Composer & Dependency Management
Composer is the dependency manager for PHP — the equivalent of npm for Node.js or pip for Python. Every Laravel project is built on top of Composer. It manages all your project's third-party packages, autoloads your classes, and ensures version compatibility across dependencies. Understanding Composer is essential because Laravel itself is installed via Composer, and every package you add to your project (authentication, payments, image processing) flows through it.
How Composer Works
Composer reads your composer.json file, resolves dependencies (including transitive ones), downloads packages to the vendor/ directory, and generates an autoloader. The composer.lock file pins exact versions so every developer on your team gets identical dependencies — this prevents 'works on my machine' bugs. Key commands: composer require vendor/package (add a dependency), composer install (install from lock file), composer update (update dependencies), composer dump-autoload (regenerate autoloader). Composer uses Packagist (packagist.org) as its default package repository — it hosts 350,000+ PHP packages.
Essential Composer Commands for Laravel
```bash
composer create-project laravel/laravel my-app
# Creates a new Laravel project with all dependencies
composer require laravel/sanctum
# Adds a package to your project
composer require --dev phpunit/phpunit
# Adds a development-only dependency
composer install
# Installs dependencies from composer.lock (use in CI/CD)
composer update
# Updates all packages to latest allowed versions
composer dump-autoload -o
# Regenerates optimized autoloader (production)
```
Understanding composer.json vs composer.lock
- composer.json defines your project's dependencies with version constraints (^10.0 means >=10.0.0 and <11.0.0). It's the 'wish list' — what you want installed
- composer.lock records the exact versions that were actually installed. It's the 'receipt' — what IS installed. Always commit this file to version control
- composer install reads the lock file and installs exact versions. Use this in CI/CD pipelines and production deployments for reproducible builds
- composer update reads composer.json, resolves latest versions within constraints, updates the lock file, and installs. Use during development when you want to upgrade
- Never run composer update in production — it may introduce breaking changes. Always run composer install from the committed lock file
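As an added example (not code from the page or from Composer itself), the following Python check applies the caret rule described above to a constructed composer.json and composer.lock and reports any locked version that falls outside its constraint. It is the kind of drift check a CI pipeline can run before composer install so that an out-of-date lock file is caught rather than silently deployed.

```python
import json
import re

# Constructed sample manifest and lock file; not taken from a real project.
COMPOSER_JSON = '''{"require": {"php": "^8.1",
  "laravel/framework": "^10.0", "laravel/sanctum": "^3.2"}}'''
COMPOSER_LOCK = '''{"packages": [
  {"name": "laravel/framework", "version": "v10.48.4"},
  {"name": "laravel/sanctum", "version": "v4.0.0"}
]}'''


def parse_version(v):
    """Turn 'v10.48.4' or '10.0' into a (major, minor, patch) tuple."""
    nums = re.findall(r"\d+", v.lstrip("v"))[:3]
    nums += ["0"] * (3 - len(nums))
    return tuple(int(n) for n in nums)


def caret_range(constraint):
    """Caret semantics: ^10.0 means >=10.0.0 and <11.0.0.
    For a 0.x constraint Composer bumps the minor instead (^0.3 -> <0.4.0);
    the 0.0.x case is not handled here."""
    low = parse_version(constraint[1:])
    high = (low[0] + 1, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0)
    return low, high


def satisfies(version, constraint):
    """True if the pinned version lies inside the caret constraint."""
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are handled in this example")
    low, high = caret_range(constraint)
    return low <= parse_version(version) < high


def check_lock(composer_json, composer_lock):
    """Return a list of problems: required packages missing from the lock,
    or locked versions outside their constraint. Platform requirements
    (php, ext-*) are not packages and are skipped."""
    require = json.loads(composer_json)["require"]
    locked = {p["name"]: p["version"]
              for p in json.loads(composer_lock)["packages"]}
    problems = []
    for name, constraint in require.items():
        if name == "php" or name.startswith("ext-"):
            continue
        if name not in locked:
            problems.append(f"{name}: required but not in composer.lock")
        elif not satisfies(locked[name], constraint):
            problems.append(f"{name}: locked {locked[name]} violates {constraint}")
    return problems
```

Running check_lock(COMPOSER_JSON, COMPOSER_LOCK) on the constructed input flags laravel/sanctum, whose locked v4.0.0 is outside ^3.2; a non-empty result should fail the pipeline.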
Tip
Practice Composer Dependency Management in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task
(1) Write a working example of Composer Dependency Management from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with Composer Dependency Management is skipping edge case testing — empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready Laravel code.
Key Takeaways
- Composer is the dependency manager for PHP — the equivalent of npm for Node.js or pip for Python.
- composer.json defines your project's dependencies with version constraints (^10.0 means >=10.0.0 and <11.0.0). It's the 'wish list' — what you want installed
- composer.lock records the exact versions that were actually installed. It's the 'receipt' — what IS installed. Always commit this file to version control
- composer install reads the lock file and installs exact versions. Use this in CI/CD pipelines and production deployments for reproducible builds