Skip to main content

Always commit composer.lock, Mostly run composer install, Seldom run composer update

By July 5, 2019Coding Tips

composer install will install packages listed in the lock file composer.lock. When composer.lock is committed to the git repo, this ensures all developers in a team will install the same dependencies, meaning less room for works on my machine kind of error due to different setup.

However, running composer update doesn’t install the exact versions of packages stated in composer.lock. Instead it installs versions that matches those listed in composer.json. Hence newer versions could be installed.


  1. Developer A first created the repo, did a commit, did not track composer.lock. v1.0.0 of package A is installed in Developer A’s machine
  2. Some time passed, package A now has version 1.0.12
  3. Developer B joined the team, clone the repo onto his machine, runs composer update. But package A version 1.0.12 is installed as there’s no composer.lock file. Due to different versions of package A installed, the app works well in Developer A’s machine but not in Developer B’s machine.

When to run composer update

Only when we are upgrading packages do we run composer update.

Of course, then we run the automated tests to check if all went well and fix.

The same applies to package.json.

More readings:

Leave a Reply

Close Menu

Remember to get up and stretch once in a while