I want to create my own package manager and am currently reviewing existing solutions.
I'm playing with PHP's Composer now, and it was quite surprising that it has two files:
The .lock information is absolutely pinned, typically created by a composer update request based on the .json information... but developers don't necessarily want to pin everything to an exact version, and without that .json file they have to upgrade the .lock file manually for every version upgrade of their dependencies.

The .lock also holds dependencies of dependencies, and dependencies of dependencies of dependencies, etc... whereas the .json file only holds immediate dependencies.... and as a developer, you should only need to control your immediate dependencies, and allow those libraries to control their own dependencies via their own

Basically, you should build your application against the .json but deploy against the
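To make the manifest/lock split concrete, here is an added toy model (not Composer's code, and not from the answer above): a manifest holding only immediate dependencies with caret ranges, a resolver that pins every transitive dependency into a lock, and a deploy-time check that the pinned set still satisfies every constraint. The package names, versions and registry contents are constructed for the example.

```python
"""Toy manifest-vs-lock model in the style of composer.json / composer.lock."""

# Constructed registry: package -> {version: {dependency: constraint}}
REGISTRY = {
    "http-client": {
        "1.2.0": {"uri-parser": "^2.0"},
        "1.3.1": {"uri-parser": "^2.1"},
        "2.0.0": {"uri-parser": "^3.0"},
    },
    "uri-parser": {"2.0.5": {}, "2.1.3": {}, "3.0.0": {}},
}

def parse(version):
    """'1.2' -> (1, 2, 0); '1.2.3' -> (1, 2, 3)."""
    parts = [int(x) for x in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """Exact pins and caret ranges only: ^X.Y means >= X.Y.0 and < (X+1).0.0."""
    v = parse(version)
    if constraint.startswith("^"):
        low = parse(constraint[1:])
        return low <= v < (low[0] + 1, 0, 0)
    return v == parse(constraint)

def resolve(manifest, registry=REGISTRY):
    """The 'update' step: pin the newest allowed version of every package reachable
    from the manifest, so the lock also carries dependencies of dependencies."""
    lock, queue = {}, list(manifest.items())
    while queue:
        name, constraint = queue.pop(0)
        if name in lock:  # already pinned: the earlier pin must still fit this constraint
            if not satisfies(lock[name], constraint):
                raise ValueError(f"conflict on {name}: {lock[name]} vs {constraint}")
            continue
        candidates = sorted((v for v in registry[name] if satisfies(v, constraint)), key=parse)
        if not candidates:
            raise ValueError(f"no version of {name} satisfies {constraint}")
        lock[name] = candidates[-1]
        queue.extend(registry[name][lock[name]].items())
    return lock

def lock_is_consistent(manifest, lock, registry=REGISTRY):
    """The 'deploy' step: a hand-edited or stale lock is rejected if any immediate
    or transitive constraint is no longer met by the pinned versions."""
    for name, constraint in manifest.items():
        if name not in lock or not satisfies(lock[name], constraint):
            return False
    for name, version in lock.items():
        for dep, constraint in registry[name][version].items():
            if dep not in lock or not satisfies(lock[dep], constraint):
                return False
    return True
```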