In a recent post to his site, Marc Morera discusses the topic of package dependencies in PHP applications. While many of the concepts and terms he uses relate to Symfony-based applications, the ideas are sound and could apply anywhere.
I’m part of this group of people that consider themselves addicts to open source. [...] want to expose my personal experiences about what I learned over the time by leading an open source project, several small open source bundles and PHP libraries, and I want to do it by explaining how we should take care of our Symfony bundles or PHP component dependencies.
He starts by pointing out that he's talking about framework-agnostic packages and their dependencies here (though his own experience is, again, Symfony-centric). He talks about identifying true dependencies through both use statements and composer.json configurations. He points out that the tricky part comes when your dependencies have dependencies of their own, and conflicts may arise from those relationships. He also covers another way to identify dependencies (through adapter use) and package versioning problems. He then gets into Symfony bundle dependencies specifically and links to a tool that can help you map out your required packages. He ends the post with a look at development dependencies and the idea of "trust" in the open source software you use.
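As an added example (not code from Morera's post), the script below cross-checks the vendor namespaces a file imports through use statements against the packages declared in composer.json, surfacing anything the project relies on only transitively. The namespace-to-package map, the sample source file and the sample composer.json are all constructed for the example.

```php
<?php
// Added example, not code from Morera's post. It maps the imports in `use`
// statements to Composer packages and checks them against composer.json's
// "require": a package used but not declared is reachable only through
// another dependency's requirements, the transitive case the post warns about.
// Constructed map: vendor namespace prefix => package. A real run would
// derive it from vendor/composer/installed.json.
$namespaceToPackage = [
    'Symfony\\Component\\HttpFoundation\\' => 'symfony/http-foundation',
    'Symfony\\Component\\Yaml\\'           => 'symfony/yaml',
    'Psr\\Log\\'                           => 'psr/log',
];
// Constructed sample source; the Yaml import is the one to catch.
$source = <<<'SRC'
namespace App\Service;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Yaml\Yaml;
use Psr\Log\LoggerInterface;
use App\Model\User;
SRC;
// Constructed composer.json: symfony/yaml is not declared.
$declared = array_keys(json_decode(
    '{"require": {"symfony/http-foundation": "^6.4", "psr/log": "^3.0"}}',
    true, 512, JSON_THROW_ON_ERROR)['require']);

/** Fully qualified names from simple `use` statements (group use is not handled). */
function importedNames(string $source): array
{
    preg_match_all('/^use\s+([A-Za-z0-9_\\\\]+)(?:\s+as\s+\w+)?\s*;/m', $source, $m);
    return $m[1];
}

/** Package owning a class, or null when no vendor prefix matches (own code). */
function packageFor(string $fqcn, array $map): ?string
{
    foreach ($map as $prefix => $package) {
        if (str_starts_with($fqcn, $prefix)) {
            return $package;
        }
    }
    return null;
}

$undeclared = [];
foreach (importedNames($source) as $fqcn) {
    $package = packageFor($fqcn, $namespaceToPackage);
    if ($package !== null && !in_array($package, $declared, true)) {
        $undeclared[$package] = true;
    }
}
foreach (array_keys($undeclared) as $package) {
    echo "used but not declared in composer.json: {$package}\n";
}
```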