Let's say I have a composer.json file with locked dependencies:
{
"require" : {
"zendframework/zendframework" : "2.4.2"
},
"require-dev": {
"phpunit/phpunit": "4.6.6"
}
}
I want to do that because would like to update dependencies manually, so I won't be in a situation where my build fails or other developers experience issues I don't have because Composer installed a different version of the package.
Is there a good way to use Composer to list all newer versions of the locked packages, perhaps something like composer discover, where I get output: zendframework/zendframework is locked at version 2.4.2 (or 2.4.* or whatever), but there are versions 2.5.0, 2.5.1, and 2.6.0 available*?
Is any existing command capable of providing that kind of information?
Basically, I'm more about the newer versions being shown to me, so I can know what dependency to update manually. Committing the composer.lock isn't really the solution because that won't show me what to update (and my composer.json is locked at specific versions, so composer.lock won't differ anyway).
In order to do what you want, commit the composer.lock file and make sure everyone runs composer install to install the deps. This way, everyone has exact the same version/commit of each package.
You can then run composer update to get newer versions. This will update the packages and the composer.lock file, which you can commit and push, so everyone has the same versions again (after they run composer install).
This is not exactly what you are suggesting. But you can run
composer update --dry-run
to see what happens when composer updates your dependencies. This only shows you the latest version a package could be updated to, but not the versions in between:
composer update --dry-run
Loading composer repositories with package information
Updating dependencies (including require-dev)
- Updating symfony/translation (v2.5.5) to symfony/translation (v2.5.11)
- Updating symfony/security-core (v2.5.5) to symfony/security-core (v2.5.11)
- Updating symfony/routing (v2.5.5) to symfony/routing (v2.5.11)
- Updating symfony/process (v2.5.5) to symfony/process (v2.5.11)
- Updating symfony/http-foundation (v2.5.5) to symfony/http-foundation (v2.5.11)
The simplest way would probably just to run:
composer outdated
and get a list of the outdated dependencies. The output looks roughly like this:
As has been said by others, composer does what you tell it, and will only install the versions specified from the .lock file, or update to new versions (as specified within the range of the given version).
There are outside website services that will let you know that packages have been updated though - such as Versioneye.com. You can follow a number of packages, and it will let you know when any of them have been updated, so you can update the composer file as you wish.
To show the latest version of the packages, use show with -l/--latest parameter, e.g.
composer show -l
-l, --latest Show the latest version
To see the tree of dependencies, use -t/--tree parameter, e.g.
composer show -t
-t, --tree List the dependencies as a tree
To list all available version for the given package, run:
composer show -a zendframework/zendframework
Note: Change zendframework/zendframework with your package name.
Notes:
For global, add global right after composer.
For help, run: composer global help show.
Related
I need to install only 1 package for my SF2 distribution (DoctrineFixtures).
When I run
php composer.phar update
I get
- Updating twig/twig (dev-master 39d94fa => v1.13.0)
The package has modified files:
M CHANGELOG
M doc/filters/batch.test
M doc/filters/index.rst
M doc/filters/url_encode.rst
M doc/functions/index.rst
M doc/tags/index.rst
M doc/tests/index.rst
M lib/Twig/Autoloader.php
M lib/Twig/Compiler.php
M lib/Twig/CompilerInterface.php
-10 more files modified, choose "v" to view the full list
It appears the last developer edited a lot of files inside vendor.
In order to get around this, I tried
php composer.phar update <package_name>
But that doesn't seem to work. How can I update/install only one library from composer.json?
To install doctrine/doctrine-fixtures-bundle with version 2.1.* and minimum stability #dev use this:
composer require doctrine/doctrine-fixtures-bundle:2.1.*#dev
then to update only this single package:
composer update doctrine/doctrine-fixtures-bundle
If you just want to update a few packages and not all, you can list them as such:
php composer.phar update vendor/package:2.* vendor/package2:dev-master
You can also use wildcards to update a bunch of packages at once:
php composer.phar update vendor/*
As commented by #ZeroThe2nd ZSH users may need to wrap their vendor/* in quotation marks:
php composer.phar update "vendor/*"
--prefer-source: Install packages from source when available.
--prefer-dist: Install packages from dist when available.
--ignore-platform-reqs: ignore php, hhvm, lib-* and ext-* requirements and force the installation even if the local machine does not fulfill these. See also the platform config option.
--dry-run: Simulate the command without actually doing anything.
--dev: Install packages listed in require-dev (this is the default behavior).
--no-dev: Skip installing packages listed in require-dev. The autoloader generation skips the autoload-dev rules.
--no-autoloader: Skips autoloader generation.
--no-scripts: Skips execution of scripts defined in composer.json.
--no-plugins: Disables plugins.
--no-progress: Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters.
--optimize-autoloader (-o): Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default.
--lock: Only updates the lock file hash to suppress warning about the lock file being out of date.
--with-dependencies: Add also all dependencies of whitelisted packages to the whitelist.
--prefer-stable: Prefer stable versions of dependencies.
--prefer-lowest: Prefer lowest versions of dependencies. Useful for testing minimal versions of requirements, generally used with --prefer-stable.
Difference between install, update and require
Assume the following scenario:
composer.json
"parsecsv/php-parsecsv": "0.*"
composer.lock file
"name": "parsecsv/php-parsecsv",
"version": "0.1.4",
Latest release is 1.1.0. The latest 0.* release is 0.3.2
install: composer install parsecsv/php-parsecsv
This will install version 0.1.4 as specified in the lock file
update: composer update parsecsv/php-parsecsv
This will update the package to 0.3.2. The highest version with respect to your composer.json. The entry in composer.lock will be updated.
require: composer require parsecsv/php-parsecsv
This will update or install the newest version 1.1.0. Your composer.lock file and composer.json file will be updated as well.
You can use the following command to update any module with its dependencies
composer update vendor-name/module-name --with-dependencies
You can basically do following one to install new package as well.
php composer.phar require
then terminal will ask you to enter the name of the package for searching.
$ Search for a package []: //Your package name here
Then terminal will ask the version of the package (If you would like to have the latest version just leave it blank)
$ Enter the version constraint to require (or leave blank to use the latest version) []: //your version number here
Then you just press the return key. Terminal will ask for another package, if you dont want to install another one just press the return key and you will be done.
Just use
composer require {package/packagename}
like
composer require phpmailer/phpmailer
if the package is not in the vendor folder.. composer installs it and if the package exists, composer update package to the latest version.
Update:
require install or update the latest package version. if you want update one package just use update.
To ensure that composer update one package already installed to the last version within the version constraints you've set in composer.json remove the package from vendor and then execute :
php composer.phar update vendor/package
Because you wanted to install specific package
"I need to install only 1 package for my SF2 distribution (DoctrineFixtures)."
php composer.phar require package/package-name:package-version
would be enough
This question already has answers here:
Composer: how can I install another dependency without updating old ones?
(5 answers)
Closed 2 years ago.
I want to install zizaco/entrust package in laravel 5.8, in their github page it was said to include "zizaco/entrust": "5.2.x-dev" in composer.json file and run composer update command. I did so as below and ran composer update command.
"require" : {
"php" : "^7.1.3",
"fideloper/proxy" : "^4.0",
"laravel/framework" : "5.8.*",
"laravel/tinker" : "^1.0",
"laravel/ui" : "^1.2",
"maatwebsite/excel" : "^3.1",
"zizaco/entrust" : "5.2.x-dev"
},
but composer update command updates all packages to latest versions (these packages i included in "require" field as above) when installing zizaco/entrust package. So is if there are some coding faults in latest updated packages then whole site can break. FYI after i run the above command i see local git showing changes in many files in folders under vendor folder, it means that there are some updates in packages right?. so it's recommended that composer install command should be run so that those dependency packages will not be updated to latest versions.
So, in my case after including "zizaco/entrust": "5.2.x-dev" in require field in composer.json as above, if i run composer install then it don't install zizaco/entrust package. Furthermore, if i run composer require zizaco/entrust 5.2.x-dev then it still installs latest versions of dependency packages.
So how do i prevent installing latest versions of dependency packages i included in "require" field in composer.json file and i only install zizaco/entrust package.
So that my laravel 5.8 site don't break for updating any packages to latest versions because of malfunction codes or whatever in latest versions. It's very important to handle this scenario because we need to install packages in laravel site for various needs.
You've got two options: use composer require to specify the package to install, or manually update your composer.json file and use composer update [package].
Composer Require
composer require zizaco/entrust:5.2.x-dev
This will automatically update your composer.json file and install the specified version. This will not update any of your other dependencies. While the documentation specifies the package and version should be separated by a colon (:), I tested it with a space and it seemed to work.
Composer Update [package]
composer update zizaco/entrust
If you have manually updated your composer.json file, you will need to run composer update and specify the package to update. If you specify a package to update, only that package will be affected. When you don't specify the package to update, composer will look for updates for all packages.
A Note On Composer Install
composer install will not help you here. If you already have a composer.lock file (which you will since you're just attempting to add a new package), composer install will only look at your composer.lock file and attempt to install everything that is defined there. That means, if you manually update your composer.json file, and run composer install, it will not install the new requirement you specified.
Only when you don't already have a composer.lock file will composer install attempt to resolve dependencies and install them.
Run composer install instead. Alternatively you could use composer require <package name>.
Composer install looks in your composer.lock for exact versions, and only in composer.json for packages that are missing.
Composer update will look in composer.json for version constraint which roughly means "a range of versions". This is why different versions are getting installed.
Step 1:
You just need to add your package to the composer.json file and run the command:
composer install
composer install will check for the new package and install that, besides that it will check for any deprecation in other packages.
Step 2:
You can directly run your command in composer
composer require package/name
For example, if I need to install firebase, run below command from the project root:
composer require firebase/php-jwt
Installing new packages from the terminal automatically adds it into the composer.json file and it does not update previously installed packages.
Hope this helps!!
I freshly installed a PHP application given with a composer.lock file.
When running composer install, command line tool is still asking for a composer.json.... I don't have.
In composer documentation, it's said that install command first look for a composer.lock and then for a composer.json.
Why composer is still asking for a file it doesn't need to install my dependencies ?
composer install > returns :
Composer could not find a composer.json file
You still need the composer.json file to install or update any dependencies.
Having a composer.lock file means that composer will not search for the latest commits of the dependencies
A few weeks ago on Twitter, I noticed that the OpenCFP project doesn’t have a composer.lock file in it’s repository. “So what,” you might say, “just composer install and away you go. You’ll get the same dependencies, right?”
Wrong.
The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update which installs 1.2.4, and then commits the composer.lock file, when you composer install, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version.
Source: Composer: It's all about Lock File
You must have a composer.json to install dependencies, because it's the file where dependencies theirself are listed. Refer to the documentation.
composer.lock lists dependencies which has already been installed. The composer looks first into it in order to keep versions consistent.
The (documentation states)[https://getcomposer.org/doc/01-basic-usage.md#installing-with-composer-lock]:
running install when a composer.lock file is present resolves and installs all dependencies that you listed in composer.json, but Composer uses the exact versions listed in composer.lock to ensure that the package versions are consistent for everyone working on your project.
If you have lost your composer.json you can reverse engineering your composer.lock. Open it and read all the packages installed, then create a composer.json which requires them. Not every single package will be a direct dependency for your problem: you should identify and remove those which are not.
I did composer update recently. But new version of my dependencies what I got I completely don't like. I would say that I don't like dependency of my dependencies, it's more precise. Is there any way to roll back, except fetching from git history composer.lock?
There is no direct way of downgrading a dependency of a dependency; it takes some work:
Require the package in the desired version
composer require aws/aws-sdk-php=3.158.17
The dependency will be downgraded. It also gets added to composer.json which we don't want, because our application does not depend on it.
Simply removing the dependency with "composer remove" will upgrade the package to the lastest version which we don't want.
So instead, manually remove the require line from composer.json and run composer update nothing to update the hash in composer.lock.
I've had a similar problem with laravel/passport =7.5.1, that depends on league/oauth2-server ^7.0, that requires lcobucci/jwt ^3.2.2. And at the time, lcobucci/jwt was updated to latest 3.4 version. But this sudden update introduces the bug, so everyone has to downgrade it to 3.3.*.
You can override the version of nested dependency needed or apply another version number constraint by simply putting it in require section of your top-level composer.json:
"require": {
...
"lcobucci/jwt": "3.3.*"
}
Then don't forget to run composer update lcobucci/jwt, so it installs the right version of nested dependency and updates the record in composer.lock.
Today it is better to put the version to 3.4 and also install mbstring on your system with the command:
sudo apt-get install php-mbstring
If you are under ubuntu and finally do a composer update lcobucci / jwt just like you say.
I expected that
composer update videlalvaro/php-amqplib
would only update one dependency, but instead of that it updates all.
What am I missing?
PS: this dependency is defined as "videlalvaro/php-amqplib": "2.2.0" in composer.json
PPS: the composer version used is 3da05c68f9561fa822c522b1815435ff990493ff 2013-10-02 14:25:06
PPPS: the actual output:
$ composer.phar update videlalvaro/php-amqplib --no-dev
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
- symfony/icu v1.2.0 requires lib-icu >=4.4 -> the requested linked library icu has the wrong version installed or is missing from your system, make sure to have the extension providing it.
- symfony/icu v1.2.0 requires lib-icu >=4.4 -> the requested linked library icu has the wrong version installed or is missing from your system, make sure to have the extension providing it.
- Installation request for symfony/icu == 1.2.0.0 -> satisfiable by symfony/icu[v1.2.0].
The command composer update videlalvaro/php-amqplib does just update that dependency. However it doesn't disable the other dependency checking that Composer does.
What the error message is complaining about is that the lib-icu is not available on your system. Apparently this would be solved by installing the PHP Intl extension.
You would see similar issues if you did a composer update on a project that required PHP 5.5 in one of it's requires, downgraded to PHP 5.4 and then ran composer update on a separate require, that didn't require PHP 5.5. Even though you wouldn't be updating the require that needs PHP 5.5, the requirements for that package would not be resolvable, and so Composer would fail.
In your case, even though you're just trying to update videlalvaro/php-amqplib to the latest version, the requirements for symfony/icu aren't met, and so the composer update fails.
Edit
To try to be helpful, I'm guessing you re-installed PHP since you last did an update, and either removed or forgot to install the PHP Intl extension. Composer can't satisfactorily satisfy the requirements your composer.json is setting, and so is defaulting to doing nothing, rather than knowingly doing an update where the requirements aren't met.
So basically, you need to install the PHP extensions that are required for your existing installed software to run, and then Composer will be able to update the single package you want to update, as well as meet the requirements for the other packages.
tl;dr:
You can list more than one dependency to update in one command:
composer update one/dependency second/dependency other/dependency
Story:
If you want to update only one dependency (composer update some/dependency), you may face an issue that request is not satisfiable due to some other dependency is installed in wrong version. And that one does not necessarily must be listed in your composer.json, it could be just dependency of some other dependency.
E.g. I wanted to update only and only google/apiclient, but calling composer update google/apiclient complained, that google/auth (dependency of apiclient) requires guzzlehttp/psr7 in version 1.2.3. I had 1.3.0 installed. The guzzlehttp/psr7 was not listed in my composer.json. What I had to do, was to call:
composer update guzzlehttp/psr7 google/apiclient
and that's it! Just update the package you want, and if composer tells you, that you need to update (or downgrade :-)) some other package, list it in the command.
I had a similar case due to security reasons on a GitHub repository.
I solved updating the dependency to a specific version like this:
composer require phpseclib/phpseclib:2.0.31
If you are working with virtual environments like docker containers (ddev, lando, etc..) before running it you should connect to the container with a:
ddev ssh
To overcome this kind of dependency problem during the update of a specific package you should specify all the specific packages versions before running their update altogether.
In your case something like this:
composer require videlalvaro/php-amqplib:2.2.0 --no-update
composer require symfony/icu:1.2.0 --no-update
composer require lib-icu:4.4 --no-update
composer update videlalvaro/php-amqplib symfony/icu lib-icu