K
K
kolya_krut2016-10-05 14:41:24
PHP
kolya_krut, 2016-10-05 14:41:24

Do I need to put composer.lock in VCS?

Hello.
They say that composer.lock should be put in vcs in order to guarantee the identity of the loaded modules for all developers. But what if there are modules that are needed only in development.
For example, production does not need any phpunit. We write it in the require-dev section and do not drag it to production, i.e. update composer with --no-dev. It turns out that the developers have a complete set, but on the sale only what is necessary.
Is this approach correct? Or do I need to change the project structure so that composer.lock is still in the repository?

Answer the question

In order to leave comments, you need to log in

5 answer(s)
O
OnYourLips, 2016-10-05
@kolya_krut

The answer is simple, and you can come up with it yourself if you think it over well. But I will still voice it:
If you are making a library, then you don’t need to put it. If you are making an application, then be sure to
put .

A
Andrey Inishev, 2016-10-05
@inish777

Well, there are packages and packages-dev sections in composer.lock, they are also separated there. composer.lock must be in the repository.

A
Artem Soshnikov, 2016-10-05
@artem90

With composer.lock you will have the following advantages:
- installation will be much faster, since everything is already calculated in the lock file.
- install is guaranteed to install the right version from the right source in the lock file. When using update, there may be a situation that the package of version 1.0.1 is on sale, and you have 1.0.0.

D
dmitriy, 2016-10-05
@dmitriylanets

1. the presence of composer.lock in the repo implies the use of one version of all libraries specified in composer.json, thus you guarantee stability when developing your functionality, the composer install command
2. the absence of composer.lock assumes that you will use the latest version specified in composer.json libraries and there, when you execute the composer install command, you will have a composer update, and thus it is possible that you will rake up a bunch of conflicts instead of implementing your feature.
so the common practice is to update dependencies always in a separate task, in a separate branch.

A
Alexey Skobkin, 2016-10-05
@skobkin

Storing composer.lock in the VCS allows you to achieve consistency of package versions on all machines where the application is running (all developers, all servers).
And then - see the answer of OnYourLips .

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question