
I am using Composer in my projects, as always.

As always, I track the composer.lock file in git. First, because a former lead developer told me so. Second, because it is really practical for getting all the same dependencies, and for installing them easily in production.

Anyway, I am using some library actually. It requires symfony/process. The problem is that, on the production server, because of PHP version (5.4.44), I can only have v2.8.6 of symfony/process.

But most of the developers have PHP 5.6 or PHP 7. So we could use symfony/process v3.0.6 (latest stable release).

So in composer.json, I put require symfony/process = 2.8.6

So we all have this version. This is working, no problem.

I still have a question which bothers me all the time. In some way, I would like to put version >= 2.8.6 in composer.json, so that for dev we could have v3.0.6, and in production the compatible version.

But in this case, we will have a conflict all the time with the composer.lock file (between devs and production). So we could not track it anymore. But still, I like to get the latest stable release. And some day, we will update the production server to PHP 5.6, and so use the latest stable version of symfony/process.

So in this kind of case, should I stop tracking composer.lock, so that we could get the latest version and make the migration to PHP 5.6 easier?

Or is it still a better idea to track the composer.lock file?

Thank you,

1 Answer


Use two branches, one for dev, the other for production or release, each with its own composer.lock. Keep merging continuously from dev to production, daily or every several hours or at any other proper interval. Branch out production from dev and modify the .lock to 2.8.6. Later merges from dev to production will then cause no conflict. The developers should not push from local dev to the remote production branch.

If you think 2 branches are inconvenient, you could add both .lock files in some proper place of the repo. For example, 3.x.x is where it should be and 2.x.x is in another folder. In the production environment, you could copy the 2.x.x version to replace the 3.x.x. This could be done in something like a pre-run script or post-checkout hook.
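A sketch of the post-checkout hook from the second suggestion, as an added example that is not part of the original answer. The `deploy/php54/composer.lock` location and the `5.5.9` threshold (the minimum PHP for symfony/process 3.0) are assumptions; the hook refuses to continue when the alternate lock is missing, so production never installs from the dev lock by accident.

```shell
#!/bin/sh
# Added example: post-checkout hook for the "two lock files" layout.
# ALT_LOCK and MIN_PHP are assumed values, override them via the environment.
ALT_LOCK="${ALT_LOCK:-deploy/php54/composer.lock}"   # hypothetical path of the 2.x lock
MIN_PHP="${MIN_PHP:-5.5.9}"                          # below this, use the 2.x lock

# version_lt A B: succeed when dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" \
        | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# choose_lock PHP_VERSION: print the lock file this runtime must install from.
choose_lock() {
    if version_lt "$1" "$MIN_PHP"; then
        printf '%s\n' "$ALT_LOCK"
    else
        printf '%s\n' "composer.lock"
    fi
}

# apply_lock REPO_DIR PHP_VERSION: put the chosen lock in place, failing
# closed when the alternate lock is absent or empty.
apply_lock() {
    repo=$1
    chosen=$(choose_lock "$2")
    [ "$chosen" = "composer.lock" ] && return 0
    if [ ! -s "$repo/$chosen" ]; then
        echo "missing $chosen, refusing to install from the wrong lock" >&2
        return 1
    fi
    cp "$repo/$chosen" "$repo/composer.lock"
}

# Runs only when installed as .git/hooks/post-checkout.
if [ "${0##*/}" = "post-checkout" ]; then
    apply_lock "$(git rev-parse --show-toplevel)" "$(php -r 'echo PHP_VERSION;')"
fi
```

Running `composer install` after the hook then resolves exactly the versions recorded in whichever lock was put in place.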
