doc/03-cli.md
You've already learned how to use the command-line interface to do some things. This chapter documents all the available commands.
To get help from the command-line, call composer or composer list
to see the complete list of commands, then --help combined with any of those
can give you more information.
As Composer uses symfony/console you can call commands by short name if it's not ambiguous.
php composer.phar dump
calls composer dump-autoload.
To install bash completions you can run composer completion bash > completion.bash.
This will create a completion.bash file in the current directory.
Then execute source completion.bash to enable it in the current terminal session.
Move and rename the completion.bash file to /etc/bash_completion.d/composer to make
it load automatically in new terminals.
The following options are available with every command:
composer.json.In the Libraries chapter we looked at how to create a
composer.json by hand. There is also an init command available to do this.
When you run the command it will interactively ask you to fill in the fields, while using some smart defaults.
php composer.phar init
foo/bar:1.0.0.minimum-stability field.composer repository or a JSON string which is similar to what the
repositories key accepts.The install command reads the composer.json file from the current
directory, resolves the dependencies, and installs them into vendor.
php composer.phar install
If there is a composer.lock file in the current directory, it will use the
exact versions from there instead of resolving them. This ensures that
everyone using the library will get the same versions of the dependencies.
If there is no composer.lock file, Composer will create one after dependency
resolution.
source
and dist. Composer uses dist by default. If you pass
--prefer-install=source (or --prefer-source) Composer will install from
source if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use source automatically for dev
versions of packages, use --prefer-install=auto. See also config.preferred-install.
Passing this flag will override the config value.--dry-run. This will simulate the
installation and show you what would happen.require-dev (this is the default behavior).require-dev. The autoloader
generation skips the autoload-dev rules. Also see COMPOSER_NO_DEV.--optimize-autoloader.--apcu-autoloader.php, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these.
See also the platform config option.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard. Appending
a + makes it only ignore the upper-bound of the requirements. For example, if a package
requires php: ^7, then the option --ignore-platform-req=php+ would allow installing on PHP 8,
but installation on PHP 5.6 would still fail.In order to get the latest versions of the dependencies and to update the
composer.lock file, you should use the update command. This command is also
aliased as upgrade as it does the same as upgrade does if you are thinking
of apt-get or similar package managers.
php composer.phar update
This will resolve all dependencies of the project and write the exact versions
into composer.lock.
If you only want to update a few packages and not all, you can list them as such:
php composer.phar update vendor/package vendor/package2
You can also use wildcards to update a bunch of packages at once:
php composer.phar update "vendor/*"
If you want to downgrade a package to a specific version without changing your
composer.json you can use --with and provide a custom version constraint:
php composer.phar update --with vendor/package:2.0.1
Note that with the above all packages will be updated. If you only want to
update the package(s) for which you provide custom constraints using --with,
you can skip --with and instead use constraints with the partial update syntax:
php composer.phar update vendor/package:2.0.1 vendor/package2:3.0.*
Note: For packages also required in your composer.json the custom constraint must be a subset of the existing constraint. The composer.json constraints still apply and the composer.json is not modified by these temporary update constraints.
source
and dist. Composer uses dist by default. If you pass
--prefer-install=source (or --prefer-source) Composer will install from
source if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use source automatically for dev
versions of packages, use --prefer-install=auto. See also config.preferred-install.
Passing this flag will override the config value.require-dev (this is the default behavior).require-dev. The autoloader generation skips the autoload-dev rules. Also see COMPOSER_NO_DEV.--optimize-autoloader.--apcu-autoloader.php, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these.
See also the platform config option.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard. Appending
a + makes it only ignore the upper-bound of the requirements. For example, if a package
requires php: ^7, then the option --ignore-platform-req=php+ would allow installing on PHP 8,
but installation on PHP 5.6 would still fail.--prefer-stable. Can also be set via the
COMPOSER_PREFER_LOWEST=1 env var.bump after performing the update. Set to dev or no-dev to only bump those dependencies.Specifying one of the words mirrors, lock, or nothing as an argument has the same effect as specifying the option --lock, for example composer update mirrors is exactly the same as composer update --lock.
The require command adds new packages to the composer.json file from
the current directory. If no file exists one will be created on the fly.
If you do not specify a package, Composer will prompt you to search for a package, and given results, provide a list of matches to require.
php composer.phar require
After adding/changing the requirements, the modified requirements will be installed or updated.
If you do not want to choose requirements interactively, you can pass them to the command.
php composer.phar require "vendor/package:2.*" vendor/package2:dev-master
If you do not specify a version constraint, composer will choose a suitable one based on the available package versions.
php composer.phar require vendor/package vendor/package2
If you do not want to install the new dependencies immediately you can call it with --no-update
require-dev.source
and dist. Composer uses dist by default. If you pass
--prefer-install=source (or --prefer-source) Composer will install from
source if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use source automatically for dev
versions of packages, use --prefer-install=auto. See also config.preferred-install.
Passing this flag will override the config value.--no-dev option. Also see COMPOSER_NO_DEV.php, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these.
See also the platform config option.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.--prefer-stable. Can also be set via the
COMPOSER_PREFER_LOWEST=1 env var.-w/-W, only perform absolutely necessary
changes to transitive dependencies. Can also be set via the COMPOSER_MINIMAL_CHANGES=1 env var.composer.json.--optimize-autoloader.--apcu-autoloader.The remove command removes packages from the composer.json file from
the current directory.
php composer.phar remove vendor/package vendor/package2
After removing the requirements, the modified requirements will be uninstalled.
require-dev.-w/-W, only perform absolutely necessary
changes to transitive dependencies. Can also be set via the COMPOSER_MINIMAL_CHANGES=1 env var.php, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these.
See also the platform config option.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.--optimize-autoloader.--apcu-autoloader.The bump command increases the lower limit of your composer.json requirements
to the currently installed versions. This helps to ensure your dependencies do not
accidentally get downgraded due to some other conflict, and can slightly improve
dependency resolution performance as it limits the amount of package versions
Composer has to look at.
Running this blindly on libraries is NOT recommended as it will narrow down
your allowed dependencies, which may cause dependency hell for your users.
Running it with --dev-only on libraries may be fine however as dev requirements
are local to the library and do not affect consumers of the package.
The reinstall command looks up installed packages by name,
uninstalls them and reinstalls them. This lets you do a clean install
of a package if you messed with its files, or if you wish to change
the installation type using --prefer-install.
php composer.phar reinstall acme/foo acme/bar
You can specify more than one package name to reinstall, or use a wildcard to select several packages at once:
php composer.phar reinstall "acme/*"
source
and dist. Composer uses dist by default. If you pass
--prefer-install=source (or --prefer-source) Composer will install from
source if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use source automatically for dev
versions of packages, use --prefer-install=auto. See also config.preferred-install.
Passing this flag will override the config value.--optimize-autoloader.--apcu-autoloader.The check-platform-reqs command checks that your PHP and extensions versions match the platform requirements of the installed packages. This can be used to verify that a production server has all the extensions needed to run a project after installing it for example.
Unlike update/install, this command will ignore config.platform settings and check the real platform packages so you can be certain you have the required platform dependencies.
The global command allows you to run other commands like install, remove, require
or update as if you were running them from the COMPOSER_HOME
directory.
This is merely a helper to manage a project stored in a central location that can hold CLI tools or Composer plugins that you want to have available everywhere.
This can be used to install CLI utilities globally. Here is an example:
php composer.phar global require friendsofphp/php-cs-fixer
Now the php-cs-fixer binary is available globally. Make sure your global
vendor binaries directory is in your $PATH
environment variable, you can get its location with the following command :
php composer.phar global config bin-dir --absolute
If you wish to update the binary later on you can run a global update:
php composer.phar global update
The search command allows you to search through the current project's package repositories. Usually this will be packagist. You pass it the terms you want to search for.
php composer.phar search monolog
You can also search for more than one term by passing multiple arguments.
url, repository, downloads and favers) are available
for Packagist.org search results and other repositories may return more or less
data.To list all of the available packages, you can use the show command.
php composer.phar show
To filter the list you can pass a package mask using wildcards.
php composer.phar show "monolog/*"
monolog/monolog 2.4.0 Sends your logs to files, sockets, inboxes, databases and various web services
If you want to see the details of a certain package, you can pass the package name.
php composer.phar show monolog/monolog
name : monolog/monolog
descrip. : Sends your logs to files, sockets, inboxes, databases and various web services
keywords : log, logging, psr-3
versions : * 1.27.1
type : library
license : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : http://github.com/Seldaek/monolog
source : [git] https://github.com/Seldaek/monolog.git 904713c5929655dc9b97288b69cfeedad610c9a1
dist : [zip] https://api.github.com/repos/Seldaek/monolog/zipball/904713c5929655dc9b97288b69cfeedad610c9a1 904713c5929655dc9b97288b69cfeedad610c9a1
names : monolog/monolog, psr/log-implementation
support
issues : https://github.com/Seldaek/monolog/issues
source : https://github.com/Seldaek/monolog/tree/1.27.1
autoload
psr-4
Monolog\ => src/Monolog
requires
php >=5.3.0
psr/log ~1.0
You can even pass the package version, which will tell you the details of that specific version.
php composer.phar show monolog/monolog 1.0.2
*). Use it with the --outdated option if you don't want to be informed about new versions of some packagesphp, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these. Use with the --outdated option.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard. Use with
the --outdated option.The outdated command shows a list of installed packages that have updates available,
including their current and latest versions. This is basically an alias for
composer show -lo.
The color coding is as such:
~): Dependency has a new version available that includes backwards compatibility breaks according to semver, so upgrade when
you can but it may involve work.composer show --latest).*). Use it if you don't want to be informed about new versions of some packagesphp, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.The browse (aliased to home) opens a package's repository URL or homepage
in your browser.
Lists all packages suggested by the currently installed set of packages. You can
optionally pass one or multiple package names in the format of vendor/package
to limit output to suggestions made by those packages only.
Use the --by-package (default) or --by-suggestion flags to group the output by
the package offering the suggestions or the suggested packages respectively.
If you only want a list of suggested package names, use --list.
require-dev packages.Discover how to help fund the maintenance of your dependencies. This lists
all funding links from the installed dependencies. Use --format=json to
get machine-readable output.
The depends command tells you which other packages depend on a certain
package. As with installation require-dev relationships are only considered
for the root package.
php composer.phar depends doctrine/lexer
doctrine/annotations 1.13.3 requires doctrine/lexer (1.*)
doctrine/common 2.13.3 requires doctrine/lexer (^1.0)
You can optionally specify a version constraint after the package to limit the search.
Add the --tree or -t flag to show a recursive tree of why the package is
depended upon, for example:
php composer.phar depends psr/log -t
psr/log 1.1.4 Common interface for logging libraries
├──composer/composer 2.4.x-dev (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/composer dev-main (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/xdebug-handler 3.0.3 (requires psr/log ^1 || ^2 || ^3)
│ ├──composer/composer 2.4.x-dev (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
│ └──composer/composer dev-main (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
└──symfony/console v5.4.11 (conflicts psr/log >=3) (circular dependency aborted here)
The prohibits command tells you which packages are blocking a given package
from being installed. Specify a version constraint to verify whether upgrades
can be performed in your project, and if not why not. See the following
example:
php composer.phar prohibits symfony/symfony 3.1
laravel/framework v5.2.16 requires symfony/var-dumper (2.8.*|3.0.*)
Note that you can also specify platform requirements, for example to check whether you can upgrade your server to PHP 8.0:
php composer.phar prohibits php 8
doctrine/cache v1.6.0 requires php (~5.5|~7.0)
doctrine/common v2.6.1 requires php (~5.5|~7.0)
doctrine/instantiator 1.0.5 requires php (>=5.3,<8.0-DEV)
As with depends you can request a recursive lookup, which will list all
packages depending on the packages that cause the conflict.
You should always run the validate command before you commit your
composer.json file (and composer.lock if applicable), and before you tag a release.
It will check if your
composer.json is valid. If a composer.lock exists, it will also check if it is up to date with the composer.json.
php composer.phar validate
composer.json use unbound or overly strict version constraints.composer.lock exists and is not up to date.composer.json is unsuitable for publishing as a package on Packagist but is otherwise valid.If you often need to modify the code of your dependencies and they are
installed from source, the status command allows you to check if you have
local changes in any of them.
php composer.phar status
With the --verbose option you get some more information about what was
changed:
php composer.phar status -v
You have changes in the following dependencies:
vendor/seld/jsonlint:
M README.mdown
To update Composer itself to the latest version, run the self-update
command. It will replace your composer.phar with the latest version.
php composer.phar self-update
If you would like to instead update to a specific release specify it:
php composer.phar self-update 2.4.0-RC1
If you have installed Composer for your entire system (see global installation),
you may have to run the command with root privileges
sudo -H composer self-update
If Composer was not installed as a PHAR, this command is not available. (This is sometimes the case when Composer was installed by an operating system package manager.)
The config command allows you to edit Composer config settings and repositories
in either the local composer.json file or the global config.json file.
Additionally it lets you edit most properties in the local composer.json.
php composer.phar config --list
config [options] [setting-key] [setting-value1] ... [setting-valueN]
setting-key is a configuration option name and setting-value1 is a
configuration value. For settings that can take an array of values (like
github-protocols), multiple setting-value arguments are allowed.
You can also edit the values of the following properties:
description, homepage, keywords, license, minimum-stability,
name, prefer-stable, type and version.
See the Config chapter for valid configuration options.
$COMPOSER_HOME/config.json by default. Without this option, this command
affects the local composer.json file or a file specified by --file.EDITOR env variable. With the --global option, this opens
the global config file.setting-key.--global
option this lists the global configuration only.--global option.*-dir config values
instead of relative.extra.* keys.extra.* keys in combination with --json.In addition to modifying the config section, the config command also supports making
changes to the repositories section by using it the following way:
php composer.phar config repositories.foo vcs https://github.com/foo/bar
If your repository requires more configuration options, you can instead pass its JSON representation :
php composer.phar config repositories.foo '{"type": "vcs", "url": "http://svn.example.org/my-project/", "trunk-path": "master"}'
In addition to modifying the config section, the config command also supports making
changes to the extra section by using it the following way:
php composer.phar config extra.foo.bar value
The dots indicate array nesting, a max depth of 3 levels is allowed though. The above
would set "extra": { "foo": { "bar": "value" } }.
If you have a complex value to add/modify, you can use the --json and --merge flags
to edit extra fields as json:
php composer.phar config --json extra.foo.bar '{"baz": true, "qux": []}'
The repo command lets you manage repositories in your composer.json. It is more powerful and recommended over using composer config repositories.* to manipulate the repositories configuration. Refer to Repositories documentation for details on the available types and configuration options.
repo [options] list
repo [options] add [repo-name] [repo-type] [url]
repo [options] add [repo-name] [json-repo-definition]
repo [options] remove [repo-name]
repo [options] set-url [repo-name] [url]
repo [options] get-url [repo-name]
repo [options] enable packagist.org
repo [options] disable packagist.org
$COMPOSER_HOME/config.json.<name>.<name>. The <name> must match an existing repository name.php composer.phar repo list
php composer.phar repo add foo vcs https://github.com/acme/foo
php composer.phar repo add bar composer https://repo.packagist.com/bar
php composer.phar repo add zips '{"type":"artifact","url":"/path/to/dir/with/zips"}'
php composer.phar repo add baz vcs https://example.org --before foo
php composer.phar repo add qux vcs https://example.org --after bar
php composer.phar repo remove foo
php composer.phar repo set-url foo https://git.example.org/acme/foo
php composer.phar repo get-url foo
php composer.phar repo disable packagist.org
php composer.phar repo enable packagist.org
You can use Composer to create new projects from an existing package. This is
the equivalent of doing a git clone/svn checkout followed by a composer install
of the vendors.
There are several applications for this:
To create a new project using Composer you can use the create-project command.
Pass it a package name, and the directory to create the project in. You can also
provide a version as a third argument, otherwise the latest version is used.
If the directory does not currently exist, it will be created during installation.
php composer.phar create-project composer/hello-world my-project
It is also possible to run the command without params in a directory with an
existing composer.json file to bootstrap a project.
By default the command checks for the packages on packagist.org.
stable.source
and dist. Composer uses dist by default. If you pass
--prefer-install=source (or --prefer-source) Composer will install from
source if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use source automatically for dev
versions of packages, use --prefer-install=auto. See also config.preferred-install.
Passing this flag will override the config value.composer repository, a path to a local packages.json file, or a
JSON string which similar to what the repositories
key accepts. You can use this multiple times to configure multiple repositories.require-dev.php, hhvm,
lib-* and ext-*) and force the installation even if the local machine does
not fulfill these.
See also the platform config option.php,
hhvm, lib-* and ext-*) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.If you need to update the autoloader because of new classes in a classmap
package for example, you can use dump-autoload to do that without having to
go through an install or update.
Additionally, it can dump an optimized autoloader that converts PSR-0/4 packages into classmap ones for performance reasons. In large applications with many classes, the autoloader can take up a substantial portion of every request's time. Using classmaps for everything is less convenient in development, but using this option you can still use PSR-0/4 for convenience and classmaps for performance.
--optimize.--apcu.install or update --no-dev state.install or update --no-dev state.php, hhvm, lib-* and ext-*
requirements and skip the platform check for these.
See also the platform config option.php, hhvm,
lib-* and ext-*) and skip the platform check for it.
Multiple requirements can be ignored via wildcard.--optimize to work.--optimize to work.Deletes all content from Composer's cache directories.
Lists the name, version and license of every package installed. Use
--format=json to get machine-readable output.
To run scripts manually you can use this command, give it the script name and optionally any required arguments.
Executes a vendored binary/script. You can execute any command and this will ensure that the Composer bin-dir is pushed on your PATH before the command runs.
If you think you found a bug, or something is behaving strangely, you might
want to run the diagnose command to perform automated checks for many common
problems.
php composer.phar diagnose
This command is used to generate a zip/tar archive for a given package in a given version. It can also be used to archive your entire project without excluded/ignored files.
php composer.phar archive vendor/package 2.0.21 --format=zip
This command is used to audit the packages you have installed for potential security issues. It checks for and lists security
vulnerability advisories using the Packagist.org api by default
or other repositories if specified in the repositories section of composer.json.
The command also detects abandoned packages.
The audit command determines if there are vulnerable or abandoned packages and returns the following exit codes based on the findings:
0 No issues;1 Vulnerable packages;2 Abandoned packages;3 Vulnerable and abandoned packages.php composer.phar audit
To get more information about a certain command, you can use help.
php composer.phar help install
Command-line completion can be enabled by running the composer completion --help command and
following the instructions.
You can set a number of environment variables that override certain settings.
Whenever possible it is recommended to specify these settings in the config
section of composer.json instead. It is worth noting that the env vars will
always take precedence over the values specified in composer.json.
By setting the COMPOSER env variable it is possible to set the filename of
composer.json to something else.
For example:
COMPOSER=composer-other.json php composer.phar install
The generated lock file will use the same name: composer-other.lock in this example.
If set to 1, this env disables the warning about running commands as root/super user. It also disables automatic clearing of sudo sessions, so you should really only set this if you use Composer as a super user at all times like in docker containers.
If set to 1, this env allows running Composer when the Xdebug extension is enabled, without restarting PHP without it.
The COMPOSER_AUTH var allows you to set up authentication as an environment variable.
The contents of the variable should be a JSON formatted object containing http-basic,
github-oauth, bitbucket-oauth, ... objects as needed,
and following the
spec from the config.
Override the bin-compat config setting.
By setting this option you can change the bin (Vendor Binaries)
directory to something other than vendor/bin.
The COMPOSER_CACHE_DIR var allows you to change the Composer cache directory,
which is also configurable via the cache-dir option.
By default, it points to C:\Users\<user>\AppData\Local\Composer (or %LOCALAPPDATA%/Composer) on Windows.
On *nix systems that follow the XDG Base
Directory Specifications,
it points to $XDG_CACHE_HOME/composer. On other *nix systems and on macOS, it points to
$COMPOSER_HOME/cache.
By setting this environmental value, you can set a path to a certificate bundle file to be used during SSL/TLS peer verification.
If set to 1, this env suppresses a warning when Composer is running with the Xdebug extension enabled.
This env var controls the discard-changes config option.
If set to 0, this env suppresses funding notices when installing.
The COMPOSER_HOME var allows you to change the Composer home directory. This
is a hidden, global (per-user on the machine) directory that is shared between
all projects.
Use composer config --global home to see the location of the home directory.
By default, it points to C:\Users\<user>\AppData\Roaming\Composer on Windows
and /Users/<user>/.composer on macOS. On *nix systems that follow the XDG Base
Directory Specifications,
it points to $XDG_CONFIG_HOME/composer. On other *nix systems, it points to
/home/<user>/.composer.
You may put a config.json file into the location which COMPOSER_HOME points
to. Composer will partially (only config and repositories keys) merge this
configuration with your project's composer.json when you run the install and
update commands.
This file allows you to set repositories and configuration for the user's projects.
In case global configuration matches local configuration, the local
configuration in the project's composer.json always wins.
Defaults to 1. If set to 0, Composer will not create .htaccess files in the
Composer home, cache, and data directories.
If set, the value is used as php's memory_limit.
If set to 1, this env changes the default path repository strategy to mirror instead
of symlink. As it is the default strategy being set it can still be overwritten by
repository options.
If set to 1, this env var will make Composer behave as if you passed the
--no-interaction flag to every command. This can be set on build boxes/CI.
This env var controls the time Composer waits for commands (such as git commands) to finish executing. The default value is 300 seconds (5 minutes).
By setting this var you can specify the version of the root package, if it
cannot be guessed from VCS info and is not present in composer.json.
By setting this var you can make Composer install the dependencies into a
directory other than vendor.
This lets you hint under which environment Composer is running, which can help Composer
work around some environment specific issues. The only value currently supported is
virtualbox, which then enables some short sleep() calls to wait for the filesystem
to have written files properly before we attempt reading them. You can set the
environment variable if you use Vagrant or VirtualBox and experience issues with files not
being found during installation even though they should be present.
See the proxy documentation for more details on how to use proxy env vars.
Set to an integer to configure how many files can be downloaded in parallel. This defaults to 12 and must be between 1 and 50. If your proxy has issues with concurrency maybe you want to lower this. Increasing it should generally not result in performance gains.
Set to an integer to configure how many processes can be executed in parallel. This defaults to 10 and must be between 1 and 50.
Set to 4 or 6 to force IPv4 or IPv6 DNS resolution. This only works when the
curl extension is used for downloads.
If set, makes the self-update command write the new Composer phar file into that path instead of overwriting itself. Useful for updating Composer on a read-only filesystem.
If set to 1, disables network access (best effort). This can be used for debugging or
to run Composer on a plane or a starship with poor connectivity.
If set to prime, GitHub VCS repositories will prime the cache, so it can then be used
fully offline with 1.
If set to 1, outputs information about events being dispatched, which can be
useful for plugin authors to identify what is firing when exactly.
Accepts a comma-seperated list of event names, e.g. post-install-cmd for which scripts execution should be skipped.
If set to 1, it is the equivalent of passing the --no-audit option to a require, update, remove or create-project command.
Set to ignore, report or fail to override the audit.abandoned
config option.
If set to 1, it is the equivalent of passing the --no-security-blocking option to a require, update, remove, install, or create-project command. This allows installing packages with security advisories or that are abandoned. It overrides the config option audit.block-insecure.
If set to 1, enables blocking of abandoned packages during dependency resolution (equivalent to setting audit.block-abandoned config to true). If set to 0, disables blocking of abandoned packages. Note that this setting does not have any effect if security blocking is generally disabled. It overrides the config option audit.block-abandoned.
If set to 1, it is the equivalent of passing the --update-no-dev option to require
or the --no-dev option to install or update. You can override this for a single
command by setting COMPOSER_NO_DEV=0.
If set to 1, it is the equivalent of passing the --prefer-stable option to
update or require.
If set to 1, it is the equivalent of passing the --prefer-lowest option to
update or require.
If set to 1, when resolving dependencies with both --prefer-stable and
--prefer-lowest enabled, dev versions are treated as more stable than
alpha/beta/RC versions in cases where no stable release exists. This is useful
to test lowest versions while still preferring branches that may contain
critical fixes over prerelease versions.
If set to 1, it is the equivalent of passing the --minimal-changes option to
update, require or remove.
If COMPOSER_IGNORE_PLATFORM_REQS set to 1, it is the equivalent of passing the --ignore-platform-reqs argument.
Otherwise, specifying a comma separated list in COMPOSER_IGNORE_PLATFORM_REQ will ignore those specific requirements.
For example, if a development workstation will never run database queries, this can be used to ignore the requirement for the database extensions to be available. If you set COMPOSER_IGNORE_PLATFORM_REQ=ext-oci8, then composer will allow packages to be installed even if the oci8 PHP extension is not enabled.
If set to 1, it is the equivalent of passing the --with-dependencies option to
update, require or remove.
If set to 1, it is the equivalent of passing the --with-all-dependencies option to
update, require or remove.
Since Composer uses symfony/console,
you can define the verbosity level.
SHELL_VERBOSITY=-1 to hide the output of Composer
(this is equivalent to using the CLI option --quiet).
Please note that this will apply to every tool that rely on symfony/console,
you can set SHELL_VERBOSITY=0 after the calls to Composer in order to restore the default verbosity level.