ℹ️ Skipped - page is already crawled
| Filter | Status | Condition | Details |
|---|---|---|---|
| HTTP status | PASS | download_http_code = 200 | HTTP 200 |
| Age cutoff | PASS | download_stamp > now() - 6 MONTH | 0 months ago |
| History drop | PASS | isNull(history_drop_reason) | No drop reason |
| Spam/ban | PASS | fh_dont_index != 1 AND ml_spam_score = 0 | ml_spam_score=0 |
| Canonical | PASS | meta_canonical IS NULL OR = '' OR = src_unparsed | Not set |
| Property | Value |
|---|---|
| URL | https://getcomposer.org/doc/03-cli.md |
| Last Crawled | 2026-04-06 17:29:55 (2 hours ago) |
| First Indexed | 2013-08-08 19:31:27 (12 years ago) |
| HTTP Status Code | 200 |
| Meta Title | Command-line interface / Commands - Composer |
| Meta Description | A Dependency Manager for PHP |
| Meta Canonical | null |
| Boilerpipe Text | Bash Completions
Global Options
Process Exit Codes
init
install / i
update / u / upgrade
require / r
remove / rm / uninstall
bump
reinstall
check-platform-reqs
global
search
show / info
outdated
browse / home
suggests
fund
depends / why
prohibits / why-not
validate
status
self-update / selfupdate
config
Usage
Modifying Repositories
Modifying Extra Values
repository / repo
Usage
Examples
create-project
dump-autoload / dumpautoload
clear-cache / clearcache / cc
licenses
run-script / run
exec
diagnose
archive
audit
help
Command-line completion
Environment variables
COMPOSER
COMPOSER_ALLOW_SUPERUSER
COMPOSER_ALLOW_XDEBUG
COMPOSER_AUTH
COMPOSER_BIN_COMPAT
COMPOSER_BIN_DIR
COMPOSER_CACHE_DIR
COMPOSER_CAFILE
COMPOSER_DISABLE_XDEBUG_WARN
COMPOSER_DISCARD_CHANGES
COMPOSER_FUND
COMPOSER_HOME
COMPOSER_HOME/config.json
COMPOSER_HTACCESS_PROTECT
COMPOSER_MEMORY_LIMIT
COMPOSER_MIRROR_PATH_REPOS
COMPOSER_NO_INTERACTION
COMPOSER_PROCESS_TIMEOUT
COMPOSER_ROOT_VERSION
COMPOSER_VENDOR_DIR
COMPOSER_RUNTIME_ENV
http_proxy or HTTP_PROXY
HTTP_PROXY_REQUEST_FULLURI
HTTPS_PROXY_REQUEST_FULLURI
no_proxy or NO_PROXY
COMPOSER_MAX_PARALLEL_HTTP
COMPOSER_MAX_PARALLEL_PROCESSES
COMPOSER_IPRESOLVE
COMPOSER_SELF_UPDATE_TARGET
COMPOSER_DISABLE_NETWORK
COMPOSER_DEBUG_EVENTS
COMPOSER_SKIP_SCRIPTS
COMPOSER_NO_AUDIT
COMPOSER_AUDIT_ABANDONED
COMPOSER_FILTER
COMPOSER_NO_SECURITY_BLOCKING
COMPOSER_SECURITY_BLOCKING_ABANDONED
COMPOSER_NO_DEV
COMPOSER_PREFER_STABLE
COMPOSER_PREFER_LOWEST
COMPOSER_PREFER_DEV_OVER_PRERELEASE
COMPOSER_SOURCE_FALLBACK
COMPOSER_MINIMAL_CHANGES
COMPOSER_IGNORE_PLATFORM_REQ or COMPOSER_IGNORE_PLATFORM_REQS
COMPOSER_WITH_DEPENDENCIES
COMPOSER_WITH_ALL_DEPENDENCIES
SHELL_VERBOSITY
You've already learned how to use the command-line interface to do some
things. This chapter documents all the available commands.
To get help from the command-line, call
composer
or
composer list
to see the complete list of commands, then
--help
combined with any of those
can give you more information.
As Composer uses
symfony/console
you can call commands by short name if it's not ambiguous.
php composer.phar dump
calls
composer dump-autoload
.
Bash Completions
#
To install bash completions you can run
composer completion bash > completion.bash
.
This will create a
completion.bash
file in the current directory.
Then execute
source completion.bash
to enable it in the current terminal session.
Move and rename the
completion.bash
file to
/etc/bash_completion.d/composer
to make
it load automatically in new terminals.
Global Options
#
The following options are available with every command:
--verbose (-v):
Increase verbosity of messages.
--help (-h):
Display help information.
--quiet (-q):
Do not output any message.
--no-interaction (-n):
Do not ask any interactive question.
--no-plugins:
Disables plugins.
--no-scripts:
Skips execution of scripts defined in
composer.json
.
--no-cache:
Disables the use of the cache directory. Same as setting the COMPOSER_CACHE_DIR
env var to /dev/null (or NUL on Windows).
--working-dir (-d):
If specified, use the given directory as working directory.
--profile:
Display timing and memory usage information
--ansi:
Force ANSI output.
--no-ansi:
Disable ANSI output.
--version (-V):
Display this application version.
Process Exit Codes
#
0:
OK
1:
Generic/unknown error code
2:
Dependency solving error code
init
#
In the
Libraries
chapter we looked at how to create a
composer.json
by hand. There is also an
init
command available to do this.
When you run the command it will interactively ask you to fill in the fields,
while using some smart defaults.
php composer.phar init
Options
--name:
Name of the package.
--description:
Description of the package.
--author:
Author name of the package.
--type:
Type of package.
--homepage:
Homepage of the package.
--require:
Package to require with a version constraint. Should be
in format
foo/bar:1.0.0
.
--require-dev:
Development requirements, see
--require
.
--stability (-s):
Value for the
minimum-stability
field.
--license (-l):
License of package.
--repository:
Provide one (or more) custom repositories. They will be stored
in the generated composer.json, and used for auto-completion when prompting for
the list of requires. Every repository can be either an HTTP URL pointing
to a
composer
repository or a JSON string which is similar to what the
repositories
key accepts.
--autoload (-a):
Add a PSR-4 autoload mapping to the composer.json. Automatically maps your package's namespace to the provided directory. (Expects a relative path, e.g. src/) See also
PSR-4 autoload
.
install / i
#
The
install
command reads the
composer.json
file from the current
directory, resolves the dependencies, and installs them into
vendor
.
php composer.phar install
If there is a
composer.lock
file in the current directory, it will use the
exact versions from there instead of resolving them. This ensures that
everyone using the library will get the same versions of the dependencies.
If there is no
composer.lock
file, Composer will create one after dependency
resolution.
Options
--prefer-install:
There are two ways of downloading a package:
source
and
dist
. Composer uses
dist
by default. If you pass
--prefer-install=source
(or
--prefer-source
) Composer will install from
source
if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use
source
automatically for dev
versions of packages, use
--prefer-install=auto
. See also
config.preferred-install
.
Passing this flag will override the config value.
--source-fallback / --no-source-fallback:
Override the
config.source-fallback
setting. When disabled, Composer will not fall back to an alternative download source
(e.g., from dist to source or vice versa) if the preferred one fails. Also see
COMPOSER_SOURCE_FALLBACK
.
--dry-run:
If you want to run through an installation without actually
installing a package, you can use
--dry-run
. This will simulate the
installation and show you what would happen.
--download-only:
Download only, do not install packages.
--dev:
Install packages listed in
require-dev
(this is the default behavior).
--no-dev:
Skip installing packages listed in
require-dev
. The autoloader
generation skips the
autoload-dev
rules. Also see
COMPOSER_NO_DEV
.
--no-autoloader:
Skips autoloader generation.
--no-progress:
Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
--audit:
Run an audit after installation is complete.
--audit-format:
Audit output format. Must be "table", "plain", "json", or "summary" (default).
--no-security-blocking:
Allows installing packages with security advisories or that are abandoned.
Also see
COMPOSER_NO_SECURITY_BLOCKING
.
Only applies when no lock file is present - for installs from a lock file Composer never blocks
vulnerable packages.
--optimize-autoloader (-o):
Convert PSR-0/4 autoloading to classmap to get a faster
autoloader. This is recommended especially for production, but can take
a bit of time to run so it is currently not done by default.
--classmap-authoritative (-a):
Autoload classes from the classmap only.
Implicitly enables
--optimize-autoloader
.
--strict-psr-autoloader:
Return a failed exit code (6) if PSR-4 or PSR-0 mapping errors
are present in the current project (dependencies excluded). Requires
--optimize-autoloader
to work.
--apcu-autoloader:
Use APCu to cache found/not-found classes.
--apcu-autoloader-prefix:
Use a custom prefix for the APCu autoloader cache.
Implicitly enables
--apcu-autoloader
.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these.
See also the
platform
config option.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard. Appending
a
+
makes it only ignore the upper-bound of the requirements. For example, if a package
requires
php: ^7
, then the option
--ignore-platform-req=php+
would allow installing on PHP 8,
but installation on PHP 5.6 would still fail.
update / u / upgrade
#
In order to get the latest versions of the dependencies and to update the
composer.lock
file, you should use the
update
command. This command is also
aliased as
upgrade
as it does the same as
upgrade
does if you are thinking
of
apt-get
or similar package managers.
php composer.phar update
This will resolve all dependencies of the project and write the exact versions
into
composer.lock
.
If you only want to update a few packages and not all, you can list them as such:
php composer.phar update vendor/package vendor/package2
You can also use wildcards to update a bunch of packages at once:
php composer.phar update "vendor/*"
If you want to downgrade a package to a specific version without changing your
composer.json you can use
--with
and provide a custom version constraint:
php composer.phar update --with vendor/package:2.0.1
Note that with the above all packages will be updated. If you only want to
update the package(s) for which you provide custom constraints using
--with
,
you can skip
--with
and instead use constraints with the partial update syntax:
php composer.phar update vendor/package:2.0.1 vendor/package2:3.0.*
Note:
For packages also required in your composer.json the custom constraint
must be a subset of the existing constraint. The composer.json constraints still
apply and the composer.json is not modified by these temporary update constraints.
Options
--prefer-install:
There are two ways of downloading a package:
source
and
dist
. Composer uses
dist
by default. If you pass
--prefer-install=source
(or
--prefer-source
) Composer will install from
source
if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use
source
automatically for dev
versions of packages, use
--prefer-install=auto
. See also
config.preferred-install
.
Passing this flag will override the config value.
--source-fallback / --no-source-fallback:
Override the
config.source-fallback
setting. When disabled, Composer will not fall back to an alternative download source
(e.g., from dist to source or vice versa) if the preferred one fails. Also see
COMPOSER_SOURCE_FALLBACK
.
--dry-run:
Simulate the command without actually doing anything.
--dev:
Install packages listed in
require-dev
(this is the default behavior).
--no-dev:
Skip installing packages listed in
require-dev
. The autoloader generation skips the
autoload-dev
rules. Also see
COMPOSER_NO_DEV
.
--no-install:
Does not run the install step after updating the composer.lock file.
--no-audit:
Does not run the audit steps after updating the composer.lock file. Also see
COMPOSER_NO_AUDIT
.
--audit-format:
Audit output format. Must be "table", "plain", "json", or "summary" (default).
--no-security-blocking:
Allows installing packages with security advisories or that are abandoned. Also see
COMPOSER_NO_SECURITY_BLOCKING
.
--lock:
Overwrites the lock file hash to suppress warning about the lock file being out of
date without updating package versions. Package metadata like mirrors and URLs are updated if
they changed.
--with:
Temporary version constraint to add, e.g. foo/bar:1.0.0 or foo/bar=1.0.0
--no-autoloader:
Skips autoloader generation.
--no-progress:
Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
--with-dependencies (-w):
Update also dependencies of packages in the argument list, except those which are root requirements. Can also be set via the COMPOSER_WITH_DEPENDENCIES=1 env var.
--with-all-dependencies (-W):
Update also dependencies of packages in the argument list, including those which are root requirements. Can also be set via the COMPOSER_WITH_ALL_DEPENDENCIES=1 env var.
--optimize-autoloader (-o):
Convert PSR-0/4 autoloading to classmap to get a faster
autoloader. This is recommended especially for production, but can take
a bit of time to run, so it is currently not done by default.
--classmap-authoritative (-a):
Autoload classes from the classmap only.
Implicitly enables
--optimize-autoloader
.
--strict-psr-autoloader:
Return a failed exit code (6) if PSR-4 or PSR-0 mapping errors
are present in the current project (dependencies excluded). Requires
--optimize-autoloader
to work.
--apcu-autoloader:
Use APCu to cache found/not-found classes.
--apcu-autoloader-prefix:
Use a custom prefix for the APCu autoloader cache.
Implicitly enables
--apcu-autoloader
.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these.
See also the
platform
config option.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard. Appending
a
+
makes it only ignore the upper-bound of the requirements. For example, if a package
requires
php: ^7
, then the option
--ignore-platform-req=php+
would allow installing on PHP 8,
but installation on PHP 5.6 would still fail.
--prefer-stable:
Prefer stable versions of dependencies. Can also be set via the
COMPOSER_PREFER_STABLE=1 env var.
--prefer-lowest:
Prefer lowest versions of dependencies. Useful for testing minimal
versions of requirements, generally used with
--prefer-stable
. Can also be set via the
COMPOSER_PREFER_LOWEST=1 env var.
--minimal-changes (-m):
Only perform absolutely necessary changes to dependencies.
If packages cannot be kept at their currently locked version they are updated. For partial
updates the allow-listed packages are always updated fully. Can also be set via
the COMPOSER_MINIMAL_CHANGES=1 env var.
--patch-only:
Only allow patch version updates for currently installed dependencies.
--interactive:
Interactive interface with autocompletion to select the packages to update.
--root-reqs:
Restricts the update to your first degree dependencies.
--bump-after-update:
Runs
bump
after performing the update. Set to
dev
or
no-dev
to only bump those dependencies.
Specifying one of the words
mirrors
,
lock
, or
nothing
as an argument has the same effect as specifying the option
--lock
, for example
composer update mirrors
is exactly the same as
composer update --lock
.
require / r
#
The
require
command adds new packages to the
composer.json
file from
the current directory. If no file exists one will be created on the fly.
If you do not specify a package, Composer will prompt you to search for a package, and given
results, provide a list of matches to require.
php composer.phar require
After adding/changing the requirements, the modified requirements will be
installed or updated.
If you do not want to choose requirements interactively, you can pass them
to the command.
php composer.phar require "vendor/package:2.*" vendor/package2:dev-master
If you do not specify a version constraint, composer will choose a suitable one based
on the available package versions.
php composer.phar require vendor/package vendor/package2
If you do not want to install the new dependencies immediately you can call it with --no-update
Options
--dev:
Add packages to
require-dev
.
--dry-run:
Simulate the command without actually doing anything.
--prefer-install:
There are two ways of downloading a package:
source
and
dist
. Composer uses
dist
by default. If you pass
--prefer-install=source
(or
--prefer-source
) Composer will install from
source
if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use
source
automatically for dev
versions of packages, use
--prefer-install=auto
. See also
config.preferred-install
.
Passing this flag will override the config value.
--source-fallback / --no-source-fallback:
Override the
config.source-fallback
setting. When disabled, Composer will not fall back to an alternative download source
(e.g., from dist to source or vice versa) if the preferred one fails. Also see
COMPOSER_SOURCE_FALLBACK
.
--no-progress:
Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
--no-update:
Disables the automatic update of the dependencies (implies --no-install).
--no-install:
Does not run the install step after updating the composer.lock file.
--no-audit:
Does not run the audit steps after updating the composer.lock file. Also see
COMPOSER_NO_AUDIT
.
--audit-format:
Audit output format. Must be "table", "plain", "json", or "summary" (default).
--no-security-blocking:
Allows installing packages with security advisories or that are abandoned. Also see
COMPOSER_NO_SECURITY_BLOCKING
.
--update-no-dev:
Run the dependency update with the
--no-dev
option. Also see
COMPOSER_NO_DEV
.
--update-with-dependencies (-w):
Also update dependencies of the newly required packages, except those that are root requirements. Can also be set via the COMPOSER_WITH_DEPENDENCIES=1 env var.
--update-with-all-dependencies (-W):
Also update dependencies of the newly required packages, including those that are root requirements. Can also be set via the COMPOSER_WITH_ALL_DEPENDENCIES=1 env var.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these.
See also the
platform
config option.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.
--prefer-stable:
Prefer stable versions of dependencies. Can also be set via the
COMPOSER_PREFER_STABLE=1 env var.
--prefer-lowest:
Prefer lowest versions of dependencies. Useful for testing minimal
versions of requirements, generally used with
--prefer-stable
. Can also be set via the
COMPOSER_PREFER_LOWEST=1 env var.
--minimal-changes (-m):
During an update with
-w
/
-W
, only perform absolutely necessary
changes to transitive dependencies. Can also be set via the COMPOSER_MINIMAL_CHANGES=1 env var.
--sort-packages:
Keep packages sorted in
composer.json
.
--optimize-autoloader (-o):
Convert PSR-0/4 autoloading to classmap to
get a faster autoloader. This is recommended especially for production, but
can take a bit of time to run, so it is currently not done by default.
--classmap-authoritative (-a):
Autoload classes from the classmap only.
Implicitly enables
--optimize-autoloader
.
--apcu-autoloader:
Use APCu to cache found/not-found classes.
--apcu-autoloader-prefix:
Use a custom prefix for the APCu autoloader cache.
Implicitly enables
--apcu-autoloader
.
remove / rm / uninstall
#
The
remove
command removes packages from the
composer.json
file from
the current directory.
php composer.phar remove vendor/package vendor/package2
After removing the requirements, the modified requirements will be
uninstalled.
Options
--unused:
Remove unused packages that are not a direct or indirect dependency (anymore).
--dev:
Remove packages from
require-dev
.
--dry-run:
Simulate the command without actually doing anything.
--no-progress:
Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
--no-update:
Disables the automatic update of the dependencies (implies --no-install).
--no-install:
Does not run the install step after updating the composer.lock file.
--no-audit:
Does not run the audit steps after installation is complete. Also see
COMPOSER_NO_AUDIT
.
--audit-format:
Audit output format. Must be "table", "plain", "json", or "summary" (default).
--no-security-blocking:
Allows installing packages with security advisories or that are abandoned. Also see
COMPOSER_NO_SECURITY_BLOCKING
.
--update-no-dev:
Run the dependency update with the --no-dev option. Also see
COMPOSER_NO_DEV
.
--update-with-dependencies (-w):
Also update dependencies of the removed packages. Can also be set via the COMPOSER_WITH_DEPENDENCIES=1 env var.
(Deprecated, is now default behavior)
--update-with-all-dependencies (-W):
Allows all inherited dependencies to be updated,
including those that are root requirements. Can also be set via the COMPOSER_WITH_ALL_DEPENDENCIES=1 env var.
--minimal-changes (-m):
During an update with
-w
/
-W
, only perform absolutely necessary
changes to transitive dependencies. Can also be set via the COMPOSER_MINIMAL_CHANGES=1 env var.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these.
See also the
platform
config option.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.
--optimize-autoloader (-o):
Convert PSR-0/4 autoloading to classmap to
get a faster autoloader. This is recommended especially for production, but
can take a bit of time to run so it is currently not done by default.
--classmap-authoritative (-a):
Autoload classes from the classmap only.
Implicitly enables
--optimize-autoloader
.
--apcu-autoloader:
Use APCu to cache found/not-found classes.
--apcu-autoloader-prefix:
Use a custom prefix for the APCu autoloader cache.
Implicitly enables
--apcu-autoloader
.
bump
#
The
bump
command increases the lower limit of your composer.json requirements
to the currently installed versions. This helps to ensure your dependencies do not
accidentally get downgraded due to some other conflict, and can slightly improve
dependency resolution performance as it limits the amount of package versions
Composer has to look at.
Running this blindly on libraries is
NOT
recommended as it will narrow down
your allowed dependencies, which may cause dependency hell for your users.
Running it with
--dev-only
on libraries may be fine however as dev requirements
are local to the library and do not affect consumers of the package.
Options
--dev-only:
Only bump requirements in "require-dev".
--no-dev-only:
Only bump requirements in "require".
--dry-run:
Outputs the packages to bump, but will not execute anything.
reinstall
#
The
reinstall
command looks up installed packages by name,
uninstalls them and reinstalls them. This lets you do a clean install
of a package if you messed with its files, or if you wish to change
the installation type using --prefer-install.
php composer.phar reinstall acme/foo acme/bar
You can specify more than one package name to reinstall, or use a
wildcard to select several packages at once:
php composer.phar reinstall "acme/*"
Options
--prefer-install:
There are two ways of downloading a package:
source
and
dist
. Composer uses
dist
by default. If you pass
--prefer-install=source
(or
--prefer-source
) Composer will install from
source
if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use
source
automatically for dev
versions of packages, use
--prefer-install=auto
. See also
config.preferred-install
.
Passing this flag will override the config value.
--source-fallback / --no-source-fallback:
Override the
config.source-fallback
setting. When disabled, Composer will not fall back to an alternative download source
(e.g., from dist to source or vice versa) if the preferred one fails. Also see
COMPOSER_SOURCE_FALLBACK
.
--no-autoloader:
Skips autoloader generation.
--no-progress:
Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
--optimize-autoloader (-o):
Convert PSR-0/4 autoloading to classmap to get a faster
autoloader. This is recommended especially for production, but can take
a bit of time to run so it is currently not done by default.
--classmap-authoritative (-a):
Autoload classes from the classmap only.
Implicitly enables
--optimize-autoloader
.
--apcu-autoloader:
Use APCu to cache found/not-found classes.
--apcu-autoloader-prefix:
Use a custom prefix for the APCu autoloader cache.
Implicitly enables
--apcu-autoloader
.
--ignore-platform-reqs:
ignore all platform requirements. This only
has an effect in the context of the autoloader generation for the
reinstall command.
--ignore-platform-req:
ignore a specific platform requirement. This only
has an effect in the context of the autoloader generation for the
reinstall command. Multiple requirements can be ignored via wildcard.
check-platform-reqs
#
The check-platform-reqs command checks that your PHP and extensions versions
match the platform requirements of the installed packages. This can be used
to verify that a production server has all the extensions needed to run a
project after installing it for example.
Unlike update/install, this command will ignore config.platform settings and
check the real platform packages so you can be certain you have the required
platform dependencies.
Options
--lock:
Checks requirements only from the lock file, not from installed packages.
--no-dev:
Disables checking of require-dev packages requirements.
--format (-f):
Format of the output: text (default) or json
global
#
The global command allows you to run other commands like
install
,
remove
,
require
or
update
as if you were running them from the
COMPOSER_HOME
directory.
This is merely a helper to manage a project stored in a central location that
can hold CLI tools or Composer plugins that you want to have available everywhere.
This can be used to install CLI utilities globally. Here is an example:
php composer.phar global require friendsofphp/php-cs-fixer
Now the
php-cs-fixer
binary is available globally. Make sure your global
vendor binaries
directory is in your
$PATH
environment variable, you can get its location with the following command :
php composer.phar global config bin-dir --absolute
If you wish to update the binary later on you can run a global update:
php composer.phar global update
search
#
The search command allows you to search through the current project's package
repositories. Usually this will be packagist. You pass it the terms you want
to search for.
php composer.phar search monolog
You can also search for more than one term by passing multiple arguments.
Options
--only-name (-N):
Search only in package names.
--only-vendor (-O):
Search only for vendor / organization names, returns only "vendor"
as a result.
--type (-t):
Search for a specific package type.
--format (-f):
Lets you pick between text (default) or json output format.
Note that in the json, only the name and description keys are guaranteed to be
present. The rest (
url
,
repository
,
downloads
and
favers
) are available
for Packagist.org search results and other repositories may return more or less
data.
show / info
#
To list all of the available packages, you can use the
show
command.
php composer.phar show
To filter the list you can pass a package mask using wildcards.
php composer.phar show "monolog/*"
monolog/monolog 2.4.0 Sends your logs to files, sockets, inboxes, databases and various web services
If you want to see the details of a certain package, you can pass the package
name.
php composer.phar show monolog/monolog
name : monolog/monolog
descrip. : Sends your logs to files, sockets, inboxes, databases and various web services
keywords : log, logging, psr-3
versions : * 1.27.1
type : library
license : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : http://github.com/Seldaek/monolog
source : [git] https://github.com/Seldaek/monolog.git 904713c5929655dc9b97288b69cfeedad610c9a1
dist : [zip] https://api.github.com/repos/Seldaek/monolog/zipball/904713c5929655dc9b97288b69cfeedad610c9a1 904713c5929655dc9b97288b69cfeedad610c9a1
names : monolog/monolog, psr/log-implementation
support
issues : https://github.com/Seldaek/monolog/issues
source : https://github.com/Seldaek/monolog/tree/1.27.1
autoload
psr-4
Monolog\ => src/Monolog
requires
php >=5.3.0
psr/log ~1.0
You can even pass the package version, which will tell you the details of that
specific version.
php composer.phar show monolog/monolog 1.0.2
Options
--all:
List all packages available in all your repositories.
--installed (-i):
List the packages that are installed (this is enabled by default, and deprecated).
--locked:
List the locked packages from composer.lock.
--platform (-p):
List only platform packages (php & extensions).
--available (-a):
List available packages only.
--self (-s):
List the root package info.
--name-only (-N):
List package names only.
--path (-P):
List package paths.
--tree (-t):
List your dependencies as a tree. If you pass a package name it will show the dependency tree for that package.
--latest (-l):
List all installed packages including their latest version.
--outdated (-o):
Implies --latest, but this lists
only
packages that have a newer version available.
--ignore:
Ignore specified package(s). Can contain wildcards (
*
). Use it with the --outdated option if you don't want to be informed about new versions of some packages
--no-dev:
Filters dev dependencies from the package list.
--major-only (-M):
Use with --latest or --outdated. Only shows packages that have major SemVer-compatible updates.
--minor-only (-m):
Use with --latest or --outdated. Only shows packages that have minor SemVer-compatible updates.
--patch-only:
Use with --latest or --outdated. Only shows packages that have patch-level SemVer-compatible updates.
--sort-by-age (-A):
Displays the installed version's age, and sorts packages oldest first. Use with the --latest or --outdated option.
--direct (-D):
Restricts the list of packages to your direct dependencies.
--strict:
Return a non-zero exit code when there are outdated packages.
--format (-f):
Lets you pick between text (default) or json output format.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these. Use with the --outdated option.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard. Use with
the --outdated option.
outdated
#
The
outdated
command shows a list of installed packages that have updates available,
including their current and latest versions. This is basically an alias for
composer show -lo
.
The color coding is as such:
green (=)
: Dependency is in the latest version and is up to date.
yellow (
~
)
: Dependency has a new version available that includes backwards compatibility breaks according to semver, so upgrade when
you can but it may involve work.
red (!)
: Dependency has a new version that is semver-compatible and you should upgrade it.
Options
--all (-a):
Show all packages, not just outdated (alias for
composer show --latest
).
--direct (-D):
Restricts the list of packages to your direct dependencies.
--strict:
Returns non-zero exit code if any package is outdated.
--ignore:
Ignore specified package(s). Can contain wildcards (
*
). Use it if you don't want to be informed about new versions of some packages
--major-only (-M):
Only shows packages that have major SemVer-compatible updates.
--minor-only (-m):
Only shows packages that have minor SemVer-compatible updates.
--patch-only (-p):
Only shows packages that have patch-level SemVer-compatible updates.
--sort-by-age (-A):
Displays the installed version's age, and sorts packages oldest first.
--format (-f):
Lets you pick between text (default) or json output format.
--no-dev:
Do not show outdated dev dependencies.
--locked:
Shows updates for packages from the lock file, regardless of what is currently in vendor dir.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.
browse / home
#
The
browse
(aliased to
home
) opens a package's repository URL or homepage
in your browser.
Options
--homepage (-H):
Open the homepage instead of the repository URL.
--show (-s):
Only show the homepage or repository URL.
suggests
#
Lists all packages suggested by the currently installed set of packages. You can
optionally pass one or multiple package names in the format of
vendor/package
to limit output to suggestions made by those packages only.
Use the
--by-package
(default) or
--by-suggestion
flags to group the output by
the package offering the suggestions or the suggested packages respectively.
If you only want a list of suggested package names, use
--list
.
Options
--by-package:
Groups output by suggesting package (default).
--by-suggestion:
Groups output by suggested package.
--all:
Show suggestions from all dependencies, including transitive ones (by
default only direct dependencies' suggestions are shown).
--list:
Show only list of suggested package names.
--no-dev:
Excludes suggestions from
require-dev
packages.
fund
#
Discover how to help fund the maintenance of your dependencies. This lists
all funding links from the installed dependencies. Use
--format=json
to
get machine-readable output.
Options
--format (-f):
Lets you pick between text (default) or json output format.
depends / why
#
The
depends
command tells you which other packages depend on a certain
package. As with installation
require-dev
relationships are only considered
for the root package.
php composer.phar depends doctrine/lexer
doctrine/annotations 1.13.3 requires doctrine/lexer (1.*)
doctrine/common 2.13.3 requires doctrine/lexer (^1.0)
You can optionally specify a version constraint after the package to limit the
search.
Add the
--tree
or
-t
flag to show a recursive tree of why the package is
depended upon, for example:
php composer.phar depends psr/log -t
psr/log 1.1.4 Common interface for logging libraries
├──composer/composer 2.4.x-dev (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/composer dev-main (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/xdebug-handler 3.0.3 (requires psr/log ^1 || ^2 || ^3)
│ ├──composer/composer 2.4.x-dev (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
│ └──composer/composer dev-main (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
└──symfony/console v5.4.11 (conflicts psr/log >=3) (circular dependency aborted here)
Options
--recursive (-r):
Recursively resolves up to the root package.
--tree (-t):
Prints the results as a nested tree, implies -r.
prohibits / why-not
#
The
prohibits
command tells you which packages are blocking a given package
from being installed. Specify a version constraint to verify whether upgrades
can be performed in your project, and if not why not. See the following
example:
php composer.phar prohibits symfony/symfony 3.1
laravel/framework v5.2.16 requires symfony/var-dumper (2.8.*|3.0.*)
Note that you can also specify platform requirements, for example to check
whether you can upgrade your server to PHP 8.0:
php composer.phar prohibits php 8
doctrine/cache v1.6.0 requires php (~5.5|~7.0)
doctrine/common v2.6.1 requires php (~5.5|~7.0)
doctrine/instantiator 1.0.5 requires php (>=5.3,<8.0-DEV)
As with
depends
you can request a recursive lookup, which will list all
packages depending on the packages that cause the conflict.
Options
--recursive (-r):
Recursively resolves up to the root package.
--tree (-t):
Prints the results as a nested tree, implies -r.
validate
#
You should always run the
validate
command before you commit your
composer.json
file (and
composer.lock
if applicable
), and before you tag a release.
It will check if your
composer.json
is valid. If a
composer.lock
exists, it will also check if it is up to date with the
composer.json
.
php composer.phar validate
Options
--no-check-all:
Do not emit a warning if requirements in
composer.json
use unbound or overly strict version constraints.
--no-check-lock:
Do not emit an error if
composer.lock
exists and is not up to date.
--check-lock
Check if lock file is up to date (even when
config.lock
is false)
--no-check-publish:
Do not emit an error if
composer.json
is unsuitable for publishing as a package on Packagist but is otherwise valid.
--no-check-version:
Do not emit an error if the version field is present.
--with-dependencies:
Also validate the composer.json of all installed dependencies.
--strict:
Return a non-zero exit code for warnings as well as errors.
status
#
If you often need to modify the code of your dependencies and they are
installed from source, the
status
command allows you to check if you have
local changes in any of them.
php composer.phar status
With the
--verbose
option you get some more information about what was
changed:
php composer.phar status -v
You have changes in the following dependencies:
vendor/seld/jsonlint:
M README.mdown
self-update / selfupdate
#
To update Composer itself to the latest version, run the
self-update
command. It will replace your
composer.phar
with the latest version.
php composer.phar self-update
If you would like to instead update to a specific release specify it:
php composer.phar self-update 2.4.0-RC1
If you have installed Composer for your entire system (see
global installation
),
you may have to run the command with
root
privileges
sudo -H composer self-update
If Composer was not installed as a PHAR, this command is not available.
(This is sometimes the case when Composer was installed by an operating system package manager.)
Options
--rollback (-r):
Rollback to the last version you had installed.
--clean-backups:
Delete old backups during an update. This makes the
current version of Composer the only backup available after the update.
--no-progress:
Do not output download progress.
--update-keys:
Prompt user for a key update.
--stable:
Force an update to the stable channel.
--preview:
Force an update to the preview channel.
--snapshot:
Force an update to the snapshot channel.
--1:
Force an update to the stable channel, but only use 1.x versions
--2:
Force an update to the stable channel, but only use 2.x versions
--set-channel-only:
Only store the channel as the default one and then exit
config
#
The
config
command allows you to edit Composer config settings and repositories
in either the local
composer.json
file or the global
config.json
file.
Additionally it lets you edit most properties in the local
composer.json
.
php composer.phar config --list
Usage
#
config [options] [setting-key] [setting-value1] ... [setting-valueN]
setting-key
is a configuration option name and
setting-value1
is a
configuration value. For settings that can take an array of values (like
github-protocols
), multiple setting-value arguments are allowed.
You can also edit the values of the following properties:
description
,
homepage
,
keywords
,
license
,
minimum-stability
,
name
,
prefer-stable
,
type
and
version
.
See the
Config
chapter for valid configuration options.
Options
--global (-g):
Operate on the global config file located at
$COMPOSER_HOME/config.json
by default. Without this option, this command
affects the local composer.json file or a file specified by
--file
.
--editor (-e):
Open the local composer.json file using in a text editor as
defined by the
EDITOR
env variable. With the
--global
option, this opens
the global config file.
--auth (-a):
Affect auth config file (only used for --editor).
--unset:
Remove the configuration element named by
setting-key
.
--list (-l):
Show the list of current config variables. With the
--global
option this lists the global configuration only.
--file="..." (-f):
Operate on a specific file instead of composer.json. Note
that this cannot be used in conjunction with the
--global
option.
--absolute:
Returns absolute paths when fetching
*-dir
config values
instead of relative.
--json:
JSON decode the setting value, to be used with
extra.*
keys.
--merge:
Merge the setting value with the current value, to be used with
extra.*
keys in combination with
--json
.
--append:
When adding a repository, append it (lowest priority) to the existing ones instead of prepending it (highest priority).
--source:
Display where the config value is loaded from.
Modifying Repositories
#
In addition to modifying the config section, the
config
command also supports making
changes to the repositories section by using it the following way:
php composer.phar config repositories.foo vcs https://github.com/foo/bar
If your repository requires more configuration options, you can instead pass its JSON representation :
php composer.phar config repositories.foo '{"type": "vcs", "url": "http://svn.example.org/my-project/", "trunk-path": "master"}'
In addition to modifying the config section, the
config
command also supports making
changes to the extra section by using it the following way:
php composer.phar config extra.foo.bar value
The dots indicate array nesting, a max depth of 3 levels is allowed though. The above
would set
"extra": { "foo": { "bar": "value" } }
.
If you have a complex value to add/modify, you can use the
--json
and
--merge
flags
to edit extra fields as json:
php composer.phar config --json extra.foo.bar '{"baz": true, "qux": []}'
repository / repo
#
The
repo
command lets you manage repositories in your
composer.json
. It is more powerful and recommended over using
composer config repositories.*
to manipulate the repositories configuration. Refer to
Repositories
documentation for details on the available types and configuration options.
Usage
#
repo [options] list
repo [options] add [repo-name] [repo-type] [url]
repo [options] add [repo-name] [json-repo-definition]
repo [options] remove [repo-name]
repo [options] set-url [repo-name] [url]
repo [options] get-url [repo-name]
repo [options] enable packagist.org
repo [options] disable packagist.org
Options
--global (-g):
to modify the global
$COMPOSER_HOME/config.json
.
--file (-f):
to modify a specific file instead of composer.json.
--append:
to add a repository with lower priority (by default repositories are prepended and have thus higher priority than existing ones).
--before
:
to insert the new repository before an existing repository named
<name>
.
--after
:
to insert the new repository after an existing repository named
<name>
. The
<name>
must match an existing repository name.
Examples
#
php composer.phar repo list
php composer.phar repo add foo vcs https://github.com/acme/foo
php composer.phar repo add bar composer https://repo.packagist.com/bar
php composer.phar repo add zips '{"type":"artifact","url":"/path/to/dir/with/zips"}'
php composer.phar repo add baz vcs https://example.org --before foo
php composer.phar repo add qux vcs https://example.org --after bar
php composer.phar repo remove foo
php composer.phar repo set-url foo https://git.example.org/acme/foo
php composer.phar repo get-url foo
php composer.phar repo disable packagist.org
php composer.phar repo enable packagist.org
create-project
#
You can use Composer to create new projects from an existing package. This is
the equivalent of doing a git clone/svn checkout followed by a
composer install
of the vendors.
There are several applications for this:
You can deploy application packages.
You can check out any package and start developing on patches for example.
Projects with multiple developers can use this feature to bootstrap the
initial application for development.
To create a new project using Composer you can use the
create-project
command.
Pass it a package name, and the directory to create the project in. You can also
provide a version as a third argument, otherwise the latest version is used.
If the directory does not currently exist, it will be created during installation.
php composer.phar create-project composer/hello-world my-project
It is also possible to run the command without params in a directory with an
existing
composer.json
file to bootstrap a project.
By default the command checks for the packages on packagist.org.
Options
--stability (-s):
Minimum stability of package. Defaults to
stable
.
--prefer-install:
There are two ways of downloading a package:
source
and
dist
. Composer uses
dist
by default. If you pass
--prefer-install=source
(or
--prefer-source
) Composer will install from
source
if there is one. This is useful if you want to make a bugfix to a
project and get a local git clone of the dependency directly.
To get the legacy behavior where Composer use
source
automatically for dev
versions of packages, use
--prefer-install=auto
. See also
config.preferred-install
.
Passing this flag will override the config value.
--source-fallback / --no-source-fallback:
Override the
config.source-fallback
setting. When disabled, Composer will not fall back to an alternative download source
(e.g., from dist to source or vice versa) if the preferred one fails. Also see
COMPOSER_SOURCE_FALLBACK
.
--repository:
Provide a custom repository to search for the package,
which will be used instead of packagist. Can be either an HTTP URL pointing
to a
composer
repository, a path to a local
packages.json
file, or a
JSON string which similar to what the
repositories
key accepts. You can use this multiple times to configure multiple repositories.
--add-repository:
Add the custom repository in the composer.json. If a lock
file is present, it will be deleted and an update will be run instead of an install.
--dev:
Install packages listed in
require-dev
.
--no-dev:
Disables installation of require-dev packages.
--no-scripts:
Disables the execution of the scripts defined in the root
package.
--no-progress:
Removes the progress display that can mess with some
terminals or scripts which don't handle backspace characters.
--no-secure-http:
Disable the secure-http config option temporarily while
installing the root package. Use at your own risk. Using this flag is a bad
idea.
--keep-vcs:
Skip the deletion of the VCS metadata for the created
project. This is mostly useful if you run the command in non-interactive
mode.
--remove-vcs:
Force-remove the VCS metadata without prompting.
--no-install:
Disables installation of the vendors.
--no-audit:
Does not run the audit steps after installation is complete. Also see
COMPOSER_NO_AUDIT
.
--audit-format:
Audit output format. Must be "table", "plain", "json", or "summary" (default).
--no-security-blocking:
Allows installing packages with security advisories or that are abandoned. Also see
COMPOSER_NO_SECURITY_BLOCKING
.
--ignore-platform-reqs:
ignore all platform requirements (
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine does
not fulfill these.
See also the
platform
config option.
--ignore-platform-req:
ignore a specific platform requirement(
php
,
hhvm
,
lib-*
and
ext-*
) and force the installation even if the local machine
does not fulfill it. Multiple requirements can be ignored via wildcard.
--require:
Require additional package(s) to be added to composer.json after
installing the project. If a lock file is present it will be deleted and an
update will be run instead of install. Can be specified multiple times for
multiple packages. Should be in format
foo/bar:1.0.0
format if you want to
specify a constraint.
--ask:
Ask the user to provide a target directory for the new project.
dump-autoload / dumpautoload
#
If you need to update the autoloader because of new classes in a classmap
package for example, you can use
dump-autoload
to do that without having to
go through an install or update.
Additionally, it can dump an optimized autoloader that converts PSR-0/4 packages
into classmap ones for performance reasons. In large applications with many
classes, the autoloader can take up a substantial portion of every request's
time. Using classmaps for everything is less convenient in development, but
using this option you can still use PSR-0/4 for convenience and classmaps for
performance.
Options
--optimize (-o):
Convert PSR-0/4 autoloading to classmap to get a faster
autoloader. This is recommended especially for production, but can take
a bit of time to run, so it is currently not done by default.
--classmap-authoritative (-a):
Autoload classes from the classmap only.
Implicitly enables
--optimize
.
--apcu:
Use APCu to cache found/not-found classes.
--apcu-prefix:
Use a custom prefix for the APCu autoloader cache.
Implicitly enables
--apcu
.
--dry-run:
Outputs the operations but will not execute anything.
--no-dev:
Disables autoload-dev rules. Composer will by default infer this
automatically according to the last
install
or
update
--no-dev
state.
--dev:
Enables autoload-dev rules. Composer will by default infer this
automatically according to the last
install
or
update
--no-dev
state.
--ignore-platform-reqs:
ignore all
php
,
hhvm
,
lib-*
and
ext-*
requirements and skip the
platform check
for these.
See also the
platform
config option.
--ignore-platform-req:
ignore a specific platform requirement (
php
,
hhvm
,
lib-*
and
ext-*
) and skip the
platform check
for it.
Multiple requirements can be ignored via wildcard.
--strict-psr:
Return a failed exit code (1) if PSR-4 or PSR-0 mapping errors
are present in the current project (dependencies excluded). Requires
--optimize
to work.
--strict-ambiguous:
Return a failed exit code (2) if the same class is found
in multiple files. Requires
--optimize
to work.
clear-cache / clearcache / cc
#
Deletes all content from Composer's cache directories.
Options
--gc:
Only run garbage collection, not a full cache clear
licenses
#
Lists the name, version and license of every package installed. Use
--format=json
to get machine-readable output.
Options
--locked:
List licenses from the lock file, regardless of what is currently in vendor dir.
--format:
Format of the output: text, json or summary (default: "text").
--no-dev:
Remove dev dependencies from the output.
run-script / run
#
To run
scripts
manually you can use this command,
give it the script name and optionally any required arguments.
Options
--timeout:
Set the script timeout in seconds, or 0 for no timeout.
--dev:
Sets the dev mode.
--no-dev:
Disable dev mode.
--list (-l):
List user defined scripts.
exec
#
Executes a vendored binary/script. You can execute any command and this will
ensure that the Composer bin-dir is pushed on your PATH before the command
runs.
Options
--list (-l):
List the available Composer binaries.
diagnose
#
If you think you found a bug, or something is behaving strangely, you might
want to run the
diagnose
command to perform automated checks for many common
problems.
php composer.phar diagnose
archive
#
This command is used to generate a zip/tar archive for a given package in a
given version. It can also be used to archive your entire project without
excluded/ignored files.
php composer.phar archive vendor/package 2.0.21 --format=zip
Options
--format (-f):
Format of the resulting archive: tar, tar.gz, tar.bz2
or zip (default: "tar").
--dir:
Write the archive to this directory (default: ".")
--file:
Write the archive with the given file name.
audit
#
This command is used to audit the packages you have installed for potential security issues. It checks for and lists security
vulnerability advisories using the
Packagist.org api
by default
or other repositories if specified in the
repositories
section of
composer.json
.
The command also detects abandoned packages.
The audit command determines if there are vulnerable, abandoned, or filtered packages and returns the following exit codes based on
the findings:
0
No issues;
1
Vulnerable packages;
2
Abandoned packages;
3
Vulnerable and abandoned packages.
4
Filtered packages.
5
Vulnerable and filtered packages.
6
Abandoned and filtered packages.
7
Vulnerable, abandoned, and filtered packages.
php composer.phar audit
Options
--no-dev:
Disables auditing of require-dev packages.
--format (-f):
Audit output format. Must be "table" (default), "plain", "json", or "summary".
--locked:
Audit packages from the lock file, regardless of what is currently in vendor dir.
--abandoned:
Behavior on abandoned packages. Must be "ignore", "report",
or "fail". See also
config.audit.abandoned
. Passing this
flag will override the config value and the environment variable.
--ignore-severity:
Ignore advisories of a certain severity level. Can be passed one or more
time to ignore multiple severities.
--filtered:
Behavior on filtered packages. Must be "ignore", "report",
or "fail". See also
config.audit.filtered
. Passing this
flag will override the config value.
help
#
To get more information about a certain command, you can use
help
.
php composer.phar help install
Command-line completion
#
Command-line completion can be enabled by running the
composer completion --help
command and
following the instructions.
Environment variables
#
You can set a number of environment variables that override certain settings.
Whenever possible it is recommended to specify these settings in the
config
section of
composer.json
instead. It is worth noting that the env vars will
always take precedence over the values specified in
composer.json
.
COMPOSER
#
By setting the
COMPOSER
env variable it is possible to set the filename of
composer.json
to something else.
For example:
COMPOSER=composer-other.json php composer.phar install
The generated lock file will use the same name:
composer-other.lock
in this example.
COMPOSER_ALLOW_SUPERUSER
#
If set to 1, this env disables the warning about running commands as root/super user.
It also disables automatic clearing of sudo sessions, so you should really only set this
if you use Composer as a super user at all times like in docker containers.
COMPOSER_ALLOW_XDEBUG
#
If set to 1, this env allows running Composer when the Xdebug extension is enabled, without restarting PHP without it.
COMPOSER_AUTH
#
The
COMPOSER_AUTH
var allows you to set up authentication as an environment variable.
The contents of the variable should be a JSON formatted object containing
http-basic,
github-oauth, bitbucket-oauth, ... objects as needed
,
and following the
spec from the config
.
COMPOSER_BIN_COMPAT
#
Override the
bin-compat
config setting.
COMPOSER_BIN_DIR
#
By setting this option you can change the
bin
(
Vendor Binaries
)
directory to something other than
vendor/bin
.
COMPOSER_CACHE_DIR
#
The
COMPOSER_CACHE_DIR
var allows you to change the Composer cache directory,
which is also configurable via the
cache-dir
option.
By default, it points to
C:\Users\<user>\AppData\Local\Composer
(or
%LOCALAPPDATA%/Composer
) on Windows.
On *nix systems that follow the
XDG Base
Directory Specifications
,
it points to
$XDG_CACHE_HOME/composer
. On other *nix systems and on macOS, it points to
$COMPOSER_HOME/cache
.
COMPOSER_CAFILE
#
By setting this environmental value, you can set a path to a certificate bundle
file to be used during SSL/TLS peer verification.
COMPOSER_DISABLE_XDEBUG_WARN
#
If set to 1, this env suppresses a warning when Composer is running with the Xdebug extension enabled.
COMPOSER_DISCARD_CHANGES
#
This env var controls the
discard-changes
config option.
COMPOSER_FUND
#
If set to 0, this env suppresses funding notices when installing.
COMPOSER_HOME
#
The
COMPOSER_HOME
var allows you to change the Composer home directory. This
is a hidden, global (per-user on the machine) directory that is shared between
all projects.
Use
composer config --global home
to see the location of the home directory.
By default, it points to
C:\Users\<user>\AppData\Roaming\Composer
on Windows
and
/Users/<user>/.composer
on macOS. On *nix systems that follow the
XDG Base
Directory Specifications
,
it points to
$XDG_CONFIG_HOME/composer
. On other *nix systems, it points to
/home/<user>/.composer
.
COMPOSER_HOME/config.json
#
You may put a
config.json
file into the location which
COMPOSER_HOME
points
to. Composer will partially (only
config
and
repositories
keys) merge this
configuration with your project's
composer.json
when you run the
install
and
update
commands.
This file allows you to set
repositories
and
configuration
for the user's projects.
In case global configuration matches
local
configuration, the
local
configuration in the project's
composer.json
always wins.
COMPOSER_HTACCESS_PROTECT
#
Defaults to
1
. If set to
0
, Composer will not create
.htaccess
files in the
Composer home, cache, and data directories.
COMPOSER_MEMORY_LIMIT
#
If set, the value is used as php's memory_limit.
COMPOSER_MIRROR_PATH_REPOS
#
If set to 1, this env changes the default path repository strategy to
mirror
instead
of
symlink
. As it is the default strategy being set it can still be overwritten by
repository options.
COMPOSER_NO_INTERACTION
#
If set to 1, this env var will make Composer behave as if you passed the
--no-interaction
flag to every command. This can be set on build boxes/CI.
COMPOSER_PROCESS_TIMEOUT
#
This env var controls the time Composer waits for commands (such as git
commands) to finish executing. The default value is 300 seconds (5 minutes).
COMPOSER_ROOT_VERSION
#
By setting this var you can specify the version of the root package, if it
cannot be guessed from VCS info and is not present in
composer.json
.
COMPOSER_VENDOR_DIR
#
By setting this var you can make Composer install the dependencies into a
directory other than
vendor
.
COMPOSER_RUNTIME_ENV
#
This lets you hint under which environment Composer is running, which can help Composer
work around some environment specific issues. The only value currently supported is
virtualbox
, which then enables some short
sleep()
calls to wait for the filesystem
to have written files properly before we attempt reading them. You can set the
environment variable if you use Vagrant or VirtualBox and experience issues with files not
being found during installation even though they should be present.
http_proxy or HTTP_PROXY
#
HTTP_PROXY_REQUEST_FULLURI
#
HTTPS_PROXY_REQUEST_FULLURI
#
no_proxy or NO_PROXY
#
See the
proxy documentation
for more details
on how to use proxy env vars.
COMPOSER_MAX_PARALLEL_HTTP
#
Set to an integer to configure how many files can be downloaded in parallel. This
defaults to 12 and must be between 1 and 50. If your proxy has issues with
concurrency maybe you want to lower this. Increasing it should generally not result
in performance gains.
COMPOSER_MAX_PARALLEL_PROCESSES
#
Set to an integer to configure how many processes can be executed in parallel.
This defaults to 10 and must be between 1 and 50.
COMPOSER_IPRESOLVE
#
Set to
4
or
6
to force IPv4 or IPv6 DNS resolution. This only works when the
curl extension is used for downloads.
COMPOSER_SELF_UPDATE_TARGET
#
If set, makes the self-update command write the new Composer phar file into that path instead of overwriting itself. Useful for updating Composer on a read-only filesystem.
COMPOSER_DISABLE_NETWORK
#
If set to
1
, disables network access (best effort). This can be used for debugging or
to run Composer on a plane or a starship with poor connectivity.
If set to
prime
, GitHub VCS repositories will prime the cache, so it can then be used
fully offline with
1
.
COMPOSER_DEBUG_EVENTS
#
If set to
1
, outputs information about events being dispatched, which can be
useful for plugin authors to identify what is firing when exactly.
COMPOSER_SKIP_SCRIPTS
#
Accepts a comma-seperated list of event names, e.g.
post-install-cmd
for which scripts execution should be skipped.
COMPOSER_NO_AUDIT
#
If set to
1
, it is the equivalent of passing the
--no-audit
option to a
require
,
update
,
remove
or
create-project
command.
COMPOSER_AUDIT_ABANDONED
#
Set to
ignore
,
report
or
fail
to override the
audit.abandoned
config option.
COMPOSER_FILTER
#
Set to
0
to disable filters on updates and audit, or
1
to enable them. Setting this to
1
will use the filter configuration in the composer.json.
If you want to override the config value, use
composer config filter 1
instead.
COMPOSER_NO_SECURITY_BLOCKING
#
If set to
1
, it is the equivalent of passing the
--no-security-blocking
option to a
require
,
update
,
remove
,
install
, or
create-project
command. This allows installing packages with security advisories or that are abandoned. It overrides the config option
audit.block-insecure
.
COMPOSER_SECURITY_BLOCKING_ABANDONED
#
If set to
1
, enables blocking of abandoned packages during dependency resolution (equivalent to setting
audit.block-abandoned
config to
true
). If set to
0
, disables blocking of abandoned packages. Note that this setting does not have any effect if security blocking is generally disabled. It overrides the config option
audit.block-abandoned
.
COMPOSER_NO_DEV
#
If set to
1
, it is the equivalent of passing the
--update-no-dev
option to
require
or the
--no-dev
option to
install
or
update
. You can override this for a single
command by setting
COMPOSER_NO_DEV=0
.
COMPOSER_PREFER_STABLE
#
If set to
1
, it is the equivalent of passing the
--prefer-stable
option to
update
or
require
.
COMPOSER_PREFER_LOWEST
#
If set to
1
, it is the equivalent of passing the
--prefer-lowest
option to
update
or
require
.
COMPOSER_PREFER_DEV_OVER_PRERELEASE
#
If set to
1
, when resolving dependencies with both
--prefer-stable
and
--prefer-lowest
enabled, dev versions are treated as more stable than
alpha/beta/RC versions in cases where no stable release exists. This is useful
to test lowest versions while still preferring branches that may contain
critical fixes over prerelease versions.
COMPOSER_SOURCE_FALLBACK
#
If set to
0
, Composer will not fall back to an alternative download source when the
preferred one fails. Equivalent to passing
--no-source-fallback
. See also
config.source-fallback
.
COMPOSER_MINIMAL_CHANGES
#
If set to
1
, it is the equivalent of passing the
--minimal-changes
option to
update
,
require
or
remove
.
COMPOSER_IGNORE_PLATFORM_REQ or COMPOSER_IGNORE_PLATFORM_REQS
#
If
COMPOSER_IGNORE_PLATFORM_REQS
set to
1
, it is the equivalent of passing the
--ignore-platform-reqs
argument.
Otherwise, specifying a comma separated list in
COMPOSER_IGNORE_PLATFORM_REQ
will ignore those specific requirements.
For example, if a development workstation will never run database queries, this can be used to ignore the requirement for the database extensions to be available. If you set
COMPOSER_IGNORE_PLATFORM_REQ=ext-oci8
, then composer will allow packages to be installed even if the
oci8
PHP extension is not enabled.
COMPOSER_WITH_DEPENDENCIES
#
If set to
1
, it is the equivalent of passing the
--with-dependencies
option to
update
,
require
or
remove
.
COMPOSER_WITH_ALL_DEPENDENCIES
#
If set to
1
, it is the equivalent of passing the
--with-all-dependencies
option to
update
,
require
or
remove
.
SHELL_VERBOSITY
#
Since Composer uses
symfony/console
,
you can define the
verbosity level
.
SHELL_VERBOSITY=-1
to hide the output of Composer
(this is equivalent to using the CLI option
--quiet
).
Please note that this will apply to every tool that rely on
symfony/console
,
you can set
SHELL_VERBOSITY=0
after the calls to Composer in order to restore the default verbosity level.
←
Libraries
|
Schema
→
Found a typo? Something is wrong in this documentation?
Fork and edit
it! |
| Markdown | [Home](https://getcomposer.org/ "Go back to the homepage")[Getting Started](https://getcomposer.org/doc/00-intro.md "Getting started with Composer")[Download](https://getcomposer.org/download/ "Go the the Download page to see how to download Composer")[Documentation](https://getcomposer.org/doc/ "View the Composer documentation")[Browse Packages](https://packagist.org/ "Browse Composer packages on packagist.org (external link to Packagist.org)")
- [Bash Completions](https://getcomposer.org/doc/03-cli.md#bash-completions)
- [Global Options](https://getcomposer.org/doc/03-cli.md#global-options)
- [Process Exit Codes](https://getcomposer.org/doc/03-cli.md#process-exit-codes)
- [init](https://getcomposer.org/doc/03-cli.md#init)
- [install / i](https://getcomposer.org/doc/03-cli.md#install-i)
- [update / u / upgrade](https://getcomposer.org/doc/03-cli.md#update-u-upgrade)
- [require / r](https://getcomposer.org/doc/03-cli.md#require-r)
- [remove / rm / uninstall](https://getcomposer.org/doc/03-cli.md#remove-rm-uninstall)
- [bump](https://getcomposer.org/doc/03-cli.md#bump)
- [reinstall](https://getcomposer.org/doc/03-cli.md#reinstall)
- [check-platform-reqs](https://getcomposer.org/doc/03-cli.md#check-platform-reqs)
- [global](https://getcomposer.org/doc/03-cli.md#global)
- [search](https://getcomposer.org/doc/03-cli.md#search)
- [show / info](https://getcomposer.org/doc/03-cli.md#show-info)
- [outdated](https://getcomposer.org/doc/03-cli.md#outdated)
- [browse / home](https://getcomposer.org/doc/03-cli.md#browse-home)
- [suggests](https://getcomposer.org/doc/03-cli.md#suggests)
- [fund](https://getcomposer.org/doc/03-cli.md#fund)
- [depends / why](https://getcomposer.org/doc/03-cli.md#depends-why)
- [prohibits / why-not](https://getcomposer.org/doc/03-cli.md#prohibits-why-not)
- [validate](https://getcomposer.org/doc/03-cli.md#validate)
- [status](https://getcomposer.org/doc/03-cli.md#status)
- [self-update / selfupdate](https://getcomposer.org/doc/03-cli.md#self-update-selfupdate)
- [config](https://getcomposer.org/doc/03-cli.md#config)
- [Usage](https://getcomposer.org/doc/03-cli.md#usage)
- [Modifying Repositories](https://getcomposer.org/doc/03-cli.md#modifying-repositories)
- [Modifying Extra Values](https://getcomposer.org/doc/03-cli.md#modifying-extra-values)
- [repository / repo](https://getcomposer.org/doc/03-cli.md#repository-repo)
- [Usage](https://getcomposer.org/doc/03-cli.md#usage-2)
- [Examples](https://getcomposer.org/doc/03-cli.md#examples)
- [create-project](https://getcomposer.org/doc/03-cli.md#create-project)
- [dump-autoload / dumpautoload](https://getcomposer.org/doc/03-cli.md#dump-autoload-dumpautoload)
- [clear-cache / clearcache / cc](https://getcomposer.org/doc/03-cli.md#clear-cache-clearcache-cc)
- [licenses](https://getcomposer.org/doc/03-cli.md#licenses)
- [run-script / run](https://getcomposer.org/doc/03-cli.md#run-script-run)
- [exec](https://getcomposer.org/doc/03-cli.md#exec)
- [diagnose](https://getcomposer.org/doc/03-cli.md#diagnose)
- [archive](https://getcomposer.org/doc/03-cli.md#archive)
- [audit](https://getcomposer.org/doc/03-cli.md#audit)
- [help](https://getcomposer.org/doc/03-cli.md#help)
- [Command-line completion](https://getcomposer.org/doc/03-cli.md#command-line-completion)
- [Environment variables](https://getcomposer.org/doc/03-cli.md#environment-variables)
- [COMPOSER](https://getcomposer.org/doc/03-cli.md#composer)
- [COMPOSER\_ALLOW\_SUPERUSER](https://getcomposer.org/doc/03-cli.md#composer-allow-superuser)
- [COMPOSER\_ALLOW\_XDEBUG](https://getcomposer.org/doc/03-cli.md#composer-allow-xdebug)
- [COMPOSER\_AUTH](https://getcomposer.org/doc/03-cli.md#composer-auth)
- [COMPOSER\_BIN\_COMPAT](https://getcomposer.org/doc/03-cli.md#composer-bin-compat)
- [COMPOSER\_BIN\_DIR](https://getcomposer.org/doc/03-cli.md#composer-bin-dir)
- [COMPOSER\_CACHE\_DIR](https://getcomposer.org/doc/03-cli.md#composer-cache-dir)
- [COMPOSER\_CAFILE](https://getcomposer.org/doc/03-cli.md#composer-cafile)
- [COMPOSER\_DISABLE\_XDEBUG\_WARN](https://getcomposer.org/doc/03-cli.md#composer-disable-xdebug-warn)
- [COMPOSER\_DISCARD\_CHANGES](https://getcomposer.org/doc/03-cli.md#composer-discard-changes)
- [COMPOSER\_FUND](https://getcomposer.org/doc/03-cli.md#composer-fund)
- [COMPOSER\_HOME](https://getcomposer.org/doc/03-cli.md#composer-home)
- [COMPOSER\_HOME/config.json](https://getcomposer.org/doc/03-cli.md#composer-home-config-json)
- [COMPOSER\_HTACCESS\_PROTECT](https://getcomposer.org/doc/03-cli.md#composer-htaccess-protect)
- [COMPOSER\_MEMORY\_LIMIT](https://getcomposer.org/doc/03-cli.md#composer-memory-limit)
- [COMPOSER\_MIRROR\_PATH\_REPOS](https://getcomposer.org/doc/03-cli.md#composer-mirror-path-repos)
- [COMPOSER\_NO\_INTERACTION](https://getcomposer.org/doc/03-cli.md#composer-no-interaction)
- [COMPOSER\_PROCESS\_TIMEOUT](https://getcomposer.org/doc/03-cli.md#composer-process-timeout)
- [COMPOSER\_ROOT\_VERSION](https://getcomposer.org/doc/03-cli.md#composer-root-version)
- [COMPOSER\_VENDOR\_DIR](https://getcomposer.org/doc/03-cli.md#composer-vendor-dir)
- [COMPOSER\_RUNTIME\_ENV](https://getcomposer.org/doc/03-cli.md#composer-runtime-env)
- [http\_proxy or HTTP\_PROXY](https://getcomposer.org/doc/03-cli.md#http-proxy-or-http-proxy)
- [HTTP\_PROXY\_REQUEST\_FULLURI](https://getcomposer.org/doc/03-cli.md#http-proxy-request-fulluri)
- [HTTPS\_PROXY\_REQUEST\_FULLURI](https://getcomposer.org/doc/03-cli.md#https-proxy-request-fulluri)
- [no\_proxy or NO\_PROXY](https://getcomposer.org/doc/03-cli.md#no-proxy-or-no-proxy)
- [COMPOSER\_MAX\_PARALLEL\_HTTP](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-http)
- [COMPOSER\_MAX\_PARALLEL\_PROCESSES](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-processes)
- [COMPOSER\_IPRESOLVE](https://getcomposer.org/doc/03-cli.md#composer-ipresolve)
- [COMPOSER\_SELF\_UPDATE\_TARGET](https://getcomposer.org/doc/03-cli.md#composer-self-update-target)
- [COMPOSER\_DISABLE\_NETWORK](https://getcomposer.org/doc/03-cli.md#composer-disable-network)
- [COMPOSER\_DEBUG\_EVENTS](https://getcomposer.org/doc/03-cli.md#composer-debug-events)
- [COMPOSER\_SKIP\_SCRIPTS](https://getcomposer.org/doc/03-cli.md#composer-skip-scripts)
- [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit)
- [COMPOSER\_AUDIT\_ABANDONED](https://getcomposer.org/doc/03-cli.md#composer-audit-abandoned)
- [COMPOSER\_FILTER](https://getcomposer.org/doc/03-cli.md#composer-filter)
- [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking)
- [COMPOSER\_SECURITY\_BLOCKING\_ABANDONED](https://getcomposer.org/doc/03-cli.md#composer-security-blocking-abandoned)
- [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev)
- [COMPOSER\_PREFER\_STABLE](https://getcomposer.org/doc/03-cli.md#composer-prefer-stable)
- [COMPOSER\_PREFER\_LOWEST](https://getcomposer.org/doc/03-cli.md#composer-prefer-lowest)
- [COMPOSER\_PREFER\_DEV\_OVER\_PRERELEASE](https://getcomposer.org/doc/03-cli.md#composer-prefer-dev-over-prerelease)
- [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback)
- [COMPOSER\_MINIMAL\_CHANGES](https://getcomposer.org/doc/03-cli.md#composer-minimal-changes)
- [COMPOSER\_IGNORE\_PLATFORM\_REQ or COMPOSER\_IGNORE\_PLATFORM\_REQS](https://getcomposer.org/doc/03-cli.md#composer-ignore-platform-req-or-composer-ignore-platform-reqs)
- [COMPOSER\_WITH\_DEPENDENCIES](https://getcomposer.org/doc/03-cli.md#composer-with-dependencies)
- [COMPOSER\_WITH\_ALL\_DEPENDENCIES](https://getcomposer.org/doc/03-cli.md#composer-with-all-dependencies)
- [SHELL\_VERBOSITY](https://getcomposer.org/doc/03-cli.md#shell-verbosity)
# Command-line interface / Commands[\#](https://getcomposer.org/doc/03-cli.md#command-line-interface-commands)
You've already learned how to use the command-line interface to do some things. This chapter documents all the available commands.
To get help from the command-line, call `composer` or `composer list` to see the complete list of commands, then `--help` combined with any of those can give you more information.
As Composer uses [symfony/console](https://github.com/symfony/console) you can call commands by short name if it's not ambiguous.
```
php composer.phar dump
```
calls `composer dump-autoload`.
## Bash Completions[\#](https://getcomposer.org/doc/03-cli.md#bash-completions)
To install bash completions you can run `composer completion bash > completion.bash`. This will create a `completion.bash` file in the current directory.
Then execute `source completion.bash` to enable it in the current terminal session.
Move and rename the `completion.bash` file to `/etc/bash_completion.d/composer` to make it load automatically in new terminals.
## Global Options[\#](https://getcomposer.org/doc/03-cli.md#global-options)
The following options are available with every command:
- **\--verbose (-v):** Increase verbosity of messages.
- **\--help (-h):** Display help information.
- **\--quiet (-q):** Do not output any message.
- **\--no-interaction (-n):** Do not ask any interactive question.
- **\--no-plugins:** Disables plugins.
- **\--no-scripts:** Skips execution of scripts defined in `composer.json`.
- **\--no-cache:** Disables the use of the cache directory. Same as setting the COMPOSER\_CACHE\_DIR env var to /dev/null (or NUL on Windows).
- **\--working-dir (-d):** If specified, use the given directory as working directory.
- **\--profile:** Display timing and memory usage information
- **\--ansi:** Force ANSI output.
- **\--no-ansi:** Disable ANSI output.
- **\--version (-V):** Display this application version.
## Process Exit Codes[\#](https://getcomposer.org/doc/03-cli.md#process-exit-codes)
- **0:** OK
- **1:** Generic/unknown error code
- **2:** Dependency solving error code
## init[\#](https://getcomposer.org/doc/03-cli.md#init)
In the [Libraries](https://getcomposer.org/doc/02-libraries.md) chapter we looked at how to create a `composer.json` by hand. There is also an `init` command available to do this.
When you run the command it will interactively ask you to fill in the fields, while using some smart defaults.
```
php composer.phar init
```
### Options
- **\--name:** Name of the package.
- **\--description:** Description of the package.
- **\--author:** Author name of the package.
- **\--type:** Type of package.
- **\--homepage:** Homepage of the package.
- **\--require:** Package to require with a version constraint. Should be in format `foo/bar:1.0.0`.
- **\--require-dev:** Development requirements, see **\--require**.
- **\--stability (-s):** Value for the `minimum-stability` field.
- **\--license (-l):** License of package.
- **\--repository:** Provide one (or more) custom repositories. They will be stored in the generated composer.json, and used for auto-completion when prompting for the list of requires. Every repository can be either an HTTP URL pointing to a `composer` repository or a JSON string which is similar to what the [repositories](https://getcomposer.org/doc/04-schema.md#repositories) key accepts.
- **\--autoload (-a):** Add a PSR-4 autoload mapping to the composer.json. Automatically maps your package's namespace to the provided directory. (Expects a relative path, e.g. src/) See also [PSR-4 autoload](https://getcomposer.org/doc/04-schema.md#psr-4).
## install / i[\#](https://getcomposer.org/doc/03-cli.md#install-i)
The `install` command reads the `composer.json` file from the current directory, resolves the dependencies, and installs them into `vendor`.
```
php composer.phar install
```
If there is a `composer.lock` file in the current directory, it will use the exact versions from there instead of resolving them. This ensures that everyone using the library will get the same versions of the dependencies.
If there is no `composer.lock` file, Composer will create one after dependency resolution.
### Options
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--dry-run:** If you want to run through an installation without actually installing a package, you can use `--dry-run`. This will simulate the installation and show you what would happen.
- **\--download-only:** Download only, do not install packages.
- **\--dev:** Install packages listed in `require-dev` (this is the default behavior).
- **\--no-dev:** Skip installing packages listed in `require-dev`. The autoloader generation skips the `autoload-dev` rules. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--no-autoloader:** Skips autoloader generation.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--audit:** Run an audit after installation is complete.
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking). Only applies when no lock file is present - for installs from a lock file Composer never blocks vulnerable packages.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--strict-psr-autoloader:** Return a failed exit code (6) if PSR-4 or PSR-0 mapping errors are present in the current project (dependencies excluded). Requires `--optimize-autoloader` to work.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard. Appending a `+` makes it only ignore the upper-bound of the requirements. For example, if a package requires `php: ^7`, then the option `--ignore-platform-req=php+` would allow installing on PHP 8, but installation on PHP 5.6 would still fail.
## update / u / upgrade[\#](https://getcomposer.org/doc/03-cli.md#update-u-upgrade)
In order to get the latest versions of the dependencies and to update the `composer.lock` file, you should use the `update` command. This command is also aliased as `upgrade` as it does the same as `upgrade` does if you are thinking of `apt-get` or similar package managers.
```
php composer.phar update
```
This will resolve all dependencies of the project and write the exact versions into `composer.lock`.
If you only want to update a few packages and not all, you can list them as such:
```
php composer.phar update vendor/package vendor/package2
```
You can also use wildcards to update a bunch of packages at once:
```
php composer.phar update "vendor/*"
```
If you want to downgrade a package to a specific version without changing your composer.json you can use `--with` and provide a custom version constraint:
```
php composer.phar update --with vendor/package:2.0.1
```
Note that with the above all packages will be updated. If you only want to update the package(s) for which you provide custom constraints using `--with`, you can skip `--with` and instead use constraints with the partial update syntax:
```
php composer.phar update vendor/package:2.0.1 vendor/package2:3.0.*
```
> **Note:** For packages also required in your composer.json the custom constraint must be a subset of the existing constraint. The composer.json constraints still apply and the composer.json is not modified by these temporary update constraints.
### Options
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--dry-run:** Simulate the command without actually doing anything.
- **\--dev:** Install packages listed in `require-dev` (this is the default behavior).
- **\--no-dev:** Skip installing packages listed in `require-dev`. The autoloader generation skips the `autoload-dev` rules. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--no-install:** Does not run the install step after updating the composer.lock file.
- **\--no-audit:** Does not run the audit steps after updating the composer.lock file. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--lock:** Overwrites the lock file hash to suppress warning about the lock file being out of date without updating package versions. Package metadata like mirrors and URLs are updated if they changed.
- **\--with:** Temporary version constraint to add, e.g. foo/bar:1.0.0 or foo/bar=1.0.0
- **\--no-autoloader:** Skips autoloader generation.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--with-dependencies (-w):** Update also dependencies of packages in the argument list, except those which are root requirements. Can also be set via the COMPOSER\_WITH\_DEPENDENCIES=1 env var.
- **\--with-all-dependencies (-W):** Update also dependencies of packages in the argument list, including those which are root requirements. Can also be set via the COMPOSER\_WITH\_ALL\_DEPENDENCIES=1 env var.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run, so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--strict-psr-autoloader:** Return a failed exit code (6) if PSR-4 or PSR-0 mapping errors are present in the current project (dependencies excluded). Requires `--optimize-autoloader` to work.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard. Appending a `+` makes it only ignore the upper-bound of the requirements. For example, if a package requires `php: ^7`, then the option `--ignore-platform-req=php+` would allow installing on PHP 8, but installation on PHP 5.6 would still fail.
- **\--prefer-stable:** Prefer stable versions of dependencies. Can also be set via the COMPOSER\_PREFER\_STABLE=1 env var.
- **\--prefer-lowest:** Prefer lowest versions of dependencies. Useful for testing minimal versions of requirements, generally used with `--prefer-stable`. Can also be set via the COMPOSER\_PREFER\_LOWEST=1 env var.
- **\--minimal-changes (-m):** Only perform absolutely necessary changes to dependencies. If packages cannot be kept at their currently locked version they are updated. For partial updates the allow-listed packages are always updated fully. Can also be set via the COMPOSER\_MINIMAL\_CHANGES=1 env var.
- **\--patch-only:** Only allow patch version updates for currently installed dependencies.
- **\--interactive:** Interactive interface with autocompletion to select the packages to update.
- **\--root-reqs:** Restricts the update to your first degree dependencies.
- **\--bump-after-update:** Runs `bump` after performing the update. Set to `dev` or `no-dev` to only bump those dependencies.
Specifying one of the words `mirrors`, `lock`, or `nothing` as an argument has the same effect as specifying the option `--lock`, for example `composer update mirrors` is exactly the same as `composer update --lock`.
## require / r[\#](https://getcomposer.org/doc/03-cli.md#require-r)
The `require` command adds new packages to the `composer.json` file from the current directory. If no file exists one will be created on the fly.
If you do not specify a package, Composer will prompt you to search for a package, and given results, provide a list of matches to require.
```
php composer.phar require
```
After adding/changing the requirements, the modified requirements will be installed or updated.
If you do not want to choose requirements interactively, you can pass them to the command.
```
php composer.phar require "vendor/package:2.*" vendor/package2:dev-master
```
If you do not specify a version constraint, composer will choose a suitable one based on the available package versions.
```
php composer.phar require vendor/package vendor/package2
```
If you do not want to install the new dependencies immediately you can call it with --no-update
### Options
- **\--dev:** Add packages to `require-dev`.
- **\--dry-run:** Simulate the command without actually doing anything.
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--no-update:** Disables the automatic update of the dependencies (implies --no-install).
- **\--no-install:** Does not run the install step after updating the composer.lock file.
- **\--no-audit:** Does not run the audit steps after updating the composer.lock file. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--update-no-dev:** Run the dependency update with the `--no-dev` option. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--update-with-dependencies (-w):** Also update dependencies of the newly required packages, except those that are root requirements. Can also be set via the COMPOSER\_WITH\_DEPENDENCIES=1 env var.
- **\--update-with-all-dependencies (-W):** Also update dependencies of the newly required packages, including those that are root requirements. Can also be set via the COMPOSER\_WITH\_ALL\_DEPENDENCIES=1 env var.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
- **\--prefer-stable:** Prefer stable versions of dependencies. Can also be set via the COMPOSER\_PREFER\_STABLE=1 env var.
- **\--prefer-lowest:** Prefer lowest versions of dependencies. Useful for testing minimal versions of requirements, generally used with `--prefer-stable`. Can also be set via the COMPOSER\_PREFER\_LOWEST=1 env var.
- **\--minimal-changes (-m):** During an update with `-w`/`-W`, only perform absolutely necessary changes to transitive dependencies. Can also be set via the COMPOSER\_MINIMAL\_CHANGES=1 env var.
- **\--sort-packages:** Keep packages sorted in `composer.json`.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run, so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
## remove / rm / uninstall[\#](https://getcomposer.org/doc/03-cli.md#remove-rm-uninstall)
The `remove` command removes packages from the `composer.json` file from the current directory.
```
php composer.phar remove vendor/package vendor/package2
```
After removing the requirements, the modified requirements will be uninstalled.
### Options
- **\--unused:** Remove unused packages that are not a direct or indirect dependency (anymore).
- **\--dev:** Remove packages from `require-dev`.
- **\--dry-run:** Simulate the command without actually doing anything.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--no-update:** Disables the automatic update of the dependencies (implies --no-install).
- **\--no-install:** Does not run the install step after updating the composer.lock file.
- **\--no-audit:** Does not run the audit steps after installation is complete. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--update-no-dev:** Run the dependency update with the --no-dev option. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--update-with-dependencies (-w):** Also update dependencies of the removed packages. Can also be set via the COMPOSER\_WITH\_DEPENDENCIES=1 env var. (Deprecated, is now default behavior)
- **\--update-with-all-dependencies (-W):** Allows all inherited dependencies to be updated, including those that are root requirements. Can also be set via the COMPOSER\_WITH\_ALL\_DEPENDENCIES=1 env var.
- **\--minimal-changes (-m):** During an update with `-w`/`-W`, only perform absolutely necessary changes to transitive dependencies. Can also be set via the COMPOSER\_MINIMAL\_CHANGES=1 env var.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
## bump[\#](https://getcomposer.org/doc/03-cli.md#bump)
The `bump` command increases the lower limit of your composer.json requirements to the currently installed versions. This helps to ensure your dependencies do not accidentally get downgraded due to some other conflict, and can slightly improve dependency resolution performance as it limits the amount of package versions Composer has to look at.
Running this blindly on libraries is **NOT** recommended as it will narrow down your allowed dependencies, which may cause dependency hell for your users. Running it with `--dev-only` on libraries may be fine however as dev requirements are local to the library and do not affect consumers of the package.
### Options
- **\--dev-only:** Only bump requirements in "require-dev".
- **\--no-dev-only:** Only bump requirements in "require".
- **\--dry-run:** Outputs the packages to bump, but will not execute anything.
## reinstall[\#](https://getcomposer.org/doc/03-cli.md#reinstall)
The `reinstall` command looks up installed packages by name, uninstalls them and reinstalls them. This lets you do a clean install of a package if you messed with its files, or if you wish to change the installation type using --prefer-install.
```
php composer.phar reinstall acme/foo acme/bar
```
You can specify more than one package name to reinstall, or use a wildcard to select several packages at once:
```
php composer.phar reinstall "acme/*"
```
### Options
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--no-autoloader:** Skips autoloader generation.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
- **\--ignore-platform-reqs:** ignore all platform requirements. This only has an effect in the context of the autoloader generation for the reinstall command.
- **\--ignore-platform-req:** ignore a specific platform requirement. This only has an effect in the context of the autoloader generation for the reinstall command. Multiple requirements can be ignored via wildcard.
## check-platform-reqs[\#](https://getcomposer.org/doc/03-cli.md#check-platform-reqs)
The check-platform-reqs command checks that your PHP and extensions versions match the platform requirements of the installed packages. This can be used to verify that a production server has all the extensions needed to run a project after installing it for example.
Unlike update/install, this command will ignore config.platform settings and check the real platform packages so you can be certain you have the required platform dependencies.
### Options
- **\--lock:** Checks requirements only from the lock file, not from installed packages.
- **\--no-dev:** Disables checking of require-dev packages requirements.
- **\--format (-f):** Format of the output: text (default) or json
## global[\#](https://getcomposer.org/doc/03-cli.md#global)
The global command allows you to run other commands like `install`, `remove`, `require` or `update` as if you were running them from the [COMPOSER\_HOME](https://getcomposer.org/doc/03-cli.md#composer-home) directory.
This is merely a helper to manage a project stored in a central location that can hold CLI tools or Composer plugins that you want to have available everywhere.
This can be used to install CLI utilities globally. Here is an example:
```
php composer.phar global require friendsofphp/php-cs-fixer
```
Now the `php-cs-fixer` binary is available globally. Make sure your global [vendor binaries](https://getcomposer.org/doc/articles/vendor-binaries.md) directory is in your `$PATH` environment variable, you can get its location with the following command :
```
php composer.phar global config bin-dir --absolute
```
If you wish to update the binary later on you can run a global update:
```
php composer.phar global update
```
## search[\#](https://getcomposer.org/doc/03-cli.md#search)
The search command allows you to search through the current project's package repositories. Usually this will be packagist. You pass it the terms you want to search for.
```
php composer.phar search monolog
```
You can also search for more than one term by passing multiple arguments.
### Options
- **\--only-name (-N):** Search only in package names.
- **\--only-vendor (-O):** Search only for vendor / organization names, returns only "vendor" as a result.
- **\--type (-t):** Search for a specific package type.
- **\--format (-f):** Lets you pick between text (default) or json output format. Note that in the json, only the name and description keys are guaranteed to be present. The rest (`url`, `repository`, `downloads` and `favers`) are available for Packagist.org search results and other repositories may return more or less data.
## show / info[\#](https://getcomposer.org/doc/03-cli.md#show-info)
To list all of the available packages, you can use the `show` command.
```
php composer.phar show
```
To filter the list you can pass a package mask using wildcards.
```
php composer.phar show "monolog/*"
```
```
monolog/monolog 2.4.0 Sends your logs to files, sockets, inboxes, databases and various web services
```
If you want to see the details of a certain package, you can pass the package name.
```
php composer.phar show monolog/monolog
```
```
name : monolog/monolog
descrip. : Sends your logs to files, sockets, inboxes, databases and various web services
keywords : log, logging, psr-3
versions : * 1.27.1
type : library
license : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : http://github.com/Seldaek/monolog
source : [git] https://github.com/Seldaek/monolog.git 904713c5929655dc9b97288b69cfeedad610c9a1
dist : [zip] https://api.github.com/repos/Seldaek/monolog/zipball/904713c5929655dc9b97288b69cfeedad610c9a1 904713c5929655dc9b97288b69cfeedad610c9a1
names : monolog/monolog, psr/log-implementation
support
issues : https://github.com/Seldaek/monolog/issues
source : https://github.com/Seldaek/monolog/tree/1.27.1
autoload
psr-4
Monolog\ => src/Monolog
requires
php >=5.3.0
psr/log ~1.0
```
You can even pass the package version, which will tell you the details of that specific version.
```
php composer.phar show monolog/monolog 1.0.2
```
### Options
- **\--all:** List all packages available in all your repositories.
- **\--installed (-i):** List the packages that are installed (this is enabled by default, and deprecated).
- **\--locked:** List the locked packages from composer.lock.
- **\--platform (-p):** List only platform packages (php & extensions).
- **\--available (-a):** List available packages only.
- **\--self (-s):** List the root package info.
- **\--name-only (-N):** List package names only.
- **\--path (-P):** List package paths.
- **\--tree (-t):** List your dependencies as a tree. If you pass a package name it will show the dependency tree for that package.
- **\--latest (-l):** List all installed packages including their latest version.
- **\--outdated (-o):** Implies --latest, but this lists *only* packages that have a newer version available.
- **\--ignore:** Ignore specified package(s). Can contain wildcards (`*`). Use it with the --outdated option if you don't want to be informed about new versions of some packages
- **\--no-dev:** Filters dev dependencies from the package list.
- **\--major-only (-M):** Use with --latest or --outdated. Only shows packages that have major SemVer-compatible updates.
- **\--minor-only (-m):** Use with --latest or --outdated. Only shows packages that have minor SemVer-compatible updates.
- **\--patch-only:** Use with --latest or --outdated. Only shows packages that have patch-level SemVer-compatible updates.
- **\--sort-by-age (-A):** Displays the installed version's age, and sorts packages oldest first. Use with the --latest or --outdated option.
- **\--direct (-D):** Restricts the list of packages to your direct dependencies.
- **\--strict:** Return a non-zero exit code when there are outdated packages.
- **\--format (-f):** Lets you pick between text (default) or json output format.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. Use with the --outdated option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard. Use with the --outdated option.
## outdated[\#](https://getcomposer.org/doc/03-cli.md#outdated)
The `outdated` command shows a list of installed packages that have updates available, including their current and latest versions. This is basically an alias for `composer show -lo`.
The color coding is as such:
- **green (=)**: Dependency is in the latest version and is up to date.
- **yellow (`~`)**: Dependency has a new version available that includes backwards compatibility breaks according to semver, so upgrade when you can but it may involve work.
- **red (!)**: Dependency has a new version that is semver-compatible and you should upgrade it.
### Options
- **\--all (-a):** Show all packages, not just outdated (alias for `composer show --latest`).
- **\--direct (-D):** Restricts the list of packages to your direct dependencies.
- **\--strict:** Returns non-zero exit code if any package is outdated.
- **\--ignore:** Ignore specified package(s). Can contain wildcards (`*`). Use it if you don't want to be informed about new versions of some packages
- **\--major-only (-M):** Only shows packages that have major SemVer-compatible updates.
- **\--minor-only (-m):** Only shows packages that have minor SemVer-compatible updates.
- **\--patch-only (-p):** Only shows packages that have patch-level SemVer-compatible updates.
- **\--sort-by-age (-A):** Displays the installed version's age, and sorts packages oldest first.
- **\--format (-f):** Lets you pick between text (default) or json output format.
- **\--no-dev:** Do not show outdated dev dependencies.
- **\--locked:** Shows updates for packages from the lock file, regardless of what is currently in vendor dir.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
## browse / home[\#](https://getcomposer.org/doc/03-cli.md#browse-home)
The `browse` (aliased to `home`) opens a package's repository URL or homepage in your browser.
### Options
- **\--homepage (-H):** Open the homepage instead of the repository URL.
- **\--show (-s):** Only show the homepage or repository URL.
## suggests[\#](https://getcomposer.org/doc/03-cli.md#suggests)
Lists all packages suggested by the currently installed set of packages. You can optionally pass one or multiple package names in the format of `vendor/package` to limit output to suggestions made by those packages only.
Use the `--by-package` (default) or `--by-suggestion` flags to group the output by the package offering the suggestions or the suggested packages respectively.
If you only want a list of suggested package names, use `--list`.
### Options
- **\--by-package:** Groups output by suggesting package (default).
- **\--by-suggestion:** Groups output by suggested package.
- **\--all:** Show suggestions from all dependencies, including transitive ones (by default only direct dependencies' suggestions are shown).
- **\--list:** Show only list of suggested package names.
- **\--no-dev:** Excludes suggestions from `require-dev` packages.
## fund[\#](https://getcomposer.org/doc/03-cli.md#fund)
Discover how to help fund the maintenance of your dependencies. This lists all funding links from the installed dependencies. Use `--format=json` to get machine-readable output.
### Options
- **\--format (-f):** Lets you pick between text (default) or json output format.
## depends / why[\#](https://getcomposer.org/doc/03-cli.md#depends-why)
The `depends` command tells you which other packages depend on a certain package. As with installation `require-dev` relationships are only considered for the root package.
```
php composer.phar depends doctrine/lexer
```
```
doctrine/annotations 1.13.3 requires doctrine/lexer (1.*)
doctrine/common 2.13.3 requires doctrine/lexer (^1.0)
```
You can optionally specify a version constraint after the package to limit the search.
Add the `--tree` or `-t` flag to show a recursive tree of why the package is depended upon, for example:
```
php composer.phar depends psr/log -t
```
```
psr/log 1.1.4 Common interface for logging libraries
├──composer/composer 2.4.x-dev (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/composer dev-main (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/xdebug-handler 3.0.3 (requires psr/log ^1 || ^2 || ^3)
│ ├──composer/composer 2.4.x-dev (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
│ └──composer/composer dev-main (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
└──symfony/console v5.4.11 (conflicts psr/log >=3) (circular dependency aborted here)
```
### Options
- **\--recursive (-r):** Recursively resolves up to the root package.
- **\--tree (-t):** Prints the results as a nested tree, implies -r.
## prohibits / why-not[\#](https://getcomposer.org/doc/03-cli.md#prohibits-why-not)
The `prohibits` command tells you which packages are blocking a given package from being installed. Specify a version constraint to verify whether upgrades can be performed in your project, and if not why not. See the following example:
```
php composer.phar prohibits symfony/symfony 3.1
```
```
laravel/framework v5.2.16 requires symfony/var-dumper (2.8.*|3.0.*)
```
Note that you can also specify platform requirements, for example to check whether you can upgrade your server to PHP 8.0:
```
php composer.phar prohibits php 8
```
```
doctrine/cache v1.6.0 requires php (~5.5|~7.0)
doctrine/common v2.6.1 requires php (~5.5|~7.0)
doctrine/instantiator 1.0.5 requires php (>=5.3,<8.0-DEV)
```
As with `depends` you can request a recursive lookup, which will list all packages depending on the packages that cause the conflict.
### Options
- **\--recursive (-r):** Recursively resolves up to the root package.
- **\--tree (-t):** Prints the results as a nested tree, implies -r.
## validate[\#](https://getcomposer.org/doc/03-cli.md#validate)
You should always run the `validate` command before you commit your `composer.json` file (and `composer.lock` [if applicable](https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control)), and before you tag a release.
It will check if your `composer.json` is valid. If a `composer.lock` exists, it will also check if it is up to date with the `composer.json`.
```
php composer.phar validate
```
### Options
- **\--no-check-all:** Do not emit a warning if requirements in `composer.json` use unbound or overly strict version constraints.
- **\--no-check-lock:** Do not emit an error if `composer.lock` exists and is not up to date.
- **\--check-lock** Check if lock file is up to date (even when [config.lock](https://getcomposer.org/doc/06-config.md#lock) is false)
- **\--no-check-publish:** Do not emit an error if `composer.json` is unsuitable for publishing as a package on Packagist but is otherwise valid.
- **\--no-check-version:** Do not emit an error if the version field is present.
- **\--with-dependencies:** Also validate the composer.json of all installed dependencies.
- **\--strict:** Return a non-zero exit code for warnings as well as errors.
## status[\#](https://getcomposer.org/doc/03-cli.md#status)
If you often need to modify the code of your dependencies and they are installed from source, the `status` command allows you to check if you have local changes in any of them.
```
php composer.phar status
```
With the `--verbose` option you get some more information about what was changed:
```
php composer.phar status -v
```
```
You have changes in the following dependencies:
vendor/seld/jsonlint:
M README.mdown
```
## self-update / selfupdate[\#](https://getcomposer.org/doc/03-cli.md#self-update-selfupdate)
To update Composer itself to the latest version, run the `self-update` command. It will replace your `composer.phar` with the latest version.
```
php composer.phar self-update
```
If you would like to instead update to a specific release specify it:
```
php composer.phar self-update 2.4.0-RC1
```
If you have installed Composer for your entire system (see [global installation](https://getcomposer.org/doc/00-intro.md#globally)), you may have to run the command with `root` privileges
```
sudo -H composer self-update
```
If Composer was not installed as a PHAR, this command is not available. (This is sometimes the case when Composer was installed by an operating system package manager.)
### Options
- **\--rollback (-r):** Rollback to the last version you had installed.
- **\--clean-backups:** Delete old backups during an update. This makes the current version of Composer the only backup available after the update.
- **\--no-progress:** Do not output download progress.
- **\--update-keys:** Prompt user for a key update.
- **\--stable:** Force an update to the stable channel.
- **\--preview:** Force an update to the preview channel.
- **\--snapshot:** Force an update to the snapshot channel.
- **\--1:** Force an update to the stable channel, but only use 1.x versions
- **\--2:** Force an update to the stable channel, but only use 2.x versions
- **\--set-channel-only:** Only store the channel as the default one and then exit
## config[\#](https://getcomposer.org/doc/03-cli.md#config)
The `config` command allows you to edit Composer config settings and repositories in either the local `composer.json` file or the global `config.json` file.
Additionally it lets you edit most properties in the local `composer.json`.
```
php composer.phar config --list
```
### Usage[\#](https://getcomposer.org/doc/03-cli.md#usage)
`config [options] [setting-key] [setting-value1] ... [setting-valueN]`
`setting-key` is a configuration option name and `setting-value1` is a configuration value. For settings that can take an array of values (like `github-protocols`), multiple setting-value arguments are allowed.
You can also edit the values of the following properties:
`description`, `homepage`, `keywords`, `license`, `minimum-stability`, `name`, `prefer-stable`, `type` and `version`.
See the [Config](https://getcomposer.org/doc/06-config.md) chapter for valid configuration options.
### Options
- **\--global (-g):** Operate on the global config file located at `$COMPOSER_HOME/config.json` by default. Without this option, this command affects the local composer.json file or a file specified by `--file`.
- **\--editor (-e):** Open the local composer.json file using in a text editor as defined by the `EDITOR` env variable. With the `--global` option, this opens the global config file.
- **\--auth (-a):** Affect auth config file (only used for --editor).
- **\--unset:** Remove the configuration element named by `setting-key`.
- **\--list (-l):** Show the list of current config variables. With the `--global` option this lists the global configuration only.
- **\--file="..." (-f):** Operate on a specific file instead of composer.json. Note that this cannot be used in conjunction with the `--global` option.
- **\--absolute:** Returns absolute paths when fetching `*-dir` config values instead of relative.
- **\--json:** JSON decode the setting value, to be used with `extra.*` keys.
- **\--merge:** Merge the setting value with the current value, to be used with `extra.*` keys in combination with `--json`.
- **\--append:** When adding a repository, append it (lowest priority) to the existing ones instead of prepending it (highest priority).
- **\--source:** Display where the config value is loaded from.
### Modifying Repositories[\#](https://getcomposer.org/doc/03-cli.md#modifying-repositories)
In addition to modifying the config section, the `config` command also supports making changes to the repositories section by using it the following way:
```
php composer.phar config repositories.foo vcs https://github.com/foo/bar
```
If your repository requires more configuration options, you can instead pass its JSON representation :
```
php composer.phar config repositories.foo '{"type": "vcs", "url": "http://svn.example.org/my-project/", "trunk-path": "master"}'
```
### Modifying Extra Values[\#](https://getcomposer.org/doc/03-cli.md#modifying-extra-values)
In addition to modifying the config section, the `config` command also supports making changes to the extra section by using it the following way:
```
php composer.phar config extra.foo.bar value
```
The dots indicate array nesting, a max depth of 3 levels is allowed though. The above would set `"extra": { "foo": { "bar": "value" } }`.
If you have a complex value to add/modify, you can use the `--json` and `--merge` flags to edit extra fields as json:
```
php composer.phar config --json extra.foo.bar '{"baz": true, "qux": []}'
```
## repository / repo[\#](https://getcomposer.org/doc/03-cli.md#repository-repo)
The `repo` command lets you manage repositories in your `composer.json`. It is more powerful and recommended over using `composer config repositories.*` to manipulate the repositories configuration. Refer to [Repositories](https://getcomposer.org/doc/05-repositories.md) documentation for details on the available types and configuration options.
### Usage[\#](https://getcomposer.org/doc/03-cli.md#usage-2)
```
repo [options] list
repo [options] add [repo-name] [repo-type] [url]
repo [options] add [repo-name] [json-repo-definition]
repo [options] remove [repo-name]
repo [options] set-url [repo-name] [url]
repo [options] get-url [repo-name]
repo [options] enable packagist.org
repo [options] disable packagist.org
```
### Options
- **\--global (-g):** to modify the global `$COMPOSER_HOME/config.json`.
- **\--file (-f):** to modify a specific file instead of composer.json.
- **\--append:** to add a repository with lower priority (by default repositories are prepended and have thus higher priority than existing ones).
- **\--before :** to insert the new repository before an existing repository named `<name>`.
- **\--after :** to insert the new repository after an existing repository named `<name>`. The `<name>` must match an existing repository name.
### Examples[\#](https://getcomposer.org/doc/03-cli.md#examples)
```
php composer.phar repo list
php composer.phar repo add foo vcs https://github.com/acme/foo
php composer.phar repo add bar composer https://repo.packagist.com/bar
php composer.phar repo add zips '{"type":"artifact","url":"/path/to/dir/with/zips"}'
php composer.phar repo add baz vcs https://example.org --before foo
php composer.phar repo add qux vcs https://example.org --after bar
php composer.phar repo remove foo
php composer.phar repo set-url foo https://git.example.org/acme/foo
php composer.phar repo get-url foo
php composer.phar repo disable packagist.org
php composer.phar repo enable packagist.org
```
## create-project[\#](https://getcomposer.org/doc/03-cli.md#create-project)
You can use Composer to create new projects from an existing package. This is the equivalent of doing a git clone/svn checkout followed by a `composer install` of the vendors.
There are several applications for this:
1. You can deploy application packages.
2. You can check out any package and start developing on patches for example.
3. Projects with multiple developers can use this feature to bootstrap the initial application for development.
To create a new project using Composer you can use the `create-project` command. Pass it a package name, and the directory to create the project in. You can also provide a version as a third argument, otherwise the latest version is used.
If the directory does not currently exist, it will be created during installation.
```
php composer.phar create-project composer/hello-world my-project
```
It is also possible to run the command without params in a directory with an existing `composer.json` file to bootstrap a project.
By default the command checks for the packages on packagist.org.
### Options
- **\--stability (-s):** Minimum stability of package. Defaults to `stable`.
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--repository:** Provide a custom repository to search for the package, which will be used instead of packagist. Can be either an HTTP URL pointing to a `composer` repository, a path to a local `packages.json` file, or a JSON string which similar to what the [repositories](https://getcomposer.org/doc/04-schema.md#repositories) key accepts. You can use this multiple times to configure multiple repositories.
- **\--add-repository:** Add the custom repository in the composer.json. If a lock file is present, it will be deleted and an update will be run instead of an install.
- **\--dev:** Install packages listed in `require-dev`.
- **\--no-dev:** Disables installation of require-dev packages.
- **\--no-scripts:** Disables the execution of the scripts defined in the root package.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--no-secure-http:** Disable the secure-http config option temporarily while installing the root package. Use at your own risk. Using this flag is a bad idea.
- **\--keep-vcs:** Skip the deletion of the VCS metadata for the created project. This is mostly useful if you run the command in non-interactive mode.
- **\--remove-vcs:** Force-remove the VCS metadata without prompting.
- **\--no-install:** Disables installation of the vendors.
- **\--no-audit:** Does not run the audit steps after installation is complete. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
- **\--require:** Require additional package(s) to be added to composer.json after installing the project. If a lock file is present it will be deleted and an update will be run instead of install. Can be specified multiple times for multiple packages. Should be in format `foo/bar:1.0.0` format if you want to specify a constraint.
- **\--ask:** Ask the user to provide a target directory for the new project.
## dump-autoload / dumpautoload[\#](https://getcomposer.org/doc/03-cli.md#dump-autoload-dumpautoload)
If you need to update the autoloader because of new classes in a classmap package for example, you can use `dump-autoload` to do that without having to go through an install or update.
Additionally, it can dump an optimized autoloader that converts PSR-0/4 packages into classmap ones for performance reasons. In large applications with many classes, the autoloader can take up a substantial portion of every request's time. Using classmaps for everything is less convenient in development, but using this option you can still use PSR-0/4 for convenience and classmaps for performance.
### Options
- **\--optimize (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run, so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize`.
- **\--apcu:** Use APCu to cache found/not-found classes.
- **\--apcu-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu`.
- **\--dry-run:** Outputs the operations but will not execute anything.
- **\--no-dev:** Disables autoload-dev rules. Composer will by default infer this automatically according to the last `install` or `update` `--no-dev` state.
- **\--dev:** Enables autoload-dev rules. Composer will by default infer this automatically according to the last `install` or `update` `--no-dev` state.
- **\--ignore-platform-reqs:** ignore all `php`, `hhvm`, `lib-*` and `ext-*` requirements and skip the [platform check](https://getcomposer.org/doc/07-runtime.md#platform-check) for these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement (`php`, `hhvm`, `lib-*` and `ext-*`) and skip the [platform check](https://getcomposer.org/doc/07-runtime.md#platform-check) for it. Multiple requirements can be ignored via wildcard.
- **\--strict-psr:** Return a failed exit code (1) if PSR-4 or PSR-0 mapping errors are present in the current project (dependencies excluded). Requires `--optimize` to work.
- **\--strict-ambiguous:** Return a failed exit code (2) if the same class is found in multiple files. Requires `--optimize` to work.
## clear-cache / clearcache / cc[\#](https://getcomposer.org/doc/03-cli.md#clear-cache-clearcache-cc)
Deletes all content from Composer's cache directories.
### Options
- **\--gc:** Only run garbage collection, not a full cache clear
## licenses[\#](https://getcomposer.org/doc/03-cli.md#licenses)
Lists the name, version and license of every package installed. Use `--format=json` to get machine-readable output.
### Options
- **\--locked:** List licenses from the lock file, regardless of what is currently in vendor dir.
- **\--format:** Format of the output: text, json or summary (default: "text").
- **\--no-dev:** Remove dev dependencies from the output.
## run-script / run[\#](https://getcomposer.org/doc/03-cli.md#run-script-run)
To run [scripts](https://getcomposer.org/doc/articles/scripts.md) manually you can use this command, give it the script name and optionally any required arguments.
### Options
- **\--timeout:** Set the script timeout in seconds, or 0 for no timeout.
- **\--dev:** Sets the dev mode.
- **\--no-dev:** Disable dev mode.
- **\--list (-l):** List user defined scripts.
## exec[\#](https://getcomposer.org/doc/03-cli.md#exec)
Executes a vendored binary/script. You can execute any command and this will ensure that the Composer bin-dir is pushed on your PATH before the command runs.
### Options
- **\--list (-l):** List the available Composer binaries.
## diagnose[\#](https://getcomposer.org/doc/03-cli.md#diagnose)
If you think you found a bug, or something is behaving strangely, you might want to run the `diagnose` command to perform automated checks for many common problems.
```
php composer.phar diagnose
```
## archive[\#](https://getcomposer.org/doc/03-cli.md#archive)
This command is used to generate a zip/tar archive for a given package in a given version. It can also be used to archive your entire project without excluded/ignored files.
```
php composer.phar archive vendor/package 2.0.21 --format=zip
```
### Options
- **\--format (-f):** Format of the resulting archive: tar, tar.gz, tar.bz2 or zip (default: "tar").
- **\--dir:** Write the archive to this directory (default: ".")
- **\--file:** Write the archive with the given file name.
## audit[\#](https://getcomposer.org/doc/03-cli.md#audit)
This command is used to audit the packages you have installed for potential security issues. It checks for and lists security vulnerability advisories using the [Packagist.org api](https://packagist.org/apidoc#list-security-advisories) by default or other repositories if specified in the `repositories` section of `composer.json`. The command also detects abandoned packages.
The audit command determines if there are vulnerable, abandoned, or filtered packages and returns the following exit codes based on the findings:
- `0` No issues;
- `1` Vulnerable packages;
- `2` Abandoned packages;
- `3` Vulnerable and abandoned packages.
- `4` Filtered packages.
- `5` Vulnerable and filtered packages.
- `6` Abandoned and filtered packages.
- `7` Vulnerable, abandoned, and filtered packages.
```
php composer.phar audit
```
### Options
- **\--no-dev:** Disables auditing of require-dev packages.
- **\--format (-f):** Audit output format. Must be "table" (default), "plain", "json", or "summary".
- **\--locked:** Audit packages from the lock file, regardless of what is currently in vendor dir.
- **\--abandoned:** Behavior on abandoned packages. Must be "ignore", "report", or "fail". See also [config.audit.abandoned](https://getcomposer.org/doc/06-config.md#abandoned). Passing this flag will override the config value and the environment variable.
- **\--ignore-severity:** Ignore advisories of a certain severity level. Can be passed one or more time to ignore multiple severities.
- **\--filtered:** Behavior on filtered packages. Must be "ignore", "report", or "fail". See also [config.audit.filtered](https://getcomposer.org/doc/06-config.md#filtered). Passing this flag will override the config value.
## help[\#](https://getcomposer.org/doc/03-cli.md#help)
To get more information about a certain command, you can use `help`.
```
php composer.phar help install
```
## Command-line completion[\#](https://getcomposer.org/doc/03-cli.md#command-line-completion)
Command-line completion can be enabled by running the `composer completion --help` command and following the instructions.
## Environment variables[\#](https://getcomposer.org/doc/03-cli.md#environment-variables)
You can set a number of environment variables that override certain settings. Whenever possible it is recommended to specify these settings in the `config` section of `composer.json` instead. It is worth noting that the env vars will always take precedence over the values specified in `composer.json`.
### COMPOSER[\#](https://getcomposer.org/doc/03-cli.md#composer)
By setting the `COMPOSER` env variable it is possible to set the filename of `composer.json` to something else.
For example:
```
COMPOSER=composer-other.json php composer.phar install
```
The generated lock file will use the same name: `composer-other.lock` in this example.
### COMPOSER\_ALLOW\_SUPERUSER[\#](https://getcomposer.org/doc/03-cli.md#composer-allow-superuser)
If set to 1, this env disables the warning about running commands as root/super user. It also disables automatic clearing of sudo sessions, so you should really only set this if you use Composer as a super user at all times like in docker containers.
### COMPOSER\_ALLOW\_XDEBUG[\#](https://getcomposer.org/doc/03-cli.md#composer-allow-xdebug)
If set to 1, this env allows running Composer when the Xdebug extension is enabled, without restarting PHP without it.
### COMPOSER\_AUTH[\#](https://getcomposer.org/doc/03-cli.md#composer-auth)
The `COMPOSER_AUTH` var allows you to set up authentication as an environment variable. The contents of the variable should be a JSON formatted object containing [http-basic, github-oauth, bitbucket-oauth, ... objects as needed](https://getcomposer.org/doc/articles/authentication-for-private-packages.md), and following the [spec from the config](https://getcomposer.org/doc/06-config.md).
### COMPOSER\_BIN\_COMPAT[\#](https://getcomposer.org/doc/03-cli.md#composer-bin-compat)
Override the [`bin-compat`](https://getcomposer.org/doc/06-config.md#bin-compat) config setting.
### COMPOSER\_BIN\_DIR[\#](https://getcomposer.org/doc/03-cli.md#composer-bin-dir)
By setting this option you can change the `bin` ([Vendor Binaries](https://getcomposer.org/doc/articles/vendor-binaries.md)) directory to something other than `vendor/bin`.
### COMPOSER\_CACHE\_DIR[\#](https://getcomposer.org/doc/03-cli.md#composer-cache-dir)
The `COMPOSER_CACHE_DIR` var allows you to change the Composer cache directory, which is also configurable via the [`cache-dir`](https://getcomposer.org/doc/06-config.md#cache-dir) option.
By default, it points to `C:\Users\<user>\AppData\Local\Composer` (or `%LOCALAPPDATA%/Composer`) on Windows. On \*nix systems that follow the [XDG Base Directory Specifications](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html), it points to `$XDG_CACHE_HOME/composer`. On other \*nix systems and on macOS, it points to `$COMPOSER_HOME/cache`.
### COMPOSER\_CAFILE[\#](https://getcomposer.org/doc/03-cli.md#composer-cafile)
By setting this environmental value, you can set a path to a certificate bundle file to be used during SSL/TLS peer verification.
### COMPOSER\_DISABLE\_XDEBUG\_WARN[\#](https://getcomposer.org/doc/03-cli.md#composer-disable-xdebug-warn)
If set to 1, this env suppresses a warning when Composer is running with the Xdebug extension enabled.
### COMPOSER\_DISCARD\_CHANGES[\#](https://getcomposer.org/doc/03-cli.md#composer-discard-changes)
This env var controls the [`discard-changes`](https://getcomposer.org/doc/06-config.md#discard-changes) config option.
### COMPOSER\_FUND[\#](https://getcomposer.org/doc/03-cli.md#composer-fund)
If set to 0, this env suppresses funding notices when installing.
### COMPOSER\_HOME[\#](https://getcomposer.org/doc/03-cli.md#composer-home)
The `COMPOSER_HOME` var allows you to change the Composer home directory. This is a hidden, global (per-user on the machine) directory that is shared between all projects.
Use `composer config --global home` to see the location of the home directory.
By default, it points to `C:\Users\<user>\AppData\Roaming\Composer` on Windows and `/Users/<user>/.composer` on macOS. On \*nix systems that follow the [XDG Base Directory Specifications](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html), it points to `$XDG_CONFIG_HOME/composer`. On other \*nix systems, it points to `/home/<user>/.composer`.
#### COMPOSER\_HOME/config.json[\#](https://getcomposer.org/doc/03-cli.md#composer-home-config-json)
You may put a `config.json` file into the location which `COMPOSER_HOME` points to. Composer will partially (only `config` and `repositories` keys) merge this configuration with your project's `composer.json` when you run the `install` and `update` commands.
This file allows you to set [repositories](https://getcomposer.org/doc/05-repositories.md) and [configuration](https://getcomposer.org/doc/06-config.md) for the user's projects.
In case global configuration matches *local* configuration, the *local* configuration in the project's `composer.json` always wins.
### COMPOSER\_HTACCESS\_PROTECT[\#](https://getcomposer.org/doc/03-cli.md#composer-htaccess-protect)
Defaults to `1`. If set to `0`, Composer will not create `.htaccess` files in the Composer home, cache, and data directories.
### COMPOSER\_MEMORY\_LIMIT[\#](https://getcomposer.org/doc/03-cli.md#composer-memory-limit)
If set, the value is used as php's memory\_limit.
### COMPOSER\_MIRROR\_PATH\_REPOS[\#](https://getcomposer.org/doc/03-cli.md#composer-mirror-path-repos)
If set to 1, this env changes the default path repository strategy to `mirror` instead of `symlink`. As it is the default strategy being set it can still be overwritten by repository options.
### COMPOSER\_NO\_INTERACTION[\#](https://getcomposer.org/doc/03-cli.md#composer-no-interaction)
If set to 1, this env var will make Composer behave as if you passed the `--no-interaction` flag to every command. This can be set on build boxes/CI.
### COMPOSER\_PROCESS\_TIMEOUT[\#](https://getcomposer.org/doc/03-cli.md#composer-process-timeout)
This env var controls the time Composer waits for commands (such as git commands) to finish executing. The default value is 300 seconds (5 minutes).
### COMPOSER\_ROOT\_VERSION[\#](https://getcomposer.org/doc/03-cli.md#composer-root-version)
By setting this var you can specify the version of the root package, if it cannot be guessed from VCS info and is not present in `composer.json`.
### COMPOSER\_VENDOR\_DIR[\#](https://getcomposer.org/doc/03-cli.md#composer-vendor-dir)
By setting this var you can make Composer install the dependencies into a directory other than `vendor`.
### COMPOSER\_RUNTIME\_ENV[\#](https://getcomposer.org/doc/03-cli.md#composer-runtime-env)
This lets you hint under which environment Composer is running, which can help Composer work around some environment specific issues. The only value currently supported is `virtualbox`, which then enables some short `sleep()` calls to wait for the filesystem to have written files properly before we attempt reading them. You can set the environment variable if you use Vagrant or VirtualBox and experience issues with files not being found during installation even though they should be present.
### http\_proxy or HTTP\_PROXY[\#](https://getcomposer.org/doc/03-cli.md#http-proxy-or-http-proxy)
### HTTP\_PROXY\_REQUEST\_FULLURI[\#](https://getcomposer.org/doc/03-cli.md#http-proxy-request-fulluri)
### HTTPS\_PROXY\_REQUEST\_FULLURI[\#](https://getcomposer.org/doc/03-cli.md#https-proxy-request-fulluri)
### no\_proxy or NO\_PROXY[\#](https://getcomposer.org/doc/03-cli.md#no-proxy-or-no-proxy)
See the [proxy documentation](https://getcomposer.org/doc/faqs/how-to-use-composer-behind-a-proxy.md) for more details on how to use proxy env vars.
### COMPOSER\_MAX\_PARALLEL\_HTTP[\#](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-http)
Set to an integer to configure how many files can be downloaded in parallel. This defaults to 12 and must be between 1 and 50. If your proxy has issues with concurrency maybe you want to lower this. Increasing it should generally not result in performance gains.
### COMPOSER\_MAX\_PARALLEL\_PROCESSES[\#](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-processes)
Set to an integer to configure how many processes can be executed in parallel. This defaults to 10 and must be between 1 and 50.
### COMPOSER\_IPRESOLVE[\#](https://getcomposer.org/doc/03-cli.md#composer-ipresolve)
Set to `4` or `6` to force IPv4 or IPv6 DNS resolution. This only works when the curl extension is used for downloads.
### COMPOSER\_SELF\_UPDATE\_TARGET[\#](https://getcomposer.org/doc/03-cli.md#composer-self-update-target)
If set, makes the self-update command write the new Composer phar file into that path instead of overwriting itself. Useful for updating Composer on a read-only filesystem.
### COMPOSER\_DISABLE\_NETWORK[\#](https://getcomposer.org/doc/03-cli.md#composer-disable-network)
If set to `1`, disables network access (best effort). This can be used for debugging or to run Composer on a plane or a starship with poor connectivity.
If set to `prime`, GitHub VCS repositories will prime the cache, so it can then be used fully offline with `1`.
### COMPOSER\_DEBUG\_EVENTS[\#](https://getcomposer.org/doc/03-cli.md#composer-debug-events)
If set to `1`, outputs information about events being dispatched, which can be useful for plugin authors to identify what is firing when exactly.
### COMPOSER\_SKIP\_SCRIPTS[\#](https://getcomposer.org/doc/03-cli.md#composer-skip-scripts)
Accepts a comma-seperated list of event names, e.g. `post-install-cmd` for which scripts execution should be skipped.
### COMPOSER\_NO\_AUDIT[\#](https://getcomposer.org/doc/03-cli.md#composer-no-audit)
If set to `1`, it is the equivalent of passing the `--no-audit` option to a `require`, `update`, `remove` or `create-project` command.
### COMPOSER\_AUDIT\_ABANDONED[\#](https://getcomposer.org/doc/03-cli.md#composer-audit-abandoned)
Set to `ignore`, `report` or `fail` to override the [audit.abandoned](https://getcomposer.org/doc/06-config.md#abandoned) config option.
### COMPOSER\_FILTER[\#](https://getcomposer.org/doc/03-cli.md#composer-filter)
Set to `0` to disable filters on updates and audit, or `1` to enable them. Setting this to `1` will use the filter configuration in the composer.json. If you want to override the config value, use `composer config filter 1` instead.
### COMPOSER\_NO\_SECURITY\_BLOCKING[\#](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking)
If set to `1`, it is the equivalent of passing the `--no-security-blocking` option to a `require`, `update`, `remove`, `install`, or `create-project` command. This allows installing packages with security advisories or that are abandoned. It overrides the config option [audit.block-insecure](https://getcomposer.org/doc/06-config.md#block-insecure).
### COMPOSER\_SECURITY\_BLOCKING\_ABANDONED[\#](https://getcomposer.org/doc/03-cli.md#composer-security-blocking-abandoned)
If set to `1`, enables blocking of abandoned packages during dependency resolution (equivalent to setting `audit.block-abandoned` config to `true`). If set to `0`, disables blocking of abandoned packages. Note that this setting does not have any effect if security blocking is generally disabled. It overrides the config option [audit.block-abandoned](https://getcomposer.org/doc/06-config.md#block-abandoned).
### COMPOSER\_NO\_DEV[\#](https://getcomposer.org/doc/03-cli.md#composer-no-dev)
If set to `1`, it is the equivalent of passing the `--update-no-dev` option to `require` or the `--no-dev` option to `install` or `update`. You can override this for a single command by setting `COMPOSER_NO_DEV=0`.
### COMPOSER\_PREFER\_STABLE[\#](https://getcomposer.org/doc/03-cli.md#composer-prefer-stable)
If set to `1`, it is the equivalent of passing the `--prefer-stable` option to `update` or `require`.
### COMPOSER\_PREFER\_LOWEST[\#](https://getcomposer.org/doc/03-cli.md#composer-prefer-lowest)
If set to `1`, it is the equivalent of passing the `--prefer-lowest` option to `update` or `require`.
### COMPOSER\_PREFER\_DEV\_OVER\_PRERELEASE[\#](https://getcomposer.org/doc/03-cli.md#composer-prefer-dev-over-prerelease)
If set to `1`, when resolving dependencies with both `--prefer-stable` and `--prefer-lowest` enabled, dev versions are treated as more stable than alpha/beta/RC versions in cases where no stable release exists. This is useful to test lowest versions while still preferring branches that may contain critical fixes over prerelease versions.
### COMPOSER\_SOURCE\_FALLBACK[\#](https://getcomposer.org/doc/03-cli.md#composer-source-fallback)
If set to `0`, Composer will not fall back to an alternative download source when the preferred one fails. Equivalent to passing `--no-source-fallback`. See also [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback).
### COMPOSER\_MINIMAL\_CHANGES[\#](https://getcomposer.org/doc/03-cli.md#composer-minimal-changes)
If set to `1`, it is the equivalent of passing the `--minimal-changes` option to `update`, `require` or `remove`.
### COMPOSER\_IGNORE\_PLATFORM\_REQ or COMPOSER\_IGNORE\_PLATFORM\_REQS[\#](https://getcomposer.org/doc/03-cli.md#composer-ignore-platform-req-or-composer-ignore-platform-reqs)
If `COMPOSER_IGNORE_PLATFORM_REQS` set to `1`, it is the equivalent of passing the `--ignore-platform-reqs` argument. Otherwise, specifying a comma separated list in `COMPOSER_IGNORE_PLATFORM_REQ` will ignore those specific requirements.
For example, if a development workstation will never run database queries, this can be used to ignore the requirement for the database extensions to be available. If you set `COMPOSER_IGNORE_PLATFORM_REQ=ext-oci8`, then composer will allow packages to be installed even if the `oci8` PHP extension is not enabled.
### COMPOSER\_WITH\_DEPENDENCIES[\#](https://getcomposer.org/doc/03-cli.md#composer-with-dependencies)
If set to `1`, it is the equivalent of passing the `--with-dependencies` option to `update`, `require` or `remove`.
### COMPOSER\_WITH\_ALL\_DEPENDENCIES[\#](https://getcomposer.org/doc/03-cli.md#composer-with-all-dependencies)
If set to `1`, it is the equivalent of passing the `--with-all-dependencies` option to `update`, `require` or `remove`.
### SHELL\_VERBOSITY[\#](https://getcomposer.org/doc/03-cli.md#shell-verbosity)
Since Composer uses [symfony/console](https://github.com/symfony/console), you can define the [verbosity level](https://symfony.com/doc/current/console/verbosity.html). `SHELL_VERBOSITY=-1` to hide the output of Composer (this is equivalent to using the CLI option `--quiet`). Please note that this will apply to every tool that rely on `symfony/console`, you can set `SHELL_VERBOSITY=0` after the calls to Composer in order to restore the default verbosity level.
← [Libraries](https://getcomposer.org/doc/02-libraries.md) \| [Schema](https://getcomposer.org/doc/04-schema.md) →
Found a typo? Something is wrong in this documentation? [Fork and edit](https://github.com/composer/composer/edit/main/doc/03-cli.md "Go to the docs to fork and propose updates (external link)") it\!
Composer and all content on this site are released under the [MIT license](https://github.com/composer/composer/blob/main/LICENSE "View the MIT license (external link to GitHub.com)"). |
| Readable Markdown | - [Bash Completions](https://getcomposer.org/doc/03-cli.md#bash-completions)
- [Global Options](https://getcomposer.org/doc/03-cli.md#global-options)
- [Process Exit Codes](https://getcomposer.org/doc/03-cli.md#process-exit-codes)
- [init](https://getcomposer.org/doc/03-cli.md#init)
- [install / i](https://getcomposer.org/doc/03-cli.md#install-i)
- [update / u / upgrade](https://getcomposer.org/doc/03-cli.md#update-u-upgrade)
- [require / r](https://getcomposer.org/doc/03-cli.md#require-r)
- [remove / rm / uninstall](https://getcomposer.org/doc/03-cli.md#remove-rm-uninstall)
- [bump](https://getcomposer.org/doc/03-cli.md#bump)
- [reinstall](https://getcomposer.org/doc/03-cli.md#reinstall)
- [check-platform-reqs](https://getcomposer.org/doc/03-cli.md#check-platform-reqs)
- [global](https://getcomposer.org/doc/03-cli.md#global)
- [search](https://getcomposer.org/doc/03-cli.md#search)
- [show / info](https://getcomposer.org/doc/03-cli.md#show-info)
- [outdated](https://getcomposer.org/doc/03-cli.md#outdated)
- [browse / home](https://getcomposer.org/doc/03-cli.md#browse-home)
- [suggests](https://getcomposer.org/doc/03-cli.md#suggests)
- [fund](https://getcomposer.org/doc/03-cli.md#fund)
- [depends / why](https://getcomposer.org/doc/03-cli.md#depends-why)
- [prohibits / why-not](https://getcomposer.org/doc/03-cli.md#prohibits-why-not)
- [validate](https://getcomposer.org/doc/03-cli.md#validate)
- [status](https://getcomposer.org/doc/03-cli.md#status)
- [self-update / selfupdate](https://getcomposer.org/doc/03-cli.md#self-update-selfupdate)
- [config](https://getcomposer.org/doc/03-cli.md#config)
- [Usage](https://getcomposer.org/doc/03-cli.md#usage)
- [Modifying Repositories](https://getcomposer.org/doc/03-cli.md#modifying-repositories)
- [Modifying Extra Values](https://getcomposer.org/doc/03-cli.md#modifying-extra-values)
- [repository / repo](https://getcomposer.org/doc/03-cli.md#repository-repo)
- [Usage](https://getcomposer.org/doc/03-cli.md#usage-2)
- [Examples](https://getcomposer.org/doc/03-cli.md#examples)
- [create-project](https://getcomposer.org/doc/03-cli.md#create-project)
- [dump-autoload / dumpautoload](https://getcomposer.org/doc/03-cli.md#dump-autoload-dumpautoload)
- [clear-cache / clearcache / cc](https://getcomposer.org/doc/03-cli.md#clear-cache-clearcache-cc)
- [licenses](https://getcomposer.org/doc/03-cli.md#licenses)
- [run-script / run](https://getcomposer.org/doc/03-cli.md#run-script-run)
- [exec](https://getcomposer.org/doc/03-cli.md#exec)
- [diagnose](https://getcomposer.org/doc/03-cli.md#diagnose)
- [archive](https://getcomposer.org/doc/03-cli.md#archive)
- [audit](https://getcomposer.org/doc/03-cli.md#audit)
- [help](https://getcomposer.org/doc/03-cli.md#help)
- [Command-line completion](https://getcomposer.org/doc/03-cli.md#command-line-completion)
- [Environment variables](https://getcomposer.org/doc/03-cli.md#environment-variables)
- [COMPOSER](https://getcomposer.org/doc/03-cli.md#composer)
- [COMPOSER\_ALLOW\_SUPERUSER](https://getcomposer.org/doc/03-cli.md#composer-allow-superuser)
- [COMPOSER\_ALLOW\_XDEBUG](https://getcomposer.org/doc/03-cli.md#composer-allow-xdebug)
- [COMPOSER\_AUTH](https://getcomposer.org/doc/03-cli.md#composer-auth)
- [COMPOSER\_BIN\_COMPAT](https://getcomposer.org/doc/03-cli.md#composer-bin-compat)
- [COMPOSER\_BIN\_DIR](https://getcomposer.org/doc/03-cli.md#composer-bin-dir)
- [COMPOSER\_CACHE\_DIR](https://getcomposer.org/doc/03-cli.md#composer-cache-dir)
- [COMPOSER\_CAFILE](https://getcomposer.org/doc/03-cli.md#composer-cafile)
- [COMPOSER\_DISABLE\_XDEBUG\_WARN](https://getcomposer.org/doc/03-cli.md#composer-disable-xdebug-warn)
- [COMPOSER\_DISCARD\_CHANGES](https://getcomposer.org/doc/03-cli.md#composer-discard-changes)
- [COMPOSER\_FUND](https://getcomposer.org/doc/03-cli.md#composer-fund)
- [COMPOSER\_HOME](https://getcomposer.org/doc/03-cli.md#composer-home)
- [COMPOSER\_HOME/config.json](https://getcomposer.org/doc/03-cli.md#composer-home-config-json)
- [COMPOSER\_HTACCESS\_PROTECT](https://getcomposer.org/doc/03-cli.md#composer-htaccess-protect)
- [COMPOSER\_MEMORY\_LIMIT](https://getcomposer.org/doc/03-cli.md#composer-memory-limit)
- [COMPOSER\_MIRROR\_PATH\_REPOS](https://getcomposer.org/doc/03-cli.md#composer-mirror-path-repos)
- [COMPOSER\_NO\_INTERACTION](https://getcomposer.org/doc/03-cli.md#composer-no-interaction)
- [COMPOSER\_PROCESS\_TIMEOUT](https://getcomposer.org/doc/03-cli.md#composer-process-timeout)
- [COMPOSER\_ROOT\_VERSION](https://getcomposer.org/doc/03-cli.md#composer-root-version)
- [COMPOSER\_VENDOR\_DIR](https://getcomposer.org/doc/03-cli.md#composer-vendor-dir)
- [COMPOSER\_RUNTIME\_ENV](https://getcomposer.org/doc/03-cli.md#composer-runtime-env)
- [http\_proxy or HTTP\_PROXY](https://getcomposer.org/doc/03-cli.md#http-proxy-or-http-proxy)
- [HTTP\_PROXY\_REQUEST\_FULLURI](https://getcomposer.org/doc/03-cli.md#http-proxy-request-fulluri)
- [HTTPS\_PROXY\_REQUEST\_FULLURI](https://getcomposer.org/doc/03-cli.md#https-proxy-request-fulluri)
- [no\_proxy or NO\_PROXY](https://getcomposer.org/doc/03-cli.md#no-proxy-or-no-proxy)
- [COMPOSER\_MAX\_PARALLEL\_HTTP](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-http)
- [COMPOSER\_MAX\_PARALLEL\_PROCESSES](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-processes)
- [COMPOSER\_IPRESOLVE](https://getcomposer.org/doc/03-cli.md#composer-ipresolve)
- [COMPOSER\_SELF\_UPDATE\_TARGET](https://getcomposer.org/doc/03-cli.md#composer-self-update-target)
- [COMPOSER\_DISABLE\_NETWORK](https://getcomposer.org/doc/03-cli.md#composer-disable-network)
- [COMPOSER\_DEBUG\_EVENTS](https://getcomposer.org/doc/03-cli.md#composer-debug-events)
- [COMPOSER\_SKIP\_SCRIPTS](https://getcomposer.org/doc/03-cli.md#composer-skip-scripts)
- [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit)
- [COMPOSER\_AUDIT\_ABANDONED](https://getcomposer.org/doc/03-cli.md#composer-audit-abandoned)
- [COMPOSER\_FILTER](https://getcomposer.org/doc/03-cli.md#composer-filter)
- [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking)
- [COMPOSER\_SECURITY\_BLOCKING\_ABANDONED](https://getcomposer.org/doc/03-cli.md#composer-security-blocking-abandoned)
- [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev)
- [COMPOSER\_PREFER\_STABLE](https://getcomposer.org/doc/03-cli.md#composer-prefer-stable)
- [COMPOSER\_PREFER\_LOWEST](https://getcomposer.org/doc/03-cli.md#composer-prefer-lowest)
- [COMPOSER\_PREFER\_DEV\_OVER\_PRERELEASE](https://getcomposer.org/doc/03-cli.md#composer-prefer-dev-over-prerelease)
- [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback)
- [COMPOSER\_MINIMAL\_CHANGES](https://getcomposer.org/doc/03-cli.md#composer-minimal-changes)
- [COMPOSER\_IGNORE\_PLATFORM\_REQ or COMPOSER\_IGNORE\_PLATFORM\_REQS](https://getcomposer.org/doc/03-cli.md#composer-ignore-platform-req-or-composer-ignore-platform-reqs)
- [COMPOSER\_WITH\_DEPENDENCIES](https://getcomposer.org/doc/03-cli.md#composer-with-dependencies)
- [COMPOSER\_WITH\_ALL\_DEPENDENCIES](https://getcomposer.org/doc/03-cli.md#composer-with-all-dependencies)
- [SHELL\_VERBOSITY](https://getcomposer.org/doc/03-cli.md#shell-verbosity)
You've already learned how to use the command-line interface to do some things. This chapter documents all the available commands.
To get help from the command-line, call `composer` or `composer list` to see the complete list of commands, then `--help` combined with any of those can give you more information.
As Composer uses [symfony/console](https://github.com/symfony/console) you can call commands by short name if it's not ambiguous.
```
php composer.phar dump
```
calls `composer dump-autoload`.
## Bash Completions[\#](https://getcomposer.org/doc/03-cli.md#bash-completions)
To install bash completions you can run `composer completion bash > completion.bash`. This will create a `completion.bash` file in the current directory.
Then execute `source completion.bash` to enable it in the current terminal session.
Move and rename the `completion.bash` file to `/etc/bash_completion.d/composer` to make it load automatically in new terminals.
## Global Options[\#](https://getcomposer.org/doc/03-cli.md#global-options)
The following options are available with every command:
- **\--verbose (-v):** Increase verbosity of messages.
- **\--help (-h):** Display help information.
- **\--quiet (-q):** Do not output any message.
- **\--no-interaction (-n):** Do not ask any interactive question.
- **\--no-plugins:** Disables plugins.
- **\--no-scripts:** Skips execution of scripts defined in `composer.json`.
- **\--no-cache:** Disables the use of the cache directory. Same as setting the COMPOSER\_CACHE\_DIR env var to /dev/null (or NUL on Windows).
- **\--working-dir (-d):** If specified, use the given directory as working directory.
- **\--profile:** Display timing and memory usage information
- **\--ansi:** Force ANSI output.
- **\--no-ansi:** Disable ANSI output.
- **\--version (-V):** Display this application version.
## Process Exit Codes[\#](https://getcomposer.org/doc/03-cli.md#process-exit-codes)
- **0:** OK
- **1:** Generic/unknown error code
- **2:** Dependency solving error code
## init[\#](https://getcomposer.org/doc/03-cli.md#init)
In the [Libraries](https://getcomposer.org/doc/02-libraries.md) chapter we looked at how to create a `composer.json` by hand. There is also an `init` command available to do this.
When you run the command it will interactively ask you to fill in the fields, while using some smart defaults.
```
php composer.phar init
```
### Options
- **\--name:** Name of the package.
- **\--description:** Description of the package.
- **\--author:** Author name of the package.
- **\--type:** Type of package.
- **\--homepage:** Homepage of the package.
- **\--require:** Package to require with a version constraint. Should be in format `foo/bar:1.0.0`.
- **\--require-dev:** Development requirements, see **\--require**.
- **\--stability (-s):** Value for the `minimum-stability` field.
- **\--license (-l):** License of package.
- **\--repository:** Provide one (or more) custom repositories. They will be stored in the generated composer.json, and used for auto-completion when prompting for the list of requires. Every repository can be either an HTTP URL pointing to a `composer` repository or a JSON string which is similar to what the [repositories](https://getcomposer.org/doc/04-schema.md#repositories) key accepts.
- **\--autoload (-a):** Add a PSR-4 autoload mapping to the composer.json. Automatically maps your package's namespace to the provided directory. (Expects a relative path, e.g. src/) See also [PSR-4 autoload](https://getcomposer.org/doc/04-schema.md#psr-4).
## install / i[\#](https://getcomposer.org/doc/03-cli.md#install-i)
The `install` command reads the `composer.json` file from the current directory, resolves the dependencies, and installs them into `vendor`.
```
php composer.phar install
```
If there is a `composer.lock` file in the current directory, it will use the exact versions from there instead of resolving them. This ensures that everyone using the library will get the same versions of the dependencies.
If there is no `composer.lock` file, Composer will create one after dependency resolution.
### Options
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--dry-run:** If you want to run through an installation without actually installing a package, you can use `--dry-run`. This will simulate the installation and show you what would happen.
- **\--download-only:** Download only, do not install packages.
- **\--dev:** Install packages listed in `require-dev` (this is the default behavior).
- **\--no-dev:** Skip installing packages listed in `require-dev`. The autoloader generation skips the `autoload-dev` rules. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--no-autoloader:** Skips autoloader generation.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--audit:** Run an audit after installation is complete.
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking). Only applies when no lock file is present - for installs from a lock file Composer never blocks vulnerable packages.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--strict-psr-autoloader:** Return a failed exit code (6) if PSR-4 or PSR-0 mapping errors are present in the current project (dependencies excluded). Requires `--optimize-autoloader` to work.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard. Appending a `+` makes it only ignore the upper-bound of the requirements. For example, if a package requires `php: ^7`, then the option `--ignore-platform-req=php+` would allow installing on PHP 8, but installation on PHP 5.6 would still fail.
## update / u / upgrade[\#](https://getcomposer.org/doc/03-cli.md#update-u-upgrade)
In order to get the latest versions of the dependencies and to update the `composer.lock` file, you should use the `update` command. This command is also aliased as `upgrade` as it does the same as `upgrade` does if you are thinking of `apt-get` or similar package managers.
```
php composer.phar update
```
This will resolve all dependencies of the project and write the exact versions into `composer.lock`.
If you only want to update a few packages and not all, you can list them as such:
```
php composer.phar update vendor/package vendor/package2
```
You can also use wildcards to update a bunch of packages at once:
```
php composer.phar update "vendor/*"
```
If you want to downgrade a package to a specific version without changing your composer.json you can use `--with` and provide a custom version constraint:
```
php composer.phar update --with vendor/package:2.0.1
```
Note that with the above all packages will be updated. If you only want to update the package(s) for which you provide custom constraints using `--with`, you can skip `--with` and instead use constraints with the partial update syntax:
```
php composer.phar update vendor/package:2.0.1 vendor/package2:3.0.*
```
> **Note:** For packages also required in your composer.json the custom constraint must be a subset of the existing constraint. The composer.json constraints still apply and the composer.json is not modified by these temporary update constraints.
### Options
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--dry-run:** Simulate the command without actually doing anything.
- **\--dev:** Install packages listed in `require-dev` (this is the default behavior).
- **\--no-dev:** Skip installing packages listed in `require-dev`. The autoloader generation skips the `autoload-dev` rules. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--no-install:** Does not run the install step after updating the composer.lock file.
- **\--no-audit:** Does not run the audit steps after updating the composer.lock file. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--lock:** Overwrites the lock file hash to suppress warning about the lock file being out of date without updating package versions. Package metadata like mirrors and URLs are updated if they changed.
- **\--with:** Temporary version constraint to add, e.g. foo/bar:1.0.0 or foo/bar=1.0.0
- **\--no-autoloader:** Skips autoloader generation.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--with-dependencies (-w):** Update also dependencies of packages in the argument list, except those which are root requirements. Can also be set via the COMPOSER\_WITH\_DEPENDENCIES=1 env var.
- **\--with-all-dependencies (-W):** Update also dependencies of packages in the argument list, including those which are root requirements. Can also be set via the COMPOSER\_WITH\_ALL\_DEPENDENCIES=1 env var.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run, so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--strict-psr-autoloader:** Return a failed exit code (6) if PSR-4 or PSR-0 mapping errors are present in the current project (dependencies excluded). Requires `--optimize-autoloader` to work.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard. Appending a `+` makes it only ignore the upper-bound of the requirements. For example, if a package requires `php: ^7`, then the option `--ignore-platform-req=php+` would allow installing on PHP 8, but installation on PHP 5.6 would still fail.
- **\--prefer-stable:** Prefer stable versions of dependencies. Can also be set via the COMPOSER\_PREFER\_STABLE=1 env var.
- **\--prefer-lowest:** Prefer lowest versions of dependencies. Useful for testing minimal versions of requirements, generally used with `--prefer-stable`. Can also be set via the COMPOSER\_PREFER\_LOWEST=1 env var.
- **\--minimal-changes (-m):** Only perform absolutely necessary changes to dependencies. If packages cannot be kept at their currently locked version they are updated. For partial updates the allow-listed packages are always updated fully. Can also be set via the COMPOSER\_MINIMAL\_CHANGES=1 env var.
- **\--patch-only:** Only allow patch version updates for currently installed dependencies.
- **\--interactive:** Interactive interface with autocompletion to select the packages to update.
- **\--root-reqs:** Restricts the update to your first degree dependencies.
- **\--bump-after-update:** Runs `bump` after performing the update. Set to `dev` or `no-dev` to only bump those dependencies.
Specifying one of the words `mirrors`, `lock`, or `nothing` as an argument has the same effect as specifying the option `--lock`, for example `composer update mirrors` is exactly the same as `composer update --lock`.
## require / r[\#](https://getcomposer.org/doc/03-cli.md#require-r)
The `require` command adds new packages to the `composer.json` file from the current directory. If no file exists one will be created on the fly.
If you do not specify a package, Composer will prompt you to search for a package, and given results, provide a list of matches to require.
```
php composer.phar require
```
After adding/changing the requirements, the modified requirements will be installed or updated.
If you do not want to choose requirements interactively, you can pass them to the command.
```
php composer.phar require "vendor/package:2.*" vendor/package2:dev-master
```
If you do not specify a version constraint, composer will choose a suitable one based on the available package versions.
```
php composer.phar require vendor/package vendor/package2
```
If you do not want to install the new dependencies immediately you can call it with --no-update
### Options
- **\--dev:** Add packages to `require-dev`.
- **\--dry-run:** Simulate the command without actually doing anything.
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--no-update:** Disables the automatic update of the dependencies (implies --no-install).
- **\--no-install:** Does not run the install step after updating the composer.lock file.
- **\--no-audit:** Does not run the audit steps after updating the composer.lock file. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--update-no-dev:** Run the dependency update with the `--no-dev` option. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--update-with-dependencies (-w):** Also update dependencies of the newly required packages, except those that are root requirements. Can also be set via the COMPOSER\_WITH\_DEPENDENCIES=1 env var.
- **\--update-with-all-dependencies (-W):** Also update dependencies of the newly required packages, including those that are root requirements. Can also be set via the COMPOSER\_WITH\_ALL\_DEPENDENCIES=1 env var.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
- **\--prefer-stable:** Prefer stable versions of dependencies. Can also be set via the COMPOSER\_PREFER\_STABLE=1 env var.
- **\--prefer-lowest:** Prefer lowest versions of dependencies. Useful for testing minimal versions of requirements, generally used with `--prefer-stable`. Can also be set via the COMPOSER\_PREFER\_LOWEST=1 env var.
- **\--minimal-changes (-m):** During an update with `-w`/`-W`, only perform absolutely necessary changes to transitive dependencies. Can also be set via the COMPOSER\_MINIMAL\_CHANGES=1 env var.
- **\--sort-packages:** Keep packages sorted in `composer.json`.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run, so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
## remove / rm / uninstall[\#](https://getcomposer.org/doc/03-cli.md#remove-rm-uninstall)
The `remove` command removes packages from the `composer.json` file from the current directory.
```
php composer.phar remove vendor/package vendor/package2
```
After removing the requirements, the modified requirements will be uninstalled.
### Options
- **\--unused:** Remove unused packages that are not a direct or indirect dependency (anymore).
- **\--dev:** Remove packages from `require-dev`.
- **\--dry-run:** Simulate the command without actually doing anything.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--no-update:** Disables the automatic update of the dependencies (implies --no-install).
- **\--no-install:** Does not run the install step after updating the composer.lock file.
- **\--no-audit:** Does not run the audit steps after installation is complete. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--update-no-dev:** Run the dependency update with the --no-dev option. Also see [COMPOSER\_NO\_DEV](https://getcomposer.org/doc/03-cli.md#composer-no-dev).
- **\--update-with-dependencies (-w):** Also update dependencies of the removed packages. Can also be set via the COMPOSER\_WITH\_DEPENDENCIES=1 env var. (Deprecated, is now default behavior)
- **\--update-with-all-dependencies (-W):** Allows all inherited dependencies to be updated, including those that are root requirements. Can also be set via the COMPOSER\_WITH\_ALL\_DEPENDENCIES=1 env var.
- **\--minimal-changes (-m):** During an update with `-w`/`-W`, only perform absolutely necessary changes to transitive dependencies. Can also be set via the COMPOSER\_MINIMAL\_CHANGES=1 env var.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
## bump[\#](https://getcomposer.org/doc/03-cli.md#bump)
The `bump` command increases the lower limit of your composer.json requirements to the currently installed versions. This helps to ensure your dependencies do not accidentally get downgraded due to some other conflict, and can slightly improve dependency resolution performance as it limits the amount of package versions Composer has to look at.
Running this blindly on libraries is **NOT** recommended as it will narrow down your allowed dependencies, which may cause dependency hell for your users. Running it with `--dev-only` on libraries may be fine however as dev requirements are local to the library and do not affect consumers of the package.
### Options
- **\--dev-only:** Only bump requirements in "require-dev".
- **\--no-dev-only:** Only bump requirements in "require".
- **\--dry-run:** Outputs the packages to bump, but will not execute anything.
## reinstall[\#](https://getcomposer.org/doc/03-cli.md#reinstall)
The `reinstall` command looks up installed packages by name, uninstalls them and reinstalls them. This lets you do a clean install of a package if you messed with its files, or if you wish to change the installation type using --prefer-install.
```
php composer.phar reinstall acme/foo acme/bar
```
You can specify more than one package name to reinstall, or use a wildcard to select several packages at once:
```
php composer.phar reinstall "acme/*"
```
### Options
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--no-autoloader:** Skips autoloader generation.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.
- **\--apcu-autoloader:** Use APCu to cache found/not-found classes.
- **\--apcu-autoloader-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu-autoloader`.
- **\--ignore-platform-reqs:** ignore all platform requirements. This only has an effect in the context of the autoloader generation for the reinstall command.
- **\--ignore-platform-req:** ignore a specific platform requirement. This only has an effect in the context of the autoloader generation for the reinstall command. Multiple requirements can be ignored via wildcard.
## check-platform-reqs[\#](https://getcomposer.org/doc/03-cli.md#check-platform-reqs)
The check-platform-reqs command checks that your PHP and extensions versions match the platform requirements of the installed packages. This can be used to verify that a production server has all the extensions needed to run a project after installing it for example.
Unlike update/install, this command will ignore config.platform settings and check the real platform packages so you can be certain you have the required platform dependencies.
### Options
- **\--lock:** Checks requirements only from the lock file, not from installed packages.
- **\--no-dev:** Disables checking of require-dev packages requirements.
- **\--format (-f):** Format of the output: text (default) or json
## global[\#](https://getcomposer.org/doc/03-cli.md#global)
The global command allows you to run other commands like `install`, `remove`, `require` or `update` as if you were running them from the [COMPOSER\_HOME](https://getcomposer.org/doc/03-cli.md#composer-home) directory.
This is merely a helper to manage a project stored in a central location that can hold CLI tools or Composer plugins that you want to have available everywhere.
This can be used to install CLI utilities globally. Here is an example:
```
php composer.phar global require friendsofphp/php-cs-fixer
```
Now the `php-cs-fixer` binary is available globally. Make sure your global [vendor binaries](https://getcomposer.org/doc/articles/vendor-binaries.md) directory is in your `$PATH` environment variable, you can get its location with the following command :
```
php composer.phar global config bin-dir --absolute
```
If you wish to update the binary later on you can run a global update:
```
php composer.phar global update
```
## search[\#](https://getcomposer.org/doc/03-cli.md#search)
The search command allows you to search through the current project's package repositories. Usually this will be packagist. You pass it the terms you want to search for.
```
php composer.phar search monolog
```
You can also search for more than one term by passing multiple arguments.
### Options
- **\--only-name (-N):** Search only in package names.
- **\--only-vendor (-O):** Search only for vendor / organization names, returns only "vendor" as a result.
- **\--type (-t):** Search for a specific package type.
- **\--format (-f):** Lets you pick between text (default) or json output format. Note that in the json, only the name and description keys are guaranteed to be present. The rest (`url`, `repository`, `downloads` and `favers`) are available for Packagist.org search results and other repositories may return more or less data.
## show / info[\#](https://getcomposer.org/doc/03-cli.md#show-info)
To list all of the available packages, you can use the `show` command.
```
php composer.phar show
```
To filter the list you can pass a package mask using wildcards.
```
php composer.phar show "monolog/*"
```
```
monolog/monolog 2.4.0 Sends your logs to files, sockets, inboxes, databases and various web services
```
If you want to see the details of a certain package, you can pass the package name.
```
php composer.phar show monolog/monolog
```
```
name : monolog/monolog
descrip. : Sends your logs to files, sockets, inboxes, databases and various web services
keywords : log, logging, psr-3
versions : * 1.27.1
type : library
license : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
homepage : http://github.com/Seldaek/monolog
source : [git] https://github.com/Seldaek/monolog.git 904713c5929655dc9b97288b69cfeedad610c9a1
dist : [zip] https://api.github.com/repos/Seldaek/monolog/zipball/904713c5929655dc9b97288b69cfeedad610c9a1 904713c5929655dc9b97288b69cfeedad610c9a1
names : monolog/monolog, psr/log-implementation
support
issues : https://github.com/Seldaek/monolog/issues
source : https://github.com/Seldaek/monolog/tree/1.27.1
autoload
psr-4
Monolog\ => src/Monolog
requires
php >=5.3.0
psr/log ~1.0
```
You can even pass the package version, which will tell you the details of that specific version.
```
php composer.phar show monolog/monolog 1.0.2
```
### Options
- **\--all:** List all packages available in all your repositories.
- **\--installed (-i):** List the packages that are installed (this is enabled by default, and deprecated).
- **\--locked:** List the locked packages from composer.lock.
- **\--platform (-p):** List only platform packages (php & extensions).
- **\--available (-a):** List available packages only.
- **\--self (-s):** List the root package info.
- **\--name-only (-N):** List package names only.
- **\--path (-P):** List package paths.
- **\--tree (-t):** List your dependencies as a tree. If you pass a package name it will show the dependency tree for that package.
- **\--latest (-l):** List all installed packages including their latest version.
- **\--outdated (-o):** Implies --latest, but this lists *only* packages that have a newer version available.
- **\--ignore:** Ignore specified package(s). Can contain wildcards (`*`). Use it with the --outdated option if you don't want to be informed about new versions of some packages
- **\--no-dev:** Filters dev dependencies from the package list.
- **\--major-only (-M):** Use with --latest or --outdated. Only shows packages that have major SemVer-compatible updates.
- **\--minor-only (-m):** Use with --latest or --outdated. Only shows packages that have minor SemVer-compatible updates.
- **\--patch-only:** Use with --latest or --outdated. Only shows packages that have patch-level SemVer-compatible updates.
- **\--sort-by-age (-A):** Displays the installed version's age, and sorts packages oldest first. Use with the --latest or --outdated option.
- **\--direct (-D):** Restricts the list of packages to your direct dependencies.
- **\--strict:** Return a non-zero exit code when there are outdated packages.
- **\--format (-f):** Lets you pick between text (default) or json output format.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. Use with the --outdated option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard. Use with the --outdated option.
## outdated[\#](https://getcomposer.org/doc/03-cli.md#outdated)
The `outdated` command shows a list of installed packages that have updates available, including their current and latest versions. This is basically an alias for `composer show -lo`.
The color coding is as such:
- **green (=)**: Dependency is in the latest version and is up to date.
- **yellow (`~`)**: Dependency has a new version available that includes backwards compatibility breaks according to semver, so upgrade when you can but it may involve work.
- **red (!)**: Dependency has a new version that is semver-compatible and you should upgrade it.
### Options
- **\--all (-a):** Show all packages, not just outdated (alias for `composer show --latest`).
- **\--direct (-D):** Restricts the list of packages to your direct dependencies.
- **\--strict:** Returns non-zero exit code if any package is outdated.
- **\--ignore:** Ignore specified package(s). Can contain wildcards (`*`). Use it if you don't want to be informed about new versions of some packages
- **\--major-only (-M):** Only shows packages that have major SemVer-compatible updates.
- **\--minor-only (-m):** Only shows packages that have minor SemVer-compatible updates.
- **\--patch-only (-p):** Only shows packages that have patch-level SemVer-compatible updates.
- **\--sort-by-age (-A):** Displays the installed version's age, and sorts packages oldest first.
- **\--format (-f):** Lets you pick between text (default) or json output format.
- **\--no-dev:** Do not show outdated dev dependencies.
- **\--locked:** Shows updates for packages from the lock file, regardless of what is currently in vendor dir.
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
## browse / home[\#](https://getcomposer.org/doc/03-cli.md#browse-home)
The `browse` (aliased to `home`) opens a package's repository URL or homepage in your browser.
### Options
- **\--homepage (-H):** Open the homepage instead of the repository URL.
- **\--show (-s):** Only show the homepage or repository URL.
## suggests[\#](https://getcomposer.org/doc/03-cli.md#suggests)
Lists all packages suggested by the currently installed set of packages. You can optionally pass one or multiple package names in the format of `vendor/package` to limit output to suggestions made by those packages only.
Use the `--by-package` (default) or `--by-suggestion` flags to group the output by the package offering the suggestions or the suggested packages respectively.
If you only want a list of suggested package names, use `--list`.
### Options
- **\--by-package:** Groups output by suggesting package (default).
- **\--by-suggestion:** Groups output by suggested package.
- **\--all:** Show suggestions from all dependencies, including transitive ones (by default only direct dependencies' suggestions are shown).
- **\--list:** Show only list of suggested package names.
- **\--no-dev:** Excludes suggestions from `require-dev` packages.
## fund[\#](https://getcomposer.org/doc/03-cli.md#fund)
Discover how to help fund the maintenance of your dependencies. This lists all funding links from the installed dependencies. Use `--format=json` to get machine-readable output.
### Options
- **\--format (-f):** Lets you pick between text (default) or json output format.
## depends / why[\#](https://getcomposer.org/doc/03-cli.md#depends-why)
The `depends` command tells you which other packages depend on a certain package. As with installation `require-dev` relationships are only considered for the root package.
```
php composer.phar depends doctrine/lexer
```
```
doctrine/annotations 1.13.3 requires doctrine/lexer (1.*)
doctrine/common 2.13.3 requires doctrine/lexer (^1.0)
```
You can optionally specify a version constraint after the package to limit the search.
Add the `--tree` or `-t` flag to show a recursive tree of why the package is depended upon, for example:
```
php composer.phar depends psr/log -t
```
```
psr/log 1.1.4 Common interface for logging libraries
├──composer/composer 2.4.x-dev (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/composer dev-main (requires psr/log ^1.0 || ^2.0 || ^3.0)
├──composer/xdebug-handler 3.0.3 (requires psr/log ^1 || ^2 || ^3)
│ ├──composer/composer 2.4.x-dev (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
│ └──composer/composer dev-main (requires composer/xdebug-handler ^2.0.2 || ^3.0.3)
└──symfony/console v5.4.11 (conflicts psr/log >=3) (circular dependency aborted here)
```
### Options
- **\--recursive (-r):** Recursively resolves up to the root package.
- **\--tree (-t):** Prints the results as a nested tree, implies -r.
## prohibits / why-not[\#](https://getcomposer.org/doc/03-cli.md#prohibits-why-not)
The `prohibits` command tells you which packages are blocking a given package from being installed. Specify a version constraint to verify whether upgrades can be performed in your project, and if not why not. See the following example:
```
php composer.phar prohibits symfony/symfony 3.1
```
```
laravel/framework v5.2.16 requires symfony/var-dumper (2.8.*|3.0.*)
```
Note that you can also specify platform requirements, for example to check whether you can upgrade your server to PHP 8.0:
```
php composer.phar prohibits php 8
```
```
doctrine/cache v1.6.0 requires php (~5.5|~7.0)
doctrine/common v2.6.1 requires php (~5.5|~7.0)
doctrine/instantiator 1.0.5 requires php (>=5.3,<8.0-DEV)
```
As with `depends` you can request a recursive lookup, which will list all packages depending on the packages that cause the conflict.
### Options
- **\--recursive (-r):** Recursively resolves up to the root package.
- **\--tree (-t):** Prints the results as a nested tree, implies -r.
## validate[\#](https://getcomposer.org/doc/03-cli.md#validate)
You should always run the `validate` command before you commit your `composer.json` file (and `composer.lock` [if applicable](https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control)), and before you tag a release.
It will check if your `composer.json` is valid. If a `composer.lock` exists, it will also check if it is up to date with the `composer.json`.
```
php composer.phar validate
```
### Options
- **\--no-check-all:** Do not emit a warning if requirements in `composer.json` use unbound or overly strict version constraints.
- **\--no-check-lock:** Do not emit an error if `composer.lock` exists and is not up to date.
- **\--check-lock** Check if lock file is up to date (even when [config.lock](https://getcomposer.org/doc/06-config.md#lock) is false)
- **\--no-check-publish:** Do not emit an error if `composer.json` is unsuitable for publishing as a package on Packagist but is otherwise valid.
- **\--no-check-version:** Do not emit an error if the version field is present.
- **\--with-dependencies:** Also validate the composer.json of all installed dependencies.
- **\--strict:** Return a non-zero exit code for warnings as well as errors.
## status[\#](https://getcomposer.org/doc/03-cli.md#status)
If you often need to modify the code of your dependencies and they are installed from source, the `status` command allows you to check if you have local changes in any of them.
```
php composer.phar status
```
With the `--verbose` option you get some more information about what was changed:
```
php composer.phar status -v
```
```
You have changes in the following dependencies:
vendor/seld/jsonlint:
M README.mdown
```
## self-update / selfupdate[\#](https://getcomposer.org/doc/03-cli.md#self-update-selfupdate)
To update Composer itself to the latest version, run the `self-update` command. It will replace your `composer.phar` with the latest version.
```
php composer.phar self-update
```
If you would like to instead update to a specific release specify it:
```
php composer.phar self-update 2.4.0-RC1
```
If you have installed Composer for your entire system (see [global installation](https://getcomposer.org/doc/00-intro.md#globally)), you may have to run the command with `root` privileges
```
sudo -H composer self-update
```
If Composer was not installed as a PHAR, this command is not available. (This is sometimes the case when Composer was installed by an operating system package manager.)
### Options
- **\--rollback (-r):** Rollback to the last version you had installed.
- **\--clean-backups:** Delete old backups during an update. This makes the current version of Composer the only backup available after the update.
- **\--no-progress:** Do not output download progress.
- **\--update-keys:** Prompt user for a key update.
- **\--stable:** Force an update to the stable channel.
- **\--preview:** Force an update to the preview channel.
- **\--snapshot:** Force an update to the snapshot channel.
- **\--1:** Force an update to the stable channel, but only use 1.x versions
- **\--2:** Force an update to the stable channel, but only use 2.x versions
- **\--set-channel-only:** Only store the channel as the default one and then exit
## config[\#](https://getcomposer.org/doc/03-cli.md#config)
The `config` command allows you to edit Composer config settings and repositories in either the local `composer.json` file or the global `config.json` file.
Additionally it lets you edit most properties in the local `composer.json`.
```
php composer.phar config --list
```
### Usage[\#](https://getcomposer.org/doc/03-cli.md#usage)
`config [options] [setting-key] [setting-value1] ... [setting-valueN]`
`setting-key` is a configuration option name and `setting-value1` is a configuration value. For settings that can take an array of values (like `github-protocols`), multiple setting-value arguments are allowed.
You can also edit the values of the following properties:
`description`, `homepage`, `keywords`, `license`, `minimum-stability`, `name`, `prefer-stable`, `type` and `version`.
See the [Config](https://getcomposer.org/doc/06-config.md) chapter for valid configuration options.
### Options
- **\--global (-g):** Operate on the global config file located at `$COMPOSER_HOME/config.json` by default. Without this option, this command affects the local composer.json file or a file specified by `--file`.
- **\--editor (-e):** Open the local composer.json file using in a text editor as defined by the `EDITOR` env variable. With the `--global` option, this opens the global config file.
- **\--auth (-a):** Affect auth config file (only used for --editor).
- **\--unset:** Remove the configuration element named by `setting-key`.
- **\--list (-l):** Show the list of current config variables. With the `--global` option this lists the global configuration only.
- **\--file="..." (-f):** Operate on a specific file instead of composer.json. Note that this cannot be used in conjunction with the `--global` option.
- **\--absolute:** Returns absolute paths when fetching `*-dir` config values instead of relative.
- **\--json:** JSON decode the setting value, to be used with `extra.*` keys.
- **\--merge:** Merge the setting value with the current value, to be used with `extra.*` keys in combination with `--json`.
- **\--append:** When adding a repository, append it (lowest priority) to the existing ones instead of prepending it (highest priority).
- **\--source:** Display where the config value is loaded from.
### Modifying Repositories[\#](https://getcomposer.org/doc/03-cli.md#modifying-repositories)
In addition to modifying the config section, the `config` command also supports making changes to the repositories section by using it the following way:
```
php composer.phar config repositories.foo vcs https://github.com/foo/bar
```
If your repository requires more configuration options, you can instead pass its JSON representation :
```
php composer.phar config repositories.foo '{"type": "vcs", "url": "http://svn.example.org/my-project/", "trunk-path": "master"}'
```
In addition to modifying the config section, the `config` command also supports making changes to the extra section by using it the following way:
```
php composer.phar config extra.foo.bar value
```
The dots indicate array nesting, a max depth of 3 levels is allowed though. The above would set `"extra": { "foo": { "bar": "value" } }`.
If you have a complex value to add/modify, you can use the `--json` and `--merge` flags to edit extra fields as json:
```
php composer.phar config --json extra.foo.bar '{"baz": true, "qux": []}'
```
## repository / repo[\#](https://getcomposer.org/doc/03-cli.md#repository-repo)
The `repo` command lets you manage repositories in your `composer.json`. It is more powerful and recommended over using `composer config repositories.*` to manipulate the repositories configuration. Refer to [Repositories](https://getcomposer.org/doc/05-repositories.md) documentation for details on the available types and configuration options.
### Usage[\#](https://getcomposer.org/doc/03-cli.md#usage-2)
```
repo [options] list
repo [options] add [repo-name] [repo-type] [url]
repo [options] add [repo-name] [json-repo-definition]
repo [options] remove [repo-name]
repo [options] set-url [repo-name] [url]
repo [options] get-url [repo-name]
repo [options] enable packagist.org
repo [options] disable packagist.org
```
### Options
- **\--global (-g):** to modify the global `$COMPOSER_HOME/config.json`.
- **\--file (-f):** to modify a specific file instead of composer.json.
- **\--append:** to add a repository with lower priority (by default repositories are prepended and have thus higher priority than existing ones).
- **\--before :** to insert the new repository before an existing repository named `<name>`.
- **\--after :** to insert the new repository after an existing repository named `<name>`. The `<name>` must match an existing repository name.
### Examples[\#](https://getcomposer.org/doc/03-cli.md#examples)
```
php composer.phar repo list
php composer.phar repo add foo vcs https://github.com/acme/foo
php composer.phar repo add bar composer https://repo.packagist.com/bar
php composer.phar repo add zips '{"type":"artifact","url":"/path/to/dir/with/zips"}'
php composer.phar repo add baz vcs https://example.org --before foo
php composer.phar repo add qux vcs https://example.org --after bar
php composer.phar repo remove foo
php composer.phar repo set-url foo https://git.example.org/acme/foo
php composer.phar repo get-url foo
php composer.phar repo disable packagist.org
php composer.phar repo enable packagist.org
```
## create-project[\#](https://getcomposer.org/doc/03-cli.md#create-project)
You can use Composer to create new projects from an existing package. This is the equivalent of doing a git clone/svn checkout followed by a `composer install` of the vendors.
There are several applications for this:
1. You can deploy application packages.
2. You can check out any package and start developing on patches for example.
3. Projects with multiple developers can use this feature to bootstrap the initial application for development.
To create a new project using Composer you can use the `create-project` command. Pass it a package name, and the directory to create the project in. You can also provide a version as a third argument, otherwise the latest version is used.
If the directory does not currently exist, it will be created during installation.
```
php composer.phar create-project composer/hello-world my-project
```
It is also possible to run the command without params in a directory with an existing `composer.json` file to bootstrap a project.
By default the command checks for the packages on packagist.org.
### Options
- **\--stability (-s):** Minimum stability of package. Defaults to `stable`.
- **\--prefer-install:** There are two ways of downloading a package: `source` and `dist`. Composer uses `dist` by default. If you pass `--prefer-install=source` (or `--prefer-source`) Composer will install from `source` if there is one. This is useful if you want to make a bugfix to a project and get a local git clone of the dependency directly. To get the legacy behavior where Composer use `source` automatically for dev versions of packages, use `--prefer-install=auto`. See also [config.preferred-install](https://getcomposer.org/doc/06-config.md#preferred-install). Passing this flag will override the config value.
- **\--source-fallback / --no-source-fallback:** Override the [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback) setting. When disabled, Composer will not fall back to an alternative download source (e.g., from dist to source or vice versa) if the preferred one fails. Also see [COMPOSER\_SOURCE\_FALLBACK](https://getcomposer.org/doc/03-cli.md#composer-source-fallback).
- **\--repository:** Provide a custom repository to search for the package, which will be used instead of packagist. Can be either an HTTP URL pointing to a `composer` repository, a path to a local `packages.json` file, or a JSON string which similar to what the [repositories](https://getcomposer.org/doc/04-schema.md#repositories) key accepts. You can use this multiple times to configure multiple repositories.
- **\--add-repository:** Add the custom repository in the composer.json. If a lock file is present, it will be deleted and an update will be run instead of an install.
- **\--dev:** Install packages listed in `require-dev`.
- **\--no-dev:** Disables installation of require-dev packages.
- **\--no-scripts:** Disables the execution of the scripts defined in the root package.
- **\--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
- **\--no-secure-http:** Disable the secure-http config option temporarily while installing the root package. Use at your own risk. Using this flag is a bad idea.
- **\--keep-vcs:** Skip the deletion of the VCS metadata for the created project. This is mostly useful if you run the command in non-interactive mode.
- **\--remove-vcs:** Force-remove the VCS metadata without prompting.
- **\--no-install:** Disables installation of the vendors.
- **\--no-audit:** Does not run the audit steps after installation is complete. Also see [COMPOSER\_NO\_AUDIT](https://getcomposer.org/doc/03-cli.md#composer-no-audit).
- **\--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default).
- **\--no-security-blocking:** Allows installing packages with security advisories or that are abandoned. Also see [COMPOSER\_NO\_SECURITY\_BLOCKING](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking).
- **\--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement(`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill it. Multiple requirements can be ignored via wildcard.
- **\--require:** Require additional package(s) to be added to composer.json after installing the project. If a lock file is present it will be deleted and an update will be run instead of install. Can be specified multiple times for multiple packages. Should be in format `foo/bar:1.0.0` format if you want to specify a constraint.
- **\--ask:** Ask the user to provide a target directory for the new project.
## dump-autoload / dumpautoload[\#](https://getcomposer.org/doc/03-cli.md#dump-autoload-dumpautoload)
If you need to update the autoloader because of new classes in a classmap package for example, you can use `dump-autoload` to do that without having to go through an install or update.
Additionally, it can dump an optimized autoloader that converts PSR-0/4 packages into classmap ones for performance reasons. In large applications with many classes, the autoloader can take up a substantial portion of every request's time. Using classmaps for everything is less convenient in development, but using this option you can still use PSR-0/4 for convenience and classmaps for performance.
### Options
- **\--optimize (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run, so it is currently not done by default.
- **\--classmap-authoritative (-a):** Autoload classes from the classmap only. Implicitly enables `--optimize`.
- **\--apcu:** Use APCu to cache found/not-found classes.
- **\--apcu-prefix:** Use a custom prefix for the APCu autoloader cache. Implicitly enables `--apcu`.
- **\--dry-run:** Outputs the operations but will not execute anything.
- **\--no-dev:** Disables autoload-dev rules. Composer will by default infer this automatically according to the last `install` or `update` `--no-dev` state.
- **\--dev:** Enables autoload-dev rules. Composer will by default infer this automatically according to the last `install` or `update` `--no-dev` state.
- **\--ignore-platform-reqs:** ignore all `php`, `hhvm`, `lib-*` and `ext-*` requirements and skip the [platform check](https://getcomposer.org/doc/07-runtime.md#platform-check) for these. See also the [`platform`](https://getcomposer.org/doc/06-config.md#platform) config option.
- **\--ignore-platform-req:** ignore a specific platform requirement (`php`, `hhvm`, `lib-*` and `ext-*`) and skip the [platform check](https://getcomposer.org/doc/07-runtime.md#platform-check) for it. Multiple requirements can be ignored via wildcard.
- **\--strict-psr:** Return a failed exit code (1) if PSR-4 or PSR-0 mapping errors are present in the current project (dependencies excluded). Requires `--optimize` to work.
- **\--strict-ambiguous:** Return a failed exit code (2) if the same class is found in multiple files. Requires `--optimize` to work.
## clear-cache / clearcache / cc[\#](https://getcomposer.org/doc/03-cli.md#clear-cache-clearcache-cc)
Deletes all content from Composer's cache directories.
### Options
- **\--gc:** Only run garbage collection, not a full cache clear
## licenses[\#](https://getcomposer.org/doc/03-cli.md#licenses)
Lists the name, version and license of every package installed. Use `--format=json` to get machine-readable output.
### Options
- **\--locked:** List licenses from the lock file, regardless of what is currently in vendor dir.
- **\--format:** Format of the output: text, json or summary (default: "text").
- **\--no-dev:** Remove dev dependencies from the output.
## run-script / run[\#](https://getcomposer.org/doc/03-cli.md#run-script-run)
To run [scripts](https://getcomposer.org/doc/articles/scripts.md) manually you can use this command, give it the script name and optionally any required arguments.
### Options
- **\--timeout:** Set the script timeout in seconds, or 0 for no timeout.
- **\--dev:** Sets the dev mode.
- **\--no-dev:** Disable dev mode.
- **\--list (-l):** List user defined scripts.
## exec[\#](https://getcomposer.org/doc/03-cli.md#exec)
Executes a vendored binary/script. You can execute any command and this will ensure that the Composer bin-dir is pushed on your PATH before the command runs.
### Options
- **\--list (-l):** List the available Composer binaries.
## diagnose[\#](https://getcomposer.org/doc/03-cli.md#diagnose)
If you think you found a bug, or something is behaving strangely, you might want to run the `diagnose` command to perform automated checks for many common problems.
```
php composer.phar diagnose
```
## archive[\#](https://getcomposer.org/doc/03-cli.md#archive)
This command is used to generate a zip/tar archive for a given package in a given version. It can also be used to archive your entire project without excluded/ignored files.
```
php composer.phar archive vendor/package 2.0.21 --format=zip
```
### Options
- **\--format (-f):** Format of the resulting archive: tar, tar.gz, tar.bz2 or zip (default: "tar").
- **\--dir:** Write the archive to this directory (default: ".")
- **\--file:** Write the archive with the given file name.
## audit[\#](https://getcomposer.org/doc/03-cli.md#audit)
This command is used to audit the packages you have installed for potential security issues. It checks for and lists security vulnerability advisories using the [Packagist.org api](https://packagist.org/apidoc#list-security-advisories) by default or other repositories if specified in the `repositories` section of `composer.json`. The command also detects abandoned packages.
The audit command determines if there are vulnerable, abandoned, or filtered packages and returns the following exit codes based on the findings:
- `0` No issues;
- `1` Vulnerable packages;
- `2` Abandoned packages;
- `3` Vulnerable and abandoned packages.
- `4` Filtered packages.
- `5` Vulnerable and filtered packages.
- `6` Abandoned and filtered packages.
- `7` Vulnerable, abandoned, and filtered packages.
```
php composer.phar audit
```
### Options
- **\--no-dev:** Disables auditing of require-dev packages.
- **\--format (-f):** Audit output format. Must be "table" (default), "plain", "json", or "summary".
- **\--locked:** Audit packages from the lock file, regardless of what is currently in vendor dir.
- **\--abandoned:** Behavior on abandoned packages. Must be "ignore", "report", or "fail". See also [config.audit.abandoned](https://getcomposer.org/doc/06-config.md#abandoned). Passing this flag will override the config value and the environment variable.
- **\--ignore-severity:** Ignore advisories of a certain severity level. Can be passed one or more time to ignore multiple severities.
- **\--filtered:** Behavior on filtered packages. Must be "ignore", "report", or "fail". See also [config.audit.filtered](https://getcomposer.org/doc/06-config.md#filtered). Passing this flag will override the config value.
## help[\#](https://getcomposer.org/doc/03-cli.md#help)
To get more information about a certain command, you can use `help`.
```
php composer.phar help install
```
## Command-line completion[\#](https://getcomposer.org/doc/03-cli.md#command-line-completion)
Command-line completion can be enabled by running the `composer completion --help` command and following the instructions.
## Environment variables[\#](https://getcomposer.org/doc/03-cli.md#environment-variables)
You can set a number of environment variables that override certain settings. Whenever possible it is recommended to specify these settings in the `config` section of `composer.json` instead. It is worth noting that the env vars will always take precedence over the values specified in `composer.json`.
### COMPOSER[\#](https://getcomposer.org/doc/03-cli.md#composer)
By setting the `COMPOSER` env variable it is possible to set the filename of `composer.json` to something else.
For example:
```
COMPOSER=composer-other.json php composer.phar install
```
The generated lock file will use the same name: `composer-other.lock` in this example.
### COMPOSER\_ALLOW\_SUPERUSER[\#](https://getcomposer.org/doc/03-cli.md#composer-allow-superuser)
If set to 1, this env disables the warning about running commands as root/super user. It also disables automatic clearing of sudo sessions, so you should really only set this if you use Composer as a super user at all times like in docker containers.
### COMPOSER\_ALLOW\_XDEBUG[\#](https://getcomposer.org/doc/03-cli.md#composer-allow-xdebug)
If set to 1, this env allows running Composer when the Xdebug extension is enabled, without restarting PHP without it.
### COMPOSER\_AUTH[\#](https://getcomposer.org/doc/03-cli.md#composer-auth)
The `COMPOSER_AUTH` var allows you to set up authentication as an environment variable. The contents of the variable should be a JSON formatted object containing [http-basic, github-oauth, bitbucket-oauth, ... objects as needed](https://getcomposer.org/doc/articles/authentication-for-private-packages.md), and following the [spec from the config](https://getcomposer.org/doc/06-config.md).
### COMPOSER\_BIN\_COMPAT[\#](https://getcomposer.org/doc/03-cli.md#composer-bin-compat)
Override the [`bin-compat`](https://getcomposer.org/doc/06-config.md#bin-compat) config setting.
### COMPOSER\_BIN\_DIR[\#](https://getcomposer.org/doc/03-cli.md#composer-bin-dir)
By setting this option you can change the `bin` ([Vendor Binaries](https://getcomposer.org/doc/articles/vendor-binaries.md)) directory to something other than `vendor/bin`.
### COMPOSER\_CACHE\_DIR[\#](https://getcomposer.org/doc/03-cli.md#composer-cache-dir)
The `COMPOSER_CACHE_DIR` var allows you to change the Composer cache directory, which is also configurable via the [`cache-dir`](https://getcomposer.org/doc/06-config.md#cache-dir) option.
By default, it points to `C:\Users\<user>\AppData\Local\Composer` (or `%LOCALAPPDATA%/Composer`) on Windows. On \*nix systems that follow the [XDG Base Directory Specifications](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html), it points to `$XDG_CACHE_HOME/composer`. On other \*nix systems and on macOS, it points to `$COMPOSER_HOME/cache`.
### COMPOSER\_CAFILE[\#](https://getcomposer.org/doc/03-cli.md#composer-cafile)
By setting this environmental value, you can set a path to a certificate bundle file to be used during SSL/TLS peer verification.
### COMPOSER\_DISABLE\_XDEBUG\_WARN[\#](https://getcomposer.org/doc/03-cli.md#composer-disable-xdebug-warn)
If set to 1, this env suppresses a warning when Composer is running with the Xdebug extension enabled.
### COMPOSER\_DISCARD\_CHANGES[\#](https://getcomposer.org/doc/03-cli.md#composer-discard-changes)
This env var controls the [`discard-changes`](https://getcomposer.org/doc/06-config.md#discard-changes) config option.
### COMPOSER\_FUND[\#](https://getcomposer.org/doc/03-cli.md#composer-fund)
If set to 0, this env suppresses funding notices when installing.
### COMPOSER\_HOME[\#](https://getcomposer.org/doc/03-cli.md#composer-home)
The `COMPOSER_HOME` var allows you to change the Composer home directory. This is a hidden, global (per-user on the machine) directory that is shared between all projects.
Use `composer config --global home` to see the location of the home directory.
By default, it points to `C:\Users\<user>\AppData\Roaming\Composer` on Windows and `/Users/<user>/.composer` on macOS. On \*nix systems that follow the [XDG Base Directory Specifications](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html), it points to `$XDG_CONFIG_HOME/composer`. On other \*nix systems, it points to `/home/<user>/.composer`.
#### COMPOSER\_HOME/config.json[\#](https://getcomposer.org/doc/03-cli.md#composer-home-config-json)
You may put a `config.json` file into the location which `COMPOSER_HOME` points to. Composer will partially (only `config` and `repositories` keys) merge this configuration with your project's `composer.json` when you run the `install` and `update` commands.
This file allows you to set [repositories](https://getcomposer.org/doc/05-repositories.md) and [configuration](https://getcomposer.org/doc/06-config.md) for the user's projects.
In case global configuration matches *local* configuration, the *local* configuration in the project's `composer.json` always wins.
### COMPOSER\_HTACCESS\_PROTECT[\#](https://getcomposer.org/doc/03-cli.md#composer-htaccess-protect)
Defaults to `1`. If set to `0`, Composer will not create `.htaccess` files in the Composer home, cache, and data directories.
### COMPOSER\_MEMORY\_LIMIT[\#](https://getcomposer.org/doc/03-cli.md#composer-memory-limit)
If set, the value is used as php's memory\_limit.
### COMPOSER\_MIRROR\_PATH\_REPOS[\#](https://getcomposer.org/doc/03-cli.md#composer-mirror-path-repos)
If set to 1, this env changes the default path repository strategy to `mirror` instead of `symlink`. As it is the default strategy being set it can still be overwritten by repository options.
### COMPOSER\_NO\_INTERACTION[\#](https://getcomposer.org/doc/03-cli.md#composer-no-interaction)
If set to 1, this env var will make Composer behave as if you passed the `--no-interaction` flag to every command. This can be set on build boxes/CI.
### COMPOSER\_PROCESS\_TIMEOUT[\#](https://getcomposer.org/doc/03-cli.md#composer-process-timeout)
This env var controls the time Composer waits for commands (such as git commands) to finish executing. The default value is 300 seconds (5 minutes).
### COMPOSER\_ROOT\_VERSION[\#](https://getcomposer.org/doc/03-cli.md#composer-root-version)
By setting this var you can specify the version of the root package, if it cannot be guessed from VCS info and is not present in `composer.json`.
### COMPOSER\_VENDOR\_DIR[\#](https://getcomposer.org/doc/03-cli.md#composer-vendor-dir)
By setting this var you can make Composer install the dependencies into a directory other than `vendor`.
### COMPOSER\_RUNTIME\_ENV[\#](https://getcomposer.org/doc/03-cli.md#composer-runtime-env)
This lets you hint under which environment Composer is running, which can help Composer work around some environment specific issues. The only value currently supported is `virtualbox`, which then enables some short `sleep()` calls to wait for the filesystem to have written files properly before we attempt reading them. You can set the environment variable if you use Vagrant or VirtualBox and experience issues with files not being found during installation even though they should be present.
### http\_proxy or HTTP\_PROXY[\#](https://getcomposer.org/doc/03-cli.md#http-proxy-or-http-proxy)
### HTTP\_PROXY\_REQUEST\_FULLURI[\#](https://getcomposer.org/doc/03-cli.md#http-proxy-request-fulluri)
### HTTPS\_PROXY\_REQUEST\_FULLURI[\#](https://getcomposer.org/doc/03-cli.md#https-proxy-request-fulluri)
### no\_proxy or NO\_PROXY[\#](https://getcomposer.org/doc/03-cli.md#no-proxy-or-no-proxy)
See the [proxy documentation](https://getcomposer.org/doc/faqs/how-to-use-composer-behind-a-proxy.md) for more details on how to use proxy env vars.
### COMPOSER\_MAX\_PARALLEL\_HTTP[\#](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-http)
Set to an integer to configure how many files can be downloaded in parallel. This defaults to 12 and must be between 1 and 50. If your proxy has issues with concurrency maybe you want to lower this. Increasing it should generally not result in performance gains.
### COMPOSER\_MAX\_PARALLEL\_PROCESSES[\#](https://getcomposer.org/doc/03-cli.md#composer-max-parallel-processes)
Set to an integer to configure how many processes can be executed in parallel. This defaults to 10 and must be between 1 and 50.
### COMPOSER\_IPRESOLVE[\#](https://getcomposer.org/doc/03-cli.md#composer-ipresolve)
Set to `4` or `6` to force IPv4 or IPv6 DNS resolution. This only works when the curl extension is used for downloads.
### COMPOSER\_SELF\_UPDATE\_TARGET[\#](https://getcomposer.org/doc/03-cli.md#composer-self-update-target)
If set, makes the self-update command write the new Composer phar file into that path instead of overwriting itself. Useful for updating Composer on a read-only filesystem.
### COMPOSER\_DISABLE\_NETWORK[\#](https://getcomposer.org/doc/03-cli.md#composer-disable-network)
If set to `1`, disables network access (best effort). This can be used for debugging or to run Composer on a plane or a starship with poor connectivity.
If set to `prime`, GitHub VCS repositories will prime the cache, so it can then be used fully offline with `1`.
### COMPOSER\_DEBUG\_EVENTS[\#](https://getcomposer.org/doc/03-cli.md#composer-debug-events)
If set to `1`, outputs information about events being dispatched, which can be useful for plugin authors to identify what is firing when exactly.
### COMPOSER\_SKIP\_SCRIPTS[\#](https://getcomposer.org/doc/03-cli.md#composer-skip-scripts)
Accepts a comma-seperated list of event names, e.g. `post-install-cmd` for which scripts execution should be skipped.
### COMPOSER\_NO\_AUDIT[\#](https://getcomposer.org/doc/03-cli.md#composer-no-audit)
If set to `1`, it is the equivalent of passing the `--no-audit` option to a `require`, `update`, `remove` or `create-project` command.
### COMPOSER\_AUDIT\_ABANDONED[\#](https://getcomposer.org/doc/03-cli.md#composer-audit-abandoned)
Set to `ignore`, `report` or `fail` to override the [audit.abandoned](https://getcomposer.org/doc/06-config.md#abandoned) config option.
### COMPOSER\_FILTER[\#](https://getcomposer.org/doc/03-cli.md#composer-filter)
Set to `0` to disable filters on updates and audit, or `1` to enable them. Setting this to `1` will use the filter configuration in the composer.json. If you want to override the config value, use `composer config filter 1` instead.
### COMPOSER\_NO\_SECURITY\_BLOCKING[\#](https://getcomposer.org/doc/03-cli.md#composer-no-security-blocking)
If set to `1`, it is the equivalent of passing the `--no-security-blocking` option to a `require`, `update`, `remove`, `install`, or `create-project` command. This allows installing packages with security advisories or that are abandoned. It overrides the config option [audit.block-insecure](https://getcomposer.org/doc/06-config.md#block-insecure).
### COMPOSER\_SECURITY\_BLOCKING\_ABANDONED[\#](https://getcomposer.org/doc/03-cli.md#composer-security-blocking-abandoned)
If set to `1`, enables blocking of abandoned packages during dependency resolution (equivalent to setting `audit.block-abandoned` config to `true`). If set to `0`, disables blocking of abandoned packages. Note that this setting does not have any effect if security blocking is generally disabled. It overrides the config option [audit.block-abandoned](https://getcomposer.org/doc/06-config.md#block-abandoned).
### COMPOSER\_NO\_DEV[\#](https://getcomposer.org/doc/03-cli.md#composer-no-dev)
If set to `1`, it is the equivalent of passing the `--update-no-dev` option to `require` or the `--no-dev` option to `install` or `update`. You can override this for a single command by setting `COMPOSER_NO_DEV=0`.
### COMPOSER\_PREFER\_STABLE[\#](https://getcomposer.org/doc/03-cli.md#composer-prefer-stable)
If set to `1`, it is the equivalent of passing the `--prefer-stable` option to `update` or `require`.
### COMPOSER\_PREFER\_LOWEST[\#](https://getcomposer.org/doc/03-cli.md#composer-prefer-lowest)
If set to `1`, it is the equivalent of passing the `--prefer-lowest` option to `update` or `require`.
### COMPOSER\_PREFER\_DEV\_OVER\_PRERELEASE[\#](https://getcomposer.org/doc/03-cli.md#composer-prefer-dev-over-prerelease)
If set to `1`, when resolving dependencies with both `--prefer-stable` and `--prefer-lowest` enabled, dev versions are treated as more stable than alpha/beta/RC versions in cases where no stable release exists. This is useful to test lowest versions while still preferring branches that may contain critical fixes over prerelease versions.
### COMPOSER\_SOURCE\_FALLBACK[\#](https://getcomposer.org/doc/03-cli.md#composer-source-fallback)
If set to `0`, Composer will not fall back to an alternative download source when the preferred one fails. Equivalent to passing `--no-source-fallback`. See also [config.source-fallback](https://getcomposer.org/doc/06-config.md#source-fallback).
### COMPOSER\_MINIMAL\_CHANGES[\#](https://getcomposer.org/doc/03-cli.md#composer-minimal-changes)
If set to `1`, it is the equivalent of passing the `--minimal-changes` option to `update`, `require` or `remove`.
### COMPOSER\_IGNORE\_PLATFORM\_REQ or COMPOSER\_IGNORE\_PLATFORM\_REQS[\#](https://getcomposer.org/doc/03-cli.md#composer-ignore-platform-req-or-composer-ignore-platform-reqs)
If `COMPOSER_IGNORE_PLATFORM_REQS` set to `1`, it is the equivalent of passing the `--ignore-platform-reqs` argument. Otherwise, specifying a comma separated list in `COMPOSER_IGNORE_PLATFORM_REQ` will ignore those specific requirements.
For example, if a development workstation will never run database queries, this can be used to ignore the requirement for the database extensions to be available. If you set `COMPOSER_IGNORE_PLATFORM_REQ=ext-oci8`, then composer will allow packages to be installed even if the `oci8` PHP extension is not enabled.
### COMPOSER\_WITH\_DEPENDENCIES[\#](https://getcomposer.org/doc/03-cli.md#composer-with-dependencies)
If set to `1`, it is the equivalent of passing the `--with-dependencies` option to `update`, `require` or `remove`.
### COMPOSER\_WITH\_ALL\_DEPENDENCIES[\#](https://getcomposer.org/doc/03-cli.md#composer-with-all-dependencies)
If set to `1`, it is the equivalent of passing the `--with-all-dependencies` option to `update`, `require` or `remove`.
### SHELL\_VERBOSITY[\#](https://getcomposer.org/doc/03-cli.md#shell-verbosity)
Since Composer uses [symfony/console](https://github.com/symfony/console), you can define the [verbosity level](https://symfony.com/doc/current/console/verbosity.html). `SHELL_VERBOSITY=-1` to hide the output of Composer (this is equivalent to using the CLI option `--quiet`). Please note that this will apply to every tool that rely on `symfony/console`, you can set `SHELL_VERBOSITY=0` after the calls to Composer in order to restore the default verbosity level.
← [Libraries](https://getcomposer.org/doc/02-libraries.md) \| [Schema](https://getcomposer.org/doc/04-schema.md) →
Found a typo? Something is wrong in this documentation? [Fork and edit](https://github.com/composer/composer/edit/main/doc/03-cli.md "Go to the docs to fork and propose updates (external link)") it\! |
| Shard | 167 (laksa) |
| Root Hash | 13364609971177452767 |
| Unparsed URL | org,getcomposer!/doc/03-cli.md s443 |