mkurnikov - 2 months ago
PHP Question

Why composer was designed to work with two files: composer.json and composer.lock, instead of one

I want to create my own package manager, and currently reviewing existing solutions.

I'm playing with PHP's Composer now, and it was quite surprising that it has two files:

  • composer.json for project configuration and non-pinned dependencies
  • composer.lock for exact pinned dependencies

I do understand why one needs to pin dependencies; the .lock information by itself seems logical to me.

What I do not understand is why project metadata was split into two files.

Can anyone explain why it was designed this way? Why could deps not be pinned right in composer.json?

Answer

The .lock information is absolutely pinned, typically created by a composer update request based on the .json information... but developers don't necessarily want to pin everything to an exact version, and without that .json file they would have to upgrade the .lock file manually for every version upgrade of their dependencies.

The .lock also holds dependencies of dependencies, and dependencies of dependencies of dependencies, etc., whereas the .json file only holds immediate dependencies. As a developer, you should only need to control your immediate dependencies, and allow those libraries to control their own dependencies via their own .json files.

Basically, you should build your application against the .json but deploy against the .lock.
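The relationship the answer describes can be checked mechanically, which is what a build pipeline wants before trusting `composer install`: every direct requirement in composer.json must have a lock entry whose pinned version still falls inside the json's range (otherwise the lock is stale, the failure mode of editing composer.json without running `composer update`), and every package in the lock must have its own requirements present in the lock (the transitive closure the .json never lists). The script below is an added example and not Composer's own code or anything from the original post; the composer.json and composer.lock documents are constructed samples with real package names but made-up versions and trimmed fields, and `satisfies` implements only a small, assumed subset of Composer's constraint syntax (exact, `^`, `~`, `>=`, `*` and `||`), not the real resolver.

```python
"""Consistency check between a composer.json and its composer.lock.

Added example, not Composer's own code. composer.json carries only direct
requirements as ranges; composer.lock carries the whole resolved graph
pinned to exact versions. check_lock() reports a lock that is stale against
the json or that is not self-contained.
"""
import json
import re

# Constructed composer.json (sample data, not from any real project).
COMPOSER_JSON = json.loads("""
{
  "name": "example/app",
  "require": {"php": ">=8.1", "monolog/monolog": "^2.0", "guzzlehttp/guzzle": "^7.4"}
}
""")

# Constructed composer.lock, trimmed to the fields used here: every package
# in the resolved graph, including transitive ones, pinned to one version.
COMPOSER_LOCK = json.loads("""
{
  "packages": [
    {"name": "monolog/monolog", "version": "2.9.1",
     "require": {"php": ">=7.2", "psr/log": "^1.0.1 || ^2.0 || ^3.0"}},
    {"name": "psr/log", "version": "3.0.0", "require": {"php": ">=8.0.0"}},
    {"name": "guzzlehttp/guzzle", "version": "7.8.1",
     "require": {"php": "^7.2.5 || ^8.0", "guzzlehttp/promises": "^2.0",
                 "guzzlehttp/psr7": "^2.5"}},
    {"name": "guzzlehttp/promises", "version": "2.0.2", "require": {}},
    {"name": "guzzlehttp/psr7", "version": "2.6.2",
     "require": {"psr/http-message": "^1.1 || ^2.0"}},
    {"name": "psr/http-message", "version": "2.0", "require": {}}
  ]
}
""")


def parse_version(text):
    """'v2.9.1' -> (2, 9, 1); '2.0' -> (2, 0, 0). Pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n or 0) for n in m.groups())


def satisfies(version, constraint):
    """Assumed subset of Composer constraints: exact, ^, ~, >=, *, and || alternatives."""
    v = parse_version(version)
    for alt in constraint.split("||"):  # any alternative may match
        alt = alt.strip()
        if alt == "*":
            return True
        if alt.startswith(">="):
            if v >= parse_version(alt[2:]):
                return True
        elif alt.startswith("^"):
            lo = parse_version(alt[1:])
            # ^X.Y.Z allows < X+1.0.0; ^0.Y.Z only allows < 0.Y+1.0
            hi = (lo[0] + 1, 0, 0) if lo[0] > 0 else (0, lo[1] + 1, 0)
            if lo <= v < hi:
                return True
        elif alt.startswith("~"):
            lo = parse_version(alt[1:])
            # ~X.Y allows < X+1.0.0; ~X.Y.Z allows < X.Y+1.0
            hi = (lo[0] + 1, 0, 0) if alt.count(".") < 2 else (lo[0], lo[1] + 1, 0)
            if lo <= v < hi:
                return True
        elif v == parse_version(alt):  # exact pin
            return True
    return False


def is_platform(name):
    """php, hhvm, ext-* and lib-* are platform requirements, never lock entries."""
    return name in ("php", "hhvm") or name.startswith(("ext-", "lib-"))


def check_lock(composer_json, composer_lock):
    """Return a list of problems; empty means the lock matches the json and is closed."""
    pinned = {p["name"]: p for p in composer_lock.get("packages", [])}
    problems = []
    # 1. Direct requirements must be pinned inside the range composer.json asks for.
    for name, constraint in composer_json.get("require", {}).items():
        if is_platform(name):
            continue
        if name not in pinned:
            problems.append(f"{name}: required by composer.json but absent from lock")
        elif not satisfies(pinned[name]["version"], constraint):
            problems.append(f"{name}: lock pins {pinned[name]['version']}, "
                            f"composer.json now wants {constraint} (lock is stale)")
    # 2. Every locked package's own requirements must be locked as well.
    for pkg in pinned.values():
        for dep, constraint in pkg.get("require", {}).items():
            if is_platform(dep):
                continue
            if dep not in pinned:
                problems.append(f"{pkg['name']}: transitive dependency {dep} missing from lock")
            elif not satisfies(pinned[dep]["version"], constraint):
                problems.append(f"{pkg['name']}: {dep} {pinned[dep]['version']} "
                                f"does not satisfy {constraint}")
    return problems


def stale_after_constraint_bump():
    """Edit composer.json without regenerating the lock: the lock is now stale."""
    bumped = json.loads(json.dumps(COMPOSER_JSON))
    bumped["require"]["monolog/monolog"] = "^3.0"
    return check_lock(bumped, COMPOSER_LOCK)


if __name__ == "__main__":
    print("lock vs json:", check_lock(COMPOSER_JSON, COMPOSER_LOCK) or "consistent")
    print("after bumping monolog to ^3.0:", stale_after_constraint_bump())
```

Run as-is, the first check passes and the second reports that the lock still pins monolog/monolog 2.9.1 while the json asks for ^3.0; that is exactly the manual-upgrade burden the answer says the .json file spares developers, and it is the check to run in CI so a deployment never installs from a lock that no longer reflects the declared requirements.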
