在 Windows 中，你需要下载并运行 Composer-Setup.exe。

地址：https://getcomposer.org/Composer-Setup.exe

...

下载后运行安装

安装时指定使用的php目录。

安装完成后，找到composer.bat所有路径，将路径添加到系统环境变量path中

...

打开命令行窗口（windows用户）或控制台（Linux、Mac 用户）并执行如下命令：

阿里云：

composer config -g repo.packagist composer https://mirrors.aliyun.com/composer/

华为云：

composer config -g repo.packagist composer https://repo.huaweicloud.com/repository/php/

...

安装稳定版

如果你是第一次安装的话，在命令行下面，切换到你的WEB根目录下面并执行下面的命令：

composer create-project topthink/think tp

这里的tp目录名你可以任意更改，这个目录就是我们后面会经常提到的应用根目录。

如果你之前已经安装过，那么切换到你的应用根目录下面，然后执行下面的命令进行更新：

composer update topthink/framework

...

D:phpstudy_proWWW>composer create-project topthink/think tp
Creating a "topthink/think" project at "./tp"
Installing topthink/think (v6.0.13)
  - Downloading topthink/think (v6.0.13)
  - Installing topthink/think (v6.0.13): Extracting archive
Created project in D:phpstudy_proWWW	p
Loading composer repositories with package information
Updating dependencies
Lock file operations: 16 installs, 0 updates, 0 removals
  - Locking league/flysystem (1.1.9)
  - Locking league/flysystem-cached-adapter (1.1.0)
  - Locking league/mime-type-detection (1.11.0)
  - Locking psr/cache (1.0.1)
  - Locking psr/container (1.1.1)
  - Locking psr/http-message (1.0.1)
  - Locking psr/log (1.1.4)
  - Locking psr/simple-cache (1.0.1)
  - Locking symfony/polyfill-mbstring (v1.26.0)
  - Locking symfony/polyfill-php72 (v1.26.0)
  - Locking symfony/polyfill-php80 (v1.26.0)
  - Locking symfony/var-dumper (v4.4.46)
  - Locking topthink/framework (v6.0.13)
  - Locking topthink/think-helper (v3.1.6)
  - Locking topthink/think-orm (v2.0.54)
  - Locking topthink/think-trace (v1.4)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 16 installs, 0 updates, 0 removals
  - Downloading psr/cache (1.0.1)
  - Downloading league/mime-type-detection (1.11.0)
  - Downloading league/flysystem (1.1.9)
  - Downloading league/flysystem-cached-adapter (1.1.0)
  - Downloading psr/container (1.1.1)
  - Downloading psr/http-message (1.0.1)
  - Downloading symfony/polyfill-php80 (v1.26.0)
  - Downloading symfony/polyfill-php72 (v1.26.0)
  - Downloading symfony/polyfill-mbstring (v1.26.0)
  - Downloading symfony/var-dumper (v4.4.46)
  - Downloading topthink/think-helper (v3.1.6)
  - Downloading psr/simple-cache (1.0.1)
  - Downloading psr/log (1.1.4)
  - Downloading topthink/think-orm (v2.0.54)
  - Downloading topthink/framework (v6.0.13)
  - Downloading topthink/think-trace (v1.4)
  - Installing psr/cache (1.0.1): Extracting archive
  - Installing league/mime-type-detection (1.11.0): Extracting archive
  - Installing league/flysystem (1.1.9): Extracting archive
  - Installing league/flysystem-cached-adapter (1.1.0): Extracting archive
  - Installing psr/container (1.1.1): Extracting archive
  - Installing psr/http-message (1.0.1): Extracting archive
  - Installing symfony/polyfill-php80 (v1.26.0): Extracting archive
  - Installing symfony/polyfill-php72 (v1.26.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.26.0): Extracting archive
  - Installing symfony/var-dumper (v4.4.46): Extracting archive
  - Installing topthink/think-helper (v3.1.6): Extracting archive
  - Installing psr/simple-cache (1.0.1): Extracting archive
  - Installing psr/log (1.1.4): Extracting archive
  - Installing topthink/think-orm (v2.0.54): Extracting archive
  - Installing topthink/framework (v6.0.13): Extracting archive
  - Installing topthink/think-trace (v1.4): Extracting archive
14 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
> @php think service:discover
Succeed!
> @php think vendor:publish
Succeed!
6 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Found 1 security vulnerability advisory affecting 1 package.
Run composer audit for a full list of advisories.

...

--发现有个问题，找不到composer.json

D:phpstudy_proWWW>composer audit
Composer could not find a composer.json file in D:phpstudy_proWWW
To initialize a project, please create a composer.json file. See https://getcomposer.org/basic-usage

...>>>打开上面地址：https://getcomposer.org/basic-usage

Basic usage#
Introduction#
For our basic usage introduction, we will be installing monolog/monolog, a logging library. If you have not yet installed Composer, refer to the Intro chapter.

Note: for the sake of simplicity, this introduction will assume you have performed a local install of Composer.

composer.json: Project setup#
To start using Composer in your project, all you need is a composer.json file. This file describes the dependencies of your project and may contain other metadata as well. It typically should go in the top-most directory of your project/VCS repository. You can technically run Composer anywhere but if you want to publish a package to Packagist.org, it will have to be able to find the file at the top of your VCS repository.

The require key#
The first thing you specify in composer.json is the require key. You are telling Composer which packages your project depends on.

{
    "require": {
        "monolog/monolog": "2.0.*"
    }
}
As you can see, require takes an object that maps package names (e.g. monolog/monolog) to version constraints (e.g. 1.0.*).

Composer uses this information to search for the right set of files in package "repositories" that you register using the repositories key, or in Packagist.org, the default package repository. In the above example, since no other repository has been registered in the composer.json file, it is assumed that the monolog/monolog package is registered on Packagist.org. (Read more about Packagist, and about repositories).

Package names#
The package name consists of a vendor name and the project's name. Often these will be identical - the vendor name only exists to prevent naming clashes. For example, it would allow two different people to create a library named json. One might be named igorw/json while the other might be seldaek/json.

Read more about publishing packages and package naming. (Note that you can also specify "platform packages" as dependencies, allowing you to require certain versions of server software. See platform packages below.)

Package version constraints#
In our example, we are requesting the Monolog package with the version constraint 2.0.*. This means any version in the 2.0 development branch, or any version that is greater than or equal to 2.0 and less than 2.1 (>=2.0 <2.1).

Please read versions for more in-depth information on versions, how versions relate to each other, and on version constraints.

How does Composer download the right files? When you specify a dependency in composer.json, Composer first takes the name of the package that you have requested and searches for it in any repositories that you have registered using the repositories key. If you have not registered any extra repositories, or it does not find a package with that name in the repositories you have specified, it falls back to Packagist.org (more below).

When Composer finds the right package, either in Packagist.org or in a repo you have specified, it then uses the versioning features of the package's VCS (i.e., branches and tags) to attempt to find the best match for the version constraint you have specified. Be sure to read about versions and package resolution in the versions article.

Note: If you are trying to require a package but Composer throws an error regarding package stability, the version you have specified may not meet your default minimum stability requirements. By default, only stable releases are taken into consideration when searching for valid package versions in your VCS.

You might run into this if you are trying to require dev, alpha, beta, or RC versions of a package. Read more about stability flags and the minimum-stability key on the schema page.

再运行 compose update,

D:phpstudy_proWWW	p>composer update
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Generating autoload files
> @php think service:discover
Succeed!
> @php think vendor:publish
File D:phpstudy_proWWW	pconfig	race.php exist!
Succeed!
6 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Found 1 security vulnerability advisory affecting 1 package.
Run composer audit for a full list of advisories.

D:phpstudy_proWWW	p>composer audit
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | topthink/framework                                                               |
| CVE               | CVE-2022-38352                                                                   |
| Title             | ThinkPHP deserialization vulnerability                                           |
| URL               | https://github.com/advisories/GHSA-qjjj-7g7h-54v3                                |
| Affected versions | <=6.0.13                                                                         |
| Reported at       | 2022-09-16T00:00:39+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

D:phpstudy_proWWW	p>

未完