How Composer Helps the Whole Team

Andrew Taylor , Former Developer Programs Engineer Reading estimate: 3 minutes

In this article, I will be talking in the context of website projects, but the value of dependency management extends to other types of projects, as well.

What is Dependency Management?

To understand dependency management, we must first understand dependencies.

To get an idea of dependencies in a web project, let's think about creating a new Drupal 8 project. Our new Drupal 8 depends on Drupal 8 core. This means I must find the code for Drupal 8 core and add it to my project.

However, Drupal 8 core won't work without the other projects it depends on, such as Twig and numerous Symfony components. In order for Drupal to function, we must download each of the dependent projects, within the correct version constraints.

Each of those projects may depend on other projects, and so on, and we haven't even added any modules, yet!

A dependency manager, such as Composer for PHP, is a tool that helps you to manage all the dependencies in your project. In our example above, since we declared a need for Drupal 8 core, Composer will recognize that Drupal 8 depends on Twig and Symfony and download those, as well.

The Value of Dependency Management

In our introduction above, we've already seen one benefit of a dependency manager: no more manually auditing and downloading dependencies. This will certainly save time, but I want to use the rest of this article to outline other values that dependency management provides; specifically, how dependency management can help the whole team or business.

Repeatable Builds

In addition to discovering and downloading dependencies, Composer will also create a lockfile. The lockfile records all the dependencies and their specific version.

This is important because it freezes the code base at a specific point in time and allows for the project to be replicated reliably, allowing everyone on the team to have confidence when the project is deployed.

Dependency Visibility

Aside from allowing for repeatable builds, the lockfile acts as a manifest of all the dependencies that a project is using. Services, such as GitHub, can help you visualize your project dependency tree. Additionally, having a manifest of dependencies allows for insight into key areas of a project. 

Security Vulnerabilities

Detecting and patching security vulnerabilities in a project is a priority for everyone involved; nobody wants to get hacked! With a manifest of all dependencies and their versions, a project can be audited for security vulnerabilities. GitHub's security alerts is a great example.


Working on web projects, especially in the open-source space, means depending on a variety of projects, each with their own licensing.

Not adhering to a license for software included in your project, whether a direct or sub dependency, can have legal ramifications. This makes me think of the public fight between WordPress and Wix over the GPL license.

It is important for businesses to know about the licensed software their projects depend on. Without knowing what dependencies are in your code base, how can you know about their licenses?

With visibility into all dependencies of a project, discovering licensing conflicts becomes realistic. And with tools like FOSSology, it can be made easier.

If you don't know the difference between open-source licenses, nothing can replace reading the licenses and seeking legal counsel. However, if you want some guidance (not legal advice) on which license to use in your project, is a good resource.


Knowing what dependencies your project uses also allows a team to ensure the project meets all the requirements of each dependency, such as the minimum PHP version. Dependency managers, such as Composer, will even halt the installation of new dependencies, if your project does not meet the requirements. This is much better than the alternative of having the project break due to requirement mismatch.

Update Strategy

We have a manifest of all of our dependencies frozen at specific versions. Great! But, what happens when a new feature or security update is released for one of our project's dependencies?

Making use of dependency management allows teams to adopt an update strategy. The value of the strategy is that everyone on the team knows how updates are implemented, when they are implemented, and who is responsible.

The development team knows what is expected of them, the project manager can estimate when new features will ship based on the release schedule, etc.

Discoverability of Available Packages

Being able to access a plethora of existing packages can drastically reduce the implementation time and the maintenance burden of needing custom code for every aspect of a project.

Get Started with Dependency Management

Leveraging a dependency management tool like Composer for PHP can significantly streamline the set up, development and testing processes of your next web project. Check out our example D8 Composer repo, which you can scaffold with the Terminus Build Tools Plugin, for best practices to reference when getting started with Composer and Continuous Integration on Pantheon.

Discover More

Halting DDoS Attacks: Effective Strategies for Prevention

Conor Bauer
Reading estimate: 9 minutes

Staying Ahead In The Game of Distributed Denial of Service Attacks

Steve Persch
Reading estimate: 3 minutes

Learn how healthcare sites can thrive with modern development tools

Jason Yarrington
Reading estimate: 3 minutes

Try Pantheon for Free

Join thousands of developers, marketers, and agencies creating magical digital experiences with Pantheon.