Prevent composer update in production environments - composer-php

We've just had an issue where I work, and someone launched the composer update command on a production environment, thus causing some problems.
Is there a way to prevent any composer update and allow only composer install on a specific environment?

Related

Why does the recommended Drupal install method with Composer use dev for the stability flag?

I'm learning PHP Composer, and have run through several scenarios installing Drupal 8 with it. The most authoritative method I found for doing so is at drupal.org in this article.
It suggests the following command to do the initial install:
composer create-project drupal-composer/drupal-project:8.x-dev my_site_name_dir --stability dev --no-interaction
I read up on the stability flag, wondering if I am not understanding it correctly. The most authoritative documentation I found is in this article. If I am reading and understanding things correctly, dev stability means I am willing to accept dev packages as part of my install.
Am I understanding the flag correctly? Is the assumption here that I am running a dev environment only, but for production I'll use different parameters? As far as I know, I should not be using any dev packages on production servers... they don't even get security advisories.
Would love it if someone could give me a digest on what the correct logic in approaching stability is. And, if that doesn't make it obvious as to why dev is the default recommended stability, the reason why dev is suggested.
The --stability dev switch does not have any effect in this case, so I would guess this is some leftover from the old days (or the result of a lack of understanding of how stability flags work in Composer). In the composer.json of this project this setting is already defined:
"minimum-stability": "dev",
"prefer-stable": true,
The command explicitly uses the dev branch (8.x-dev), so --stability dev does not really do anything. And thanks to the prefer-stable setting it does not work as badly as you may think - Composer will install a dev version only for dependencies without stable releases (which seems to be only dev dependencies in this case).
But you shouldn't use this command for a production installation anyway, since it installs all dev dependencies. You should probably use something like this:
composer create-project drupal-composer/drupal-project:8.x-dev my_site_name_dir --no-dev --no-interaction
or call composer install --no-dev after project initialization.

Composer installation: global vs local

I have a new server, where multiple clients will host their webapps at. From Wordpress, to laravel, to simple html shizzle.
As you may know, Laravel requires Composer to be installed. This can be done locally, but also globally. I am wondering (if there are any) about the pros and cons.
Of course, you can run the global installation from anywhere. But can this be an issue for other development projects on the server, or are there security concerns for the global installation?
The disadvantages of using a globally installed composer are these:
you're likely using different versions along the development pipeline
you may end up with different results
Just as an example, in a project, we had composer.phar checked in and updated regularly, but we ran into problems when the version we used was already updated to be able to use the ^ operator, however, a different binary was used during deployment, unaware of that operator, and the deployment failed.
The safest bet is to use the same version of composer.phar along the development pipeline. Alternatively, as mentioned before, keep the globally installed composer regularly updated.
Since we usually use Makefiles in our projects, here's an example of what it looks like:
.PHONY: composer cs it test

it: cs test

composer:
	composer self-update
	composer validate
	composer install

cs: composer
	vendor/bin/php-cs-fixer fix --diff --verbose

test:
	vendor/bin/phpunit --configuration=test/Unit/phpunit.xml
	vendor/bin/phpunit --configuration=test/Integration/phpunit.xml
I would always suggest installing globally; it will be easier for you to manage, and you can easily keep it up to date.
In the other projects they will not need to clutter their project with a composer.phar file.

Laravel Installer method

Normally I install Laravel 5.1 with the following command, according to the documentation:
composer create-project laravel/laravel --prefer-dist
It works fine.
But I read in the documentation under "Via Laravel Installer" that it is also possible to install via the Laravel Installer, which is much faster than installing via Composer:
laravel new blog
But to use this method I need to run the following command once:
composer global require "laravel/installer=~1.1"
When I run it I get the following error many times:
Deprecation Notice: Composer\Package\Version\VersionParser::parseLinks
is deprecated. Use \Composer\Package\Loader\ArrayLoader::parseLinks()
instead in
phar://C:/ProgramData/Composer/bin/composer.phar/src/Composer/Package/Version/VersionParser.php:226
After many lines of the same error, ./composer.json has been updated appears and it continues with the same error lines; it ends with the following:
Loading composer repositories with package information
Updating dependencies (including require-dev)
Nothing to install or update
Generating autoload files
What is wrong with it? Any idea or solution?
My environment: Windows 10, GitBash and cmder console.
Update: I did run composer self-update as well.
EDIT:
Note, I can confirm after solving the issue that the installation via Laravel Installer method is faster than composer.
The Composer Assets Plugin you've installed locally is using a deprecated method of Composer. The plugin is already fixed, so run composer global update to get the latest versions with the bug fix. After it, you should be able to run the command successfully.
If this doesn't work (as you might get the same error running the previous command), try removing the global vendor directory. When running any global Composer command, it outputs something like "Changed current directory to XXX". Remove the XXX/vendor directory and then try running the command.
In addition to #WouterJ's answer.
Worst case, if the steps provided by #WouterJ did not work, you could uninstall and reinstall Composer for Windows.
When done, run composer global update to be sure to get the latest updates, if there are any.
Then run composer global require "laravel/installer=~1.1" and it should work.
Remember to update your Windows environment path with C:\Users\UserName\AppData\Roaming\Composer\vendor\bin

composer update on PROD server

There's always been a note in many Readmes of composer-based projects:
Never run composer update on production server
However, there are times that we want to run composer update on PROD servers to keep current (of course after a thorough test on local server). What's the best way to do that?
You should run this on the local server:
composer update
Next you should test the application and add composer.lock to the repository. And on the PROD server you should run
composer install
composer update checks whether there are any new versions of the packages available within the limits of the version constraints given. This will unconditionally install new packages if they are eligible. After that you have to test.
composer install will install whatever is mentioned in the lock file, and if the currently installed packages are not the ones mentioned there, they will get uninstalled or updated.
Of course you want to "update" the prod application. But to update the packages, you run composer install which will update the packages to the TESTED state in the lock file - not to an UNTESTED state because newer versions did appear after you tested.
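The workflow above (update and test locally, commit composer.lock, only composer install on PROD) is also what the first question on this page asks to enforce. The following is an added example, not code from any of the answers: a deployment-side wrapper that refuses lock-rewriting Composer commands when the host is marked as production, and refuses install when no lock file is present (Composer then resolves fresh versions instead of installing the tested set). The APP_ENV variable and the COMPOSER_BIN override are assumed conventions, not Composer features.

```shell
#!/usr/bin/env sh
# guarded_composer: run Composer, but in production allow only commands that
# respect the committed composer.lock. APP_ENV names the environment
# (hypothetical convention); COMPOSER_BIN points at the real binary.

guarded_composer() {
    env_name="${APP_ENV:-development}"
    composer_bin="${COMPOSER_BIN:-composer}"

    # First non-option argument is the subcommand (e.g. "composer -n install").
    subcommand=""
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;
            *)  subcommand="$arg"; break ;;
        esac
    done

    if [ "$env_name" = "production" ]; then
        case "$subcommand" in
            update|require|remove)
                # These rewrite composer.lock, i.e. they would put an untested
                # dependency set on the production host.
                echo "refusing 'composer $subcommand' in production: run it locally," \
                     "commit composer.lock, then deploy with 'composer install'" >&2
                return 1
                ;;
            install)
                if [ ! -f composer.lock ]; then
                    # Without a lock file Composer resolves dependencies anew,
                    # which is effectively an update.
                    echo "composer.lock missing: refusing to resolve dependencies on a production host" >&2
                    return 1
                fi
                ;;
        esac
    fi

    "$composer_bin" "$@"
}
```

Deploy scripts call guarded_composer install --no-dev --no-interaction in place of composer, so an accidental composer update on PROD fails fast instead of changing the tested dependency set.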

cloudControl - PHP: (temporarily) disable composer

I am happily developing a PHP app using Composer on cloudControl.
It's great how it is integrated into the deployment procedure.
However, there's no need for Composer to update on every deploy.
Is it possible to (temporarily) disable Composer, per deployment?
Thanks in advance.
I am not entirely familiar with how cloudControl integrated Composer, but ideally you should run composer update when you see fit, and then commit your composer.lock file, and they would run composer install on every deploy.
If you mean composer updating itself: right now the latest version of composer is downloaded on every push, unless you have one already. Just place the composer.phar file in your project directory and it will be used instead.