Why is composer.lock included in project? #21
Comments
|
We could (and maybe should) leave it out of this repo because we aren't using any wildcard dependency versions so they don't need to be "locked" down. The minor issue is we don't want to add it to |
|
Going to close this for now due to the reason above. May re-visit it later. |
|
I'd like to second this. The first step of my Bedrock setup was adding the lock file to the .gitignore as is done with all of my projects. |
|
@benjibee your |
|
@swalkinshaw yes, I understand this when the given dependency version is Anyway, it's a minor thing, I just wanted to give my 2¢, sorry to "bump" a closed issue! |
|
👎 |
|
@QWp6t dislike removing the file or dislike that we're keeping it in Bedrock? |
|
I don't agree with removing the lock file. I agree with you that the lock serves an important function. The idea behind the lock file is that you can include the lock file instead of including dependencies. If you're not including the dependencies in the repo, then the lock should be included; this is especially important if the development repo doubles as your distribution channel (as is the case with bedrock). Even if your dependencies aren't wildcards, the lock is still a good idea because it is more specific. |
|
Necrobump, sorry. The lock provides a useful function, but committing it to the project defeats its purpose. The .lock file's purpose is to lock my clone of the repo, after I run composer, to particular versions of dependencies. This lets me fetch the latest-and-greats versions, within the limits specified in the project's composer.json file. If the exact version matters, it can be specified that way in composer.json. The .lock file is supposed to be created by my run of composer. I hope this makes sense and doesn't seem contentious. Not a huge deal, just not "proper", I don't believe, and something that jumped out at me on first look. |
|
bitwombat, I'm not following your reasoning. You're talking like once a lock file is included in the repo, the dependencies can never be changed, which is obviously not true. If you want a set dependency, or a new one, modify the |
|
FWIW bedrock's lockfile is updated by an automated script every time WP updates |
|
I retract this and stand corrected. Composer's own docs say to commit the lock file (as @swalkinshaw said above). Though not for libraries - perhaps why I've rarely seen this. One reasonably rated answer on Stack Exchange makes the case I did above, "but still", I now think it's correct as is. Basically, committing the lock file is saying to your users "Use these, they're what we tested with", whereas wildcards in composer.json are saying, to devs, "We're willing to test with any of these". |
|
I think there may be a bit of misunderstanding here. The issue is only about whether or not the I think everyone agrees that including the lock file with your app/project is the way to go. I don't think this repo should add The lock file will be created on the first With this in mind I think "Why is composer.lock included in project?" is a valid question. At the end of the day, I don't think it really matters all that much but maybe there's a better reason to go one way or the other. Does dependabot require the lock file to work? Is dependabot even necessary without it? Apart from potential integrations/inspectability I don't see a strong reason to include the lock file in this repo, but I would be interested to know if there are others. |
|
My take on this is that when using Bedrock as an upstream in git, I get conflicts on the lock file upon merging. I handle this by keeping my local version, and then updating lock after the merge is complete, which is a necessary step anyways. It would be nice to not have this merge issue, but it's a pretty common thing within our CI across multiple composer based projects, and the way to deal with it is always the same. It speak more to the composer file having stable constraints, and proper testing before it makes it way to a release. |
|
I'm in favor of leaving composer.lock in this repo, as it gives critical information on which versions of dependencies work with the project's code. For example, in a Bedrock-based project we removed the vendor directory and composer.lock and installed, which pulled vlucas/phpdotenv version 4.1.0, in which dotenv's create() method no longer accepts a string as its argument. By reviewing this repo's composer.lock file we were able to see on which version of dotenv the application.php file is based, allowing us to alter our code to be compatible with version dotenv v4.1.0. |
This is what the
What you're describing is a problem regarding the version constraint you have in your |
|
There's been some good discussion in here over 7 years (😱 ) but I'm closing this since it's unlikely we'll change this after so long. |
Meybe I'm wrong, but this way I always need to run
composer updateafter instalation.The text was updated successfully, but these errors were encountered: