How Composer Changed PHP Forever: Origin Story & What's Next

Laravel News | 00:06:07 | Mar 24, 2026

Nils explains that he created Composer and works on Packagist, including the paid Private Packagist offering that funds the infrastructure behind the public packages PHP and Laravel depend on, and shares his excitement about ecosystem conferences in Europe and at Laracon. He sets the stage for discussing Composer's impact across the PHP ecosystem.

Composer reshaped PHP by turning package management into a core, community-driven tool, with Private Packagist and Conductor as the next frontier.

Summary

Laravel News sits down with Nils to recount the origin of Composer and its rapid evolution in the PHP ecosystem. He explains how Composer started as a collaboration between the Symfony community and his own phpBB project, born from the need to install and manage packages more reliably than the old copy-paste approach, with Zend Framework among the first to officially recommend it. The interview highlights the moment when Composer stopped being a personal project and became a universal PHP tool used by Laravel and beyond. Nils also covers the commercial side, describing Packagist.org as the public hub and Packagist.com (Private Packagist) for private deployments, including security monitoring and deployment safeguards. He outlines practical features for teams, like composer audit, vulnerability scanning, and update review, which surfaces composer.lock changes directly in pull requests. The conversation then turns to Conductor, a private-beta project positioned as a stronger alternative to Dependabot and Renovate specifically for PHP projects. Throughout, Nils shares behind-the-scenes anecdotes, from the gold floppy disc to the evolution of versioning, that illustrate Composer's lasting impact on PHP development. The video closes with a plug for Private Packagist and an invitation to explore how these tools can improve uptime, security, and collaboration in PHP teams.

Key Takeaways

  • Composer began as a practical solution for installing Symfony components and grew into the de facto PHP package manager used by Laravel and the broader PHP community.
  • Packagist.org is the public hub for PHP packages, while Packagist.com (Private Packagist) extends the model with private repositories, mirrored dependencies, security monitoring, and deployment tooling.
  • composer audit and Private Packagist's security monitoring check dependencies against vulnerability databases and push alerts into teams' existing workflows (e.g., Slack, Microsoft Teams).
  • Update review posts nicely formatted markdown diffs on pull requests to show exactly what changes in composer.lock, including moved download URLs and other metadata changes.
  • Conductor is the upcoming PHP-focused alternative to Dependabot and Renovate, currently in private beta, aimed at delivering better dependency updates for PHP projects.
  • Private Packagist mirrors every open source dependency into the organization's own repository, keeping a complete, auditable supply chain even if a public package maintainer changes or withdraws a dependency.
  • Versioning decisions (like the shift from long-running pre-releases to a formal 1.0) helped stabilize adoption and project longevity, with tangible artifacts like the gold-sprayed floppy disc produced for 1.0.
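The composer.lock review the takeaways describe, as an added example that is not Private Packagist's or Composer's own code: a Python script that diffs two lock documents and reports version bumps, added or removed packages, and the metadata changes a human reviewer usually skips, namely a dist or source URL that moved to another host and a dist reference that changed without a version change. The trusted-host list and the sample lock entries are constructed for this example.

```python
from urllib.parse import urlparse

# Download hosts this (hypothetical) team has approved; any other host is flagged.
TRUSTED_HOSTS = {"api.github.com", "github.com", "gitlab.com"}

def _index(lock: dict) -> dict:
    """Map package name -> lock entry, covering both packages and packages-dev."""
    return {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}

def _host(entry: dict, section: str) -> str:
    return urlparse(entry.get(section, {}).get("url", "")).hostname or ""

def review_lock_diff(old_lock: dict, new_lock: dict) -> list:
    """Return (severity, message) findings describing the change old -> new."""
    old, new = _index(old_lock), _index(new_lock)
    findings = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is None or n is None:
            findings.append(("info", f"{name}: {'added' if o is None else 'removed'}"))
            continue
        if o["version"] != n["version"]:
            findings.append(("info", f"{name}: {o['version']} -> {n['version']}"))
        elif o.get("dist", {}).get("reference") != n.get("dist", {}).get("reference"):
            # Same version string but a different artifact: worth a human look.
            findings.append(("critical", f"{name}: same version, dist reference changed"))
        for section in ("dist", "source"):
            oh, nh = _host(o, section), _host(n, section)
            if oh != nh:
                sev = "warn" if nh in TRUSTED_HOSTS else "critical"
                findings.append((sev, f"{name}: {section} host {oh} -> {nh}"))
    return findings

def _pkg(name: str, version: str, ref: str, dist_host: str = "api.github.com") -> dict:
    """Constructed lock entry shaped like Composer's output (sample data, not real)."""
    return {"name": name, "version": version,
            "source": {"url": f"https://github.com/{name}.git", "reference": ref},
            "dist": {"url": f"https://{dist_host}/repos/{name}/zipball/{ref}", "reference": ref}}

# Constructed before/after lock documents: a normal bump, a silent dist swap, a removal.
OLD_LOCK = {"packages": [_pkg("vendor/http", "1.2.0", "a1"), _pkg("vendor/log", "2.0.0", "b1")],
            "packages-dev": [_pkg("vendor/test", "9.0.0", "c1")]}
NEW_LOCK = {"packages": [_pkg("vendor/http", "1.3.0", "a2"),
                         _pkg("vendor/log", "2.0.0", "b2", dist_host="mirror.invalid")],
            "packages-dev": []}

if __name__ == "__main__":
    for severity, message in review_lock_diff(OLD_LOCK, NEW_LOCK):
        print(f"[{severity}] {message}")
```

For real use, load the base and head composer.lock with json.load and pass the two dicts to review_lock_diff; the critical lines are the ones to surface as pull request comments.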

Who Is This For?

Essential viewing for PHP developers and DevOps engineers who rely on Composer for dependency management, especially teams using Laravel or Symfony who are considering private repos, security monitoring, and automated updates.

Notable Quotes

“I think actually the framework that first started officially recommending use of Composer was Zend Framework.”
Highlighting early adoption by Zend Framework as a tipping point for Composer’s legitimacy.
“Conductor, which is basically a replacement for Dependabot or Renovate that just works a lot better for PHP projects.”
Showcases the newest focus area and why it matters for PHP ecosystems.
“So that was really just to help ourselves in our two projects and then very quickly it actually turned into more of a… generic PHP tool.”
Describes the pivot from a niche tool to a universal PHP asset.
“If some open source maintainer deletes their package that you depend on someday, you still have a copy you can deploy with.”
Explains the value proposition of Private Packagist for availability and compliance.
“Update review that will send you comments on your pull request that modify composer.lock with like nicely formatted markdown files.”
Illustrates how the tooling integrates into code review workflows.

Questions This Video Answers

  • How did Composer start in PHP and who created it?
  • What is Conductor and how does it compare to Dependabot for PHP projects?
  • What is Private Packagist and why use Packagist.com?
  • How does composer audit work and what vulnerabilities does it cover?
  • What is the difference between packagist.org and packagist.com for PHP developers?
Full Transcript
All right. So, with me now, um, Nils, did I say it right? Yeah. Nils. Uh, I'm the one who created Composer. I work on Packagist. Uh, we have Private Packagist. There's our paid offering that pays for, uh, all the infrastructure that we run for the free public packages that everybody in PHP uses, that everybody in Laravel uses. Um, and yeah, it's exciting to come to like these different ecosystem conferences like Europe, like Laracon, uh, and kind of see a bit like what's up in that particular ecosystem, what they're all interested in right now, but also to kind of talk to everybody about their experiences with Composer, like their struggles with packages and like where that's going. Um, yeah, also it was great to have a talk to actually share a bit about like what we're working on right now. Sweet. Yeah. So, um, uh, I probably age myself with this one, but if you're sort of new to PHP and Laravel, um, back in the old days, there was no Composer. Um, and it was just this weird mismatch of like you would find some PHP code on the internet and you would just copy and paste it into your project and, um, and then there was this thing called PHP Classes and you would go find stuff there and import it in. So what you created was actually really revolutionary in the grand scheme of PHP itself. Um, so my question is like how did you come up with the idea for Composer in the beginning?
Yeah, I think it's funny, especially from a birthday perspective, but you can't even imagine like how would I build a project without a package manager like this, and it's like funny to look back. But no, actually back then I used to work on phpBB, this forum software, like in the 2000s, um, and we were trying to switch over to use some of the Symfony components, much like what Laravel eventually was built on. Um, and the Symfony community similarly had this problem that they came up with a concept for these bundles they can install in their framework, but they also had no mechanism of installing them. Actually the first version of Symfony 2 shipped like a shell script that would run a bunch of git clone commands to get them installed. Um, and so around that time we were also looking at like how to install plugins and so we started building something together with them, like Jordi Boggiano was the guy who started Composer, whereas he was more from the Symfony side, I came from this side, and then yeah it was really just to help ourselves in our two projects and then very quickly it actually turned into more of a, oh, this is a generic PHP tool, has nothing to do with our specific project. I think actually the framework that first started officially recommending use of Composer was Zend Framework. Um, which yeah, again, yeah, we had not seen coming. Um, and it also happened I think a few months before we would have considered this a stable thing to use. So that was funny, but then things picked up really quickly and like that's how eventually we got to this point where today, like, you work with PHP, it's just, yes, you use Composer to install dependencies, like it's just obvious, right? Yeah. Yeah. Exactly. Um, and actually, uh, I have a shirt, uh, with the Composer gold floppy disc on it from your version one, which was like, I feel like it was like a year after it already became adopted. It was like, oh, now we're actually official version one. Yeah, it's actually way later.
Like the 1.0, we actually only declared it for five years of Composer. So like people have been using like pre-release versions for a long time, and it worked well around the time because people were just always staying on the latest release automatically. And, uh, but at some point it was a bit like, okay, maybe we do need to actually figure out some versioning thing here, and people like, I think it's like, basically I think we started wanting to make some more breaking changes again, it's like, okay, we can't do that unless we kind of declare a particular version number. But the floppy disc was a fun thing, like Jordi actually produced like an actual, like he got like an actual floppy disc, Composer the phar file actually fit in there. He did have to remove all the TLS, uh, certificate bundles that we ship with the phar file usually. Uh, but then he could fit it onto an actual floppy disc and then yeah, it's like gold sprayed and it got like the Composer logo and everything on it. I still have one of those framed hanging in my apartment. That's awesome. That's awesome. Um, so speaking about the commercial side of Composer, you have Private Packagist. Um, for those that have never ventured into that, what is like, why does somebody need that and what should they check out about it? Yes, I mean it's easy to find. It's packagist.org is the public one that everybody knows and then packagist.com is our commercial offering. Um, and so that's basically targeting anybody who cares either a bit about their availability, um, their deployment security, uh, for compliance reasons, because it copies all of your open source dependencies into your own package repository so that you have a copy of everything. So like even if some open source maintainer deletes their package that you depend on someday, you still have a copy you can deploy with and figure out what's going on.
And it integrates with additional tools like, uh, we do security monitoring, checking against vulnerability databases the same way that packagist.org kind of has that info, and you can, you know, you just basically composer audit already gives you that info. Um, but we kind of proactively monitor your packages for you, send you notifications on something like Microsoft Teams or Slack and like wherever you happen to work. Um, and we integrate also with your code hosting platform, so, um, there's a thing called update review that will send you, uh, comments on your pull requests that modify the composer.lock file with like nicely formatted markdown files. You can actually review what's changing, like which versions, and also point out like, oh damn, like there's a, the download URL changed from github.com to like evil website whatever. Um, and like point out this kind of metadata changes that you would see when reviewing a composer.lock file, which basically nobody does. Um, so I think there's like that kind of tooling just makes it possible because suddenly you can easily scan this and see like, oh, something stands out. Um, and then yeah, the newest thing that we're working on right now that is still like in private beta is a thing called Conductor, which is basically a replacement for Dependabot or Renovate that just works a lot better for PHP projects. Um, so that's kind of what I'm excited about this year, the final public launch of that. Awesome. Awesome. Um, well, we are running out of time. I hear the music dropping in there and they're like, we're going to go back to there. So, uh, we'll just close this out. I want to thank Nils for coming in here. Um, go check it out. You're already using Composer, so go check out, um, Private Packagist. Um, yeah, there you go. Get it out there. Um, but so now we'll head back to the, uh, live talks and we appreciate everybody for tuning in here. Nils, appreciate you, buddy.
Thank y'all.
