Update Repositories for PHP Composer v2 in JFrog Artifactory

If you’re among the nearly one in four professional developers using PHP (according to StackOverflow’s 2021 survey), then the maintainers of Composer would really like you to migrate from v1 of the PHP package manager to v2. 

On October 24 2020, Composer 2.0.0 was released with some major improvements.Since almost eight out of every ten websites on the internet use PHP in some way, that’s a change with big impact. 

Updates to Artifactory 7.24 help you manage this migration, with support for both v1 and v2 standards in all PHP repositories.

PHP Composer V2

The new version of Composer is a major overhaul that reportedly brings up to 50% performance improvement in both speed and memory usage to resolve PHP dependencies. Among these are a new v2 repository metadata format and the ability to list packages by vendor or type through the API. 

To encourage migration to v2, on May 2021, packagist, the primary PHP Composer registry and maintainer began deprecating Composer 1.x with the following sanctions :

  • Reduced v1 metadata API update rate

The update rate for new versions has been reduced from every-minute to once every 15 minutes. This means new releases will take a few minutes longer to be available for installation with Composer 1.x.

  • Restricted access to unused packages via the v1 metadata API 

The v1 format uses very long file lists and maintaining millions of packages has an impact on the process’s performance. To resolve this, packagist will hide (on a rolling basis) all packages that have had no downloads in the last 4 months from the v1 index. 

PHP Composer V2 and V1 in Artifactory

Like most PHP developers, your team has almost certainly built up a substantial library of proprietary Composer packages, alongside your usage of open source dependencies in public repositories like packagist.

That’s why Artifactory enables you to support both v1 and v2 standards in your local and remote repositories, to help you manage your Composer v2 migration at your own pace.

To start, all PHP Composer repositories in Artifactory 7.24 and newer support these v2 features:

  1. Composer v2 metadata API (local & remote repos)
  2. Composer List API (local & remote repos)
  3. Drupal 7 and Drupal 8 registries support for remote repositories

This helps ensure that your remote repository in Artifactory will continue to function with packagist, as they continue to encourage phase-out of v1.

Configuring an Artifactory Composer Repo

If you need them to, any of your local Artifactory repos can also support Composer v1 operation, maintaining an index for both v1 and v2.

Once you have updated your Artifactory instance to 7.24 or newer, all of your existing local Composer repositories will support both v1 and v2 by default. This helps assure that your teams can continue to work with Composer v1 as you roll out your migration to v2.

Any new local Composer repositories you create, however, will support only v2 by default.

Enabling/Disabling Composer v1

We have added an option in your PHP repo configuration to enable/disable Composer v1 indexing.

PHP Composer repository setup in Artifactory

So if the default configurations are not your preference, you can change them. You can also retire support for v1 in your repositories as your team fully migrates to v2.

The v1 indexing can be enabled/disbaled in the repo configuration at any time. However, you must also perform a reindex of the repository for this change to take effect. This can be invoked by right-clicking the repository in the Artifacts tree and selecting Recalculate Index.

Re-index a PHP Composer repository

Composer Repository Structure

When your repo has Composer v1 indexing enabled (and its index has been calculated), Artifactory will maintain two index sets, for v1 (p) and v2 (p2). In this way, both Composer v1 and v2 operations are supported.

PHP Composer v1 and v2

You can set your local repository as the default repository for the Composer command line in the `config.json` file, using the URL shown in Set Me Up:

{
   “repositories”: [
        {
            "type": "composer",
             "url": "https://localhost:8081/artifactory/api/composer/php-local"
        }
        { “packagist”: false }
   ]
}

 

You can use Artifactory APIs to fetch the URLs you’ll need to retrieve your metadata and list package names.

GET artifactory/api/composer/php-local/packages.json

 

For example, the above command might product the following response:

{
   “search”: "https://localhost:8081/artifactory/api/composer/php-local/search.json?q=%query%&type=%type%",
   “providers-lazy-url”: "https://localhost:8081/artifactory/api/composer/php-local/p/%package%.json",
   “metadata-url: "https://localhost:8081/artifactory/api/composer/php-local/p2/%package.json”,
   “list”: "https://localhost:8081/artifactory/api/composer/php-local/packages/list.json"
}

 

Using `metadata-url`, you can retrieve the v2 metadata for a package:

GET artifactory/api/composer/php-local/p2/monolog/monolog.json

Keeping PHP Composer Current

These vital updates for PHP Composer are only the latest in our ongoing efforts to help keep your package management services in Artifactory current. With these improvements, you can bring your PHP Composer packages into compliance with v2 at your own pace, while immediately keeping your remote repositories for dependencies packagist operational and performant.

An upcoming release will also empower you to create PHP Composer virtual repositories, to combine your local, remote, and other virtual Composer v2 repositories into a collection accessed by a single logical URL.

Those are strong reasons to update your installation of Artifactory to the latest version. If you haven’t given the JFrog DevOps Platform a try yet, start for free!