For some reason, the composer create-project command seems to pull stale dependency versions.
After running create-project, if I chdir to the created folder and run a composer update, the newer versions are downloaded.
aherne@aherne-System-Product-Name:/var/www/html$ cd framework/
aherne@aherne-System-Product-Name:/var/www/html/framework$ composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 12 updates, 0 removals
  - Updating lucinda/request-validator (v1.0.4 => v1.0.8.1): Downloading (100%)
  - Updating lucinda/internationalization (v2.0.2 => v2.0.5): Downloading (100%)
  - Updating lucinda/view-language (v2.1.1 => v2.1.7): Downloading (100%)
  - Updating lucinda/sql-data-access (v2.0.1 => v2.0.2): Downloading (100%)
  - Updating lucinda/errors-mvc (v1.1.4 => v1.2.1.1): Downloading (100%)
  - Updating lucinda/mvc (v2.0.8 => v2.1.3): Downloading (100%)
  - Updating lucinda/security (v2.0.5 => v2.0.9): Downloading (100%)
  - Updating lucinda/oauth2-client (v1.6.2 => v1.6.3): Downloading (100%)
  - Updating lucinda/nosql-data-access (v2.0.3 => v2.0.4): Downloading (100%)
  - Updating lucinda/logging (v2.0.3 => v2.0.5): Downloading (100%)
  - Updating lucinda/http-caching (v2.0.1 => v2.0.3.2): Downloading (100%)
  - Updating lucinda/framework-engine (v1.2.5 => v1.3.6): Downloading (100%)
Writing lock file
Generating autoload files
Why doesn't composer create-project download the latest dependency versions in the first place?
Because doing a create-project is basically equivalent to cloning the repository and then doing a composer install.
And install downloads the dependencies declared in the composer.lock, each of which includes a specific version declaration. Running install is supposed to be safe, and to install only the declared dependency versions exactly as stored in the repository.
update, on the other hand, reads the version constraints declared in composer.json, downloads the latest available version of each package that fits those constraints, and then updates composer.lock.
This behaviour is not safe for a brand new installation, because not only are your direct dependencies updated, but any dependency of a dependency that can be updated will be as well, and compatibility problems can be introduced by accident. A lock file in a project represents a known good state that can be used to safely install a project working as intended.
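To make the install/update distinction above concrete, here is an added Python model of the two resolution strategies; it is not Composer's own code. The composer.json constraints, composer.lock pins and the list of available tags are all constructed inline (version numbers borrowed from the update output in the question), and the script reports which lock pins update would move past install.

```python
"""Model of what `composer install` vs `composer update` resolve to.

Added illustration, not Composer's code. composer.json, composer.lock and
the tag lists below are constructed inline for this example.
"""
import json

# Constructed composer.json / composer.lock fragments (only the fields that matter here).
COMPOSER_JSON = json.dumps({"require": {"lucinda/mvc": "^2.0",
                                       "lucinda/framework-engine": "^1.2.5",
                                       "lucinda/errors-mvc": "^1.1"}})
COMPOSER_LOCK = json.dumps({"packages": [{"name": "lucinda/mvc", "version": "v2.0.8"},
                                         {"name": "lucinda/framework-engine", "version": "v1.2.5"},
                                         {"name": "lucinda/errors-mvc", "version": "v1.1.4"}]})
# Constructed stand-in for the tags Packagist would offer for each package.
AVAILABLE = {"lucinda/mvc": ["v2.0.8", "v2.1.3", "v3.0.0"],
             "lucinda/framework-engine": ["v1.2.5", "v1.3.6", "v2.0.0"],
             "lucinda/errors-mvc": ["v1.1.4", "v1.2.1.1"]}

def parse_version(tag):
    """'v1.2.1.1' -> (1, 2, 1, 1); Composer accepts up to four numeric parts."""
    parts = [int(p) for p in tag.lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def caret_allows(constraint, tag):
    """Caret rule: ^X.Y.Z permits >= X.Y.Z and < (X+1).0.0; for ^0.Y it is < 0.(Y+1).0.
    (The ^0.0.Z corner case is not modelled here.)"""
    low = parse_version(constraint.lstrip("^"))
    high = (low[0] + 1, 0, 0, 0) if low[0] > 0 else (0, low[1] + 1, 0, 0)
    return low <= parse_version(tag) < high

def resolve_install(lock_text):
    """`install` ignores composer.json constraints and reproduces the lock file pins."""
    return {p["name"]: p["version"] for p in json.loads(lock_text)["packages"]}

def resolve_update(json_text, available):
    """`update` picks the highest available tag satisfying each composer.json constraint."""
    result = {}
    for name, constraint in json.loads(json_text)["require"].items():
        candidates = [t for t in available[name] if caret_allows(constraint, t)]
        result[name] = max(candidates, key=parse_version)
    return result

def stale_pins(lock_text, json_text, available):
    """Packages whose lock pin is behind what `update` would choose."""
    pinned, fresh = resolve_install(lock_text), resolve_update(json_text, available)
    return {n: (pinned[n], fresh[n]) for n in pinned if pinned[n] != fresh[n]}

if __name__ == "__main__":
    for name, (old, new) in stale_pins(COMPOSER_LOCK, COMPOSER_JSON, AVAILABLE).items():
        print(f"  - Updating {name} ({old} => {new})")
```

Note that resolve_install never looks at composer.json at all, which is exactly why create-project reproduces the repository's lock rather than the newest tags.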