Composer & Autoloading
Manage PHP dependencies with Composer, PSR-4 autoloading, and semantic versioning.
Composer Basics
Composer installs packages into vendor/ from packagist.org. composer.json declares requirements; composer.lock pins exact versions for reproducible installs.
Run composer install in CI and production; run composer update locally to refresh the lock file within the constraint ranges.
The autoload section maps namespaces to directories via PSR-4. Run composer dump-autoload after adding classes.
- Commit composer.lock to version control
- Use composer audit for security advisories
- Prefer caret constraints ^ for compatible updates
{
    "require": { "php": "^8.2", "guzzlehttp/guzzle": "^7.8" },
    "autoload": { "psr-4": { "App\\": "src/" } }
}

PSR-4 and Class Loading
PSR-4 maps Vendor\Package\Class to the path Vendor/Package/Class.php relative to the autoload roots. Namespace prefixes must end with a namespace separator in composer.json.
Classmap autoloading suits legacy code without namespaces. The files autoload type requires an explicit file list; avoid it except for bootstrap code.
Optimize the autoloader with --optimize --classmap-authoritative in production containers.
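To make the prefix rule concrete, the following added example (not Composer's own loader and not code from this page) resolves class names against the App\ and Database\Factories\ prefixes from this section's autoload fragment, then shows what goes wrong when a prefix lacks the trailing separator. The function names and sample class names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: a simplified PSR-4 resolver, not Composer's own loader.
// The map mirrors this section's autoload fragment; sample class names
// and the function names are constructed for illustration.
const PSR4_MAP = [
    'App\\' => 'app/',
    'Database\\Factories\\' => 'database/factories/',
];

/** Return one error per prefix that lacks the trailing separator. */
function validatePrefixes(array $map): array
{
    $errors = [];
    foreach (array_keys($map) as $prefix) {
        if (!str_ends_with($prefix, '\\')) {
            $errors[] = "prefix '{$prefix}' must end with a namespace separator";
        }
    }
    return $errors;
}

/** Map a fully qualified class name to a relative file path, or null. */
function resolveClass(string $class, array $map): ?string
{
    $class = ltrim($class, '\\');
    // Try the longest prefix first so the most specific mapping wins.
    uksort($map, fn ($a, $b): int => strlen($b) <=> strlen($a));
    foreach ($map as $prefix => $dir) {
        if (!str_starts_with($class, $prefix)) {
            continue; // prefix match is case-sensitive
        }
        $relative = str_replace('\\', '/', substr($class, strlen($prefix)));
        return rtrim($dir, '/') . '/' . $relative . '.php';
    }
    return null;
}

foreach (['App\\Models\\User', 'Database\\Factories\\UserFactory', 'Application\\Kernel'] as $class) {
    printf("%-34s -> %s\n", $class, resolveClass($class, PSR4_MAP) ?? '(no mapping)');
}

// A prefix without the separator also claims unrelated namespaces.
$broken = ['App' => 'app/'];
echo implode("\n", validatePrefixes($broken)), "\n";
echo resolveClass('Application\\Kernel', $broken), "\n";
```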
- Match namespace to folder structure exactly
- Run dump-autoload -o after deploy
- Use scripts.post-autoload-dump for code generation hooks
"autoload": {
    "psr-4": {
        "App\\": "app/",
        "Database\\Factories\\": "database/factories/"
    }
}

Publishing and Private Packages
Publish libraries by registering packages on Packagist or private Satis/Artifact repositories. Tag releases with semver git tags.
Use path repositories for local development of multiple packages monorepo-style.
The platform PHP version set in the config section of composer.json prevents installing on unsupported runtimes.
- Document minimum PHP extensions in README
- Sign releases and verify checksums for internal packages
- Separate require-dev tools from production require