composer install
will install whenever stated in the composer.lock
file, but composer update
will update all the dependencies and create a new composer.lock
file based on what is required in composer.json
.
So many said only run composer update
in development. But my question is doing composer update
did replaced the old composer.lock
file, if your app is going to break it will break, because there might be conflict with the new updated dependencies.
I came across with a situation where I must do composer update
, the issue is related to pcntl
extension. The only solution is to do composer update
PHP pcntl module installation
I don't understand why people are afraid of running composer update
on production.
When you want to deploy to production, you'll need to make sure composer. lock doesn't have any packages that came from require-dev . Once you've tested locally with --no-dev you can deploy everything to production and install based on the composer.
update / u# In order to get the latest versions of the dependencies and to update the composer. lock file, you should use the update command. This command is also aliased as upgrade as it does the same as upgrade does if you are thinking of apt-get or similar package managers.
Do not run composer update
nor composer install
in production. Execute it somewhere else and upload the result to the production server, but not to the same directory where the application is hosted. As a general rule, you shouldn't modify the application that's being served while it's being served. Create a different copy of the application and when it's ready replace it with the closest to instantaneous command you can (e.g. mv
or ln -s
).
But if you HAVE to run either: always run install
and create a fresh installation; and never update
. install
is more predictable and reliable, with update
you are at the mercy of any of the project's dependencies.
Composer works recursively. So even if you have very tight version constraints in your composer.json
, by running composer update
you would be updating not only your dependencies, but your dependencies' dependencies.
While most of the time this won't introduce breakage, sometimes it will. One dependency down the line may introduce a change of behaviour that may impact your code in a way you may have not tested against.
Also, it's basically using the wrong tool for the job. Composer is a dependency management tool, not a deployment tool. To deploy your code to production you should be using some sort of code deployment tool (even if that "tool" is as simple as an FTP upload and a couple of scripts).
The appropriate flow is:
require
and update
calls on your development machine, where you can test the project without risk. This generates a composer.lock
, which is a known state for the whole project, with discrete installed versions.install --no-dev
. On this step you also should dump an optimized autoloader, run after-install scripts, etc. I usually separate this in more than one step:composer install --prefer-dist --no-scripts --no-progress --no-suggest --no-interaction --no-dev
:
^^ This for a complete, silent installation of everything, excluding development dependencies.
composer dump-autoload --optimize --no-dev
^^ To dump an optimized autoloader script suitable for production.
composer run-script --no-dev post-install-cmd
^^ This is mostly for Symfony, but if you have any post-install scripts to run (e.g. to copy assets to your "public" directory, warm-up some type of cache, anything like that), this would be a good moment to do it.
Note that if you use any "slow" push method (FTP, copy, rsync
, etc), you shouldn't write directly to the application filesystem, but create a fresh copy of the application and once the file transfer is ready, use a quick method to replace "production" with the new release. A popular and effective way is use a symlink as "production" root, so you only need to update the symlink once all of the above is done and ready, without impacting a running application (that otherwise could be temporarily broken, by virtue of suddenly containing files that belong to different versions of the application).
My thoughts about this are,
composer-update
is needed:
composer update
,composer install
My thoughts here :
You should never use composer update without argument.
composer update
reads every package listed on composer.json, and updates it to the latest available version compatible with the specified version constraints.
In a perfect world, all librairies would follow semver correctly, and it shouldn't have any side effects. But technically, that is never always true, and you could download a version incompatible with the previous one, or just a version with uncorrected bugs.
So, updating all your packages at once would probably lead to some issues, unless you have the time to check everything on your website to ensure nothing went wrong.
But of course, you'll have to update specific packages sometimes, so using composer update xxx/xxx
is useful, assuming you'll check all your implementations of the package.
When the updated package is fully tested, you can commit your code to staging/production, and then run composer install
to ensure you'll have the same exact version of package and dependencies on all your platforms.
Long story short, here's the process I use :
composer require xxx/xxx
to install new packagescomposer update xxx/xxx
to update a specific packagecomposer install
on all environments when the package.lock file has been updated.Additional thoughts
I stumbled once upon an implementation which would give the exact version of the package in composer.json. The developer explained that this way you could use composer update
without damage.
I disagree with this option, since even with the exact versions in composer.json, the dependencies are not fixed, and a composer update could lead to potential bugs in them.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With