Composer won't load private repository within private repository?

Question

So I am trying to leverage the power of composer packages to make my application more modular. So my main application is now depending on a private repository which I am pulling

Answer 1

Composer has to know about all possible repositories before deciding which packages are available. By default, only packagist.org is on the list and knows about all publicly published packages.

If you want to add individual repositories, you have to add them all into the root package. You cannot use repositories that are mentioned in packages you require in the root package indirectly.

Composer will scan the all repositories for information about any included packages, but if it would allow indirect package links, this search might never end if a package either points to a long list of other packages (a very evil denial of service if included in a public package you use), or it will recursively continue to find new repositories with new links to other repositories and so on.

The design decision was being made to only use the repository knowledge of the root package composer.json, so that is where all your Git repos would have to be mentioned.

As you can imagine, this is tedious, so there is some help: Satis. You'd configure it to know about all your repositories, and it will collect all meta data it finds in one place. Running it creates some static files that you'd have to serve via HTTP or HTTPS, and you point to this location in all your composer.json files with "type":"composer", "url": "http://example.com/your/satis/path".

Whenever you add a new package or new version of a new package, after Satis updated the meta data files, Composer will know about them and allow adding any package from anywhere in the most recent (non-conflicting) version.