 

composer.lock: how does it work?

I'm trying to understand this part: http://getcomposer.org/doc/02-libraries.md#lock-file

"this lock file will not have any effect on other projects that depend on it. It only has an effect on the main project"

Does that mean that if project P depends on library A, and library A depends on library B v1.3, project P won't care about the version of library B, and will possibly install B 1.4 instead? What's the point then?

Or does it mean the opposite, as one would expect from a dependency manager?

HappyDeveloper asked May 20 '12 15:05



2 Answers

composer.lock records the exact versions that are installed, so that you are on the same versions as your co-workers.

composer install

  • Check for composer.lock file
  • If not, auto generate composer.lock file (Using composer update)
  • Install the specified versions recorded in the composer.lock file

composer update

  • Go through the composer.json file
  • Check availability of newer (latest) versions, based on the version criteria mentioned (e.g. 1.12.*)
  • Install the latest possible (according to above) versions
  • Update composer.lock file with installed versions

So in a simple check list.

If you want to keep all co-workers in the same versions as you...

  • Commit your composer.lock to GIT (or vcs you have)
  • Ask others to get that version of the composer.lock file
  • Always use composer install to get the correct dependencies

If you want to upgrade the system dependencies to new versions...

  • Check the composer.json file for version specs.
  • Do a composer update
  • This will change the composer.lock file with newest versions
  • Commit it to the GIT (or vcs)
  • Ask others to get it and composer install

The following is a very good read:
https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file

Enjoy the power of composer.lock file!

Dilhan Maduranga answered Oct 22 '22 12:10


Composer dependencies are defined in composer.json. When running composer install for the first time, or when running composer update, a lock file called composer.lock will be created.

The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.*, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the composer.json (not .lock!) defined the dependency to be on 1.3.*.

Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json is all that matters.

3 revs, 3 users 67% answered Oct 22 '22 12:10
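Added example, not part of either answer or of Composer itself: a Python check that reads project P's composer.json and composer.lock and confirms that every requirement, including those declared by locked libraries such as A, is pinned in P's lock to an exact version inside the declared range. The package names, versions and the `satisfies`/`audit_lock` helpers are constructed for illustration, and only exact and trailing-`*` constraints (the form used in the answers) are handled.

```python
import json

# Constructed sample data: project P requires library A, A requires B 1.3.*.
# P's composer.lock pins both; a composer.lock shipped inside A is never read.
COMPOSER_JSON = json.loads('{"require": {"php": ">=7.4", "vendor/a": "2.0.*"}}')
COMPOSER_LOCK = json.loads("""
{"packages": [
  {"name": "vendor/a", "version": "2.0.4", "require": {"vendor/b": "1.3.*"}},
  {"name": "vendor/b", "version": "v1.3.2"}
], "packages-dev": []}
""")

def satisfies(version, constraint):
    """True if an exact version matches an exact or trailing-wildcard constraint."""
    v = version.lstrip("v").split(".")
    c = constraint.lstrip("v").split(".")
    if c[-1] == "*":
        prefix = c[:-1]
        return v[:len(prefix)] == prefix
    return v == c

def audit_lock(manifest, lock):
    """List requirements that the lock does not pin, or pins outside the range."""
    locked = {p["name"]: p
              for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    # Requirement edges: the root project's, then each locked package's own.
    edges = [("root", n, c) for n, c in manifest.get("require", {}).items()]
    for pkg in locked.values():
        edges += [(pkg["name"], n, c) for n, c in pkg.get("require", {}).items()]
    problems = []
    for parent, name, constraint in edges:
        if "/" not in name:
            continue  # platform requirement (php, ext-*), not an installable package
        if name not in locked:
            problems.append(f"{parent} requires {name} {constraint}: not locked")
        elif not satisfies(locked[name]["version"], constraint):
            pinned = locked[name]["version"]
            problems.append(f"{parent} requires {name} {constraint}: lock pins {pinned}")
    return problems

if __name__ == "__main__":
    for line in audit_lock(COMPOSER_JSON, COMPOSER_LOCK) or ["lock is consistent"]:
        print(line)
```

An empty result means composer install will reproduce exactly the versions listed in P's lock; any reported line means the lock no longer matches the declared ranges and should be regenerated and reviewed before it is committed.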