Why composer install --no-dev does not work?

Question

I am developing a package library which has regular dependencies and one dev dependency. Composer recommends to not include the composer.lock file for libraries, so here is the composer.json

{
    "name": "myself/mypackage",
    "require": {
        "php": ">=5.6",
        "nesbot/carbon": "~1.20"
    },
    "require-dev": {
        "phpunit/phpunit": "^6.0"
    }
}

I want this to be compatible for use with applications running PHP 5.6, and I want to develop it using the latest PHPUnit testing tools which require PHP 7.

On the travis continuous integration testing server, I have a build matrix which runs the PHPUnit tests on PHP > 7 and a linting script:

composer install
./lint-php.bash
phpunit

and on PHP < 7, simply lint the source code:

composer install --no-dev
./lint-php.bash

However, it fails because it ignores the --no-dev flag and tries to install the dev dependency anyway.

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - phpunit/phpunit 6.0.7 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.6 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.5 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.4 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.3 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.2 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.1 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - phpunit/phpunit 6.0.0 requires php ^7.0 -> your PHP version (5.6.5) does not satisfy that requirement.
    - Installation request for phpunit/phpunit ^6.0 -> satisfiable by phpunit/phpunit[6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7].

Why is it ignoring the --no-dev flag? I just want it to install my regular dependencies and to ignore the require-dev section.

Answer 1

Despite the recommendation, this is because you don't have a composer.lock file, and is actually a requested feature.

First, it tries to resolve all dependencies. If this fails, it aborts. Next, it runs the actual install, and at that time ignores the dev dependencies. Your problem is that it couldn't pass the first step for resolution. So it's not that it ignored the --no-dev flag, it just never made it that far.

Option 1

If you include a composer.lock file, then it skips the dependency resolution and goes straight to installation at which time it will skip the dev dependencies.

Option 2

Since you're not including a library, but rather an executable tool, then instead of fighting the potential dependency conflicts between other dev tools you may include later, just pull it out of composer entirely and use phive (The PHAR Installation and Verification Environment).