Need help with other JFrog products?
Deploying Composer Packages
The Composer client does not provide a way to deploy packages and relies on a source control repository to host the Composer package code. To deploy a Composer package into Artifactory, you need to use Artifactory's REST API or the Web UI.
A Composer package is a simple archive, usually zip or a tar.gz file, which contains your project code as well as a
composer.json file describing the package.
For Artifactory to index packages you upload, each package must have its version specified. There are three ways to specify the package version:
- Include the
versionattribute in the package
- Set a
composer.versionproperty when deploying a package via REST (or on an existing package)
- Use the version field when deploying via the UI
The public Composer repository does not contain any actual binary packages; it contains the package indexes that point to the corresponding source control repository where the package code is hosted.
Since the majority of public Composer packages are hosted on GitHub, we recommend creating a Composer remote repository to serve as a caching proxy for github.com, specifying packagist.org as the location of the public package index files. A Composer remote repository in Artifactory can proxy packagist.org and other Artifactory Composer repositories for index files, and version control systems such as GitHub or BitBucket, or local Composer repositories in other Artifactory instances for binaries.
Composer artifacts (such as zip, tar.gz files) requested from a remote repository are cached on demand. You can remove the downloaded artifacts from the remote repository cache, however you can not manually deploy artifacts to a remote repository.
To define a remote repository to proxy github.com as well as the public Composer Packagist repository follow the steps below:
- Create a new remote repository and set PHP Composer to be its Package Type
- Set the Repository Key, and enter the repository URL (e.g.
in the URL field as displayed below )
- In the Composer Settings section, select GitHub as the Git Provider, and leave the leave the default Registry URL (e.g. ).
- Finally, click "Save & Finish"
URL vs. Registry URL
To avoid confusion, note that:
URL is the URL of your Git provider where the actual package binaries are hosted.
Registry URL is the URL where the package index files holding the metadata are hosted.
To proxy a public Composer registry, set the Registry URL field to the location of the index files as displayed above. To proxy a Composer repository in another Artifactory instance, set both the URL field and the Registry URL field to the remote Artifactory repository's API URL. For example:
Using the Composer command line
Once the Composer client is installed, you can access Composer repositories in Artifactory through its command line interface.
Composer repositories must be prefixed with api/composer in the path
When accessing a Composer repository through Artifactory, the repository URL must be prefixed with api/composer in the path. This applies to all Composer commands including
For example, if you are using Artifactory standalone or as a local service, you would access your Composer repositories using the following URL:
Or, if you are using Artifactory SaaS, the URL would be:
https://<server name>.jfrog.io/<server name>/api/composer/<repository key>
Once you have created a Composer repository, you can select it in the Tree Browser and click Set Me Up to get code snippets you can use to set your Composer repository URL in your
Composer config.json file
Replacing the Default Repository
You can change the default repository specified for the Composer command line in the
config.json file as follows:
Working with a secure URL (HTTPS) is considered a best practice, but you may also work with an insecure URL (HTTP) by setting the secure-http configuration to false:
In order to authenticate the Composer client against your Artifactory server, you can configure Composer to use basic authentication in your auth.json file as follows:
Composer auth.json file
Once the Composer command line tool is configured, every
composer install command will fetch packages from the Composer repository specified above.
Cleaning Up the Local Composer Cache
The Composer client saves caches of packages that were downloaded, as well as metadata responses.
We recommend removing the Composer caches (both packages and metadata responses) before using Artifactory for the first time, this is to ensure that your caches only contain elements that are due to requests from Artifactory and not directly from Packagist. To clear your Composer cache, run the following command:
In your project directory already has a composer.lock file that contains different 'dist' URLs (download URLs) than Artifactory, you need to remove it, otherwise, when running the composer install command, the composer client will resolve the dependencies using the composer.lock file URLs
Viewing Individual Composer Package Information
Artifactory lets you view selected metadata of a Composer package directly from the UI.
In the Artifacts tab, select Tree Browser and drill down to select the package archive file you want to inspect. The metadata is displayed in the Composer Info tab.