Composer is a tool for dependency management in PHP. Declare what libraries a project depends on and Composer will manage (install/update) them for you.

Composer is not a package manager like Yum or Apt are. Yes, it deals with “packages” or libraries, but it manages them on a per-project basis, installing them in a directory (e.g. vendor) inside your project in a JSON file called composer.json. By default, it does not install anything globally. Thus, it is a dependency manager. It does however support a “global” project for convenience via the global command.

This idea is not new and Composer is strongly inspired by Node’s npm and Ruby’s Bundler.

How Composer Works

Composer puts these three things in the root directory of a project:

  • composer.js, a file listing the dependencies specified for the project.
  • composer.lock, a file listing the specific versions of all dependencies actually downloaded and used in the project.
  • vendor, the directory where all the libraries Composer has downloaded for the project are stored.

The composer.json file along with composer.lock are the only two files needed to integrate composer into a project. composer.json describes the dependencies of a project and may contain other metadata like the project name and version among other things.

Running composer install from the project root directory resolves all dependencies listed in the composer.json file and downloads the latest version of their files into the vendor directory in the project.

When Composer has finished installing, it writes all of the packages and the exact versions of them that it downloaded to the composer.lock file, locking the project to those specific versions.

Running composer update from the project root directory will fetch the latest matching versions of all dependencies listed in composer.json, resolve and download any new files, and update the composer.lock file with the new versions.

Install Composer on MacOS

To run Composer easily on the command line it needs to be in a directory mentioned in the PATH variable. Install Composer into the home directory first, and then move it (the composer.phar file) to the /usr/local/bin directory.

  • Change to the current users home directory.
cd ~/
  • Download the installer file composer-setup.php into the current users home directory.
php -r "copy('', 'composer-setup.php');"
  • Verify the installer SHA-384.
php -r "if (hash_file('sha384', 'composer-setup.php') === '756890a4488ce9024fc62c56153228907f1545c228516cbf63f885e036d37e9a59d27d63f46af1d4d07ee0f76181c7d3') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
  • Run the installer. The script will check some php.ini settings, warn you if they are set incorrectly, and then download the latest composer.phar into the current directory.
php composer-setup.php
  • Remove the installer file composer-setup.php.
php -r "unlink('composer-setup.php');"
  • Move the composer.phar file to the /usr/local/bin directory and rename it to simply composer.
mv composer.phar /usr/local/bin/composer
  • Run composer to test installation.
  / ____/___  ____ ___  ____  ____  ________  _____
 / /   / __ \/ __ `__ \/ __ \/ __ \/ ___/ _ \/ ___/
/ /___/ /_/ / / / / / / /_/ / /_/ (__  )  __/ /
\____/\____/_/ /_/ /_/ .___/\____/____/\___/_/
Composer version 2.0.12 2021-04-01 10:14:59


Packagist is the main Composer repository, a place where you can get packages. Packagist aims to be the central repository that everybody uses. This means that you can automatically require any package that is available there, without further specifying where Composer should look for the package.

Any open source project is encouraged to publish their packages on A library does not need to be on to be used by Composer, but it enables discovery and adoption by other developers more quickly.

Start a New Project

To start a brand new project with Composer use the require command in Terminal from the project root directory to install the first package dependency for the project. Using require on the command line to get the first package will automatically create the composer.json and composer.lock files, as well as the vendor directory (containing the downloaded package files).

The new composer.json file can then be manually edited and updated.

Using the require command again in the root of the project to get another package will automatically update the composer.json and composer.lock files.

  • Create a directory to hold the project.
mdkdir my_app
  • Change to the root directory of your project.
cd my_app
  • From the root directory of your project install the Amazon Web Services SDK dependency into the project:
composer require aws/aws-sdk-php

After running the require command, Composer downloads the files for the AWS SDK as well as any dependencies it may have. Composer will create three things in your project root directory:


  • Ignore the vendor directory in version control. All third part code can be downloaded by Composer directly on the server where the project is deployed, simplifying the repository.
  • Track both the composer.json and composer.lock files for the project in version control.