composer install installs exactly the packages and versions listed in the lock file.
composer.lock is committed to the git repo. This ensures all developers in a team install the same dependencies, leaving less room for "works on my machine" errors caused by differing setups.
composer update doesn't install the exact versions of packages stated in
composer.lock. Instead it installs versions that match the constraints listed in
composer.json. Hence newer versions could be installed.
- Developer A first created the repo and made a commit, but did not track
composer.lock. v1.0.0 of package A is installed on Developer A's machine.
- Some time passes; package A is now at version 1.0.12.
- Developer B joins the team, clones the repo onto his machine and runs
composer update. Package A version 1.0.12 is installed, as there is no
composer.lock file to pin it. Because different versions of package A are installed, the app works on Developer A's machine but not on Developer B's.
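The scenario above comes down to the difference between a constraint (composer.json) and a pinned version (composer.lock). The following is an added example, not part of the original note or of Composer itself: it implements Composer's exact, caret (^) and tilde (~) constraint rules for plain numeric versions, reports which required packages are pinned, unlocked or mismatched, and shows which version `composer update` would be free to pick. The package names and both files are constructed sample data.

```python
import json
import re

# Constructed sample files for the scenario in the text: package A is
# constrained with a caret in composer.json but pinned to 1.0.0 in the lock
# file; package B is required but was never locked. Not real project files.
COMPOSER_JSON = json.loads("""{"require": {
    "vendor/package-a": "^1.0.0",
    "vendor/package-b": "~2.1"}}""")
COMPOSER_LOCK = json.loads("""{"packages": [
    {"name": "vendor/package-a", "version": "1.0.0"}]}""")

def parse_version(text):
    """'v1.0.12' -> (1, 0, 12). Only numeric tags are handled; a pre-release
    suffix is ignored and branch aliases such as dev-master are not supported."""
    parts = [int(p) for p in re.match(r"v?(\d+(?:\.\d+)*)", text).group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def satisfies(version, constraint):
    """True if `version` is allowed by an exact, caret or tilde constraint."""
    v = parse_version(version)
    if constraint[0] not in "^~":
        return v == parse_version(constraint)          # exact pin
    raw = constraint[1:]
    low = parse_version(raw)
    if constraint[0] == "^":
        # ^1.2.3 allows <2.0.0, ^0.3 allows <0.4.0: first non-zero part is fixed
        idx = next((i for i, p in enumerate(low) if p), 0)
    else:
        # ~1.2.3 allows <1.3.0, ~1.2 allows <2.0.0: last specified part may grow
        idx = max(len(raw.split(".")) - 2, 0)
    high = low[:idx] + (low[idx] + 1,) + (0,) * (2 - idx)
    return low <= v < high

def lock_report(composer_json, composer_lock):
    """Per required package: 'pinned' (locked and still within the constraint),
    'unlocked' (absent from composer.lock) or 'mismatch' (locked version no
    longer satisfies composer.json, so the two files have drifted apart)."""
    locked = {p["name"]: p["version"] for p in composer_lock.get("packages", [])}
    report = {}
    for name, constraint in composer_json.get("require", {}).items():
        if name not in locked:
            report[name] = "unlocked"
        else:
            report[name] = "pinned" if satisfies(locked[name], constraint) else "mismatch"
    return report

def update_would_pick(constraint, available):
    """Highest available version that composer.json alone allows, i.e. what
    `composer update` may install when no lock file pins the choice."""
    allowed = [v for v in available if satisfies(v, constraint)]
    return max(allowed, key=parse_version) if allowed else None

if __name__ == "__main__":
    print(lock_report(COMPOSER_JSON, COMPOSER_LOCK))
    print(update_would_pick("^1.0.0", ["1.0.0", "1.0.12", "2.0.0"]))
```

With package A at 1.0.0 in the lock file and 1.0.12 published, `lock_report` still says "pinned" (install keeps 1.0.0) while `update_would_pick` returns 1.0.12, which is exactly the divergence between Developer A and Developer B.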
When to run
Only when we are upgrading packages do we run
Of course, we then run the automated tests to check that all went well, and fix whatever broke.
The same applies to