Lock: 它是如何工作的?

我试着理解这部分: http://getcomposer.org/doc/02-libraries.md#lock-file

此锁文件对依赖于它的其他项目没有任何影响。它只对主要项目有影响”

这是否意味着如果项目 P 依赖于库 A,而库 A 依赖于库 B v1.3,那么项目 P 就不会关心库 B 的版本,而是可能安装 B1.4?那还有什么意义?

或者它的意思正好相反,正如人们对依赖管理器所期望的那样?

138721 次浏览

Composer dependencies are defined in composer.json. When running composer install for the first time, or when running composer update a lock file called composer.lock will be created. 1

The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.**, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the ABC0 (not .lock!) defined the dependency to be on 1.3..

Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json is all that matters.


1 composer.lock is created by default as the lock configuration option[ref] is true. Setting the option to false Composer won't create nor read the composer.lock file.

composer.lock records the exact versions that are installed. So that you are in the same versions with your co-workers.

composer install

  • Check for composer.lock file
  • If not, auto generate composer.lock file (Using composer update)
  • Install the specified versions recorded in the composer.lock file

composer update

  • Go through the composer.json file
  • Check availability of newer (latest) versions, based on the version criteria mentioned (e.g. 1.12.*)
  • Install the latest possible (according to above) versions
  • Update composer.lock file with installed versions

So in a simple check list.

If you want to keep all co-workers in the same versions as you...

  • Commit your composer.lock to GIT (or vcs you have)
  • Ask others to get the that version of composer.lock file
  • Always use composer install to get the correct dependencies

If you want to Upgrade the system dependencies to new versions

  • Check the composer.json file for version specs.
  • Do a composer update
  • This will change the composer.lock file with newest versions
  • Commit it to the GIT (or vcs)
  • Ask others to get it and composer install

Following will be a very good reading
https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file

Enjoy the power of composer.lock file!

The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update which installs 1.2.4, and then commits the composer.lock file, when you composer install, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version.Read more here Composer: It’s All About the Lock File