each of his points he makes suggestions about what's wrong about the practice as well as some suggestions about how things could be done better.

tagged: composer opinion bad practices suggestion correct

Link: https://devedge.wordpress.com/2016/07/23/composer-what-you-should-know/

Jordi Boggiano:
Typo Squatting and Packagist
Jul 04, 2016 @ 09:38:45

In a new post to his site Jordi Boggiano, lead developer on Composer and Packagist.org, talks about typo-squatting and Packagist, a trend that has come up in other communities but - so far - not as much in the PHP ecosystem.

Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware.

The thesis mentions https://packagist.org as a good example as we use vendor namespaces. [...] Despite this mitigating fact, it is still technically possible to squat the vendor name, so I wanted to take a look at our repository data and see if I could spot any bad actors.

He wrote a script on the current contents of the Packagist site to see if he could find any packages that were trying to take advantage of typosquatting. He describes what the script does and the results: a low number of issues where it mostly seemed to be user error, not malicious behavior.

tagged: typosquatting packagist results composer

Link: https://seld.be/notes/typo-squatting-and-packagist

SitePoint PHP Blog:
Composer Global Require Considered Harmful?
Jun 08, 2016 @ 09:53:05

The SitePoint PHP blog has a post about a feature Composer provides to help make tools and libraries easier to use - the ability to install things globally. In this post editor Bruno Skvorc wonders if this feature should be "considered harmful" and a bad practice.

We’ve discussed Composer best practices before, and I’ve always advocated using composer global require when installing packages that can be used across several projects – particularly command line tools. Then, the other day, I ran into this discussion. The short of it is – the majority of people now seem to feel like global require is bad practice, unless the globally installed package has zero dependencies.

The article he references offers an alternative option however: install locally to the project and just update your paths to allow for it to be easily found. This can be difficult and hard to maintain so Bruno offers a counter-suggestion, the "[consolidation/cgr]"(https://github.com/consolidation-org/cgr) tool. This tool handles the "global" install in a way that still isolates it and then automatically updates your .bash_aliases with the command and path to make it easier to use.

tagged: composer global require harmful cgr tool local project

Link: https://www.sitepoint.com/composer-global-require-considered-harmful/

Jordi Boggiano:
PHP Versions Stats - 2016.1 Edition
Jun 07, 2016 @ 14:51:35

Jordi Boggiano has posted some updated statistics around the use of the Packagist site around PHP version requirements and the relation of package downloads to PHP versions.

Last year I posted stats about PHP versions, and the year before as well, both time in November. However this year I can't wait for November as I am curious to explore the PHP7 uptake!

A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs of the last 28 days for Composer installs done by someone. Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with.

He compares the previous statistics against the ones gathered back in November 2015, both in numbers and graphs. He shows the stats for the PHP versions being used and for the PHP versions that are required. It's interesting to see that there's been a good uptick in supported versions including PHP 7.0+.

tagged: packagist statistics version composer usage requirement

Link: https://seld.be/notes/php-versions-stats-2016-1-edition

Rob Allen:
Slim 3.4.0 now provides PSR-7!
May 09, 2016 @ 09:48:10

Rob Allen has a post to his site announcing the latest release of the Slim Framework - v3.4.0 - and an update that allows for full PSR-7 support, telling Composer that the framework fully supports it now as well.

I've been neglecting Slim's PR queue recently, so this weekend I dedicated a lot of time to merging all the good work that our contributors have done. As a result, I'm delighted to release version 3.4.0! This release has a larger set of changes in it than I would have ideally liked which is a direct consequence of having gone two months between releases rather than one.

One particularly interesting addition that we have a made this release is adding a provide section to our composer.json file. [...] This means that we have informed Composer that Slim provides a valid implementation of the interfaces in psr/http-message-implementation virtual package that defines the PSR-7 interfaces.

This basically means that if you're using other libraries/tools that require a PSR-7 compatible system to work correctly, they'll detect that Slim fully supports it.

tagged: slimframework slim3 psr7 support http message implementation composer

Link: https://akrabat.com/slim-3-4-0-now-provides-psr-7/

Leonid Mamchenkov:
Adventure in composer private repositories
Apr 22, 2016 @ 09:19:44

In this new post to his site Leonid Mamchenkov talks about some of his "adventure with Composer private repositories" in some of his deployment work with CakePHP 3 applications.

As good as the Packagist is, there is often a need for a repository or a package elsewhere. Whether it’s a commercial library, or sensitive corporate code, having an ability to store it outside of public eye and handle with the same ease and the same tool as the rest of the dependencies is a very welcome feature.

[...] We are setting up similar development and deployment process, but now for CakePHP-based projects. Things are much easier, since CakePHP 3 natively supports composer for the application itself and for its plugins. But we still have the need for private repositories here and there, so we follow the same setup as we did for WordPress.

Unfortunately he was getting a RuntimeException when he was trying to pull in a plugin through the same private repository workflow. Not only had he not seen the error before but the autoloader was configured as defined and other plugins were working with the same structure. As it turns out, it was the composer.json of the main application repository that was the problem. He includes the fix he made to the configuration on a sample CakePHP 3 project, showing how to switch it to a "vcs" type for more correct handling.

tagged: composer private repository issue runtime exception composerjson configuration

Link: http://mamchenkov.net/wordpress/2016/04/21/adventure-in-composer-private-repositories/