We use Composer to include certain 3rd party libraries with DokuWiki. However we're using it a bit different from what you may know from other projects:
All composer installed library files as well as the autogenerated autoload configuration is checked into git.1) This ensures that a git checkout (or TGZ download from github) is immediately usable without the need to run composer.
We only check in what we need. Everything we don't need is added to our
.gitignore to avoid accidental checkins. This way we avoid shipping potential harmful example code and unnecessary tests and documentation.
We try to avoid large dependencies. We don't want to ship a huge tree of potential buggy/security relevant of dependencies with DokuWiki. So each library should be evaluated carefully before adding it.
Useful code developed for DokuWiki should be moved to external composer packages where sensible. This is still in progress.
Dependencies and tools needed for development are installed via composer in the
_test directory. We no longer check in those - instead developers need to install the dependencies themselves:
cd _test composer install
We provide three shortcut scripts: