
Say the composer.lock file is git-ignored.

Now in production, on composer install, files are installed from composer.json and composer.lock is generated.

After a few days, I added a few packages to my composer.json and pushed the file to production.

On running composer install on the server, will it recognize the updated packages in the json file? Or does it just run the composer.lock file?

How does Composer handle this, since the json and lock files on the production server are now out of sync?

I have this question because other teams where I work prefer git-ignoring the lock file, and it seems to work out fine.

  • 4
    You are doing it wrong. Your composer.lock file should be committed. In production you should be doing composer install. See stackoverflow.com/questions/22104102/…
    – gview
    Commented Aug 1, 2019 at 4:04
  • @gview that's what I thought... but others seem to be fine without it, and that's what bugs me.
    – Azima
    Commented Aug 1, 2019 at 4:08
  • 2
    git-ignoring the composer.lock file is good practice for public packages with a regularly scheduled build-process but not for production applications. For production applications you need reproducible builds that are tested against the exact same set of dependencies. If you - for example - test your app on CI successfully and deploy afterwards but meanwhile some dependency itself was updated in a way that breaks your application ... your production system will go down upon deployment! Commented Aug 1, 2019 at 8:34
  • You could git-ignore the lock-file as long as you run composer update and then package the generated composer.lock together with your application for deployment during the build-process... if you do have a high enough test-coverage. But even then there's the risk of multiple developers checking out the same commit of your application but in fact developing against a different set of dependencies -> works-on-my-machine :) Commented Aug 1, 2019 at 8:47

1 Answer


composer install will only recognize that there are changes in your composer.json and that the composer.lock file doesn't match.

You need to remove the composer.lock file and run composer install, or, the better approach, run composer update. This will update existing packages if necessary and install all newly added packages, including updating the composer.lock file.

  • When Composer recognizes that there are changes in composer.json, is composer install supposed to install those updated packages?
    – Azima
    Commented Aug 2, 2019 at 4:08
    First off, this is factually wrong. Look at the answer I provided in the question I referenced. If composer install doesn't find a .lock file, it has to do the same work that composer update does -- namely compute all the dependencies and build the tree, which can be costly, time consuming and non-deterministic. Composer update is something you do in development; test, and then version the composer.lock file. In production, you do composer install, which reads the composer.lock and will install (if necessary) only the libraries that are missing.
    – gview
    Commented Aug 2, 2019 at 6:55
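The out-of-sync state the question describes (packages added to composer.json, lock file never regenerated) is something a deploy pipeline can detect before it runs `composer install`, rather than relying on the warning Composer prints and then carrying on with whatever the stale lock file says. The script below is an added example, not code from the question, the answer or the Composer project. It re-implements the `content-hash` value that Composer writes into composer.lock; the list of composer.json keys that feed that hash, and the emulation of PHP's `json_encode()` output, are assumptions taken from my reading of Composer 2's `Locker::getContentHash()` and may lag behind newer releases. The sample composer.json / composer.lock contents are constructed for the example.

```python
"""Offline check that composer.lock still matches composer.json.

Added example, not from the original question or answer. It re-implements
the "content-hash" that Composer writes into composer.lock (assumption: the
key list below matches Composer 2's Locker::getContentHash()) so that a CI
job can refuse to deploy when someone pushed a composer.json whose lock file
was never regenerated, which is exactly the out-of-sync state the question
describes.
"""
import hashlib
import json

# composer.json keys that feed the lock file's content-hash (assumption).
RELEVANT_KEYS = [
    "name", "version", "require", "require-dev", "conflict", "replace",
    "provide", "minimum-stability", "prefer-stable", "repositories", "extra",
]


def is_platform_package(name):
    """Platform requirements (php, extensions, ...) never get a locked entry.
    Prefix list is an approximation of Composer's platform package names."""
    return name in ("php", "hhvm") or name.startswith(("php-", "ext-", "lib-", "composer-"))


def _php_json_encode(value):
    """Mimic PHP's json_encode() defaults closely enough for hashing:
    compact separators, escaped '/', non-ASCII as \\uXXXX, and empty
    objects emitted as [] (json_decode(..., true) loses the {} distinction)."""
    def normalise(v):
        if isinstance(v, dict):
            return [] if not v else {k: normalise(x) for k, x in v.items()}
        if isinstance(v, list):
            return [normalise(x) for x in v]
        return v
    compact = json.dumps(normalise(value), separators=(",", ":"), ensure_ascii=True)
    return compact.replace("/", "\\/")


def content_hash(composer_json_text):
    """md5 of the dependency-relevant subset of composer.json, as Composer
    stores it under "content-hash" in composer.lock (assumption, see above)."""
    content = json.loads(composer_json_text)
    relevant = {k: content[k] for k in RELEVANT_KEYS if k in content}
    platform = content.get("config", {}).get("platform")
    if platform is not None:
        relevant["config"] = {"platform": platform}
    relevant = dict(sorted(relevant.items()))  # ksort() on the top level only
    return hashlib.md5(_php_json_encode(relevant).encode("utf-8")).hexdigest()


def lock_is_current(composer_json_text, composer_lock_text):
    """True when the lock file was generated from this composer.json."""
    lock = json.loads(composer_lock_text)
    return lock.get("content-hash") == content_hash(composer_json_text)


def missing_from_lock(composer_json_text, composer_lock_text):
    """Package names required by composer.json that have no locked entry,
    i.e. what `composer install` would silently not install from a stale lock."""
    content = json.loads(composer_json_text)
    lock = json.loads(composer_lock_text)
    locked = {p["name"] for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    wanted = set(content.get("require", {})) | set(content.get("require-dev", {}))
    return sorted(n for n in wanted if not is_platform_package(n) and n not in locked)


# Constructed sample data (not from the original post).
OLD_COMPOSER_JSON = json.dumps({
    "name": "acme/app",
    "description": "before the new package was added",
    "require": {"php": "^7.3", "monolog/monolog": "^2.0"},
})
NEW_COMPOSER_JSON = json.dumps({
    "name": "acme/app",
    "description": "after a package was added but the lock was not regenerated",
    "require": {"php": "^7.3", "monolog/monolog": "^2.0", "symfony/yaml": "^5.0"},
})
# Lock file as it looked when OLD_COMPOSER_JSON was last locked (constructed).
OLD_COMPOSER_LOCK = json.dumps({
    "content-hash": content_hash(OLD_COMPOSER_JSON),
    "packages": [{"name": "monolog/monolog", "version": "2.0.2"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for label, cj in (("old", OLD_COMPOSER_JSON), ("new", NEW_COMPOSER_JSON)):
        print(label, "lock current:", lock_is_current(cj, OLD_COMPOSER_LOCK),
              "missing:", missing_from_lock(cj, OLD_COMPOSER_LOCK))
```

In practice you do not need to ship this script: `composer validate` (without `--no-check-lock`) performs the same freshness check and fails when the lock file is out of date, and that is the command to run in CI before the build artifact with its committed composer.lock is promoted to production. The point of the worked version is to show what the check actually compares: only the dependency-relevant keys of composer.json, so editing `description` leaves the hash alone while adding a package to `require` invalidates the lock.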
