What is the difference between require and require-dev sections in composer.json?
Solution 1:
Different Environments
Typically, software will run in different environments:
development
testing
staging
production
Different Dependencies in Different Environments
The dependencies which are declared in the require
section of composer.json
are typically dependencies which are required for running an application or a package in
staging
production
environments, whereas the dependencies declared in the require-dev
section are typically dependencies which are required in
developing
testing
environments.
For example, in addition to the packages used for actually running an application, packages might be needed for developing the software, such as:
-
friendsofphp/php-cs-fixer
(to detect and fix coding style issues) -
squizlabs/php_codesniffer
(to detect and fix coding style issues) -
phpunit/phpunit
(to drive the development using tests) - etc.
Deployment
Now, in development
and testing
environments, you would typically run
$ composer install
to install both production
and development
dependencies.
However, in staging
and production
environments, you only want to install dependencies which are required for running the application, and as part of the deployment process, you would typically run
$ composer install --no-dev
to install only production
dependencies.
Semantics
In other words, the sections
require
require-dev
indicate to composer
which packages should be installed when you run
$ composer install
or
$ composer install --no-dev
That is all.
Note Development dependencies of packages your application or package depend on will never be installed
For reference, see:
- https://getcomposer.org/doc/04-schema.md#require
- https://getcomposer.org/doc/04-schema.md#require-dev
Solution 2:
-
According to composer's manual:
require-dev (root-only)
Lists packages required for developing this package, or running tests, etc. The dev requirements of the root package are installed by default. Both
install
orupdate
support the--no-dev
option that prevents dev dependencies from being installed.So running
composer install
will also download the development dependencies. The reason is actually quite simple. When contributing to a specific library you may want to run test suites or other develop tools (e.g. symfony). But if you install this library to a project, those development dependencies may not be required: not every project requires a test runner.
Solution 3:
From the composer site (it's clear enough)
require#
Lists packages required by this package. The package will not be installed unless those requirements can be met.
require-dev (root-only)#
Lists packages required for developing this package, or running tests, etc. The dev requirements of the root package are installed by default. Both install or update support the --no-dev option that prevents dev dependencies from being installed.
Using require-dev in Composer you can declare the dependencies you need for development/testing the project but don't need in production. When you upload the project to your production server (using git) require-dev
part would be ignored.
Also check this answer posted by the author and this post as well.
Solution 4:
require section This section contains the packages/dependencies which are better candidates to be installed/required in the production environment.
require-dev section: This section contains the packages/dependencies which can be used by the developer to test her code (or to experiment on her local machine and she doesn't want these packages to be installed on the production environment).
Solution 5:
General rule is that you want packages from require-dev section only in development (dev) environments, for example local environment.
Packages in require-dev section are packages which help you debug app, run tests etc.
At staging and production environment you probably want only packages from require section.
But anyway you can run composer install --no-dev and composer update --no-dev on any environment, command will install only packages from required section not from require-dev, but probably you want to run this only at staging and production environments not on local.
Theoretically you can put all packages in require section and nothing will happened, but you don't want developing packages at production environment because of the following reasons :
- speed
- potential of expose some debuging info
- etc
Some good candidates for require-dev are :
"filp/whoops": "^2.0",
"fzaninotto/faker": "^1.4",
"mockery/mockery": "^1.0",
"nunomaduro/collision": "^2.0",
"phpunit/phpunit": "^7.0"
you can see what above packages are doing and you will see why you don't need them on production.
See more here : https://getcomposer.org/doc/04-schema.md