
Jordi Boggiano:
Typo Squatting and Packagist
Jul 04, 2016 @ 09:38:45

In a new post to his site Jordi Boggiano, lead developer on Composer and Packagist.org, talks about typo-squatting and Packagist, a trend that has come up in other communities but - so far - not as much in the PHP ecosystem.

Earlier this month an article was published summarizing Nikolai Philipp Tschacher's thesis about typosquatting. In short typosquatting is a way to attack users of a package manager by registering a package with a name similar to a popular package, hoping that someone will accidentally typo the name and end up installing your version of it that contains malware.

The thesis mentions https://packagist.org as a good example as we use vendor namespaces. [...] Despite this mitigating fact, it is still technically possible to squat the vendor name, so I wanted to take a look at our repository data and see if I could spot any bad actors.

He ran a script over the current contents of Packagist to see if he could find any packages trying to take advantage of typosquatting. He describes what the script does and the results: a low number of hits, most of which looked like user error rather than malicious behavior.
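A defender-side version of the check the post describes, as an added example (not Jordi Boggiano's script): it flags vendor names that sit one typo away from a popular vendor so a maintainer can review them. The vendor lists are constructed; on real data they would come from the packagist.org package list.

```python
"""Flag Packagist vendor names that are one edit away from a popular vendor."""

# Constructed: vendors treated as popular squatting targets.
POPULAR_VENDORS = ["symfony", "laravel", "guzzlehttp", "monolog", "phpunit"]

# Constructed: every vendor seen in a repository dump.
ALL_VENDORS = ["symfony", "symfny", "laravle", "guzzlehtpp", "monolog",
               "phpunit", "spatie", "monlog", "php-unit", "laravel-bridge"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    which covers the four typo classes (drop, insert, replace, transpose)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(vendors, popular, max_distance=1):
    """Return (vendor, popular_vendor, distance) for every vendor that is a
    near miss of a popular vendor. Exact matches are the real vendor, not a
    squat, so they are skipped. Hits are candidates for review only: the post
    found most of them to be honest typos by the package owners themselves."""
    hits = []
    for v in vendors:
        for p in popular:
            if v == p:
                continue
            dist = osa_distance(v.lower(), p.lower())
            if dist <= max_distance:
                hits.append((v, p, dist))
    return sorted(hits)


if __name__ == "__main__":
    for vendor, target, dist in find_lookalikes(ALL_VENDORS, POPULAR_VENDORS):
        print(f"review: {vendor!r} is {dist} edit from {target!r}")
```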

tagged: typosquatting packagist results composer

Link: https://seld.be/notes/typo-squatting-and-packagist

Jordi Boggiano:
PHP Versions Stats - 2016.1 Edition
Jun 07, 2016 @ 14:51:35

Jordi Boggiano has posted updated statistics, gathered from Packagist usage, on the PHP versions packages require and on the PHP versions used when downloading packages.

Last year I posted stats about PHP versions, and the year before as well, both times in November. However this year I can't wait for November as I am curious to explore the PHP7 uptake!

A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. I look in the packagist.org logs of the last 28 days for Composer installs done by someone. Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with.

He compares the previous statistics against the ones gathered back in November 2015, both in numbers and graphs. He shows the stats for the PHP versions being used and for the PHP versions that are required. It's interesting to see that there's been a good uptick in supported versions including PHP 7.0+.

tagged: packagist statistics version composer usage requirement

Link: https://seld.be/notes/php-versions-stats-2016-1-edition

Freek Van der Herten:
Getting package statistics from Packagist
May 23, 2016 @ 10:18:07

In a post to his site Freek Van der Herten shows you how to gather information from the Packagist website about the number of times that your packages have been downloaded.

At my work I’m currently creating a new dashboard. That’s a fancy term for an HTML page sprinkled with some Vue magic that will be displayed on a TV screen on the wall of our office. I won’t say much about the dashboard itself in this post, but I’ll make sure to write something on that in the near future.

One of the things I want to display on our dashboard is how many times our packages get downloaded (yeah it’s a vanity project, sorry about that :-)). To make this real easy our intern Jolita and I cooked up a new package called packagist-api. It uses the packagist api to fetch data about published packages.

They include an example of the package in use, fetching the list of packages for the "spatie" vendor and getting the details by package name. The results include more information than just the download count (including current version, maintainers and the basic description). The post ends with an example of filtering out the download counts and putting them into a collection for later use.

tagged: package statistics packagist library results tutorial

Link: https://murze.be/2016/05/getting-package-statistics-packagist/

Jordi Boggiano:
Common files in PHP packages
Apr 21, 2016 @ 09:29:15

Jordi Boggiano has a new post to his site today sharing some interesting PHP package statistics he gathered as a part of the metadata in the Composer/Packagist ecosystem.

This one started in a peculiar way. Paul M. Jones announced a new version of his Producer tool, I had a look at it and saw that it recommended having a changelog called CHANGES.md by default. [...] My first thought was to report an issue asking to change the default, but then I thought it's Paul, he will not just take my word for it, he will want hard facts. So here I am two days later. I queried GitHub's API for the file listing (only the root directory) of all PHP packages listed on packagist.org. What this let me do is look at what files are commonly present (and not), which is quite interesting to get a picture of the whole ecosystem.

He queried about 79,000 packages and found some interesting patterns in the results. These included findings like:

  • 8% have a DependencyInjection/ directory, which I believe indicates Symfony bundles
  • 3.6% have an examples/ and 3.5% a docs/ directory
  • 49% have some file or directory indicating the presence of tests (phpunit.xml & co)
  • 14% have committed their composer.lock
  • 8% show a presence of some code quality/style CI (scrutinizer, codeclimate, styleci)

There are some other interesting statistics in the post around license files, changelogs and CLI binaries too. He's also posted the full data set for anyone interested in running some of their own statistics on the results.

tagged: package statistics packagist composer data results summary

Link: https://seld.be/notes/common-files-in-php-packages

Jordi Boggiano:
PHP Versions Stats - 2015 Edition
Nov 23, 2015 @ 13:17:54

It's come to "that time of year" again and Jordi Boggiano has posted the latest update in his series of PHP usage statistics. In this summary he looks at the PHP versions installed based on the packagist.org logs for developers using Composer.

It's that time of the year again, where I figure it's time to update my yearly data on PHP version usage. Last year's post showed 5.5 as the main winner and 5.3 declining rapidly. Let's see what 2015 brought.

[...] A quick note on methodology, because all these stats are imperfect as they just sample some subset of the PHP user base. [...] Composer sends the PHP version it is running with in its User-Agent header, so I can use that to see which PHP versions people are using Composer with. Of course this data set is probably biased towards development machines and CI servers and as such it should also be taken with a grain of salt.

He first compares the statistics from his 2015 searches against the 2014 stats and shows the differences in usage for PHP versions 5.3.3 up to 5.6.0. Fortunately, the results show a rise in the usage of PHP 5.5 and a decline in all others...but it's not too much of a difference (2-3% range). Pie graphs are also included to help visualize these differences. He also includes some statistics on which PHP versions are required by the packages listed on Packagist, with increases starting at 5.4 and the largest advance for 5.5.
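The methodology both version-stats posts above describe, as an added example that is not Jordi Boggiano's code: tally PHP versions from the Composer User-Agent in access logs. The log lines are constructed in a common-log-like layout, and the User-Agent layout "Composer/<ver> (<OS>; <kernel>; PHP <ver>)" is assumed here to be the form Composer sends.

```python
"""Count PHP minor versions seen in Composer User-Agent strings."""
import re
from collections import Counter

# Constructed sample: Composer hits with varied PHP versions (one with a
# distro suffix) plus two non-Composer hits that must be ignored.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jun/2016:10:00:00 +0000] "GET /packages.json HTTP/1.1" 200 1234 "-" "Composer/1.1.2 (Linux; 4.4.0-22-generic; PHP 7.0.7)"
10.0.0.2 - - [01/Jun/2016:10:00:01 +0000] "GET /packages.json HTTP/1.1" 200 1234 "-" "Composer/1.0.3 (Darwin; 15.5.0; PHP 5.6.22)"
10.0.0.3 - - [01/Jun/2016:10:00:02 +0000] "GET /p/symfony/symfony.json HTTP/1.1" 200 5678 "-" "Composer/1.1.2 (Linux; 3.13.0; PHP 5.5.9-1ubuntu4.17)"
10.0.0.4 - - [01/Jun/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"
10.0.0.5 - - [01/Jun/2016:10:00:04 +0000] "GET /packages.json HTTP/1.1" 200 1234 "-" "curl/7.47.0"
10.0.0.6 - - [01/Jun/2016:10:00:05 +0000] "GET /packages.json HTTP/1.1" 200 1234 "-" "Composer/1.1.2 (Linux; 4.4.0-22-generic; PHP 7.0.7)"
"""

# The User-Agent is the last quoted field; only Composer agents count.
UA_RE = re.compile(r'"(Composer/[^"]*)"\s*$')
# Capture digits only, so distro suffixes such as "-1ubuntu4.17" drop away.
PHP_RE = re.compile(r"\bPHP (\d+)\.(\d+)\.(\d+)")


def php_minor_version(user_agent: str):
    """Return 'major.minor' from a Composer UA, or None if no PHP version is present."""
    m = PHP_RE.search(user_agent)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def tally_php_versions(log_text: str) -> Counter:
    """Count Composer requests per PHP minor version; other clients are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        ua = UA_RE.search(line)
        if not ua:
            continue
        version = php_minor_version(ua.group(1))
        if version:
            counts[version] += 1
    return counts


def as_percentages(counts: Counter) -> dict:
    """Share of each version, rounded to one decimal, as in the posts' tables."""
    total = sum(counts.values())
    return {v: round(100 * n / total, 1) for v, n in sorted(counts.items())}


if __name__ == "__main__":
    for version, share in as_percentages(tally_php_versions(SAMPLE_LOG)).items():
        print(f"PHP {version}: {share}%")
```

As the posts note, such logs over-represent development machines and CI servers, so the shares describe Composer users rather than PHP deployments.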

tagged: usage statistics version comparison yearly packagist composer required

Link: http://seld.be/notes/php-versions-stats-2015-edition

Culttt.com:
How to create a PSR-4 PHP package
Sep 09, 2015 @ 10:55:01

In a tutorial posted to the Culttt.com site Philip Brown shows you how to create a PSR-4 compliant package that can be installed quickly and easily through Composer. The PSR-4 standard is a part of the set of standards defined by the PHP Framework Interoperability Group (PHP-FIG) to help make it easier to work with libraries and tools across frameworks and platforms. The PSR-4 standard replaces the slightly more complex PSR-0 to define a pattern for autoloading files.

A couple of weeks ago I wrote a tutorial on the general principles behind building PHP packages. In that article I mentioned the PSR-4 standard for creating PHP packages. In this tutorial I’m going to walk you through setting up the structure of a PHP package. By having an agreed upon structure for PHP packages we make our code a lot more interchangeable and reusable for the greater Open Source community.

He starts with the basics, creating a simple "nacho" directory in a git repository and introducing Composer (and the composer.json) briefly. He also talks about the "dotfiles" that are included with the use of Composer including a sample Travis-CI configuration. He then gets into the code and shows how to use namespaces, relate them to the directory names for autoloading and even writing a simple test or two. From there he talks about documentation and, finally, pushing the package up to GitHub and adding it to Packagist for others to download.

tagged: psr4 package composer packagist autoload tutorial beginner

Link: http://culttt.com/2014/05/07/create-psr-4-php-package/

Community News:
PHPPackages.org
Jun 17, 2015 @ 11:48:32

A new community resource, built on top of the excellent Composer and Packagist technology that's popular in today's PHP development world, has been released. It provides more context about libraries and a "rank" for each one - PHPPackages.org.

PHPPackages.org was built to solve the following problems: [it] defines a popularity rank for PHP packages, provides a space for discussion and [helps to] discover which packages use a specific package.

The About page has more information about the site, how they calculate the "popularity" metric, what the various icons mean and what kinds of things you can do on the site. It's a great resource, especially for those wondering who is using their packages and to discover new packages that are more widely used. It has a lot of the same information that the Packagist site contains but that little extra bit of data is quite useful.

tagged: phppackages composer packagist metadata library package popularity

Link: https://phppackages.org/

Community News:
Packagist.org Gets a Makeover
Jun 16, 2015 @ 11:55:42

If you're a Composer user, by now you've noticed a major overhaul of the Packagist.org website in the last few days. They've made a major improvement to how the site looks and have added some fun new functionality to help make finding packages easier.

According to the Laravel News site, updates include a change in the recommended install method, the addition of more GitHub metadata and the inclusion of the project's README file. The site will also allow you to sort (ascending and descending) by the number of stars the repository has as well as the number of downloads.

The site still includes all of the information it did before, including version listings, details about what the package requires, license information and links to more information and the actual repository. Check out the new look and see what you think. Packagist is also an Open Source project, so if you find an issue, be sure to either report it to the project or get in, fix it yourself and submit a pull request.

tagged: packagist composer makeover functionality update website

Link: http://packagist.org

Pádraic Brady:
Self-Updating PHARs: Stable phar-updater packages now available
Jun 03, 2015 @ 08:28:12

Pádraic Brady has a new post to his site today talking about creating self-updating phars in PHP using his phar-updater package, built on the recommendations he made in an earlier post.

In all seriousness, phar-updater is my implementation of recommendations I made in a previous blog post around self-updating PHAR files. Those recommendations were, predictably for me, largely concerned with self-updating from a security perspective. Implementing it brought ease of use and flexible integration to the fore also. It can be surprising what a little extra work, testing and packaging can accomplish for reuse compared to throwing code into one file and calling it a day. It’s been integrated into Humbug with nary an issue.

The package makes it simple to integrate self-update functionality into your existing phar deployment, including updating running versions, enforcing TLS connections and configuring updates based on version numbers. You can see his own example in his Humbug package's "SelfUpdate" class.

tagged: phar selfupdate package pharupdater packagist composer

Link: http://blog.astrumfutura.com/2015/06/self-updating-phars-stable-phar-updater-packages-now-available/

ServerGrove Blog:
Satis: building your own Composer repository
Apr 30, 2015 @ 11:26:53

Composer has definitely made a huge impact on how PHP packages and libraries are integrated into other applications. Sometimes, though, it makes more sense for you to keep your code internal to the organization rather than have it public where Composer can install it. In this case, using something like Satis (a self-hosted Packagist-ish server) makes more sense.

We all love Composer. It changed dramatically the way we build PHP applications, based on small and reusable components, but this creates new challenges, especially when we have a single point of failure (SPOF). With Satis, the deployment process can be made robust by adding redundancy in all potential SPOFs (Packagist and GitHub). Let’s see how it works.

They start with a brief look at how Composer works for those not familiar, making the connection with Packagist and ultimately the public repository. In the context of the "single point of failure" they talk about Packagist being down and preventing the install (or deployment!) of your application. Satis is perfect for preventing this. The article then shows how to install Satis (via Composer, naturally) and how to set up the configuration file to define the repositories. The server is then built and can be run using the built-in PHP server on the port of your choice. They include a screenshot of the end result and a quick example of how to use it via your project's Composer configuration.

tagged: satis tutorial packagist composer local server install configure repository

Link: http://blog.servergrove.com/2015/04/29/satis-building-composer-repository/