I am using Composer in my projects, like always.
As always, I track the composer.lock file in git. First, because a former lead developer told me so. Second, because it is really practical for getting all the same dependencies, and for installing them easily in production.
Anyway, I am currently using a library that requires symfony/process. The problem is that, on the production server, because of the PHP version (5.4.44), I can only have v2.8.6 of symfony/process.
But on most of the developers' machines we have PHP 5.6 or PHP 7. So we could use symfony/process v3.0.6 (latest stable release).
So in composer.json, I put require symfony/process = 2.8.6.
So we all have this version. This is working, no problem.
I still have a question which bothers me all the time. In some way, I would like to put version >= 2.8.6 in composer.json, so that for dev we could have v3.0.6, and in production the compatible version.
But in this case, we will have a conflict all the time with the composer.lock file (between devs and production). So, we could not track it anymore. But still, I would like to get the latest stable release. And some day, we will update the production server to PHP 5.6, and so use symfony/process at the latest stable version.
So in this kind of case, should I stop tracking composer.lock? As we could get the latest version, and do the migration to PHP 5.6 more easily?
Or is it still a better idea to track the composer.lock file?
Thank you,
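
An added example, not part of the original post: one way to keep tracking composer.lock while widening the constraint is Composer's `config.platform` setting, which makes dependency resolution behave as if the declared PHP version were installed. The package name `acme/example-app` is a placeholder; because symfony/process 3.x cannot be installed on PHP 5.4.44, a lock file generated on a PHP 5.6 or PHP 7 workstation with this file still resolves to a 2.8.x release that production can install.

```json
{
    "name": "acme/example-app",
    "require": {
        "php": ">=5.4.44",
        "symfony/process": ">=2.8.6"
    },
    "config": {
        "platform": {
            "php": "5.4.44"
        }
    }
}
```

When production moves to PHP 5.6, raise `config.platform.php` to that version, run `composer update symfony/process`, and commit the regenerated composer.lock so every environment installs the same reviewed versions.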