composer.lock: how does it work?
Solution 1:
composer.lock
records the exact versions that are installed. So that you are in the same versions with your co-workers.
composer install
- Check for
composer.lock
file - If not, auto generate
composer.lock
file (Usingcomposer update
) - Install the specified versions recorded in the
composer.lock
file
composer update
- Go through the
composer.json
file - Check availability of newer (latest) versions, based on the version criteria mentioned (e.g. 1.12.*)
- Install the latest possible (according to above) versions
- Update
composer.lock
file with installed versions
So in a simple check list.
If you want to keep all co-workers in the same versions as you...
- Commit your
composer.lock
to GIT (or vcs you have) - Ask others to get the that version of
composer.lock
file -
Always use
composer install
to get the correct dependencies
If you want to Upgrade the system dependencies to new versions
- Check the composer.json file for version specs.
- Do a
composer update
- This will change the
composer.lock
file with newest versions - Commit it to the GIT (or vcs)
- Ask others to get it and
composer install
Following will be a very good reading
https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file
Enjoy the power of composer.lock
file!
Solution 2:
Composer dependencies are defined in composer.json
. When running composer install for the first time, or when running composer update a lock file called composer.lock
will be created.
The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.***, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the composer.json
(not .lock
!) defined the dependency to be on 1.3.*.
Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json
is all that matters.
Solution 3:
The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update
which installs 1.2.4, and then commits the composer.lock file, when you composer install
, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version.Read more here Composer: It’s All About the Lock File