10 events
when what by license comment
Feb 14 at 5:08 comment added Luis Mauricio @PierredeLESPINAY Under no normal circumstances should you update dependencies in production unless it comes from a tested preprod environment. Also, production should not have the ability to push to the repo, as production servers should be as lean as possible and designed with a possible attack in mind: if an attacker gets hold of one server and pushes changes, they can then do a small DDoS to pop more servers and "update" other servers with their code. Real attackers are not looking to drop your servers, but to control them.
Oct 28, 2019 at 19:04 comment added ToolmakerSteve @Radu - If using composer, you are doing composer install at some step of your release cycle, right? My situation is use of docker containers and CircleCI (e.g. build/deploy to Amazon AWS). I don't see how one would accomplish this with no composer install. For the same reason that when there are multiple developer machines, composer install is a recommended step after anyone has changed composer.lock. What alternative is there?
Mar 22, 2019 at 15:43 comment added Radu @Seldaek I don't know if composer install should be part of the build/deploy procedure on production (or any remote environment to be honest). I personally prefer deploying the code package after it has been previously "prepared".
May 2, 2016 at 7:39 review Suggested edits
May 2, 2016 at 8:30
Dec 23, 2013 at 12:31 comment added Joaquín L. Robles "In production you should not update your dependencies" should be written in all caps
Oct 15, 2012 at 13:58 vote accept Pierre de LESPINAY
Oct 15, 2012 at 13:54 comment added Seldaek In production you should not update your dependencies, you should run composer install which will read from the lock file and not change anything.
Oct 15, 2012 at 13:48 comment added meza If the composer.lock gets modified, you need to push the modifications back to the repository. If you want to tie the software to given versions of the libraries, then do so explicitly in the configuration. That way the lock will never change. Think of the lock file as an indicator of a dependency management issue which needs to be resolved one way or the other.
Oct 15, 2012 at 13:45 comment added Pierre de LESPINAY OK, but imagine if I update the libraries from the production environment: composer.lock will be overwritten, so the next pull on production will ask me to merge this file...
Oct 15, 2012 at 13:39 history answered meza CC BY-SA 3.0