Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

bertmi01's avatar

Guidelines for Composer and deployment

So I'm a self-taught dev who has been learning through Laracasts and Udemy mostly. I likely have a lot of gaps in what best practices are, and may not know what to search for with regard to this, so apologies in advance.

I think I need some help with guidelines on using Composer across different environments.

What brought me to post this is that I've been having trouble setting up mpdf/mpdf for a particular app I'm working on for generating PDFs. The problem was that the package was so large that it would take too long and not download and install on my local machine unless I updated Composer to the latest version. Even then it was slow and it seemed like it only installed out of luck.

My test and production sites are on the same Forge server, which is probably stupid. I would like confirmation of this.

The problem is that I pulled updates to the dev site, but I didn't have the latest version of Composer. This lead to it timing out on composer-update, which I could stop. However, I left the problem unfixed and now the server is likely running composer-update as part of its restart process and I can't ssh into it as it times out... So I'm hoping support at Forge can help me out somehow.

So the things I would like some advise on:

  1. Having both test and production on the same server is probably a terrible idea. I should probably spin up another server and split them apart.

  2. Once I have everything working on a test server and update the master branch, how should I bring those changes to the production environment? In the case of getting mpdf/mpdf, via composer update, should I have just been more careful in following the exact steps to get it to work on test (remembering to update Composer itself)? Or should I transfer files in the vendor folder over? Or does Composer compile them in a special way?

Thanks for your time!

0 likes
2 replies
jlrdw's avatar

I'd say watch the series that Jeffrey has on git and GitHub. And it makes a big difference to where you deploy to. An example digitalocean has some great guides to follow.

Of course you can use Forge.

I would limit testing to development.

Snapey's avatar
Snapey
5 years ago
Best Answer
Level 122

You use composer to assemble your dependencies. This creates a composer.json file and a composer.lock file.

These should both be committed to your source code.

Your Vendor folder should NOT be part of your repository

Then, when deploying to another server, download the repository and run composer install. This will only look at the composer.lock file and download exactly same versions of the packages as you used in development. Never run composer update on your test or production environments as then you will have newer packages than you developed on.

Speaking of composer update, be careful of running this with no parameters as then every package will be updated. You may suddenly have a number of issues to deal with. Better to be a bit more controlled about which packages are being updated.

Hope this helps

Please or to participate in this conversation.