156

I'm beginning using composer, I know so little about it and have a little experience with web application development.

I just walk through Nettuts+ Tutorial, so I have basic question about composer.

{
  "require": {
    "laravel/framework": "4.0.*",
    "way/generators": "dev-master",
    "twitter/bootstrap": "dev-master",
    "conarwelsh/mustache-l4": "dev-master"
  },
  "require-dev": {
    "phpunit/phpunit": "3.7.*",
    "mockery/mockery": "0.7.*"
  },
  "autoload": {
    "classmap": [
      "app/commands",
      "app/controllers",
      "app/models",
      "app/database/migrations",
      "app/database/seeds",
      "app/tests/TestCase.php"
    ]
  },
  "scripts": {
    "post-update-cmd": "php artisan optimize"
  },
  "minimum-stability": "dev"
}
  1. Whatever appears in "require-dev" part, will only be downloaded and installed with composer install --dev?
  2. I read some of composer's documentation but still don't understand what is the reason we have "require-dev" part? Is it because of we want to get specific version of the package rather always getting the latest stable version?
localheinz
  • 9,179
  • 2
  • 33
  • 44
Artisan
  • 4,042
  • 13
  • 37
  • 61
  • 1
    Related: https://stackoverflow.com/q/16679589/82216 –  May 22 '18 at 17:01
  • Does this answer your question? [What are the differences between composer update and composer install?](https://stackoverflow.com/questions/33052195/what-are-the-differences-between-composer-update-and-composer-install) – slier Dec 29 '22 at 04:54

6 Answers6

212

Different Environments

Typically, software will run in different environments:

  • development
  • testing
  • staging
  • production

Different Dependencies in Different Environments

The dependencies which are declared in the require section of composer.json are typically dependencies which are required for running an application or a package in

  • staging
  • production

environments, whereas the dependencies declared in the require-dev section are typically dependencies which are required in

  • developing
  • testing

environments.

For example, in addition to the packages used for actually running an application, packages might be needed for developing the software, such as:

  • friendsofphp/php-cs-fixer (to detect and fix coding style issues)
  • squizlabs/php_codesniffer (to detect and fix coding style issues)
  • phpunit/phpunit (to drive the development using tests)
  • etc.

Deployment

Now, in development and testing environments, you would typically run

$ composer install

to install both production and development dependencies.

However, in staging and production environments, you only want to install dependencies which are required for running the application, and as part of the deployment process, you would typically run

$ composer install --no-dev

to install only production dependencies.

Semantics

In other words, the sections

  • require
  • require-dev

indicate to composer which packages should be installed when you run

$ composer install

or

$ composer install --no-dev

That is all.

Note Development dependencies of packages your application or package depend on will never be installed

For reference, see:

localheinz
  • 9,179
  • 2
  • 33
  • 44
  • Do I understand correctly, that it doesn't matter at all if I "deploy" by uploading the whole `vendor` folder via FTP? – pilat Mar 06 '18 at 08:47
  • 2
    @pilat You can, but make sure to install with `—no-dev`. Also, FTP will probably be quite slow. – localheinz Mar 06 '18 at 08:50
  • How about dependencies that you need to build your application, only? So, in a build and deploy pipeline, I would like to install them for building and then removing them again before deploying. E.g. for minification, or turning LESS/SASS into css. How would you do that? – Richard Kiefer Nov 28 '19 at 11:49
  • 1
    @RichardKiefer Some people use https://phar.io, others check in PHARs, yet others use Docker images, and also some people use a separate `composer.json` - see for example https://github.com/FriendsOfPHP/PHP-CS-Fixer/tree/2.16/dev-tools. – localheinz Nov 30 '19 at 00:06
63

  1. According to composer's manual:

    require-dev (root-only)

    Lists packages required for developing this package, or running tests, etc. The dev requirements of the root package are installed by default. Both install or update support the --no-dev option that prevents dev dependencies from being installed.

    So running composer install will also download the development dependencies.

  2. The reason is actually quite simple. When contributing to a specific library you may want to run test suites or other develop tools (e.g. symfony). But if you install this library to a project, those development dependencies may not be required: not every project requires a test runner.

Jeff Puckett
  • 37,464
  • 17
  • 118
  • 167
Florent
  • 12,310
  • 10
  • 49
  • 58
22

From the composer site (it's clear enough)

require#

Lists packages required by this package. The package will not be installed unless those requirements can be met.

require-dev (root-only)#

Lists packages required for developing this package, or running tests, etc. The dev requirements of the root package are installed by default. Both install or update support the --no-dev option that prevents dev dependencies from being installed.

Using require-dev in Composer you can declare the dependencies you need for development/testing the project but don't need in production. When you upload the project to your production server (using git) require-dev part would be ignored.

Also check this answer posted by the author and this post as well.

Community
  • 1
  • 1
The Alpha
  • 143,660
  • 29
  • 287
  • 307
  • 3
    Please explain me why "way/generators": "dev-master" is in the "require" section?, I wouldn't need it in the production anymore. – Artisan Oct 01 '13 at 19:24
  • 1
    This is a total guess, but the only thing I can think of is that because way/generators gets added as a service provider, if it's missing within the production environment, Laravel won't work. – Daniel Hollands Dec 21 '13 at 19:57
  • 2
    The part *The dev requirements of the root package are installed by default* clearly states that the depencies from require-dev are installed, even on the production server. – Gemmu Feb 19 '15 at 07:04
  • 3
    The idea is that you'd use the --no-dev flag on production. – John Pancoast Apr 21 '15 at 17:51
4

require section This section contains the packages/dependencies which are better candidates to be installed/required in the production environment.

require-dev section: This section contains the packages/dependencies which can be used by the developer to test her code (or to experiment on her local machine and she doesn't want these packages to be installed on the production environment).

Community
  • 1
  • 1
Khuram
  • 1,820
  • 1
  • 26
  • 33
2

General rule is that you want packages from require-dev section only in development (dev) environments, for example local environment.

Packages in require-dev section are packages which help you debug app, run tests etc.

At staging and production environment you probably want only packages from require section.

But anyway you can run composer install --no-dev and composer update --no-dev on any environment, command will install only packages from required section not from require-dev, but probably you want to run this only at staging and production environments not on local.

Theoretically you can put all packages in require section and nothing will happened, but you don't want developing packages at production environment because of the following reasons :

  1. speed
  2. potential of expose some debuging info
  3. etc

Some good candidates for require-dev are : 

"filp/whoops": "^2.0",
"fzaninotto/faker": "^1.4",
"mockery/mockery": "^1.0",
"nunomaduro/collision": "^2.0",
"phpunit/phpunit": "^7.0"

you can see what above packages are doing and you will see why you don't need them on production.

See more here : https://getcomposer.org/doc/04-schema.md

fico7489
  • 7,931
  • 7
  • 55
  • 89
1

Note the require-dev (root-only) !

which means that the require-dev section is only valid when your package is the root of the entire project. I.e. if you run composer update from your package folder.

If you develop a plugin for some main project, that has it's own composer.json, then your require-dev section will be completely ignored! If you need your developement dependencies, you have to move your require-dev to composer.json in main project.

Orkan
  • 76
  • 4
  • Thanks and that is exactly the answer that I was looking for. In short, it require-dev dependencies to be installed if you are DEVELOPING the library that you are installing, not your project, i.e. if your project is or is not in production and you install a library, then it doesn't install require-dev. Now, if you install a project instead of a library, then require-dev is used. – magallanes Mar 12 '23 at 11:27