Composer fundamentals — composer.json, composer.lock, vendor/
Concept
Composer is PHP's dependency manager. It solves two problems: (1) downloading and installing third-party libraries from Packagist (or other registries), and (2) autoloading all classes (yours and third-party) so you never write a require statement manually.
How Composer works:
- You declare dependencies in
composer.json. composer installreadscomposer.json, resolves all dependencies (including transitive ones), downloads them tovendor/, and writescomposer.lock(the exact resolved versions).require 'vendor/autoload.php'— one line at the entry point registers the autoloader. Every class invendor/and your ownsrc/(if configured) is then automatically available.
Packagist.org: The default Composer package registry. Over 300,000 packages. Any package on Packagist can be installed with composer require vendor/package.
Global vs project-local: Composer can be run globally (/usr/local/bin/composer) or via ./composer.phar. Per-project (in vendor/) is the standard. Never commit vendor/ — it's regenerated from composer.lock.
PHP version requirement: composer.json can specify "require": { "php": "^8.2" } — Composer enforces this when installing on a server. Use composer check-platform-reqs to verify the current PHP meets all requirements.
Code Example
# Install Composer (get from getcomposer.org — not shown here)
# Create a new project
composer init
# Prompts for package name, description, license, dependencies
# Install a package
composer require illuminate/support:^10.0
# Adds to require{} in composer.json, installs to vendor/, updates composer.lock
# Install a dev-only package (not needed in production)
composer require --dev phpunit/phpunit:^10.0
composer require --dev phpstan/phpstan:^1.0
composer require --dev laravel/pint:^1.0
# Install all dependencies (from composer.lock)
composer install
# Use this in CI/CD and production — reproducible installs
# Update dependencies to latest allowed versions
composer update
# Updates composer.lock — do this intentionally, not automatically
# Remove a package
composer remove vendor/package
# Check outdated packages
composer outdated
# Verify platform requirements
composer check-platform-reqs
# Show installed packages and versions
composer show
composer show --tree # show dependency tree
# Dump (regenerate) autoloader without installing
composer dump-autoload --optimize # production: generate classmap
# Run scripts defined in composer.json
composer run-script test
composer run-script lint<?php
// Entry point (public/index.php or bootstrap/app.php)
require __DIR__ . '/../vendor/autoload.php';
// After this, ALL classes in vendor/ and your PSR-4 mapped src/ are autoloaded
// No manual require() needed anywhere
use GuzzleHttp\Client;
$client = new Client(); // works automatically