 |
VOOZH | about |
|
VOOZH | about |
This document describes the Composer-based dependency management system used by the Light framework, including core required packages, optional feature packages, and the auto-detection pattern for storage backends and authentication providers. For information about environment-specific configuration variables, see Environment Configuration. For cache configuration and performance optimization, see Performance and Caching.
The Light framework uses Composer for dependency management with a modular approach that separates core functionality from optional features. The system automatically detects the presence of optional packages (such as cloud storage adapters and OAuth providers) at runtime, enabling features only when their dependencies are installed. This allows for minimal installations in resource-constrained environments while supporting rich features when needed.
Sources: composer.json1-65
Sources: composer.json10-36 composer.lock1-7
The following table lists all required packages that must be installed for the Light framework to function:
| Package | Version | Purpose | Key Feature |
|---|---|---|---|
| PHP | >=8.1 | Runtime environment | Required for modern type system and attributes |
| mathsgod/light-server | ^1.1 | HTTP server foundation | PSR-7/15 request pipeline, routing |
| mathsgod/light-graphql | ^1.2 | GraphQL layer | Schema generation, query execution |
| mathsgod/light-db | ^1.5 | Database abstraction | Query builder, collections, ORM |
| mathsgod/light-db-graphqlite-mappers | ^1.0 | Type mapping | Automatic DB to GraphQL type conversion |
| mathsgod/light-rbac | ^1.0 | Authorization | Role hierarchy, permission checking |
| mathsgod/json-to-sql | ^1.0 | Schema conversion | JSON to SQL DDL translation |
| mathsgod/mysql-schema-migrate | ^1.0 | Schema management | Database migration tool |
| league/container | ^4.2 | Dependency injection | PSR-11 container, autowiring |
| league/flysystem | ^3.15 | File storage | Multi-backend storage abstraction |
| league/event | ^3.0 | Event system | PSR-14 event dispatcher |
| firebase/php-jwt | ^6.11 | JWT tokens | Access/refresh token generation |
| web-auth/webauthn-lib | ^4.9 | Biometric auth | FIDO2/WebAuthn passwordless login |
| endroid/qr-code | ^4.8 | 2FA codes | QR code generation for TOTP |
| laminas/laminas-code | ^4.7 | Code generation | Model/controller scaffolding |
| laminas/laminas-diactoros | ^3.5 | HTTP messages | PSR-7 request/response objects |
| symfony/yaml | ^6.4 | Configuration | Parse permissions.yml |
| symfony/cache | ^6.0 | Caching | PSR-6/16 cache implementation |
| symfony/console | ^7.4 | CLI commands | bin/light command framework |
| symfony/serializer | ^6.3 | Serialization | Object normalization |
| symfony/property-info | ^6.4 | Reflection | Property metadata extraction |
| symfony/property-access | ^6.4 | Property access | Dynamic property reading/writing |
| ramsey/uuid | ^4.7 | UUID generation | Filesystem drive identifiers |
| phpmailer/phpmailer | ^6.8 | SMTP mail sending | |
| sebastian/diff | ^4.0 | Diffing | Revision comparison |
| utopia-php/system | ^0.9.0 | System info | Server resource monitoring |
Sources: composer.json10-36
The core packages bring in additional dependencies automatically:
Sources: composer.lock8-2451
The following packages are listed in require-dev and are optional for runtime but enable additional features:
| Package | Version | Purpose | Feature Enabled |
|---|---|---|---|
| laminas/laminas-httphandlerrunner | * | HTTP runner | Production HTTP server integration |
| google/apiclient | ^2.15 | Google APIs | Google OAuth authentication |
| league/flysystem-aws-s3-v3 | ^3.24 | S3 adapter | Amazon S3 file storage |
| alphasnow/aliyun-oss-flysystem | ^3.4 | OSS adapter | Aliyun OSS file storage |
| hostlink/hostlink-storage-adapter | ^1.0 | Hostlink adapter | Hostlink cloud storage |
| phpstan/phpstan | ^2.0 | Static analysis | Development quality checks |
| phpunit/phpunit | ^9.6 | Testing | Unit and integration tests |
Sources: composer.json38-45
The system uses runtime package detection to enable features conditionally. The Light\App class performs class_exists() checks during initialization to detect installed optional packages and register them dynamically.
Runtime Feature Detection Flow
Implementation Pattern:
The detection follows this pattern in filesystem initialization:
Similarly, OAuth providers are conditionally enabled in AuthController methods based on package availability. If google/apiclient is not installed, the loginWithGoogle mutation is not exposed in the GraphQL schema.
This pattern allows developers to install only the storage adapters they need without requiring all backends in production. The LocalFilesystemAdapter is always available as it's included with the required league/flysystem package.
Sources: composer.json38-45 composer.json18 (league/flysystem required)
The Light framework uses version constraints that balance stability with security updates:
| Constraint Type | Example | Packages Using It | Rationale |
|---|---|---|---|
| Caret (^) | ^6.4 | Most Symfony packages, Laravel packages | Allow minor and patch updates within major version |
| Specific minimum | >=8.1 | PHP runtime | Require modern language features |
| Wildcard (*) | * | Development tools only | Always use latest for dev tools |
The composer.lock file pins exact versions of all packages (including transitive dependencies) to ensure reproducible builds:
Key version examples from lock file:
symfony/yaml: Constrained to ^6.4 in composer.json composer.json16firebase/php-jwt: 6.11.1 locked (from constraint ^6.11) composer.lock476-537league/flysystem: 3.30.2 locked (from constraint ^3.15) composer.lock1696-1777league/container: 4.2.5 locked (from constraint ^4.2) composer.lock1555-1635thecodingmachine/graphqlite: Transitive via mathsgod/light-graphql ^1.2Sources: composer.json10-36 composer.lock1-7 composer.lock476-537 composer.lock1696-1777 composer.lock1555-1635
To update dependencies within version constraints:
Sources: composer.json56-64
The framework is split into separate internal packages for modularity:
Package versions in composer.json:
mathsgod/light-server: ^1.1 composer.json26mathsgod/light-graphql: ^1.2 composer.json27mathsgod/light-db: ^1.5 composer.json32mathsgod/light-db-graphqlite-mappers: ^1.0 composer.json33mathsgod/light-rbac: ^1.0 composer.json23mathsgod/json-to-sql: ^1.0 composer.json34mathsgod/mysql-schema-migrate: ^1.0 composer.json35Each internal package is independently versioned and can be updated separately, though the main framework specifies compatible versions.
Sources: composer.json23-35
The framework uses PSR-4 autoloading with additional function files:
All classes under the Light\ namespace are mapped to the src/ directory. The function/base85.php file is loaded on every request to provide global utility functions.
Sources: composer.json47-54
Composer plugins are explicitly allowed for package discovery:
php-http/discovery: Enables automatic discovery of PSR-17/18 HTTP implementationstbachert/spi: Service Provider Interface for package integrationSources: composer.json56-61
The framework provides a CLI binary installed in vendor bins:
After installation, the bin/light command is available via vendor/bin/light for code generation, database management, and other CLI operations. The binary is implemented as a Symfony Console application that loads commands from the Light\Command namespace. See page 9.1 (CLI Overview) for available commands.
Installed Commands:
DbInstallCommand - Schema installation and table managementMakeModelCommand - Generate model classes from db.jsonMakeControllerCommand - Scaffold GraphQL controllersMakeInputCommand - Generate GraphQL input typesMakeTsCommand - Generate TypeScript interfacesSources: composer.json55
Custom Composer scripts for development:
Run tests with: composer test
Sources: composer.json62-64
For minimal resource usage (e.g., embedded systems or Docker containers with local storage only):
This installs only the 24 required packages from composer.json require section, excluding:
Features available with minimal installation:
League\Flysystem\Local\LocalFilesystemAdapterLight\Model\User::verifyPassword()Firebase\JWT\JWTLight\TwoFactorAuthenticationWebauthn\ServerTheCodingMachine\GraphQLite\SchemaFactoryLaminas\Db\Adapter\AdapterSources: composer.json10-36 (required packages), composer.json38-45 (optional dev packages)
For production with all storage backends and OAuth:
Additional features enabled:
Aws\S3\S3Client, detected by Light\App and registered in League\Flysystem\MountManagerOSS\OssClient, enables Alibaba Cloud storage backendHostlink\Storage\HostlinkAdapter, enables Hostlink cloud backendGoogle\Client, enables AuthController::loginWithGoogle() mutationLaminas\HttpHandlerRunner\Emitter\SapiEmitter for efficient response emissionGraphQL Schema Impact:
When google/apiclient is installed, the loginWithGoogle(code: String!): AuthPayload mutation becomes available in the schema. Without it, attempting to call this mutation results in a schema error.
Sources: composer.json38-45
For local development with testing and analysis tools:
This installs all packages including dev dependencies for running tests and static analysis.
Development tools included:
phpunit/phpunit ^9.6 - Run via composer test or vendor/bin/phpunit tests --verbosephpstan/phpstan ^2.0 - Static analysis to detect type errorslaminas/laminas-httphandlerrunner for integration testingRunning tests:
The test script is defined in composer.json:
Sources: composer.json38-45 (require-dev), composer.json62-64 (scripts)
The framework's dependencies are monitored for security vulnerabilities. Several packages include roave/security-advisories in their dev dependencies to prevent installation of known vulnerable versions:
league/container composer.lock1583league/route composer.lock1917kcs/class-finder composer.lock824Regular security updates should be applied:
Sources: composer.lock1-7
Refresh this wiki