Managing Dependencies

Composer is the official dependency manager for PHP. It allows to manage (download, install, upgrade, configure, and remove) the libraries a project depends on.

If you want the platform to use Composer to manage your dependencies, make sure to include both the composer.json and the composer.lock files in your codebase.

Declaring Dependencies

The dependencies required by your application must be declared in a file named composer.json, stored at the root of your codebase. The format is described in the Composer documentation.

Once your dependencies have been defined and declared, their versions must be frozen to ensure a precise version of the application will always be deployed with the same compatible set of Composer packages. This allows for better reproducibility and consistency across environments. These versions are written in a file named composer.lock, also stored at the root of your project.

Use Composer itself on your local computer (or in your CI/CD pipeline) to generate the composer.lock file:

$ composer install

To upgrade a dependency, run the following command (in the example below, we ask Composer to upgrade slim):

$ composer update slim/slim

In some circumstances, it can be convenient to add either the --ignore-platform-req= or the --ignore-platform-reqs flag to the above commands.

After each command, the composer.lock file is automatically updated. Don’t forget to commit the modifications!

Managing Private Dependencies

If you want to install a private dependency, you need to define the COMPOSER_AUTH environment variable, as specified in the Composer documentation.

For a private dependency hosted on GitHub, the COMPOSER_AUTH environment variable should contain:

  "github-oauth": {
    "": "MY-TOKEN"

MY-TOKEN must be replaced with a valid access token (OAuth token) for your GitHub account.

Such a token can be generated from your GitHub account. For more details about GitHub access tokens, please refer to their comprehensive documentation.

Specifying the Composer Version

You can select the Composer version to install by specifying it in your composer.json:

  "extra": {
    "paas": {
      "engines": {
        "composer": "2.x"

Scalingo currently supports the following versions of Composer:

  • 2.2.22 (LTS)
  • 2.6.4

Working with Composer Environments

By default, Scalingo considers that your application runs in production mode. This means that composer install automatically runs with the --no-dev flag. As a result, won’t install the development dependencies of your application, if any.

Set the COMPOSER_DEV environment variable to true if you would like to run your application with these development dependencies installed (e.g. to debug your app).

In addition to the --[no-]dev flag, the platform always runs composer install with the --prefer-dist and --optimize-autoloader flags.

Suggest edits

Managing Dependencies

©2023 Scalingo