111

I'm trying to understand this part: http://getcomposer.org/doc/02-libraries.md#lock-file

this lock file will not have any effect on other projects that depend on it. It only has an effect on the main project"

Does that mean that if project P depends on library A, and library A depends on library B v1.3, project P won't care about the version of library B, and will possibly install B 1.4 instead? What's the point then?

Or does it mean the opposite, as one would expect from a dependency manager?

Improve this question

4 Answers 4

Reset to default
138

composer.lock records the exact versions that are installed. So that you are in the same versions with your co-workers.

composer install

  • Check for composer.lock file
  • If not, auto generate composer.lock file (Using composer update)
  • Install the specified versions recorded in the composer.lock file

composer update

  • Go through the composer.json file
  • Check availability of newer (latest) versions, based on the version criteria mentioned (e.g. 1.12.*)
  • Install the latest possible (according to above) versions
  • Update composer.lock file with installed versions

So in a simple check list.

If you want to keep all co-workers in the same versions as you...

  • Commit your composer.lock to GIT (or vcs you have)
  • Ask others to get the that version of composer.lock file
  • Always use composer install to get the correct dependencies

If you want to Upgrade the system dependencies to new versions

  • Check the composer.json file for version specs.
  • Do a composer update
  • This will change the composer.lock file with newest versions
  • Commit it to the GIT (or vcs)
  • Ask others to get it and composer install

Following will be a very good reading
https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file

Enjoy the power of composer.lock file!

Improve this answer
1
  • 2
    I would also like to point out that composer install, sometimes doesn't get the versions you wanted when they are already installed, as a workaround they have to delete the vendor folder and composer install again in order to get the right version in composer.lock. e.g. I'm getting 4.0.1 instead of 4.0.14-beta from my vendor after composer installing, I deleted the vendor then composer install again then I got the right version 4.0.14-beta
    – PauAI
    Commented Mar 19, 2017 at 23:39
88

Composer dependencies are defined in composer.json. When running composer install for the first time, or when running composer update a lock file called composer.lock will be created. 1

The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.**, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the composer.json (not .lock!) defined the dependency to be on 1.3..

Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json is all that matters.

1 composer.lock is created by default as the lock configuration option[ref] is true. Setting the option to false Composer won't create nor read the composer.lock file.

Improve this answer
5
  • How would one update all the dependencies to what is specified in a lock file (such as when transferring a project from staging to live)?
    – Petah
    Commented Feb 27, 2013 at 17:12
  • 7
    Simply run composer.phar install - which installs/updates/removes everything to the state of the lock file
    – naderman
    Commented Feb 28, 2013 at 16:09
  • In Python and Ruby, there's a similar concept involving the Gemfile.lock and requirements.txt. See: caremad.io/blog/setup-vs-requirement and yehudakatz.com/2010/12/16/… Doesn't that mean, that for PHP "Libraries" the compooser.lock does not need to be kept. but for PHP "Applications" the composer.lock should be committed?
    – CMCDragonkai
    Commented Nov 26, 2013 at 10:22
  • The composer.lock file can be beneficial for libraries too. Not for anyone depending on the library, but for developers of the library who communicate which versions they installed to run tests or debug issues, it can also help clarify which versions of dependencies the CI system ran tests for the library with.
    – naderman
    Commented Nov 23, 2016 at 13:10
  • composer.lock is like meta data for composer.json file
    – Wasim Khan
    Commented Jan 29, 2019 at 9:45
8

The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update which installs 1.2.4, and then commits the composer.lock file, when you composer install, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version.Read more here Composer: It’s All About the Lock File

Improve this answer
0

Run

compose init

it will resolve your problem

Improve this answer
1
  • 1
    Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Jan 23 at 2:20

Not the answer you're looking for? Browse other questions tagged or ask your own question.