I'm trying to understand this part: http://getcomposer.org/doc/02-libraries.md#lock-file
this lock file will not have any effect on other projects that depend on it. It only has an effect on the main project"
Composer dependencies are defined in
composer.json. When running composer install for the first time, or when running composer update a lock file called
composer.lock will be created.
The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.***, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the
.lock!) defined the dependency to be on 1.3.*.
Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in
composer.json is all that matters.