Composer: an update on require-dev

Update: the install command now also defaults to --dev, read more about the rationale

Using require-dev in Composer you can declare the dependencies you need for development/testing. It works in most simple cases, but when the dev dependencies overlap with the regular ones, it can get tricky to handle. In too many cases it also tends to just fail at resolving dependencies with quite strange error messages.

Since this was quite unreliable, I set out to rework the whole feature this week-end. The patch has been merged, and it fixes six open issues which is great. The short story there is that it now does things in one pass instead of two before, so it should be faster and a lot more reliable. Also dev dependencies can now impact the non-dev ones without problems since it's all resolved at once.

Workflow changes

I took the chance to change another thing while I was at it. The update command now installs dev requirements by default. This makes sense since you should only run it on dev environments. No more update --dev, the dev flag is now implicit and if you really don't want these packages installed you can use update --no-dev instead.

The install command on the other hand remains the same. It does not install dev dependencies by default, and it will actually remove them if they were previously installed and you run it without --dev. Again this makes sense since in production you should only run install to get the last verified state (stored in composer.lock) of your dependencies installed.

I think this minor change in workflow will simplify things for most people, and I really hope it doesn't break any assumptions that were made in third party tools.

March 03, 2013 // PHP

Post a comment

Subscribe to this RSS Feed Comments

2013-03-04 09:47:47


This should be quite helpful with CI (ie. travis) setups. However the change to default that "update" is now "update --dev" will probably require some adjustments.

2013-03-04 09:48:29

Ismael Ambrosi

Big improvement! Thanks!

2013-03-04 09:54:53


cool, thanks a lot. i think it makes sense. the --dev dependencies of vendors are never resolved anyways, so you do install just dev of whatever you are currently updating.

does this mean that now the .lock file will usually also lock the dev dependencies, but "install" will not install them unless i explicitly tell --dev? that would be great for developping.

2013-03-04 10:47:57


@david: Yes that's essentially it. update installs everything, and then when it's done it will split the installed stuff in dev and non-dev requirements and store those separately in the lock file. Then install will load one or both depending on the --dev flag.

2013-03-04 10:49:57


Hello. Thanks for theses improvment.

But IMO, something is wrong: If I ran "composer update --dev" and there is no dev dependency, I got that:

The lock file does not contain require-dev information, run install without --dev or run update to install those packages.

2013-03-04 11:53:00


@Greg I don't quite see how this is possible if you ran update. If you run install yes, but then the error message is explaining what to do. In any case if you can reproduce it please report an issue on github.

2013-03-04 13:20:20


OK, I figured out what's happend. It was an "old" composer.lock. Thanks.

2013-03-04 14:30:54


Great. Thank you.

2013-03-06 00:41:21


i grew accustomed to update --dev, because that is how you keep composer from removing your deps on require-dev key.

Good job Jordi!


2013-03-20 13:18:48


Thanks a lot for that Jordi.