Dev Notes

Software Development Resources by David Egan.

Using Composer to Manage Specific Version of a Package in a Private Repo

Composer, Git, PHP
David Egan

According to their website, Composer is a dependency manager for PHP. While true, I think this is a bit of an understatement. I’m fairly new to Composer, but it’s revolutionising my workflow.

Package in Private Repo

You may need to keep your work in a private VCS repo while it’s still in the early stages of development. It’s easy to set up git repos as public packages on Packagist, the PHP package repository - but if you need to keep work private you can set Composer up to use a private repo. Here’s a simple example composer.json for such a use case:

    {
        "name": "project-vendor-name/project-name",
        "description": "Your description",
        "type": "library",
        "license": "MIT",
        "authors": [
            {
                "name": "Joe Bloggs",
                "email": ""
            }
        ],
        "repositories": [
            {
                "type": "vcs",
                "url": ""
            }
        ],
        "require": {
            "vendor-name/private-project": "dev-master"
        }
    }

This assumes that you’re accessing your private repo by means of SSH keys.

Use a Specific Tag or Commit

To lock your project to a specific commit, append a hash character (#) to dev-master, followed by a git tag or commit reference:

    "vendor-name/private-project": "dev-master#1.0.5"

Now when you run composer update, your project remains locked to a specific version (in this case, tag 1.0.5) of the required package.
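An added example (not from the original post or from the Composer project): a small Python audit that classifies each dependency constraint in a composer.json by how firmly it is pinned. It assumes that a `#` reference which is not a full 40-character commit hash, such as the tag above, should be treated as mutable, because a git tag can be moved to another commit; the sample manifest, extra package names and verdict labels are constructed for illustration.

```python
import json
import re

# Constructed sample manifest, modelled on the composer.json shown above.
SAMPLE_COMPOSER_JSON = """
{
    "name": "project-vendor-name/project-name",
    "require": {
        "php": ">=7.4",
        "vendor-name/private-project": "dev-master#1.0.5",
        "vendor-name/floating": "dev-master",
        "vendor-name/pinned": "dev-master#0123456789abcdef0123456789abcdef01234567"
    },
    "require-dev": {
        "vendor-name/tooling": "^2.1"
    }
}
"""

# "dev-<branch>" optionally followed by "#<ref>" (tag or commit reference).
DEV_CONSTRAINT = re.compile(r"^dev-(?P<branch>[^#\s]+)(?:#(?P<ref>\S+))?")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def classify(constraint):
    """Return 'floating', 'mutable-ref', 'commit' or 'versioned'."""
    match = DEV_CONSTRAINT.match(constraint.strip())
    if not match:
        return "versioned"      # ordinary version constraint, e.g. ^2.1
    ref = match.group("ref")
    if ref is None:
        return "floating"       # follows the branch head on every update
    # Assumption: only a full commit hash counts as an immutable pin.
    return "commit" if FULL_SHA.match(ref) else "mutable-ref"


def audit(manifest_text):
    """Map each real package in require/require-dev to its verdict."""
    manifest = json.loads(manifest_text)
    findings = {}
    for section in ("require", "require-dev"):
        for package, constraint in manifest.get(section, {}).items():
            if "/" not in package:
                continue        # platform requirement such as php or ext-*
            findings[package] = classify(constraint)
    return findings


if __name__ == "__main__":
    for package, verdict in sorted(audit(SAMPLE_COMPOSER_JSON).items()):
        print(f"{verdict:12} {package}")
```

Run against a real project, `floating` and `mutable-ref` entries are the ones worth reviewing before a `composer update` pulls code from a private repo into a build.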


In the long run, you’re better off creating public Composer packages from your work:

Note: This feature has severe technical limitations, as the composer.json metadata will still be read from the branch name you specify before the hash. You should therefore only use this as a temporary solution during development to remediate transient issues, until you can switch to tagged releases. The Composer team does not actively support this feature and will not accept bug reports related to it.

