composer install will install packages listed in the lock file composer.lock. When composer.lock is committed to the git repo, this ensures all developers in a team will install the same dependencies, meaning less room for works on my machine kind of error due to different setup.
However, running composer update doesn’t install the exact versions of packages stated in composer.lock. Instead it installs versions that matches those listed in composer.json. Hence newer versions could be installed.
Example.
- Developer A first created the repo, did a commit, did not track
composer.lock. v1.0.0 of package A is installed in Developer A’s machine - Some time passed, package A now has version 1.0.12
- Developer B joined the team, clone the repo onto his machine, runs
composer update. But package A version 1.0.12 is installed as there’s nocomposer.lock file. Due to different versions of package A installed, the app works well in Developer A’s machine but not in Developer B’s machine.
When to run composer update
Only when we are upgrading packages do we run composer update.
Of course, then we run the automated tests to check if all went well and fix.
The same applies to package.json.
More readings: