What's New in Composer 2.4

Published On28 Jul 2022

What's new in Composer 2.4

Composer, PHP's de-facto dependency manager. brings several new features in its upcoming Composer 2.4 release. It brings new commands such as audit and bump, support for shell completion on supported shells, suggestions to install a package with --dev flag where appropriate, improved process signal handling, and more.

Similar to previous minor version Composer 2.3, Composer 2.4 also requires PHP 7.2. Applications that use older PHP versions might have to resolve to use Composer 2.2, which is a Long-Term-Support version to ease the migration to Composer 2.x first.

New composer bump command

bump is a new command introduced in Composer 2.4 that "bumps" the package version constraints listed in the composer.json file by increasing them to the latest version within the allowed constraints.

New composer bump Command in Composer 2.4
More details about composer bump command with usage examples.

composer bump updates the composer.json with the new version numbers, but only within the allowed major/minor/patch limits. For example, if a composer.json file requires phpunit/phpunit package with a ^9.4 version constraint, it means Composer is allowed to install phpunit/phpunit versions in the range of >= 9.4.0 >= and < 10 Running composer bump increases the lower constraint of the package to the version currently installed.

    "require": {
-        "phpunit/phpunit": "^9.4"
+        "phpunit/phpunit": "^9.5.20"

composer bump command does not update platform requirements such as the PHP version of extension versions.

New composer audit command

Composer 2.4 adds a new command called composer audit, that scans the installed packages for reported security vulnerabilities. It exists with an error code if there are any packages installed with known security vulnerabilities.

Reported security vulnerabilities are obtained by Packagist by default.

Composer `audit` command output
`composer audit` command output

New composer audit Command in Composer 2.4
More details about composer audit command with examples on various output formats.

Automatic Scans for Reported Security Vulnerabilities

In Composer 2.4, when a new package is installed, removed, or updated, Composer automatically scans the installed packages for reported vulnerabilities. This essentially the same as running the composer audit automatically after composer require, composer remove, and composer update commands.

Composer showing a warning on `composer update` command if there are known vulnerabilities in the list of installed packages
Composer showing a warning on `composer update` command if there are known vulnerabilities in the list of installed packages

This audit can be turned off by passing --no-audit option to require and update commands:

composer require foo/bar --no-audit
composer update --no-audit

It is also possible to configure the format of the audit as summary, plain, table, or json by passing the value to the new --audit-format flag. The --audit-format value is summary.

composer update --audit-format=table

Note that composer install command does not perform the audit by default, but it can also be enabled and configured with the --audit option:

composer install --audit --audit-format=plain

Command, Package, and Option Completion

Command completion support is extended in Composer 2.4 to support completion for Composer commands, options, and even package names. Internally, Composer's completion depends on the Symfony Console library. At the moment, support is limited to Bash.

To configure Composer completion, run composer completion with no parameters. On supported platforms, Composer prints a completion script that should be placed in the directory where the shell loads completion scripts. This setup also requires the bash-complete package installed:

For Debian/Ubuntu and similar systems

sudo apt install bash-completion
composer completion | tee /etc/bash_completion.d/composer

For Fedora/RHEL and similar systems

sudo dnf install bash-completion
composer completion | tee /etc/bash_completion.d/composer

For Windows/MacOS
Add the script output of composer completion command to the appropriate location (such as a file loaded by ~/.bashrc) where command completion scripts are loaded when Bash is initialized.

Prompts to Install Packages with --dev

Composer provides require and require-dev sections to install packages. require packages are meant to be production dependencies, while require-dev packages are for testing, CI/CD, and other development dependencies.

Since Composer 2.4, attempting to install a package tagged as dev, testing, or static analysis without the --dev flag prompts the user to install the package as a require-dev dependency instead.

This is helpful to prevent accidentally installing test frameworks, static analyzers, code quality tools, etc as production dependencies.

Prompts to Install Packages in require-dev
When installing `phpunit/phpunit` (tagged with `testing` keyword), Composer prompts to install the package under `require-dev`

composer outdated command improvements

The command outdated command, which lists outdated packages from the currently installed packages, received a face-lift in Composer 2.4. It now displays direct and transitive dependencies separately:

composer-outdated command displaying direct and transitive dependencies separately
`composer outdated` command displaying direct and transitive dependencies separately

Additionally, composer outdated command now supports a --major-only flag that only lists packages with an outdated major version. Composer already supports --patch-only and --minor-only options to filter outdated versions by patch and minor versions.

Composer 2.4 adds numerous minor improvements as well:

  • Improved signal handling
    When Composer receives a SIGINT/SIGTERM/SIGHUP signal (such as SIGINT when user presses ^C), Composer waits for any running external processes to terminate. Composer 2.4 can show the full output of the processes before it exits.
  • composer dump-autoload command supports --strict-psr to detect and fail if there are any files that do not follow PSR-0/PSR-4 naming convention.
  • composer r added as an alias to composer require.
  • Composer\Autoload\ClassMapGenerator is deprecated in favor of the new composer/class-map-generator package.

Trying Out Composer 2.4

Before Composer 2.4 is officially released, it is possible to try Composer 2.4 (or the latest version at the time) by upgrading to preview or snapshot versions of Composer:

composer self-update --snapshot

Recent Articles on PHP.Watch

All ArticlesFeed 
How to fix `mysql_native_password` not loaded errors on MySQL 8.4

How to fix mysql_native_password not loaded errors on MySQL 8.4

How to fix the SQLSTATE[HY000] [1524] Plugin 'mysql_native_password' is not loaded errors caused in MySQL 8.4 no longer enabling the mysql_native_password plugin by default.
How to fix PHP Curl HTTPS Certificate Authority issues on Windows

How to fix PHP Curl HTTPS Certificate Authority issues on Windows

On Windows, HTTPS requests made with the Curl extension can fail because Curl has no root certificate list to validate the server certificates. This article discusses the secure and effective solutions, and highlights bad advice that can leave PHP applications insecure.
AEGIS Encryption with PHP Sodium Extension

AEGIS Encryption with PHP Sodium Extension

The Sodium extension in PHP 8.4 now supports AEGIS-128L and AEGIS256 Authenticated Encryption ciphers. They are significantly faster than AES-GCM and CHACHA20-POLY1305. This article benchmarks them and explains how to securely encrypt and decrypt data using AEGIS-128L and AEGIS256 on PHP.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.