
TL;DR: Should I use @dev or dev-main in my composer.json for local packages?


In our project we have a central composer.json which includes all the dependencies needed, including local ones – code included in the git repo but isolated out as separate Composer packages.

We have a local folder set up as a repository:

{
    "repositories": [
        {
            "type": "path",
            "url": "./app/*/*"
        }
    ]
}

I read somewhere that we should include the dependencies with the @dev syntax – e.g.

{
  "require": {
      "app/local": "@dev"
  }
}

However, this stores the current branch in the composer.lock, so when a feature branch gets merged, the lock file references a non-existent branch until the next composer update is run. Is this ok?

I like the idea of @dev as it signifies which packages are local, but I don’t like that a non-existent branch could be referenced.

2 Answers


  1. According to The composer.json schema:

    require and require-dev additionally support stability flags
    that take the form "constraint@stability flag".
    They allow you to further restrict or expand the stability of a
    package beyond the scope of the minimum-stability setting. You can
    apply them to a constraint, or apply them to an empty constraint if
    you want to allow unstable packages of a dependency for example.

    If you are working with a production build I would lock the package to a certain branch and hash. In this case consider using Semantic Versioning.

    {
        "require": {
            "my/package": "1.0.0#abc123"
        }
    }
    

    Hope this helps!

  2. You are mixing different concepts, that do have some overlap, but that ultimately mean different things.

    I like the idea of @dev as it signifies which packages are local

    This is wrong. The meaning of @dev is a "stability flag".

    The complete package link form is "[constraint][@stability flag]".

    With the syntax

    "require": {
        "foo/package": "@dev"
    }
    

    You are simply saying:

    "I don’t care for the specific version for this package, install whatever available or dictated by other constraints; but the minimum stability for this package is "dev", instead of whatever minimum stability I had set for the rest of the project".

    If you use:

    "require": {
        "foo/package": "dev-main"
    }
    

    … then you are specifying an actual version constraint.
    (Additionally, since the version constraint starts with dev-, composer will automatically infer that the minimum stability for this package is @dev, so it will understand this constraint as: foo/package:dev-main@dev).


    TLDR: You should very probably use actual version constraints. Stability flags do not do what you think they do. There are cases for simply specifying a stability flag without a version constraint in your package, but that’s generally just to override the project’s minimum stability for a single required package.

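The difference between a bare stability flag and a real version constraint, described in the second answer, can be checked mechanically before a manifest is merged. The following is an added example, not code from either answer or from Composer itself: a simplified parser for the "[constraint][@stability flag]" form that assumes a single constraint per package (no ranges or `||` alternatives); the function names and the sample manifest are constructed for illustration.

```python
import json

# Stability flags Composer accepts after "@" in a package link.
STABILITIES = {"dev", "alpha", "beta", "rc", "stable"}

def parse_link(link):
    """Split "[constraint][@stability flag]" into its parts (simplified)."""
    constraint, _, flag = link.strip().partition("@")
    flag = flag.lower() or None
    if flag is not None and flag not in STABILITIES:
        raise ValueError(f"unknown stability flag: {flag!r}")
    # Optional "#<commit>" suffix, as in the first answer's example.
    constraint, _, ref = constraint.partition("#")
    return {"constraint": constraint or None, "flag": flag, "ref": ref or None}

def classify(link):
    p = parse_link(link)
    c = p["constraint"]
    if c is None:
        # "@dev": no version constraint at all, only a stability override.
        return "flag-only"
    if c.startswith("dev-") or c.endswith("-dev"):
        # "dev-main": a real constraint on a branch; dev stability is implied.
        return "branch-pinned-to-commit" if p["ref"] else "branch"
    return "version"

def audit(composer_json_text):
    """Return {package: classification} for require and require-dev."""
    data = json.loads(composer_json_text)
    report = {}
    for section in ("require", "require-dev"):
        for name, link in data.get(section, {}).items():
            report[name] = classify(link)
    return report

# Constructed sample manifest reusing the package names shown on this page.
SAMPLE = """{
  "require": {
    "app/local": "@dev",
    "foo/package": "dev-main",
    "my/package": "1.0.0#abc123"
  }
}"""

if __name__ == "__main__":
    for name, kind in audit(SAMPLE).items():
        print(f"{name}: {kind}")
```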