Composer 2 Development Update

Back in September 2018 we started working on a 2.0 branch for Composer. It took us a while to get there as we refactored, trying to bake in all the things we learned maintaining the project since 2011. The funding from Private Packagist subscriptions has provided us with enough time to make some big improvements.

A few weeks ago, following Composer's 9 year anniversary, we decided it was time to get more people to look at it and push the 2.0 release to the finish line. I announced that snapshot builds would now be built from 2.0-dev.

We have had quite a bit of feedback, worked on more features and got things much more stable, and now it would be great to get even more people to test it!

How can you test Composer 2?

Running composer self-update --snapshot will install the latest 2.0-dev snapshot. Run composer self-update --1 to get back to the latest 1.x stable.

If you have not looked at the changelog yet, you can have a look at the full changelog and upgrade notes. If you already read it when we first published it, below is a copy of the latest changes since the Twitter announcement.

If you are a plugin author it is especially important that you test early, and make sure your plugin is compatible hopefully before we hit the stable release to avoid people being stuck unable to update their projects using Composer 2.

Where do we go from here?

I hope to get a first alpha out in the next couple of weeks. There are still a few features and core issues we need to look at first, but the list is getting shorter. After that we will focus on stability only and I think it's already looking quite good on that front so a stable release should hopefully follow in June sometime.

Composer 2 changes since April 8th


  • Added a platform-check step when vendor/autoload.php gets initialized which checks the current PHP version/extensions match what is expected and fails hard otherwise. Can be disabled with the platform-check config option
  • Added a Composer\InstalledVersions class which is autoloaded in every project and lets you check which packages/versions are present at runtime
  • Added a composer-runtime-api virtual package which you can require (as e.g. ^2.0) to ensure things like the InstalledVersions class above are present. It will effectively force people to use Composer 2.x to install your project
  • Added support for parallel downloads of package metadata and zip files, this requires that the curl extension is present and we thus strongly recommend enabling curl
  • Added only, exclude and canonical options to all repositories, see repository priorities for details
  • Added post-file-download event to be fired after package dist files are downloaded, which lets you do additional checks on the files
  • Added --unused flag to remove command to make sure any packages which are not needed anymore get removed
  • Added --no-install flag to update, require and remove commands to disable the install step and only do the update step (composer.lock file update)
  • Added --json and --merge flags to config command to allow editing complex extra.* values by using json as input
  • Added --no-check-version to validate command to remove the warning in case the version is defined

Upgrade Notes:

  • The new platform-check feature means that Composer checks the runtime PHP version and available extensions to ensure they match the project dependencies. If a mismatch is found, it exits with error details to make sure problems are not overlooked. To avoid issues when deploying to production it is recommended to run composer check-platform-reqs with the production PHP process as part of your build or deployment process.
  • If a packages exists in a higher priority repository, it will now be entirely ignored in lower priority repositories. See repository priorities for details.
  • PEAR support (repository, downloader, etc.) has been removed