14 events
Nov 1, 2022 at 14:42 comment added Peter Chaula @JoshJohnson for reproducibility between installs you need the lock file. Especially if you have no control over the libraries you are using.
Jul 1, 2021 at 17:46 comment added SteveExdia @TheodoreR.Smith Does your CI rebuilding master every night refer to it running composer install or update every night? I'd think that downloading and installing packages each night wouldn't be a good idea unless composer.json had changes.
Jul 27, 2020 at 15:25 comment added Tofandel @TheodoreR.Smith Yes, you should run composer update from the CI build and push the lock (or not if the build fails); like this, your users won't have any issue in the first place.
Jul 13, 2020 at 22:36 comment added redusek @TheodoreR.Smith then you should commit and push your composer.lock from your CI system so that the version you ran CI with is the version that your dependencies are locked to. composer.lock is about repeatability and if your CI worked then you'll want that documented. Of course, if you are always packaging up your vendor folder from CI and deploying it with your code, then you don't need composer.lock at all.
Mar 21, 2019 at 6:41 comment added Theodore R. Smith @tonix, I can answer this with some authority! The reason I don't commit composer.lock for my libraries is that my CI builds master every night no matter what. It guarantees that if any of the library's dependencies have upgrade problems a user of the library would have, that the CI fails. Works good!
Dec 26, 2018 at 14:18 comment added tonix Symfony and many other PHP libraries I have seen all exclude composer.lock from Git, still I don't understand why. Could someone make a use case which justifies it? Thank you!
May 11, 2018 at 8:58 comment added g4b0 Non-trivial conflicts can arise when reintegrating in trunk 2 branches that both have new packages installed through composer. Happened right now :)
Aug 3, 2017 at 10:55 history edited Francesco Casula CC BY-SA 3.0
Updating links to composer documentation
May 8, 2017 at 6:49 comment added mindplay.dk Committing the lock-file with a library is probably a good thing - the lock-file documents which versions of dependencies were installed when the test-suite was run. That's particularly important in a team, and especially in continuous integration environments.
Oct 24, 2014 at 8:18 history edited Fieg CC BY-SA 3.0
improved text
Jul 24, 2014 at 11:55 comment added Fieg Perhaps the use of the word "coworkers" was confusing here, I changed it to collaborators. The main difference is "main project" vs library, in which a main project consists of one or more libraries and code to integrate those. When running composer from the main project it doesn't use a library's composer.lock file, so it installs its dependencies at the latest version. I think this should be similar when testing your library.
Jul 24, 2014 at 11:47 history edited Fieg CC BY-SA 3.0
changed coworkers into collaborators
Jul 21, 2014 at 19:00 comment added Josh Johnson Why treat projects at work differently from "libraries"?
Jun 16, 2014 at 15:41 history answered Fieg CC BY-SA 3.0