How to install and use Composer on Debian 8


Composer is a popular dependency management tool for PHP, built primarily to make it easy to install and update project dependencies. It will check which other packages of a particular project depends on it and install them for you using the appropriate versions as required by the project.

This tutorial will show you how to install and how to get started with composer on a Debian 8 server.


For this tutorial you will need:

  • One Debian 8 server with a non-root sudo user as shown in the initial server setup with Debian 8.

Step 1 – Installing Dependencies

Before downloading and installing Composer, we need to make sure that our server has all the required dependencies installed.

First, you need to update your package manager cache.

sudo apt-get update

Now, let’s install the dependencies. We need curl in order to download the composer and php5-cli, a PHP package to install and run. The composer uses git, source control system to load the project dependencies. You can install all three of these packages right away with this command:

sudo apt-get install curl php5-cli git

Now that the main dependencies are installed, let’s go ahead and install Composer itself.

Step 2 – Downloading and Installing Composer

We will follow the instructions as written in the composer’s official documentation with a slight modification to install Composer globally in /usr/local/bin… This will allow every user on the server to use Composer.

Download the installer to the directory /tmp

php -r "copy('', '/tmp/composer-setup.php');"

Visit the page composer’s pubkeys and copy the SHA-384 line at the top. Then run the following command, replacing the line sha_384_string

php -r "if (hash_file('SHA384', '/tmp/composer-setup.php') === 'sha_384_string') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('/tmp/composer-setup.php'); } echo PHP_EOL;"

This command checks the hash of the uploaded file with the correct hash from the composer’s site. If it matches, it will write that installer checked… If it doesn’t match, it will print installer corrupted, in this case you should double check that you copied the SHA-384 string correctly.

Next, we’ll install Composer. In order to set it globally within /usr/local/bin, we will use the flag --install-dir; --filename tells the installer the name of the composer executable. Here’s how to do it in one command:

sudo php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer

You will see a message like the following:


All settings correct for using Composer

Composer (version 1.3.2) successfully installed to: /usr/local/bin/composer
Use it: php /usr/local/bin/composer

You can verify that Composer was installed correctly by checking its version.

composer --version

You should see the version that was installed. At the time of this writing, the Composer version is as follows:

Composer version 1.3.2 2017-01-27 18:23:41

Finally, you can safely remove the installation script as you no longer need it.

rm /tmp/composer-setup.php

Composer is now up and running, waiting for your project to use it. In the next section, you will generate a file composer.jsonwhich includes the PHP libraries your project depends on.

Step 3 – Generating the composer.json file

In order to use Composer for a project, you need the file composer.json… File composer.json tells Composer which dependencies it needs to download for your project, and which versions of each package are allowed to install. This is important to keep your project consistent and to avoid installing unstable versions that could potentially lead to backward compatibility issues.

You don’t need to manually create this file; it’s easy to run into syntax errors if you do. The composer will automatically generate the file composer.json when adding a dependency to a project using the command require… Additional dependencies can also be added in the same way, without having to manually edit this file.

The process of using Composer to install a dependent package in a project usually involves the following steps:

  • Determine which libraries the application needs
  • Checking suitable open source libraries for, the official repository for Composer
  • Choosing the package you want to depend on
  • Running composer require, including dependency in file composer.json and installing the package

We’ll see how this works in practice with a simple demo application.

The purpose of this application is to turn this sentence into a slug, which is a URL-friendly string. This is used to convert page titles to URL paths (as the final URL for this tutorial).

Let’s start by creating a directory for the project. We will call him slugify :

cd ~

mkdir slugify

cd slugify

Next, let’s look for the libraries we should be using.

When looking for packages on Packagist

Next, we will search Packagist for a package to help generate the slug. If you are looking for “slug“, you will see a list of packages. On the right side of each package listed, you will see two numbers: the number at the top, how many times the package has been installed, and the number at the bottom shows how many times the package has been starred on GitHub.

Generally speaking, packages with more installations and stars tend to be more stable because many people use them. It is also important to check the package description to ensure that the package is indeed what you are looking for.

What we need is a simple string to slug converter. As an example here, we will use the package cocur/slugify… Seems to be a good package because it has a reasonable number of installs and stars.

You will notice that packages on Packagist have a vendor name and a package name. Each package has a unique identifier (namespaces) in the same format GitHub uses for its repositories: vendor/package… The library we want to install uses the namespace cocur/slugify… The namespace is what we need in order to require a package in our project.

Now that we have defined the library we want to add it to the file composer.json

Package requirement

We can run composer require, to include the library as a dependency and also generate the file composer.json for the project:

composer require cocur/slugify


Using version ^2.3 for cocur/slugify
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Installing cocur/slugify (v2.3) Downloading: 100%         
Writing lock file
Generating autoload files

As you can see from the output, the composer has automatically decided which version of the package should be used. If you look at your project directory now, it will contain two new files: composer.json and composer.lock, and the directory /vendor:

ls -l


total 12
-rw-r--r-- 1 sammy sammy   59 Feb  1 13:43 composer.json
-rw-r--r-- 1 sammy sammy 2896 Feb  1 13:43 composer.lock
drwxr-xr-x 4 sammy sammy 4096 Feb  1 13:43 vendor

Файл composer.lock is used to keep track of which versions of each package are installed, and will make sure the same versions are used if someone clones your project and installs its dependencies. Catalog /vendorwhere the project dependencies are located. Catalog /vendor should not be committed in a version control system; you only need to include files composer.json and composer.lock

Note: When installing a project that already contains a composer.json file, you need to run the composer installation to download the project dependencies.

You may notice that the file composer.lock contains specific information about the PHP version dependency of our project libraries. Composer uses a special syntax to restrict libraries to specific versions. Let’s see how it works.

Understanding version restrictions

If you check the contents of your file composer.jsonthen you will see something like this:

cat composer.json


    "require": {
        "cocur/slugify": "^2.3"

There is an insert character, ^before the version number. Composer supports several different constraints and formats for specifying the required version of a package, in order to provide flexibility while keeping the project stable. The carriage operator is used in an auto-generated file composer.json и is the recommended operator for maximum compatibility, after semantic versioning. In this case, it determines 1.3 as the minimum compatible version and also allows upgrades to any future version below 2.0 … You can read more details on major versions at Composer version documentation

So far we have seen how to add and restrict PHP libraries in our project needs Composer using the file composer.json… The next step is to use these libraries inside our application. For this purpose, composer gives the file autoload.phpwhich facilitates the process of loading external libraries.

Step 4 – Enabling the autoload script

Composer provides an autoload script that you can include in your project to get it bootstrapped for free. This makes it much easier to work with dependencies and define your own namespaces. The only thing you need to do is include the file vendor/autoload.php in your scripts before any instance class.

Let’s go back to the slugify example application. Use nano or your favorite text editor to create a script test.phpwhere we will use the library cocur/slugify

nano test.php


require __DIR__ . '/vendor/autoload.php';

use CocurSlugifySlugify;

$slugify = new Slugify();

echo $slugify->slugify('Hello World, this is a long sentence and I need to make a slug from it!');

You can run the script on the command line with:

php test.php

This should produce an output:



You will completely customize composer, but read on to find out how to save preferences.

Step 5 – Updating Composer and Project Dependencies (Optional)

To update Composer you can use the built-in command self-update… Since composer is installed globally, you need to run the command with superuser privileges.

sudo -H composer self-update

You can update one or more specific libraries by listing them specifically in composer update

composer update namespace/package

If you want to update all your project dependencies, run the command update

composer update

This will check for new versions of the libraries you need in your project. If a new version is found and it will be compatible with the version of the restriction defined in the file composer.json, it will replace the previous version installed. File composer.lock will be updated to reflect these changes.


Composer is a powerful tool, every PHP developer should have the necessary programs in their bundle. In addition to providing an easy and reliable way to manage project dependencies, it also sets a new de facto standard for sharing and discovering community generated PHP packages.

In this tutorial, we briefly covered the basics of Composer: how to install it, how to create a project and find packages for it, and how to save it. To find out more, you can explore official Composer documentation