don't ignore composer.lock #38

rodsouto · 2015-02-04T22:15:33Z

Ignoring the composer.lock file is considered a bad practice because it forces us to do a 'composer update' every time we add a new dependency instead of the proper 'composer install'

related: https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file

Ignoring the composer.lock file is considered a bad practice because it forces us to do a 'composer update' every time we add a new dependency instead of the proper 'composer install' related: https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file

blag001 · 2015-05-07T15:00:08Z

I think keeping the .lock outside GIT (as the vendor/ folder) is the best way :
you clone the project without the content of vendor/ and you will never save it in git, so same thing for the .lock file.

JnMik · 2016-03-10T22:02:03Z

.lock file is important in the git repository, it is THE way to freeze all the dependencies you have for the current release, which have been tested and known as "bug free".

If I clone the project and run composer install based on the composer.json, I might as well pull newest tag of dependencies which break the current application code, and I won't know if the app owner is responsible or not.

So I'll say +1 to this.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

don't ignore composer.lock #38

don't ignore composer.lock #38

rodsouto commented Feb 4, 2015

blag001 commented May 7, 2015

JnMik commented Mar 10, 2016

don't ignore composer.lock #38

Are you sure you want to change the base?

don't ignore composer.lock #38

Conversation

rodsouto commented Feb 4, 2015

blag001 commented May 7, 2015

JnMik commented Mar 10, 2016