What's New in Composer 2.4

Composer, PHP's de-facto dependency manager, brings several new features in its upcoming 2.4 release. It adds new commands such as audit and bump, shell completion on supported shells, suggestions to install a package with the --dev flag where appropriate, improved process signal handling, and more.
Like the previous minor version, Composer 2.3, Composer 2.4 requires PHP 7.2. Applications that run on older PHP versions might have to fall back to Composer 2.2, the Long-Term-Support version, to ease the migration to Composer 2.x first.
New composer bump command
bump is a new command introduced in Composer 2.4 that "bumps" the package version constraints listed in the composer.json file by increasing them to the latest version within the allowed constraints.
Related: New composer bump Command in Composer 2.4, with more details about the composer bump command and usage examples.
composer bump updates composer.json with new version numbers, but only within the allowed major/minor/patch limits. For example, if a composer.json file requires the phpunit/phpunit package with a ^9.4 version constraint, Composer is allowed to install phpunit/phpunit versions in the range >= 9.4.0 and < 10.0.0. Running composer bump raises the lower bound of the constraint to the version currently installed:
{
"require": {
- "phpunit/phpunit": "^9.4"
+ "phpunit/phpunit": "^9.5.20"
}
}
The composer bump command does not update platform requirements such as the PHP version or extension versions.
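To make the rule above concrete, here is a small model of the bump logic written for this article; it is an added example, not Composer's own code. It reads the constraints from a composer.json document, looks up the installed version of each package in composer.lock, raises caret (^) constraints to the installed version, and skips platform requirements (php, ext-*, lib-*) as the real command does. Only caret constraints are modelled; other operators are left untouched, and the sample composer.json/composer.lock contents are constructed for the demonstration.

```python
"""Simplified model of what composer bump does to constraints in composer.json.

Added example, not Composer's own code. Caret constraints are raised to the
installed version from composer.lock; platform packages and non-caret
constraints are left untouched. Sample inputs below are constructed.
"""
import json
import re

# Platform requirements that composer bump never touches (assumed list).
PLATFORM_RE = re.compile(
    r"^(php|php-64bit|hhvm|ext-[\w-]+|lib-[\w-]+|composer-plugin-api|composer-runtime-api)$"
)
# Matches ^X, ^X.Y or ^X.Y.Z
CARET_RE = re.compile(r"^\^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """'v9.5.20' or '9.5.20' -> (9, 5, 20); missing components default to 0."""
    nums = [int(p) for p in version.lstrip("v").split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def caret_allows(constraint: str, version: str) -> bool:
    """True when `version` lies inside the range a caret constraint permits.

    ^X.Y.Z with X >= 1 means >= X.Y.Z and < (X+1).0.0. For 0.x releases the
    leftmost non-zero component stays fixed: ^0.Y.Z means < 0.(Y+1).0 and
    ^0.0.Z means < 0.0.(Z+1).
    """
    m = CARET_RE.match(constraint)
    if not m:
        return False
    lower = tuple(int(g) if g is not None else 0 for g in m.groups())
    ver = parse_version(version)
    if ver < lower:
        return False
    if lower[0] != 0:
        return ver[0] == lower[0]
    if lower[1] != 0 or m.group(3) is None:
        return ver[0] == 0 and ver[1] == lower[1]
    return ver[0] == 0 and ver[1] == 0 and ver[2] == lower[2]


def bump_constraints(composer_json: dict, composer_lock: dict) -> dict:
    """Return a copy of composer.json with caret constraints bumped to the
    version recorded for each package in composer.lock."""
    installed = {
        pkg["name"]: pkg["version"]
        for section in ("packages", "packages-dev")
        for pkg in composer_lock.get(section, [])
    }
    out = json.loads(json.dumps(composer_json))  # deep copy, input stays intact
    for section in ("require", "require-dev"):
        for name, constraint in out.get(section, {}).items():
            if PLATFORM_RE.match(name):
                continue  # platform requirements are never bumped
            version = installed.get(name)
            if version is None or not caret_allows(constraint, version):
                continue  # not installed, or not a caret constraint we model
            major, minor, patch = parse_version(version)
            out[section][name] = f"^{major}.{minor}.{patch}"
    return out


def diff_lines(before: dict, after: dict) -> list:
    """Render changed constraints in the -/+ style used in the article."""
    lines = []
    for section in ("require", "require-dev"):
        for name, old in before.get(section, {}).items():
            new = after.get(section, {}).get(name)
            if new != old:
                lines.append(f'- "{name}": "{old}"')
                lines.append(f'+ "{name}": "{new}"')
    return lines


# Constructed sample inputs (not a real project).
SAMPLE_COMPOSER_JSON = {
    "require": {"php": "^8.0", "monolog/monolog": "^2.3", "vendor/pinned": "2.1.0"},
    "require-dev": {"phpunit/phpunit": "^9.4"},
}
SAMPLE_COMPOSER_LOCK = {
    "packages": [
        {"name": "monolog/monolog", "version": "2.8.0"},
        {"name": "vendor/pinned", "version": "2.1.0"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "9.5.20"}],
}

if __name__ == "__main__":
    bumped = bump_constraints(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK)
    print("\n".join(diff_lines(SAMPLE_COMPOSER_JSON, bumped)))
```

Running the script prints the phpunit/phpunit and monolog/monolog lines in the same -/+ form as the example above, while the php platform requirement and the exact "2.1.0" pin are reported unchanged.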
New composer audit command
Composer 2.4 adds a new command, composer audit, that scans the installed packages for reported security vulnerabilities. It exits with an error code if any installed package has a known security vulnerability.
Reported security vulnerabilities are obtained from Packagist by default.
Related: New composer audit Command in Composer 2.4, with more details about the composer audit command and examples of its output formats.
Automatic Scans for Reported Security Vulnerabilities
In Composer 2.4, when a new package is installed, removed, or updated, Composer automatically scans the installed packages for reported vulnerabilities. This is essentially the same as running composer audit automatically after the composer require, composer remove, and composer update commands.
This audit can be turned off by passing the --no-audit option to the require and update commands:
composer require foo/bar --no-audit
composer update --no-audit
It is also possible to configure the format of the audit output as summary, plain, table, or json by passing the value to the new --audit-format flag. The default --audit-format value is summary.
composer update --audit-format=table
Note that the composer install command does not perform the audit by default, but it can be enabled and configured with the --audit option:
composer install --audit --audit-format=plain
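The audit command and the automatic scans described above both surface the same advisory data, so the natural follow-up for a pipeline is a hard gate on the json output. The script below is an added example written for this article, not part of Composer: it runs composer audit --format=json, parses the report, and fails the build with a one-line-per-advisory summary. The report layout assumed here is {"advisories": {"vendor/pkg": [advisory, ...]}} with "title", "cve", "link" and "affectedVersions" keys on each advisory (an assumption to check against your Composer version). SAMPLE_REPORT is constructed, not captured from a real run, and its package name and CVE are placeholders.

```python
"""CI gate built on `composer audit --format=json` (Composer 2.4+).

Added example, not part of Composer. The report layout below is assumed;
SAMPLE_REPORT is constructed and uses placeholder identifiers.
"""
import json
import subprocess
import sys


def parse_audit_report(report_json: str) -> list:
    """Flatten the per-package advisory map into a list of findings."""
    if not report_json.strip():
        return []
    data = json.loads(report_json)
    advisories = data.get("advisories") or {}
    if not isinstance(advisories, dict):  # an empty map may serialise as []
        return []
    findings = []
    for package, items in advisories.items():
        for adv in items:
            findings.append({
                "package": package,
                "cve": adv.get("cve") or "no CVE assigned",
                "title": adv.get("title", ""),
                "affected": adv.get("affectedVersions", ""),
                "link": adv.get("link", ""),
            })
    return findings


def format_findings(findings: list) -> str:
    """One line per finding, suitable for a CI log."""
    if not findings:
        return "composer audit: no known advisories for installed packages"
    lines = [f"composer audit: {len(findings)} advisory(ies) found"]
    for f in findings:
        lines.append(
            f"  {f['package']} ({f['affected']}): {f['cve']} - {f['title']} {f['link']}"
        )
    return "\n".join(lines)


def run_audit(project_dir: str = ".") -> str:
    """Run composer audit in project_dir and return the JSON report (stdout).

    The command exits non-zero when advisories exist, so check=True must not be
    used; the JSON on stdout is what we need either way.
    """
    proc = subprocess.run(
        ["composer", "audit", "--format=json", "--no-interaction"],
        cwd=project_dir, capture_output=True, text=True,
    )
    return proc.stdout


# Constructed sample report: placeholder package and advisory ids, not real data.
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "vendor/example-lib": [
            {
                "advisoryId": "PLACEHOLDER-ADVISORY-1",
                "packageName": "vendor/example-lib",
                "title": "Constructed advisory for demonstration",
                "cve": None,
                "link": "https://example.invalid/advisory/1",
                "affectedVersions": "<1.2.3",
            },
            {
                "advisoryId": "PLACEHOLDER-ADVISORY-2",
                "packageName": "vendor/example-lib",
                "title": "Second constructed advisory",
                "cve": "CVE-PLACEHOLDER",
                "link": "https://example.invalid/advisory/2",
                "affectedVersions": ">=2.0.0,<2.0.5",
            },
        ]
    }
})


def main(argv: list) -> int:
    """Exit 1 when any advisory is found, 0 otherwise (--sample uses SAMPLE_REPORT)."""
    report = SAMPLE_REPORT if "--sample" in argv else run_audit()
    findings = parse_audit_report(report)
    print(format_findings(findings))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with --sample to see the gate trip on the constructed report without Composer installed; in a real pipeline, run it without arguments from the project directory after composer install, since install does not audit on its own.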
Command, Package, and Option Completion
Command completion support is extended in Composer 2.4 to support completion for Composer commands, options, and even package names. Internally, Composer's completion depends on the Symfony Console library. At the moment, support is limited to Bash.
To configure Composer completion, run composer completion with no parameters. On supported platforms, Composer prints a completion script that should be placed in the directory from which the shell loads completion scripts. This setup also requires the bash-completion package to be installed:
For Debian/Ubuntu and similar systems
sudo apt install bash-completion
composer completion | sudo tee /etc/bash_completion.d/composer
For Fedora/RHEL and similar systems
sudo dnf install bash-completion
composer completion | sudo tee /etc/bash_completion.d/composer
For Windows/MacOS
Add the output of the composer completion command to the appropriate location (such as a file loaded by ~/.bashrc) where completion scripts are loaded when Bash is initialized.
Prompts to Install Packages with --dev
Composer provides require and require-dev sections to install packages. require packages are meant to be production dependencies, while require-dev packages are for testing, CI/CD, and other development dependencies.
Since Composer 2.4, attempting to install a package tagged as dev, testing, or static analysis without the --dev flag prompts the user to install the package as a require-dev dependency instead.
This is helpful to prevent accidentally installing test frameworks, static analyzers, code quality tools, etc. as production dependencies.
composer outdated command improvements
The composer outdated command, which lists outdated packages among the currently installed packages, received a face-lift in Composer 2.4. It now displays direct and transitive dependencies separately.
Additionally, the composer outdated command now supports a --major-only flag that lists only packages with an outdated major version. Composer already supports the --patch-only and --minor-only options to filter outdated packages by patch and minor versions.
Composer 2.4 adds numerous minor improvements as well:
- Improved signal handling: when Composer receives a SIGINT/SIGTERM/SIGHUP signal (such as SIGINT when the user presses Ctrl+C), Composer waits for any running external processes to terminate. Composer 2.4 can show the full output of the processes before it exits.
- The composer dump-autoload command supports --strict-psr to detect and fail if there are any files that do not follow the PSR-0/PSR-4 naming convention.
- composer r is added as an alias to composer require.
- Composer\Autoload\ClassMapGenerator is deprecated in favor of the new composer/class-map-generator package.
Trying Out Composer 2.4
Before Composer 2.4 is officially released, it is possible to try Composer 2.4 (or the latest version at the time) by upgrading to preview or snapshot versions of Composer:
composer self-update --snapshot

