How to Manage Composer Dependencies in Magento 2

Composer is the package manager for Magento 2. All Magento core modules, third-party extensions, and PHP libraries are managed through Composer. Understanding how to work with Composer effectively prevents installation failures, dependency conflicts, and deployment issues.

Setting Up Authentication

Magento Marketplace (repo.magento.com)

Magento modules and metapackages are hosted on repo.magento.com, which requires authentication. Store the keys in an auth.json file in the Magento root or the global Composer directory. The composer config commands below write that file:

# Per-project authentication
composer config http-basic.repo.magento.com <public-key> <private-key>

# Global authentication (applies to all projects)
composer config --global http-basic.repo.magento.com <public-key> <private-key>

Keys are generated at Magento Marketplace under My Profile → Access Keys.

The auth.json file stores credentials and should not be committed to version control. Add it to .gitignore.

Third-Party Repositories

Third-party extensions distributed via private Composer repositories require their own authentication. Add each repository to composer.json:

{
    "repositories": [
        {
            "type": "composer",
            "url": "https://composer.vendor-name.com/"
        }
    ]
}

Then configure authentication for the repository:

composer config http-basic.composer.vendor-name.com <username> <password>

Common Errors and Solutions

Curl Error 28: Operation Timed Out

[Composer\Downloader\TransportException]
curl error 28 while downloading https://repo.magento.com/...

This error is almost always caused by hosting infrastructure, not by the Composer repository being down. Common causes:

  • Firewall rules blocking outbound HTTPS connections to repo.magento.com
  • NAT gateway limitations on cloud hosting (OCI, some AWS configurations) that throttle or block sustained HTTPS connections
  • Deep packet inspection by enterprise firewalls interfering with HTTPS traffic

Solutions:

  1. Contact your hosting provider to verify outbound HTTPS access to repo.magento.com and packagist.org
  2. Increase Composer's process timeout: composer config --global process-timeout 600
  3. Clear Composer cache: composer clearcache
  4. Try running Composer from a different network to confirm it is a hosting issue
  5. For OCI/cloud hosting, check NAT gateway egress rules

Version Conflict Errors

Your requirements could not be resolved to an installable set of packages.

This means two or more packages require incompatible versions of a shared dependency.

Diagnosis:

# See why a package is installed and what depends on it
composer why vendor/package-name

# See what versions are available
composer show vendor/package-name --available

Solutions:

  • Update the conflicting extension to a version compatible with your Magento version
  • Use the --with-all-dependencies flag to allow Composer to resolve transitive dependencies
  • As a last resort, temporarily remove the conflicting extension until a compatible version is available

See also: Composer Requirements Could Not Be Resolved

Memory Exhaustion

PHP Fatal error: Allowed memory size of ... bytes exhausted

Composer dependency resolution is memory-intensive, especially for Magento projects with many extensions.

Solutions:

# Increase memory limit for the Composer command
COMPOSER_MEMORY_LIMIT=-1 composer update

# Or set PHP memory limit directly
php -d memory_limit=4G $(which composer) update

Composer Operations

composer update vs composer require

  • composer require vendor/package: Adds a new package and updates the lock file. Use this to install new extensions.
  • composer update: Updates all packages (or specified packages) to their latest allowed versions and regenerates the lock file. Use this during planned upgrades.
  • composer install: Installs exact versions from the lock file. Use this for deployments and CI/CD pipelines.

Rule: Production deployments should always use composer install (from the lock file), never composer update (which resolves versions fresh).

Lock File Management

The composer.lock file records the exact versions installed. This file must be committed to version control. It ensures every deployment and every developer gets identical package versions.

If composer.lock is missing or corrupted:

# Regenerate lock file from composer.json
composer update --lock
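
The two version-control rules above (auth.json stays out of the repository, composer.lock stays in it) can be checked before each deployment. The script below is an added example, not part of the original article; the function name check_composer_hygiene and its messages are assumptions.

```shell
# Added example: pre-deploy hygiene check for a Magento 2 project root.
# check_composer_hygiene and its messages are hypothetical names.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Usage in CI: check_composer_hygiene /path/to/magento || exit 1
check_composer_hygiene() {
    dir=${1:-.}
    ignore="$dir/.gitignore"
    findings=0
    note() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Deployments run `composer install`, which needs a committed lock file.
    [ -s "$dir/composer.lock" ] || note "composer.lock is missing or empty"
    if [ -f "$ignore" ] && grep -Eq '^/?composer\.lock[[:space:]]*$' "$ignore"; then
        note "composer.lock is listed in .gitignore"
    fi

    # auth.json holds the repository keys and must be ignored.
    if ! { [ -f "$ignore" ] && grep -Eq '^/?auth\.json[[:space:]]*$' "$ignore"; }; then
        note "auth.json is not listed in .gitignore"
    fi

    # An ignore rule does not untrack a file that was already committed,
    # so ask git directly when the directory is a work tree.
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch auth.json >/dev/null 2>&1; then
            note "auth.json is tracked by git: untrack it and rotate the keys"
        fi
        if [ -s "$dir/composer.lock" ] &&
           ! git -C "$dir" ls-files --error-unmatch composer.lock >/dev/null 2>&1; then
            note "composer.lock exists but is not tracked by git"
        fi
    fi

    [ "$findings" -eq 0 ]
}
```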

Removing Extensions

# Remove via Composer (preferred method)
composer remove vendor/extension-name

# Then run the deployment sequence
php bin/magento setup:upgrade
php bin/magento cache:flush
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy
php bin/magento cache:clean

Do not remove extensions by deleting files manually. This leaves orphaned database entries and DI configuration that cause errors.

See also: How to Remove Magento 2 Extension
