composer / getcomposer.org
getcomposer.org sources
Home Page: http://getcomposer.org
License: MIT License
The documentation should make clear that dependencies in require-dev cannot overwrite any decisions resulting from resolving "require". That also means that if a "require-dev" package is incompatible with a version of a package in the "require" step, the resolution will fail with an error. This is done so that install/install -dev are consistent except for dev packages.
I noted that there are quite a few instances where people have errant PHPRC variables in their Windows Environment path (from older PHP installs).
A quick note about "If the installer errors multiple times with the message Entry Point Not found for X then check your PHPRC Path in your environment variables points to your ACTUAL PHP install" would probably be helpful.
:) Many thanks
This allows using "composer" directly instead of "php composer.phar".
A prototype .bat file can be found here:
https://gist.github.com/29323e3f69034930ccbd
This also works with composer's "self-update" command.
Having some stats on usage would be nice.
https://getcomposer.org/doc/01-basic-usage.md#package-versions
source:
`>=1.0` `>=1.0,<2.0` `>=1.0,<1.1 | >=1.2`
`|` is not escaped, so it will be parsed as table structure.
https://getcomposer.org/doc/04-schema.md#version
It doesn't mention things like this:
>2.0
1.0.x
1.x@stable
Hello guy,
I'm using PHP 7.0.19 and when I'm trying to use composer, I've got ErrorException such as php_uname() has been disabled for security reasons and many others.
When I install Composer on the snapshot channel using the installer:
composer-install --snapshot
and then update Composer with:
composer.phar self-update
it updates to the latest stable version. I would expect to keep the channel I've used on the installer, the same way Composer keeps the channel once you've selected one on the self-update command.
To get Composer to work on Gentoo, PHP must be compiled with USE="-curlwrappers".
How do I use it, in other words?
I think it'd be really slick to have a page on the site that explains where Composer came from, when it was founded and what the original ideas/philosophy is behind it.
I looked for a Wikipedia article on Composer and I couldn't find one, maybe it's more appropriate for this type of information to be on the wikipedia, however, I'm not even sure what the history of composer is. :)
Thanks!
In building some php docker containers for drupalci, we had composer install via the automated method, but we didn't install git. Without git there were some functions that worked fine from outside the container but broke inside the container (figuring out the version of drupal from the branch name).
Anyhow, would be nice if the installer threw a warning or something that said "git's not required, but it's a good idea"
Right now, I have multiple tabs open for getcomposer.org to read through the documentation. Each tab simply says "Composer" and I have no way of knowing which tab is which without clicking through each tab. This burns time that could be better spent reading the good documentation.
Please sign composer.phar with a PGP key, publish the key ID and signature, and update the documentation to encourage verifying the .phar before blindly piping to the PHP interpreter.
https://getcomposer.org/composer.phar
https://getcomposer.org/composer.phar.asc <- signature should go here
See also: https://defuse.ca/triangle-of-secure-code-delivery.htm by @defuse
this really simple patch fixes getSystemCaRootBundlePath() on OpenBSD.
--- installer.orig Thu Sep 25 15:20:30 2014
+++ installer Thu Sep 25 15:20:37 2014
@@ -783,6 +783,7 @@
'/opt/local/share/curl/curl-ca-bundle.crt', // OS X macports, curl-ca-bundle package
'/usr/local/share/curl/curl-ca-bundle.crt', // Default cURL CA bunde path (without --with-ca-bundle option)
'/usr/share/ssl/certs/ca-bundle.crt', // Really old RedHat?
+ '/etc/ssl/cert.pem', // OpenBSD
);
$found = null;
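Review bot: the new '/etc/ssl/cert.pem' entry is appended after the "Really old RedHat?" path, so if this list is scanned in order (the `$found = null;` that follows suggests a first-match search) it is only reached when none of the earlier paths exist. That ordering is fine for OpenBSD, but the message should say it is intentional, and it is worth confirming that the code consuming the list checks the candidate is a readable file before using it as the CA bundle, because this path decides which roots the installer trusts for the download. The diff headers name `installer.orig` and `installer` without a directory prefix, so state the patch level needed to apply it.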
On the page: https://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#security, under the heading Security, the second example is described as (emphasis mine):
Example using HTTP over SSL using a client certificate
I think it would be much clearer to the general public if HTTP over SSL was replaced by SSL/TLS (HTTPS):
Example using SSL/TLS (HTTPS) with a client certificate
Composer/Package/Loader/ArrayLoader.php uses ctype_digit, but ctype is not a dependency (like json and phar) in web/installer
The http://getcomposer.org/versions URL is using application/octet-stream content type instead of application/json. This results in browser attempting to download this page instead of showing formatted JSON response.
The page responds JSON now:
{
"stable": [{"path": "/download/1.0.0/composer.phar", "version": "1.0.0", "min-php": 50300}],
"preview": [{"path": "/download/1.0.0/composer.phar", "version": "1.0.0", "min-php": 50300}],
"snapshot": [{"path": "/composer.phar", "version": "40c14709f79f9d7ea35ac969cfbd7f41beb525bb", "min-php": 50300}]
}
Hello.
Could you create a standalone component / library with the following code: https://github.com/composer/getcomposer.org/blob/master/src/controllers.php#L90-L179
I need it in another project
For now, I copy / paste this code, but it could be great to have a standalone library.
BTW, I had to add $dom->loadHtml('<?xml encoding="UTF-8">'.$body);
(https://github.com/carew/plugin-toc/blob/master/TocEventSubscriber.php#L32)
Thanks for considering this issue.
curl https | php needs to go. This was previously reported over a year ago in #41 and nobody has taken action.
This is what you need to do:
Then continue to verify the .phar from within the installer.
Not exactly rocket science, and not a low priority that you can really afford to keep sweeping under the rug while running off to conferences to drink beer and make lots of money while pushing an insecure solution.
I'm in a network behind a proxy, so I need to set the proxy info on my environment. I've exported HTTP_PROXY full path (including user & pass) in ~/.bashrc. The variable is set correctly. Running next line:
$ curl -sS https://getcomposer.org/installer| php
I'm getting...
Some settings on your machine may cause stability issues with Composer.
If you encounter issues, try to change the following:
Your PHP (5.3.3) is quite old, upgrading to PHP 5.3.4 or higher is recommended.
Composer works with 5.3.2+ for most people, but there might be edge case issues.
Downloading...
Download failed: file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: Cannot connect to HTTPS server through proxy
Downloading...
Download failed: file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: Cannot connect to HTTPS server through proxy
Downloading...
Download failed: file_get_contents(https://getcomposer.org/composer.phar): failed to open stream: Cannot connect to HTTPS server through proxy
The download failed repeatedly, aborting.
But next line is successful
$ curl -sS https://getcomposer.org/installer | php -- --disable-tls
We should look at having redundant composer.org sites and include the paths in the composer.phar.
Blocked by #76 and a separate issue entirely.
This can be accomplished with openssl_verify() and a pinned (read: hard-coded) RSA public key. Assuming the installer's signature was successfully verified with PGP, we can trust the pinned public key to be valid and therefore transitively assure the security of the .phar
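As an added illustration of the pinned-key check proposed in the issue above (this is not code from Composer or its installer): PHP's openssl_verify() checks a detached signature over the downloaded bytes against a public key embedded in the verifier. The key pairs, the sample bytes and the helper names verifyWithPinnedKey and newKeyPair are constructed for the example; a real installer would carry only the public key PEM.

```php
<?php
// Added example: detached-signature check against a hard-coded public key.
// verifyWithPinnedKey() and newKeyPair() are hypothetical helpers, not Composer code.

function verifyWithPinnedKey(string $data, string $signature, string $pinnedPem): bool
{
    $key = openssl_pkey_get_public($pinnedPem);
    if ($key === false) {
        throw new RuntimeException('pinned public key is not valid PEM');
    }
    // openssl_verify() returns 1 for a valid signature, 0 for an invalid one
    // and -1 or false on error; only an exact 1 may count as success.
    return openssl_verify($data, $signature, $key, OPENSSL_ALGO_SHA384) === 1;
}

// Constructed key pairs so the example runs offline. In a real deployment the
// private key never leaves the release machine and only the PEM is shipped.
function newKeyPair()
{
    $pair = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($pair === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    return $pair;
}

$releaseKey = newKeyPair();
$otherKey   = newKeyPair();
$pinnedPem  = openssl_pkey_get_details($releaseKey)['key'];

// Constructed bytes standing in for the downloaded composer.phar.
$phar = "constructed bytes standing in for composer.phar\n";

if (!openssl_sign($phar, $goodSig, $releaseKey, OPENSSL_ALGO_SHA384)
    || !openssl_sign($phar, $foreignSig, $otherKey, OPENSSL_ALGO_SHA384)) {
    throw new RuntimeException('signing failed: ' . openssl_error_string());
}

$cases = [
    'untouched download'        => [$phar, $goodSig],
    'bytes modified in transit' => [$phar . 'x', $goodSig],
    'signed by a different key' => [$phar, $foreignSig],
    'truncated signature'       => [$phar, substr($goodSig, 0, 16)],
];

foreach ($cases as $label => [$data, $sig]) {
    $verdict = verifyWithPinnedKey($data, $sig, $pinnedPem) ? 'accept' : 'reject';
    printf("%-28s %s\n", $label, $verdict);
}
```

The strict comparison with 1 matters: a loose truthiness check would treat the -1 error return as success.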
I've been trying to work through the ZF2 tutorial on my WAMP server. Any composer operation which involves downloading is just failing at the packages.json level. For example here is me running the create-project composer instructions given on Zend's site. This code works on Linux, so the repo is correct and working, but just not on Windows. That "w" character changes every time and has been random utf8 characters for the most part.
E:\wamp\www>composer create-project --repository-url="https://packages.zendframe
work.com" -s dev zendframework/skeleton-application ZF2Tutorial
[Seld\JsonLint\ParsingException]
"https://packages.zendframework.com/packages.json" does not contain valid J
SON
Parse error on line 1:
w{ "packages": {
^
Expected one of: 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '['
create-project [-s|--stability="..."] [--prefer-source] [--prefer-dist] [--repos
itory-url="..."] [--dev] [--no-dev] [--no-custom-installers] [--no-scripts] [--n
o-progress] [--keep-vcs] [package] [directory] [version]
http://getcomposer.org/download/ has a list of releases that can be downloaded.
In order to determine which version should be retrieved for a particular point in time, that list should include release dates for all versions.
Note: release dates should not be taken from archive timestamps as they can change.
(17:38:51) naderman: https://github.com/composer/getcomposer.org/blob/master/views/download.html.twig#L15
(17:39:11) naderman: + https://github.com/composer/getcomposer.org/blob/master/src/app.php#L32
(17:39:22) naderman: hm guess dates will actually require more code to be added
This just started today and I am hoping that someone can help fix this or at least point me in the correct direction. I have installed composer and WAMP on a few Windows machines without issue.
I have a new Windows 7 computer. I have installed the default settings of WAMP 64 bit with Apache 2.4.
I have added the following to the httpd.conf file:
AcceptFilter http none
AcceptFilter https none
I installed git.
I installed composer
I used the git clone to download Laravel.
I copied the composer.phar to the laravel installation directory.
When I run the command php composer install I get the error below.
When I run the command composer install I get the error below.
When I run the command php composer.phar install I get the same error as composer install returns to me.
When I run the command composer diag I get the same error as composer install returns to me.
Does anyone have a clue what this is? I have tried to look up both errors with no results. I have tried to download the previous alpha versions of the composer.phar file and they all do the same thing. I have tested the version calls to ensure that git, composer and php are all working properly. Can someone perhaps attach their working composer.phar if the forum allows it? I have uninstalled and reinstalled composer multiple times. I have installed and reinstalled laravel multiple times as well just in case.
COPY AND PASTE FROM COMMAND LINE
c:\wamp\l4beta5>php -v
PHP 5.4.3 (cli) (built: May 15 2012 01:01:59)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans
c:\wamp\l4beta5>git --version
git version 1.8.1.msysgit.1
c:\wamp\l4beta5>composer --version
Composer version 0209bd31a0ac3aeb2a68fc81e2d03c71072bef33
c:\wamp\l4beta5>php composer install
Could not open input file: composer
c:\wamp\l4beta5>composer install
[Seld\JsonLint\ParsingException]
"c:\wamp\l4beta5\composer.phar" does not contain valid JSON
Parse error on line 1:
#!/usr/bin/env php<
^
Expected one of: 'STRING', 'NUMBER', 'NULL', 'TRUE', 'FALSE', '{', '['
install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-dev] [--no-c
ustom-installers] [--no-scripts] [--no-progress] [-v|--verbose] [-o|--optimize-a
utoloader]
For instance:
$ curl -s http://getcomposer.org/installer | php
Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:
The detect_unicode setting must be disabled.
Add the following to the end of your php.ini: detect_unicode = Off
You config file can be found here:
/etc/php.ini.default
http://getcomposer.org/doc/articles/* pages use .md in the URL but they are rendered as HTML so they should use .html or none.
This affects browser extensions/plugins that create previews of .md URLs.
Getting Bad Gateway 502 when accessing composer site.
Any other alternative when this scenario happens?
Just noticed this issue, it's not a big deal, but interesting.
When performing a GET request to https://getcomposer.org/composer.phar, the Last-Modified header does not reflect the actual time at which the phar version changed. For example, I get these response headers (truncated for brevity):
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Mar 2015 08:27:33 GMT
Last-Modified: Thu, 05 Mar 2015 08:20:08 GMT
But the actual version of Composer that I receive is much older:
$ composer --version
Composer version 1.0-dev (26799f4244a14050ec015323af9fa83b0a66436d) 2015-03-04 23:50:10
I assume that the last modified time of composer.phar keeps changing because it's being updated via a scheduler/cron, rather than when a new commit is pushed.
This unfortunately means that when performing a conditional GET with the If-Modified-Since header, I'm almost always being sent a whole new file, instead of a 304 Not Modified response.
This issue could probably be solved in a couple of ways:
- composer.phar so that it doesn't update the file modified time unless there is an actual change.
- ETag header when composer.phar is requested.
I suppose fixing it could potentially save you some bandwidth cost, too.
If you're wondering how I came across the issue, I was writing a script to easily update all of my tools (composer, phpunit, php-cs-fixer, etc.), and I was taking advantage of If-Modified-Since to download each tool only if it actually had updates. Composer was the only tool that misbehaved in this manner.
It seems "composer update nothing" is an undocumented feature.
I found several blog posts and GH issues mentioning it, but I haven't found this documented at https://getcomposer.org/doc/03-cli.md#update
Blog post example:
http://www.lornajane.net/posts/2016/handling-composer-lock-file-out-of-date-warning
GH issue example:
composer/composer#1751
I was wondering if it should not be documented as it is a deprecated feature or something.
Subject.
@Seldaek wrote some blog posts about Composer on the Nelmio blog a while ago. It would be good to add a link from the composer website. Currently, some users don't understand the concept of the lock file (see the mailing-list) whereas one of the posts was dedicated to this subject (or maybe only planned and not written, I'm not sure).
In this section of the documentation: [Next Significant Release (Tilde Operator)](https://getcomposer.org/doc/01-basic-usage.md#next-significant-release-tilde-operator-) it is not entirely clear whether an RC release would be included.
For example if I write ~1.2.0 as a version constraint would a ~1.3.0-alpha.1 be installed? If I have a @alpha as minimum-stability setting of course.
In the npm documentation this is clearly explained with a lot of examples.
In the Composer docs there is an example with ~1.2 which translates to >=1.2,<2.0. Since 2.0 should be less than 2.0-RC.1, isn't 2.0-RC.1 release included in the ~1.2 version constraint?
The logo is very clearly a conductor, not a composer. He is holding a baton and appearing to be flailing his arms in a typical fashion during a performance, which a composer would not do while composing music. I feel this is deceiving to those with musical backgrounds and should be corrected, unless the project name can be changed.
I got a 404 http error on link https://getcomposer.org/book.pdf
getcomposer.org/blob/master/web/installer implies that it must be distributed with a LICENSE file, but it is not located in this repo.
To allow HTTP clients to determine the length of the composer.phar file and display a realistic progress bar, the URL http://getcomposer.org/composer.phar should return a Content-Length header.
I was playing around with building a composer rpm with jenkins for my own use when I came across some warnings. It's an easy fix so I'll submit a pull request.
+ curl -Ss https://getcomposer.org/installer
+ php
X-Powered-By: PHP/5.5.25
Content-type: text/html
#!/usr/bin/env php
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>21</b><br />
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>22</b><br />
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>23</b><br />
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>24</b><br />
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>25</b><br />
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>32</b><br />
<br />
<b>Warning</b>: in_array() expects parameter 2 to be array, null given in <b>-</b> on line <b>34</b><br />
<br />
<b>Warning</b>: Invalid argument supplied for foreach() in <b>-</b> on line <b>46</b><br />
All settings correct for using Composer
Downloading...
What happens if getcomposer.org gets owned someday?
Recommending a safer install method might be worth considering. Others agree:
Some settings on your machine make Composer unable to work properly.
Make sure that you fix the issues listed below and run this script again:
The suhosin.executor.include.whitelist setting is incorrect.
Add the following to the end of your php.ini
or suhosin.ini (Example path [for Debian]: /etc/php5/cli/conf.d/suhosin.ini):
suhosin.executor.include.whitelist = phar
The php.ini used by your command-line PHP is: /etc/php5/fpm/php.ini
If you can not modify the ini file, you can also run php -d option=value
to modify ini values on the fly. You can use -d multiple times.
Composer's Phar should be downloaded from a secure channel SSL/TLS
For easy copy & pasting we should put $ curl -s http://getcomposer.org/installer | php back on the front page.
In the same direction as Issue #38, could we revisit the branding of Composer?
Here is something to start the discussion
Shouldn't we be tagging a new release for each new version? For example, my expectation would be a tag of 1.4.2 for the latest stable release.
Downloaded the latest Windows install from the Git repo and when starting the installation it could not connect to the server to download all the necessary/dependent files... Tried to access the website from the browser and I received a server not found error. Could not find anything in my Comodo firewall that would indicate it's been blocked somehow... No other sites have been giving me issues either... Is the site down?
I think the recommended installation method should be to install Composer globally.
composer install instead of php composer.phar install).
Some libraries often provide 'installation instructions' that are easy to copy-paste, but are made for people with local installations. That's no good for global-lovers who need to manually edit each command.
On the other side, if all commands were in form of composer (anything), one with local installation could just alias composer=php composer.phar and execute these commands just as is.