What should my composer.json file look like in production environment?

Question

I have a Symfony 2.1 project, with additional bundles installed via composer. I want to deploy it to my production server, but I'm wondering if I need to change any things in the composer.json file. Here is my current file content:

{
    "name": "symfony/framework-standard-edition",
    "description": "The \"Symfony Standard Edition\" distribution",
    "autoload": {
        "psr-0": { "": "src/" }
    },
    "require": {
        "php": ">=5.3.3",
        "symfony/symfony": "2.1.1",
        "doctrine/orm": ">=2.2.3,<2.4-dev",
        "doctrine/doctrine-bundle": "1.0.*",
        "twig/extensions": "1.0.*",
        "symfony/assetic-bundle": "2.1.*",
        "symfony/swiftmailer-bundle": "2.1.*",
        "symfony/monolog-bundle": "2.1.*",
        "sensio/distribution-bundle": "2.1.*",
        "sensio/framework-extra-bundle": "2.1.*",
        "sensio/generator-bundle": "2.1.*",
        "jms/security-extra-bundle": "1.2.*",
        "jms/di-extra-bundle": "1.1.*",

        "friendsofsymfony/user-bundle": "*",
        "knplabs/knp-paginator-bundle": "dev-master",
        "ornicar/gravatar-bundle": "dev-master",
        "liip/url-auto-converter-bundle": "dev-master"
    },
    "scripts": {
        "post-install-cmd": [
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::buildBootstrap",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::clearCache",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::installAssets",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::installRequirementsFile"
        ],
        "post-update-cmd": [
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::buildBootstrap",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::clearCache",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::installAssets",
            "Sensio\\Bundle\\DistributionBundle\\Composer\\ScriptHandler::installRequirementsFile"
        ]
    },
    "config": {
        "bin-dir": "bin"
    },
    "minimum-stability": "dev",
    "extra": {
        "symfony-app-dir": "app",
        "symfony-web-dir": "web"
    }
}

Should I change the minimum-stability setting?

Should I fix every requirement to a single version, without wildcard, or "dev-master"?

Am I supposed to search on http://packagist.org/ the last stable version of each dependency?

Answer 1

I think the most important is your composer.lock, not so much the composer.json.

Deploy your app on a test server, php composer.phar install, then run the tests to ensure everything is ok. If it is indeed ok, just deploy on the production server along with the composer.lock.

This way your deps will be exaclty the same as your test server. This is also useful if you have multiple front server, the composer.lock will ensure everyone uses the exact same code.

You said

Should I fix every requirement to a single version, without wildcard, or "dev-master"?

This is the role of the composer.lock to "fix" everything. The composer.json is about declaring the dependencies, and handling possible incompatibilities between versions. By default, you should stick with the stable versions, unless you need some fancy new feature in the develop branch, or a bugfixe not yet merged.

Hence, you should version your composer.lock, that's easier for automatic deployment.