Symfony Flex & Aliases

It's time to demystify something incredible: tractor beams. Well actually, we haven't figured those out yet... so let's demystify something else, something that's already been happening behind the scenes. First commit everything, with a nice message:

git add .
git commit -m "making so much good progress"

Installing the Security Checker

Let's install a new feature called the Symfony Security Checker. This is a great tool.... but... full disclosure: we're mostly installing it to show of the recipe system. Ooooo. Run:

git status

Ok, there are no changes. Now run:

composer require sec-checker


This package will only be used while developing. So, it would be even better to run composer require sec-checker --dev.

Hello Symfony Flex

Once again, sec-checker should not be a valid package name! So what's going on? Move over and open composer.json:

64 lines composer.json
... lines 2 - 3
"require": {
... lines 5 - 8
"symfony/flex": "^1.0",
... lines 10 - 13
... lines 15 - 62

Our project began with just a few dependencies. One of them was symfony/flex: this is super important. Flex is a Composer plugin with two superpowers.

Flex Aliases

The first superpower is the alias system. Find your browser and go to

This is the Symfony "recipe" server: we'll talk about what that means next. Search for "security". Ah, here's a package called sensiolabs/security-checker. And below, it has aliases: sec-check, sec-checker, security-check and more.

Thanks to Flex, we can say composer require sec-checker, or any of these aliases, and it will translate that into the real package name. Yep, it's just a shortcut system. But the result is really cool. Need a logger? composer require logger. Need to send emails? composer require mailer. Need a tractor beam? composer require, wait, no, we can't help with that one.

Back in composer.json, yep! Composer actually added sensiolabs/security-checker:

64 lines composer.json
... lines 2 - 14
"require-dev": {
"sensiolabs/security-checker": "^4.1",
... line 17
... lines 19 - 62

That's the first superpower of Flex.

Flex Recipes

The second superpower is even better: recipes. Mmmm. Go back to your terminal and... yes! It did install and, check this out: "Symfony operations: 1 recipe". Then, "Configuring sensiolabs/security-checker".

What does that mean? Run:

git status

Woh! We expected composer.json and composer.lock to be updated. But there are also changes to a symfony.lock file and we suddenly have a brand new config file!

First, symfony.lock: this file is managed by Flex. It keeps track of which recipes have been installed. Basically... commit it to git, but don't worry about it.

The second file is config/packages/dev/security_checker.yaml:

9 lines config/packages/dev/security_checker.yaml
public: false
arguments: ['@SensioLabs\Security\SecurityChecker']
- { name: console.command }

This was added by the recipe and, cool! It adds a new bin/console command to our app! Don't worry about the code itself: you'll understand and be writing code like this soon enough!

The point is this: thanks to this file, we can now run:

php bin/console security:check

Cool! This is the recipe system in action! Whenever you install a package, Flex will execute the recipe for that package, if there is one. Recipes can add configuration files, create directories, or even modify files like .gitignore so that the library instantly works without any extra setup. I love Flex.

By the way, the purpose of the security checker is that it checks to see if there are any known vulnerabilities for packages used in our project. Right now, we're good!

But the recipe made one other change. Run:

git diff composer.json

Of course, composer require added the package. But the recipe added a new script!

64 lines composer.json
... lines 2 - 40
"scripts": {
"auto-scripts": {
... lines 43 - 44
"security-checker security:check": "script"
... lines 47 - 52
... lines 54 - 62

Thanks to that, whenever we run:

composer install

when it finishes, it runs the security checker automatically. So cool!

Oh, and I won't show it right now, but Flex is even smart enough to uninstall the recipes when you remove a package. That makes testing out new packages fast and easy.

The Recipes Repository

So you might be wondering... where do these recipes live? Great question! They live... in the cloud. I mean, they live on GitHub. On, click "Recipe" next to the Security checker. Ah, it takes us to the symfony/recipes repository. Here, you can see what files will be added and a few other changes described in manifest.json.

All recipes either live in this repository, or another one called symfony/recipes-contrib. There's no important difference between the two repositories: but the official recipes are watched more closely for quality.

Next! Let's put the recipe system to work by installing Twig so we can create proper templates.

Leave a comment!

  • 2018-06-21 Victor Bocharsky

    Hey Daniel,

    Haha, where did you find that "run" command in our screencasts? The command should be "git diff composer.json", the "run" was just a word, a simple verb ;)


  • 2018-06-09 Tasatko

    for now passed without any errors. ty!

  • 2018-06-08 Victor Bocharsky

    Hey Tasatko,

    Could you show the entire command you're trying to execute? Looks like your have a misprint in it. Please, double check the command is:
    composer require sec-checker --dev

    Because --dev does not mean the version of "sensiolabs/security-checker" but that this package should be installed in dev section, i.e. "require-dev".

    Btw, what version of Composer do you use? Could you try to upgrade to the latest available version?


  • 2018-06-07 Tasatko

    about --dev version: Could not find package sensiolabs/security-checker in a version matching dev

  • 2018-02-22 Victor Bocharsky

    Hey Dmitriy,

    Uh oh, looks like this bundle does not have a release which supports Symfony 4 yet so... you have a few options:
    1. Look at composer.json in master branch, probably this bundle already supports Symfony 4 but does not have a stable release yet. Well, I see master branch does not support Symfony 4 yet :)
    2. Help author to add Symfony 4 support by submitting a PR if nobody haven't done it yet - probably there's already one which exists but haven't merged yet. Well, see the related issue:
    3. Make a fork of this bundle, add support of Symfony 4 and use your fork in composer.json file - but this way you won't have new updates from the bundle, well, you need to merge it manually into your fork in the future


  • 2018-02-22 Дмитрий Ченгаев

    I would like to install the egeloen/ckeditor-bundle package on my Symfony 4, but I get an error "requires symfony/form ^2.7|^3.0". How can I use this package on Symfony 4?