Composer Lock file in PHP Application Development


Composer is the dependency manager for PHP: it resolves and installs the versions of the PHP libraries, tools and frameworks that our application uses. For the purpose of this article, I am going to assume that you have built at least one Composer-powered application before.


Let’s begin with a new, and very much imaginary, project. It starts with a composer.json file, which lists the PHP dependencies we want installed together with a version constraint for each. Our composer.json file contains three packages.


    {
        "require": {
            "assassins/ezio":   "1.1.0",
            "assassins/edward": "1.1.2",
            "templars/shay":    "1.1.*"
        }
    }

It is worth noting that these are fake packages. Do not go and try to install them; I promise you, they will not work. I have simply been playing far too much Assassin’s Creed lately.


You could say that composer.json is a rather ‘rough’ guide to the versions that should be installed. It isn’t precise, because a wildcard constraint such as 1.1.* matches any 1.1.x release, so two resolutions at different times can pick different versions. It is a ballpark blueprint for our application’s dependency hierarchy.


Now we have run composer install, and the mysterious composer.lock file has appeared. If you take a look inside, you will notice that it’s pretty big!


That’s right: it records exactly what Composer installed for you, right down to the commit hash. Here’s a small excerpt:


"source": {
    "type": "git",
    "url": "",
    "reference": "98c313c831e5d99bb393ba1844df91bab2bb5b8b"
}



See that long string? That is the exact commit that was installed when Composer followed the instructions in your composer.json file. The lock file also records the resolved versions of your dependencies’ dependencies, so your entire dependency hierarchy has its versions ‘locked’ in composer.lock. That is what makes a build reproducible: two machines with the same lock file install the same code, not merely code that satisfies the same constraints.


Why is this useful? Well, it’s simple. Go ahead and delete your vendor directory. That removes all of the installed Composer packages that are your application’s dependencies.


Composer will see that you have a composer.lock file in the directory. Rather than resolving compatible versions of your dependencies to satisfy composer.json again, it will install the exact versions of your dependencies as recorded in composer.lock.


This means that we get back precisely the versions of our dependencies that we had installed before we deleted the vendor directory. That’s pretty nifty, right?


Time and time again I hear the question: should I commit my composer.lock file to version control?


The answer to that question should now be apparent. If you want to record the exact versions of your dependencies that are used by your application, then yes, you should version your lock file. In most situations this is true; the usual exception is a library that is itself installed into other projects, where the consuming application’s lock file is the one that matters.


If you are working with a team, versioning the lock file ensures that you are all working with exactly the same versions of your dependency packages. This is very helpful when debugging errors that happen for only one developer.


Finally, what causes the composer.lock file to change? When you add a package, use composer require vendor/package: it adds the package to composer.json and records the resolved version of that package (and whatever it pulls in) in composer.lock, without changing the versions of your other packages. That is much safer than a blanket composer update.


Here is a list of the actions that will update your composer.lock file.


    • You run composer install for the first time, with no composer.lock present. Composer resolves the constraints in composer.json, installs the result and writes the resolved versions to a new composer.lock. Note that composer install does not add packages to an existing lock file: if you edit composer.json by hand and then run composer install, Composer warns that the lock file is out of date and installs what the lock file already says.

    • You run composer require vendor/package, and the exact resolved version of the new package (and of anything it depends on) is added to composer.lock, leaving the other locked versions alone.


    • You run composer update, and all of your packages are updated to the latest versions allowed by the constraints in composer.json. This rewrites the exact version records in composer.lock.


    • You run composer update package/name, and only the specified package is updated to its latest version matching the constraint in composer.json. The exact version in composer.lock is updated to match. Add --with-dependencies if that package’s own dependencies need to move as well.


    • This means that composer install is the “safe” command: with a lock file present it only reads composer.lock and never rewrites it. composer update is the “risky” command, because it directly rewrites the version numbers and commit references held in composer.lock. Treat a changed lock file in a pull request the way you treat changed code, and review which packages moved and to what.
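Here is a small Python script a reviewer can run over two versions of composer.lock, say the one on the main branch and the one in a pull request that ran composer update. It is an added example for this article, not a Composer feature or code from the original post. It reports packages that were added, removed or version-bumped, and separately flags the case that deserves a closer look: the version string is unchanged but the source commit reference moved, meaning the code behind that tag changed upstream between the two resolutions. It also lists packages required in composer.json that are missing from the lock, which is exactly the state composer install will warn about but not repair. The two lock documents and the composer.json are constructed sample data built around the article’s fake packages; the commit hashes other than the one quoted above are placeholders.

```python
"""Compare two composer.lock files and check them against composer.json.

Added example for the article above; not part of Composer. The lock and
composer.json documents below are constructed sample data built around the
article's fake packages. Commit hashes other than the article's own are
placeholders.
"""
import json

# A real composer.lock holds "packages" (and "packages-dev") entries, each
# carrying the resolved "version" and a "source"/"dist" block with "reference".
OLD_LOCK = json.dumps({
    "packages": [
        {"name": "assassins/ezio", "version": "1.1.0",
         "source": {"type": "git", "url": "",
                    "reference": "98c313c831e5d99bb393ba1844df91bab2bb5b8b"}},
        {"name": "assassins/edward", "version": "1.1.2",
         "source": {"type": "git", "url": "", "reference": "a" * 40}},
        {"name": "templars/shay", "version": "1.1.3",
         "source": {"type": "git", "url": "", "reference": "b" * 40}},
    ],
    "packages-dev": [],
})

# The lock after `composer update` ran on a branch: shay moved within its
# 1.1.* constraint, haytham is new, and ezio kept its version string but now
# points at a different commit (the upstream tag was re-pointed).
NEW_LOCK = json.dumps({
    "packages": [
        {"name": "assassins/ezio", "version": "1.1.0",
         "source": {"type": "git", "url": "", "reference": "c" * 40}},
        {"name": "assassins/edward", "version": "1.1.2",
         "source": {"type": "git", "url": "", "reference": "a" * 40}},
        {"name": "templars/shay", "version": "1.1.4",
         "source": {"type": "git", "url": "", "reference": "d" * 40}},
        {"name": "templars/haytham", "version": "2.0.1",
         "dist": {"type": "zip", "url": "", "reference": "e" * 40}},
    ],
    "packages-dev": [],
})

# composer.json with a fourth package added by hand after OLD_LOCK was written.
COMPOSER_JSON = json.dumps({
    "require": {
        "php": ">=7.4",
        "assassins/ezio": "1.1.0",
        "assassins/edward": "1.1.2",
        "templars/shay": "1.1.*",
        "templars/haytham": "^2.0",
    }
})


def index_lock(lock_text):
    """Map package name -> {"version", "reference"} across both lock sections."""
    lock = json.loads(lock_text)
    indexed = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            origin = pkg.get("source") or pkg.get("dist") or {}
            indexed[pkg["name"]] = {"version": pkg["version"],
                                    "reference": origin.get("reference")}
    return indexed


def diff_locks(old_text, new_text):
    """Classify every package that differs between two lock files."""
    old, new = index_lock(old_text), index_lock(new_text)
    report = {"added": [], "removed": [], "changed": [], "retargeted": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name]["version"] != new[name]["version"]:
            report["changed"].append((name, old[name]["version"], new[name]["version"]))
        elif old[name]["reference"] != new[name]["reference"]:
            # Same version, different commit: the code behind the tag changed
            # without the version number saying so. Look before merging.
            report["retargeted"].append((name, old[name]["reference"], new[name]["reference"]))
    return report


def missing_from_lock(composer_json_text, lock_text):
    """Packages required in composer.json but absent from the lock file.

    Platform requirements (php, ext-*, lib-*) have no vendor/ prefix and never
    appear as lock packages, so they are skipped.
    """
    required = json.loads(composer_json_text).get("require", {})
    locked = index_lock(lock_text)
    return sorted(name for name in required if "/" in name and name not in locked)


if __name__ == "__main__":
    for kind, entries in diff_locks(OLD_LOCK, NEW_LOCK).items():
        for entry in entries:
            print(f"{kind:10} {entry}")
    print("missing from old lock:", missing_from_lock(COMPOSER_JSON, OLD_LOCK))
    print("missing from new lock:", missing_from_lock(COMPOSER_JSON, NEW_LOCK))
```

In a real repository you would read the two lock files from git (for example the base and head of the pull request) instead of the embedded samples; the "retargeted" bucket is the one to take to the upstream project’s release history before merging, since a re-pointed tag is indistinguishable from a legitimate release by version number alone.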


Hopefully you have now deciphered the mystery of the composer.lock file, and perhaps also have a desire to play the Assassin’s Creed games.


If this guide has helped you learn a thing or two about the Composer lock file, then please consider sharing this article with your friends, so they too can learn the secret behind mankind’s greatest mystery.


Thanks for reading!

