This guide will illustrate a few nice things to have when running composer install in your deploy script.

1. Add --no-dev to your composer install line

This will improve security massively and save resources on your server. Besides that, the installation will take less time as it does not have to install any development packages (that are probably being used for local development anyway).

composer install --no-dev

2. Add --optimize-autoloader to your composer install line

Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production but can take a bit of time to run so it is currently not done by default.

composer install --optimize-autoloader

3. Always commit your composer.lock file

The composer.lock file is used for your server to know which package versions it should install. This generally means your tests have run locally before you run composer install on your server to make sure all new packages are compatible with your application.

4. Regularly check outdated packages

Composer is able to tell you whether there's patch, minor or major updates available. This can assist you in securing your application even further.

Run this command to check for outdated packages:

composer outdated --direct

5. Add --no-interaction if your using a deployment tool

If you're using a deployment tool like Ploi, chances are interactive questions will not get read by the platform. To avoid getting asked questions you can add the following line to your composer install command:

composer install --no-interaction