A few years ago a small company with libraries on GIT / GITHUB was threatened with a lawsuit by another company, so what it did was remove all of its repositories, which caused problems in many places, I think even in the Linux kernel, because this person was, without knowing it, the source of the left and right routines.

Composer updates third-party libraries. I don't like using it, for several reasons. Right now I'm on a server with SSH problems.

https://web.archive.org/web/20170710204208/https://www.codeenigma.com/build/blog/do-you-really-need-composer-production

  • large VCS repository size and diffs when you update code;
  • duplication of the history of all your dependencies in your own VCS; and
  • adding dependencies installed via git to a git repo will show them as submodules.

That's right. People generally don't realize that changing PHP versions or servers can cause problems, but turning Composer on wholesale is not a good idea even if it is fashionable.
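One check worth running before a blind `composer install` is to audit the lock file for the cases the quoted article and comments complain about: packages that have no dist archive and would therefore be cloned from Git, dist archives hosted somewhere other than the hosts you expect, and `dev-*` versions that track a branch. The script below is an added example written for this page, not Composer's own tooling; the allow-listed hosts and the embedded composer.lock are constructed for illustration.

```python
"""Audit a composer.lock for packages that would pull from a VCS checkout,
from an unexpected host, or from a moving branch. Added example; the lock
file and allow-list below are constructed, not taken from a real project."""
import json
import re
import sys
from urllib.parse import urlparse

# Assumption: dist archives are accepted only from the GitHub API (where
# Packagist points most dists) and from an internal mirror.
ALLOWED_DIST_HOSTS = {"api.github.com", "mirror.example.internal"}

COMMIT_REF = re.compile(r"[0-9a-f]{40}")


def audit_lock(lock_text, allowed_hosts=ALLOWED_DIST_HOSTS):
    """Return {package name: [reason, ...]} for every package with a finding.

    An empty dict means every package is pinned to a 40-hex commit and has a
    dist archive on an allowed host, so `composer install` needs no git clone
    and no host outside the allow-list.
    """
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            reasons = []
            dist = pkg.get("dist") or {}
            source = pkg.get("source") or {}
            version = pkg.get("version", "")

            if not dist.get("url"):
                # Without a dist, Composer falls back to cloning the source
                # repository: slow, bandwidth-hungry and blocked by firewalls
                # that only pass HTTPS to known hosts.
                reasons.append("no dist archive; would be cloned from %s"
                               % source.get("url", "?"))
            else:
                host = urlparse(dist["url"]).hostname or ""
                if host not in allowed_hosts:
                    reasons.append("dist host %s not in allow-list" % host)

            ref = dist.get("reference") or source.get("reference") or ""
            if not COMMIT_REF.fullmatch(ref):
                reasons.append("reference %r is not a full commit hash" % ref)

            if version.startswith("dev-"):
                # The lock pins a commit today, but the next `composer update`
                # silently moves to whatever the branch head is then.
                reasons.append("version %s tracks a branch; composer update "
                               "will move it" % version)

            if reasons:
                findings[pkg["name"]] = reasons
    return findings


# Constructed sample lock: one well-pinned package, one git-only package on
# a branch, and one whose dist lives on a host outside the allow-list.
SAMPLE_LOCK = json.dumps({
    "content-hash": "0123456789abcdef0123456789abcdef",
    "packages": [
        {"name": "vendor/pinned", "version": "v1.2.3",
         "source": {"type": "git", "url": "https://github.com/vendor/pinned.git",
                    "reference": "a" * 40},
         "dist": {"type": "zip",
                  "url": "https://api.github.com/repos/vendor/pinned/zipball/" + "a" * 40,
                  "reference": "a" * 40}},
        {"name": "vendor/git-only", "version": "dev-master",
         "source": {"type": "git", "url": "https://github.com/vendor/git-only.git",
                    "reference": "b" * 40}},
        {"name": "vendor/offsite", "version": "2.0.0",
         "source": {"type": "git", "url": "https://example.org/offsite.git",
                    "reference": "c" * 40},
         "dist": {"type": "zip",
                  "url": "https://downloads.example.org/offsite-2.0.0.zip",
                  "reference": "c" * 40}},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/composer.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    report = audit_lock(text)
    for name, reasons in sorted(report.items()):
        for reason in reasons:
            print("%s: %s" % (name, reason))
    sys.exit(1 if report else 0)
```

Run it against the real composer.lock in CI before the install step; a non-zero exit blocks builds that would reach out to Git or to an unexpected host, which is the practical form of the "no external resources in builds" rule discussed below.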

Another comment on another page mentions the problem of Git being blocked by firewall interfaces, or the bandwidth consumption on poor connections. After that they comment:

https://www.ostraining.com/blog/coding/composer-cms/

“Composer has a myriad awful problems aside from attitudes, it has technical problems. I basically feel the same overall. I’ll point out the great firewall of China problem has quite a large scope and isn’t entirely on composer though when it pulls stuff from git that is a questionable model as opposed to its own repository system.”


I don’t like the term but it generally is a best practice to not have builds depend on external resources.

When updating (resolving dependencies), it uses gigabytes of memory and that really makes no sense. It’s gotten slightly better in new versions but it’s still dog slow and really quite amazing just how much resources it needs. Out of a dozen package managers for different languages and operating systems there’s nothing at all approaching composer in terms of resource consumption. When it takes a couple minutes and over 4GB of RAM to upgrade a single package that’s just not acceptable.

Whoever thinks a system that takes several minutes and huge amounts of RAM to resolve dependencies in cases that should not be difficult needs their brain examined.