How to make composer update only files in composer.lock/json and not pull new versions

Question

We are keeping the composer.json/composer.lock in our repository and using composer to update the dependencies. We have a githook for post-checkout to do a composer update. If there is a new version of one of our dependencies or dependencies dependencies it will download the update and change the composer.lock

The problem is that I don't want this because I'll have two developers committing the lock files and there will be needless conflicts.

What I would like is to have the composer update be a manual process, commit the composer.lock with the specific versions, and have composer update only based on what has changed in the composer.lock. But I don't see how to do that (and maybe I'm misunderstanding - and it doesn't work that way..)

Is there a way to do this, or another way to solve this problem?

Answer 1

Change your hook to composer install , which will read from the lock file on checkout. Then also add a post-merge hook to do the same, such that if one person commits changes to composer.lock the merged version will automatically install and/or update as necessary.

General rule is that install uses .lock if it exists, update always just uses .json .

Answer 2

I found a way to (almost) do this. https://gist.github.com/yehosef/8ffbab1f2dbbef22b757

#!/bin/bash
OLD=`md5 -q composer.lock.old`
NEW=`md5 -q composer.lock`
if [ "$NEW" != "$OLD" ]
then
  php composer.phar  update
fi
cat composer.lock > composer.lock.old

I run this in the post-checkout git hook. I commit the composer.lock and .gitignore the composer.lock.old. When I want to do an update, I do it manually with composer update and then commit the composer.lock.

The problem is that this is not directly matching the versions to the what's in the composer.lock - just keeping me from doing composer updates all the time.

Still would be better to force composer to only load the specific versions in composer.lock.