HappyDeveloper - 1 month ago
PHP Question

composer.lock: how does it work?

I'm trying to understand this part: http://getcomposer.org/doc/02-libraries.md#lock-file

"this lock file will not have any effect on other projects that depend on it. It only has an effect on the main project"

Does that mean that if project P depends on library A, and library A depends on library B v1.3, project P won't care about the version of library B, and will possibly install B 1.4 instead? What's the point then?

Or does it mean the opposite, as one would expect from a dependency manager?


Composer dependencies are defined in composer.json. When running composer install for the first time, or when running composer update, a lock file called composer.lock will be created.

The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.*, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the composer.json (not .lock!) defined the dependency to be on 1.3.*.

Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json is all that matters.
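To make the rule in the answer concrete, here is an added toy model of the resolution (not Composer's own code, and not part of the question or answer): the root project's composer.lock pins exact versions, a dependency's composer.lock is never read, and only the dependency's composer.json constraint counts. The package index, library A and project P below are constructed for the example.

```python
import re

# Constructed package index (newest version first); not a real registry.
INDEX = {"A": ["1.0.0"], "B": ["1.4.0", "1.3.3", "1.3.2", "1.3.1"]}

# Library A as published: its composer.json constraint on B, and the
# composer.lock A's maintainer committed after running "composer update".
A_JSON = {"require": {"B": "1.3.*"}}
A_LOCK = {"B": "1.3.2"}
LIBRARIES = {"A": (A_JSON, A_LOCK)}

def matches(constraint, version):
    """Wildcard constraints only, e.g. '1.3.*' matches 1.3.0 .. 1.3.N."""
    pattern = "^" + re.escape(constraint).replace(r"\*", r"\d+") + "$"
    return re.match(pattern, version) is not None

def newest_matching(name, constraint):
    for version in INDEX[name]:            # newest first
        if matches(constraint, version):
            return version
    raise LookupError(f"nothing satisfies {name} {constraint}")

def resolve(root_json, root_lock=None):
    """Return {package: version} for a root project.
    root_lock is the root's own composer.lock (None on a fresh install).
    The lock files of dependencies are deliberately never consulted."""
    chosen = {}
    queue = list(root_json["require"].items())
    while queue:
        name, constraint = queue.pop(0)
        if name in chosen:
            continue
        if root_lock and name in root_lock:
            chosen[name] = root_lock[name]   # root lock pins the exact version
        else:
            chosen[name] = newest_matching(name, constraint)
        lib_json, _ignored_lock = LIBRARIES.get(name, ({"require": {}}, {}))
        queue.extend(lib_json["require"].items())   # only composer.json matters
    return chosen

P_JSON = {"require": {"A": "1.0.*"}}

def fresh_install():
    """P has no lock yet: A's lock (B 1.3.2) is ignored, B 1.3.3 is chosen."""
    return resolve(P_JSON)

def install_from_lock():
    """P's own lock, written by P's earlier update, pins B to 1.3.2."""
    return resolve(P_JSON, root_lock={"A": "1.0.0", "B": "1.3.2"})

if __name__ == "__main__":
    print(fresh_install())       # {'A': '1.0.0', 'B': '1.3.3'}
    print(install_from_lock())   # {'A': '1.0.0', 'B': '1.3.2'}
```

Committing P's own composer.lock is therefore what gives P a reproducible, reviewable set of transitive versions; A's lock cannot do that for P.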