It looks super cool, but I am wondering if the 11M vendor folder is worth the extra tool? My head says yes, but I want to make sure it is. Is one of the upside with composer is that it's all together.

I am wondering if the 11M vendor folder is worth the extra tool?

The reduced size is more a side effect, to be honest. It's about clear separation between production and development dependencies of the software being developed and the software you need as a developer.

For example, coding standards would live in composer.json as they are project-specific. You define what makes the coding standards and rules to use for a given project. But the tool to perform these checks doesn't have to live with the project. All you need is a manifest that dictates what version to use.

This separation prevents running into issues that are no real issues, such as dependency conflicts.

It's about clear separation between production and development dependencies of the software being developed and the software you need as a developer.

My bad, i totally missed that point in your post

Adding another tool to install tools doesn't excite me to be honest, we have 2 right now:

1. npm install
2. composer install

Having to manage another would add:

3. phive install

I also like that dependabot can automate these dependency updates e.g here, it appears Phive is not supported by dependapot.

I guess my question is, is reducing the /vendor folder size by ~11M instead of automated dependency updates worth it?

Adding another tool to install tools doesn't excite me to be honest, we have 2 right now:

1. `npm install`

2. `composer install`


Having to manage another would add:

1. `phive install`


Well yes. That's because they are all for different things.

And to be fair, you could easily use a build or install script such bin/install.sh or whatever you fancy, so it's just a single command to get it all set up. I'm fine with the separation, and actually welcome it. Managing your software dependencies and managing your tools are two different things after all.

I also like that dependabot can automate these dependency updates e.g here, it appears Phive is not supported by dependapot.

Yeah, automatically checking dependencies for updates or issues would be nice.

is reducing the /vendor folder size by ~11M instead of automated dependency updates worth it?

It's not primarily about the reduced size, as I mentioned in my last comment. Quoting from the post I wrote:

...all Composer dependencies affect each other, and the platform. There are several downsides of that. Let's assume that your project code should be built for PHP 7.4. And let's assume you want (or maybe need) to run your tools in the most recent version, which maybe only supports PHP 8. There is a Composer issue for that, which was closed a long time ago, but still people come back to it, because it is frustrating.

Or let's assume your production code has a dependency on, say, Symfony Command. Just like PHPUnit, or other developer tooling. Now, let's assume the two version constraints are incompatible with one another. This should not prevent you from using the tools in whatever your desired or required version is. The dependencies needed to build your software should not affect, or be affected, by the dependencies of your developer tooling.

Also, if you already have the tools installed on your machine, and if they are no longer part of your Composer dependency tree, living in the vendor folder, everything will be (at least a bit) quicker, and smaller.