What is meant by dependencies in PHP

Using the Composer development / production switch, how can I correctly deploy?

Composer has the ability to load multiple dependencies only during development so that the tools are not installed in production (on the live server). This is very handy (in theory) for scripts that only make sense in development, like tests, fake data tools, debuggers, etc.

The way to go is to add an extra block with the tools you'll need in dev:

and then (theoretically) load these dependencies over

Problem & Question:

Composer changed the behavior of and dramatically in 2013. Dependencies are now installed by default (!). You can also create a composer.json with a block and do a replica.

The most accepted way of providing is to push the composer. Lock you (which includes your current Composer setup), then run one on the production server. This will also install the development material.

What is the correct way to provide this without the -dev dependencies to to install?

Note: I'm trying to do a canonical Q / A here to illustrate the weird Composer deployment. Feel free to edit this question.



There is a good reason I think Composer uses the flag by default (when installing and nowadays update). Most of the time, Composer runs in scenarios where this is desired:

The basic workflow for Composer is as follows:

  • A new project is started:, json and lock files are committed to VCS.
  • Other developers start working on the project: checking out VCS and.
  • A developer adds dependencies: add if you want the package in section (and commit).
  • Others go with: (cash register and).
  • A developer wants newer versions of dependencies: (and commit).
  • Others go with: (cash register and).
  • Project is provided:

As you can see, the flag is used (far) more than the flag in use, especially as the number of developers working on the project increases.

Production deployment

What's the correct way to deploy this without installing the "dev" dependencies?

Well the and file should be passed to VCS. Don't skip as it contains important information about package versions that should be used.

If you're doing a production deployment, you can pass the flag to Composer:

The file may contain information about development packages. It does not matter. The flag ensures that these development packages are not installed.

When I say "production deployment" I mean a deployment that is targeted for use in production. I'm not arguing about whether to do a on a production server or on a staging server where things can be checked. That is not the scope of this answer. I'm just pointing out how to do it without installing "dev" dependencies.


The flag can also be desirable in production (it generates a class map that speeds up automatic loading in your application):

Or when auto provisioning is complete:

If your code base supports it, you could swap for. More information here

Actually, I would strongly recommend against installing dependencies on the production server.

I recommend checking out the code on a deployment machine, installing dependencies as needed (this includes NOT installing development dependencies when the code goes into production), and then moving all of the files to the target machine.


  • With shared hosting, you might not be able to access a command line
  • Even if you did, PHP may be restricted there in terms of commands, memory, or network access
  • Repository CLI tools (git, svn) will likely not be installed. This would fail if your lock file recorded a dependency to check out a particular commit, instead of downloading that commit as a ZIP (you used --prefer-source or composer, no other way to get that version)
  • If your production machine looks more like a small test server (think of an Amazon EC2 microinstance), you probably don't even have enough memory installed to run
  • While Composer is trying not to solve any problems, how do you find it to end up with a partially broken production website because it was unable to load random dependencies during the Composers installation phase?

Long story short, use Composer in an environment you can control. Your development machine is qualified because you already have all of the features required to run Composer.

What's the right way to deploy this without installing the -dev dependencies?

The command to use is

This works in any environment, be it on the production server itself, or on a staging machine, or on the development machine doing one final check to see if a development request for the real software is being misused.

The command does not install or uninstall the development requirements declared in the composer.lock file.

If you don't mind deploying development software components on a production server, running it would do the same job but simply increase the number of bytes shifted and also create a larger autoloader declaration.

Now is activated by default, for local development you can do without the option.

If you plan to deploy to production, you need to make sure that there are no packages that they came from.

You can do this with

Once you've tested locally, you can deploy everything to production and install it based on that. You need the option here again, otherwise the composer says "The lock file does not contain required development information" .

Note: Be careful of anything that can lead to differences between developer and production! I generally try to avoid require-dev wherever possible, since including dev tools isn't a huge hassle.

On production servers, I call on, and during deployment, two vendors will have dirs.

An HTTP cookie causes my system to select the new provider and after testing I completely atomically / instantly toggle between them to disable the old provider directory for any future requests. A few days later I delete the previous directory.

This avoids problems caused by filesystem caches that I use in Apache / PHP, and also allows active PHP code to continue to use the previous manufacturer directory.

Despite other recommendations that speak against it, I personally run on the server as this is faster than rsync in my staging area (a VM on my laptop).

I use . You should read the documents for each document to verify that it is appropriate for your environment.

I think it is better to automate the process:

Add the composer.lock file to your Git repository and make sure you have Use composer.phar install --no-dev when sharing, but dev machine you can use any composer command without hesitation. This does not go into production. Production bases its dependencies on the lock file.

On the server, check out that particular version or label and run any tests before replacing the app. If the tests are successful, continue with the deployment.

If the test depends on development dependencies, since Composer does not have a test area dependency, a not very elegant solution could run the test with the development dependencies ( composer.phar install ), remove the manufacturer library and composer.phar install to execute. -no-dev again, this uses cached dependencies so is faster. However, this is a hack if you know the concept of areas in other build tools

Automate that and forget the rest, have a beer :-)

PS .: As in the following comment on @Sven, it is not a good idea not to check out the composer.lock file, as this will make the Composer installation work as a Composer update.

You can do this automation with http://deployer.org/. It's a simple tool.

We use cookies and other tracking technologies to improve your browsing experience on our website, to show you personalized content and targeted ads, to analyze our website traffic, and to understand where our visitors are coming from.

By continuing, you consent to our use of cookies and other tracking technologies and affirm you're at least 16 years old or have consent from a parent or guardian.

You can read details in our Cookie policy and Privacy policy.