Composer: how can I install another dependency without updating old ones?

Question

I have a project with a few dependencies and I'd like to install another one, but I'd like to keep the others the way they are. So I've edited the composer.json, but if I run composer install, I get the following output:

Installing dependencies from lock file Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. Run update to update them. Your requirements could not be resolved to an installable set of packages.  Problem 1     - laravel/framework dev-master requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system.     - laravel/framework dev-master requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system.     - Installation request for laravel/framework dev-master -> satisfiable by laravel/framework dev-master. 

First of all, I do have mcrypt installed, so I don't know why it's complaining about that there.

So, how can I install this new dependency?

My composer.json:

{     "require": {          "opauth/opauth": "*",         "opauth/facebook": "*",         "opauth/google": "*",         "opauth/twitter": "*",          "imagine/Imagine": "dev-develop",          "laravel/framework": "4.*",         "loic-sharma/profiler": "dev-master"     },     "autoload": {         "classmap": [             "app/libraries",             "app/commands",             "app/controllers",             "app/models",             "app/database/migrations",             "app/tests/TestCase.php"         ]     },     "minimum-stability": "dev" } 

Answer 1

To install a new package and only that, you have two options:

1. Using the require command, just run:

   composer require new/package 

   Composer will guess the best version constraint to use, install the package, and add it to composer.lock.

   You can also specify an explicit version constraint by running:

   composer require new/package ~2.5 

–OR–

2. Using the update command, add the new package manually to composer.json, then run:

   composer update new/package 

If Composer complains, stating "Your requirements could not be resolved to an installable set of packages.", you can resolve this by passing the flag --with-dependencies. This will whitelist all dependencies of the package you are trying to install/update (but none of your other dependencies).

Regarding the question asker's issues with Laravel and mcrypt: check that it's properly enabled in your CLI php.ini. If php -m doesn't list mcrypt then it's missing.

Important: Don't forget to specify new/package when using composer update! Omitting that argument will cause all dependencies, as well as composer.lock, to be updated.

Answer 2

Actually, the correct solution is:

composer require vendor/package

Taken from the CLI documentation for Composer:

The require command adds new packages to the composer.json file from the current directory.

php composer.phar require

After adding/changing the requirements, the modified requirements will be installed or updated.

If you do not want to choose requirements interactively, you can just pass them to the command.

php composer.phar require vendor/package:2.* vendor/package2:dev-master

While it is true that composer update installs new packages found in composer.json, it will also update the composer.lock file and any installed packages according to any fuzzy logic (> or * chars after the colons) found in composer.json! This can be avoided by using composer update vendor/package, but I wouldn't recommend making a habit of it, as you're one forgotten argument away from a potentially broken project…

Keep things sane and stick with composer require vendor/package for adding new dependencies! 😉