It seems "composer update nothing" is an undocumented feature.
I found several blog posts and GH issues mentioning it, but I haven't found this documented at https://getcomposer.org/doc/03-cli.md#update

Blog post example:
http://www.lornajane.net/posts/2016/handling-composer-lock-file-out-of-date-warning

GH issue example:
composer/composer#1751

I was wondering if it should not be documented as it is deprecated feature or something.

The logo is very clearly a conductor, not a composer. He is holding a baton and appearing to be flailing his arms in a typical fashion during a performance, which a composer would not do while composing music. I feel this is deceiving to those with musical backgrounds and should be corrected, unless the project name can be changed.

For instance:

$ curl -s http://getcomposer.org/installer | php

!/usr/bin/env php

Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The detect_unicode setting must be disabled.
Add the following to the end of your php.ini: detect_unicode = Off

You config file can be found here:
/etc/php.ini.default

How do I use it, in other words?

When I install Composer on the snapshot channel using the installer:

composer-install --snapshot

and then update Composer with:

composer.phar self-update

it updates to the latest stable version. I would expect to keep the channel I've used on the installer, the same way Composer keeps the channel once you've selected one on the self-update command.

Subject.

Right now, I have multiple tabs open for getcomposer.org to read through the documentation. Each tab simply says "Composer" and I have no way of knowing which tab is which without clicking through each tab. This burns time that could be better spent reading the good documentation.

this really simple patch fixes getSystemCaRootBundlePath() on OpenBSD.

--- installer.orig      Thu Sep 25 15:20:30 2014
+++ installer   Thu Sep 25 15:20:37 2014
@@ -783,6 +783,7 @@
             '/opt/local/share/curl/curl-ca-bundle.crt', // OS X macports, curl-ca-bundle package
             '/usr/local/share/curl/curl-ca-bundle.crt', // Default cURL CA bunde path (without --with-ca-bundle option)
             '/usr/share/ssl/certs/ca-bundle.crt', // Really old RedHat?
+            '/etc/ssl/cert.pem', // OpenBSD
         );

         $found = null;

Having some stats on usage would be nice.

Shouldn't we be tagging a new release for each new version? For example, my expectation would be a tag of 1.4.2 for the latest stable release.

getcomposer.org/blob/master/web/installer implies that it must be distributed with a LICENSE file, but it is not located in this repo.

I think the recommended installation method should be to install Composer globally.

1. It's the only working option on Windows.
2. That's what other package managers do (e.g. npm and gem).
3. This provides better command lines (composer install instead of php composer.phar install).

Problem

Some libraries often provide 'installation instructions' that are easy to copy-paste, but are made for people with local installations. That's no good for global-lovers who need to manually edit each command.

On the other side, if all commands were in form of composer (anything), one with local installation could just alias composer=php composer.phar and execute these commands just as is.

Hello.

Could you create a standalone component / library with the following code: https://github.com/composer/getcomposer.org/blob/master/src/controllers.php#L90-L179

I need it in another project

For now, I copy / paste this code, but it could be great to have a standalone library.

BTW, I had to add $dom->loadHtml('<?xml encoding="UTF-8">'.$body); (https://github.com/carew/plugin-toc/blob/master/TocEventSubscriber.php#L32)

Thanks for considering this issue.

Please sign composer.phar with a PGP key, publish the key ID and signature, and update the documentation to encourage verifying the .phar before blindly piping to the PHP interpreter.

https://getcomposer.org/composer.phar
https://getcomposer.org/composer.phar.asc <- signature should go here

See also: https://defuse.ca/triangle-of-secure-code-delivery.htm by @defuse

On the page: https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#security, under the heading Security, the second example is described as (emphasis mine):

Example using HTTP over SSL using a client certificate

I think it would be much clearer to the general public if HTTP over SSL was replaced by SSL/TLS (HTTPS):

Example using SSL/TLS (HTTPS) with a client certificate

I was playing around with building a composer rpm with jenkins for my own use when I came across some warnings. It's an easy fix so I'll submit a pull request.

+ curl -Ss https://getcomposer.org/installer
+ php
X-Powered-By: PHP/5.5.25
Content-type: text/html

#!/usr/bin/env php
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>21</b><br />
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>22</b><br />
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>23</b><br />
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>24</b><br />
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>25</b><br />
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>32</b><br />
<br />
<b>Warning</b>:  in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>34</b><br />
<br />
<b>Warning</b>:  Invalid argument supplied for foreach() in <b>-</b> on line <b>46</b><br />
All settings correct for using Composer
Downloading...

I noted that there quite a few instances where people have errant PHPRC variables in their Windows Environment path (from older PHP installs).

A quick note about "If the installer errors multiple times with the message Entry Point Not found for X then check your PHPRC Path in your environment variables points to your ACTUAL PHP install" would probably be helpful.

:) Many thanks

The http://getcomposer.org/versions URL is using application/octet-stream content type instead of application/json. This results in browser attempting to download this page instead of showing formatted JSON response.

The page responds JSON now:

{
    "stable": [{"path": "/download/1.0.0/composer.phar", "version": "1.0.0", "min-php": 50300}],
    "preview": [{"path": "/download/1.0.0/composer.phar", "version": "1.0.0", "min-php": 50300}],
    "snapshot": [{"path": "/composer.phar", "version": "40c14709f79f9d7ea35ac969cfbd7f41beb525bb", "min-php": 50300}]
}

Composer/Package/Loader/ArrayLoader.php uses ctype_digit, but ctype is not a dependency (like json and phar) in web/installer

The documentation should make clear that dependencies in require-dev cannot overwrite any decisions resulting from resolving "require". That also means that if a "require-dev" package is incompatible with a version of a package in the "require" step, the resolution will fail with an error. This is done so that install/install -dev are consistent except for dev packages.

I've been trying to work through the ZF2 tutorial on my WAMP server. Any composer operation which involves downloading is just failing at the packages.json level. For example here is me running the create-project composer instructions given on Zend's site. This code works on Linux, so the repo is correct and working, but just not on Windows. That "w" character changes every time and has been random utf8 characters for the most part.

E:\wamp\www>composer create-project --repository-url="https://packages.zendframe
work.com" -s dev zendframework/skeleton-application ZF2Tutorial

[Seld\JsonLint\ParsingException]
"https://packages.zendframework.com/packages.json" does not contain valid J
SON
Parse error on line 1:
w{ "packages": {
^
Expected one of: 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '['

create-project [-s|--stability="..."] [--prefer-source] [--prefer-dist] [--repos
itory-url="..."] [--dev] [--no-dev] [--no-custom-installers] [--no-scripts] [--n
o-progress] [--keep-vcs] [package] [directory] [version]

We should look at having redundant composer.org sites and include the paths in the composer.phar.

I'm in a network behind a proxy, so I need to set the proxy info on my environment. I've exported HTTP_PROXY full path (including user & pass) in ~`/.bashrc. The variable is set correctly. Running next line:

$ curl -sS https://getcomposer.org/installer| php

I'm getting...

Some settings on your machine may cause stability issues with Composer.
If you encounter issues, try to change the following:

Your PHP (5.3.3) is quite old, upgrading to PHP 5.3.4 or higher is recommended.
Composer works with 5.3.2+ for most people, but there might be edge case issues.

Downloading...
Download failed: file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: Cannot connect to HTTPS server through proxy
Downloading...
Download failed: file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: Cannot connect to HTTPS server through proxy
Downloading...
Download failed: file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: Cannot connect to HTTPS server through proxy
The download failed repeatedly, aborting.

But next line is successful

$ curl -sS https://getcomposer.org/installer | php -- --disable-tls

This allows to use "composer" directly instead of "php composer.phar".

A prototype .bat file can be found here:
https://gist.github.com/29323e3f69034930ccbd

This also works with composer's "self-update" command.

To allow HTTP clients determine the length of the composer.phar file and display a realistic progress bar, the URL http://getcomposer.org/composer.phar should return a Content-Length header.

I think it'd be really slick to have a page on the site that explains where Composer came from, when it was founded and what the original ideas/philosophy is behind it.

I looked for a Wikipedia article on Composer and I couldn't find one, maybe it's more appropriate for this type of information to be on the wikipedia, however, I'm not even sure what the history of composer is. :)

Thanks!

For easy copy & pasting we should put $ curl -s http://getcomposer.org/installer | php back on the front page.

To get Composer works on Gentoo, PHP must be compilated with USE="-curlwrappers".

Blocked by #76 and a separate issue entirely.

This can be accomplished with openssl_verify() and a pinned (read: hard-coded) RSA public key. Assuming the installer's signature was successfully verified with PGP, we can trust the pinned public key to be valid and therefore transitively assure the security of the .phar

Just noticed this issue, it's not a big deal, but interesting.

When performing a GET request to https://getcomposer.org/composer.phar, the Last-Modified header does not reflect the actual time at which the phar version changed. For example, I get these response headers (truncated for brevity):

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Mar 2015 08:27:33 GMT
Last-Modified: Thu, 05 Mar 2015 08:20:08 GMT

But the actual version of Composer that I receive is much older:

$ composer --version
Composer version 1.0-dev (26799f4244a14050ec015323af9fa83b0a66436d) 2015-03-04 23:50:10

I assume that the last modified time of composer.phar keeps changing because it's being updated via a scheduler/cron, rather than when a new commit is pushed.

This unfortunately means that when performing a conditional GET with the If-Modified-Since header, I'm almost always being sent a whole new file, instead of a 304 Not Modified response.

This issue could probably be solved in a couple of ways:

1. Change whatever is updating composer.phar so that it doesn't update the file modified time unless there is an actual change.
2. Supply an ETag header when composer.phar is requested.

I suppose fixing it could potentially save you some bandwidth cost, too.

If you're wondering how I came across the issue, I was writing a script to easily update all of my tools (composer, phpunit, php-cs-fixer, etc.), and I was taking advantage of If-Modified-Since to download each tool only if it actually had updates. Composer was the only tool that misbehaved in this manner.

In building some php docker containers for drupalci, we had composer install via the automated method, but we didnt install git. Without git there were some functions that worked fine from outside the container but broke inside the container (figuring out the version of drupal from the branch name).

Anyhow, would be nice if the installer threw a warning or something that said "git's not required, but its a good idea"

I got a 404 http error on link https://getcomposer.org/book.pdf

https://getcomposer.org/doc/01-basic-usage.md#package-versions

source:

`>=1.0` `>=1.0,<2.0` `>=1.0,<1.1 | >=1.2`

| is not be escaped, so it will be parsed to table structure.

@Seldaek wrote some blog posts about Composer on the Nelmio blog a while ago. I would be good to add a link from the composer website. Currently, some user don't understand the concept of the lock file (see the mailing-list) whereas one of the posts was dedicated to this subject (or maybe only planned and not written, I'm not sure).

Composer's Phar should be downloaded from a secure channel SSL/TLS

httpS://getcomposer.org/installer

This just started today and I am hoping that someone can help fix this or at least point me in the correct direction. I have installed composer and WAMP on a few Windows machines without issue.
I have a new Windows 7 computer. I have installed the default settings of WAMP 64 bit with Apache 2.4.
I have added the following to the httpd.conf file:
AcceptFilter http none
AcceptFilter https none

I intalled git.
I intalled composer
I used the git clone to download Laravel.
I copied the composer.phar to the laravel installation directory.
When I run the command php composer install I get the error below.
When I run the command composer install I get the error below.
When I run the command php composer.phar install I get the same error as composer install returns to me.
when I run the command composer diag I get the same error as composer install returns to me.

Does anyone have a clue what this is? I have tried to look up both errors with no results. I have tried to download the previous alpha versions of the composer.phar file and they all do the same thing. I have tested the version calls to ensure that git, composer and php are all working properly. Can someone perhaps attach their working composer.phar if the forum allows it? I have uninstalled and reinstalled composer multiple times. I have installed and reinstalled laravel multiple times as well just in case.

COPY AND PASTE FROM COMMAND LINE
c:\wamp\l4beta5>php -v
PHP 5.4.3 (cli) (built: May 15 2012 01:01:59)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans

c:\wamp\l4beta5>git --version
git version 1.8.1.msysgit.1

c:\wamp\l4beta5>composer --version
Composer version 0209bd31a0ac3aeb2a68fc81e2d03c71072bef33

c:\wamp\l4beta5>php composer install
Could not open input file: composer

c:\wamp\l4beta5>composer install

[Seld\JsonLint\ParsingException]
"c:\wamp\l4beta5\composer.phar" does not contain valid JSON
Parse error on line 1:
#!/usr/bin/env php<
^
Expected one of: 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '['

install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-c
ustom-installers] [--no-scripts] [--no-progress] [-v|--verbose] [-o|--optimize-a
utoloader]

I copy the docs file under the /doc directory, and modify .md content into Chinese.

while using the browser debugging, it's unreadable code.

In the same direction as Issue #38 , could we revisit the branding of Composer?

Here is something to start the discussion

Downloaded the latest Windows install from the Git repo and when starting the installation it could not connect to the server to download all the necessary/dependent files... Tried to access the website from the browser and I received a server not found error. Could not find anything in my Comodo firewall that would indicate it's been blocked somehow... No other sites have been giving me issues either... Is the site down?

In this section of the documentation: [https://getcomposer.org/doc/01-basic-usage.md#next-significant-release-tilde-operator-](Next Significant Release %28Tilde Operator%29) it is not entirely clear whether a RC release would be included.

For example if I write ~1.2.0 as a version constrain would a ~1.3.0-alpha.1 be installed? If I have a @alpha as minimum-stability setting of course.

In the npm documentation this is clearly explained with a lot of examples.

In the Composer docs there is an example with ~1.2 which translates to >=1.2,<2.0. Since 2.0 should less than 2.0-RC.1, isn't 2.0-RC.1 release included in the ~1.2 version constraint?

https://getcomposer.org/doc/04-schema.md#version

It doesn't mention things like this:

• >2.0
• 1.0.x
• 1.x@stable

http://getcomposer.org/doc/articles/* pages uses .md in the URL but they are rendered as HTML so they should use .html or none.

This affects browser extensions/plugins that create previews of .md URLs.

Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:

The suhosin.executor.include.whitelist setting is incorrect.
Add the following to the end of your php.ini or suhosin.ini (Example path [for Debian]: /etc/php5/cli/conf.d/suhosin.ini):
suhosin.executor.include.whitelist = phar

The php.ini used by your command-line PHP is: /etc/php5/fpm/php.ini
If you can not modify the ini file, you can also run php -d option=value to modify ini values on the fly. You can use -d multiple times.

What happens if getcomposer.org gets owned someday?

Recommending a safer install method might be worth considering. Others agree:

• http://beryllium.ca/?p=765
• https://news.ycombinator.com/item?id=4212920

curl https | php needs to go. This was previously reported over a year ago in #41 and nobody has taken action.

This is what you need to do:

1. Generate an RSA/DSA/Ed25519/whatever asymmetric key pair.
2. Keep your private key safe.
3. Sign your installer.
4. Publish your public key.
5. Publish amended install instructions that verify the signature before any code is run.

Then continue to verify the .phar from within the installer.

Not exactly rocket science, and not a low priority that you can really afford to keep sweeping under the rug while running off to conferences to drink beer and make lots of money while pushing an insecure solution.

http://getcomposer.org/download/ has a list of releases that can be downloaded.

In order to determine which version should be retrieved for a particular point in time, that list should include release dates for all versions.

Note: release dates should not be taken from archive timestamps as they can change.

(17:38:51) naderman: https://github.com/composer/getcomposer.org/blob/master/views/download.html.twig#L15
(17:39:11) naderman: + https://github.com/composer/getcomposer.org/blob/master/src/app.php#L32
(17:39:22) naderman: hm guess dates will actually require more code to be added

Hello guy,

I'm using PHP 7.0.19 and when I'm trying to use composer, I've got ErrorException such php_uname() has been disabled for security reasons and many others.

Getting Bad Gateway 502 when accessing composer site.
Any other alternative when this scenario happens?