In my project I have some Composer vendor libraries that have been manually edited; my purpose is to restore them to the original state, on my development machine.
I unfortunately triggered a composer update so I don't have a correct composer.lock anymore (it has been updated). I got the composer.lock from our production system (that had the same libraries version of the old development composer.lock).
After replacing the new composer.lock with the old one, what should I execute for being sure to have the same environment as before?
Should composer install be enough to reinstall the old versions of the dependencies? (after removing the old Composer vendor/ directory)
I want to reinstall without getting any newer version.
And, in future cases where I will avoid to perform a composer update, what should I have triggered for restoring a vendor library after a manual edit of it?
As answered from Max:
"Yes, composer install will use the composer.lock file"
I just restored the composer.lock from my production system and then performed a composer install.
As stated from Édipo Costa Rebouças, if we commit the composer.lock to our repository every time we update it then we will always have the right reference to the correct versions of the dependencies.
Related
I'm working on a project based on PHP7 and Laravel. Unfortunately, there was a problem with dependencies and package versions.
I guessed that the previous developer working on the project started updating packages by calling
composer update
on his local dev environment.
Therefore, a new composer.lock file has been generated and everything has been pushed to the production server - however, the composer update command has not been called on the production...
There is a problem with the incompatibility of the PHP version and other errors in dependencies.
This is a very large project and I wouldn't like to migrate now to higher versions on the production server.
I am currently preparing a development environment and I care about maintaining the maximum compatibility of all package versions with what is on production.
By calling:
composer install
on local environment, I'm receiving a series of errors related to the incompatibility of the package versions.
Is there any way to regenerate / restore composer.json and composer.lock based on what is currently installed on the production server? Unfortunately, at this moment composer.lock on production doesn't completely reflect the current state of actually installed versions.
What is a safe and good way to recreate locally a cloned project from a repository on a production server - and maintain full compatibility of all package versions, the correct form of composer.json and composer.lock?
Thanks in advance for your help!
To run composer update and composer install
You can run with this code
composer install --ignore-platform-reqs
Or for update
composer update --ignore-platform-reqs
I found https://www.wuhaiqiao.com/2020/11/24/329.html
No, there is no way to recreate composer.json file based on what is already installed in /vendor. You can look for /vendor/composer/installed.json file as a reference for installed versions of all packages.
What you need to do in this case is:
Make sure your local environment is exactly the same as your production one. You can fake it if needed in your composer.json too by using platform configuration.
Your composer.lock file is of no use. Get /vendor/composer/installed.json file from your production. Delete your /vendor folder.
Run composer install. Write down all packages that have issues and check provided solutions by Composer.
Start downgrading the versions in your composer.json for packages that have issues based to the solutions provided by Composer. Be sure to look into those packages yourself - developers aren't always very strict with the way they maintain dependencies and versioning of their packages. You can always just take package version from production's /vendor/composer/installed.json and place that specific version in your composer.json.
Repeat steps 3-4 until you can finally generate new composer.lock file. Make sure your composer.json and composer.lock files are tracked by your VCS and fixate the changes.
I freshly installed a PHP application given with a composer.lock file.
When running composer install, command line tool is still asking for a composer.json.... I don't have.
In composer documentation, it's said that install command first look for a composer.lock and then for a composer.json.
Why composer is still asking for a file it doesn't need to install my dependencies ?
composer install > returns :
Composer could not find a composer.json file
You still need the composer.json file to install or update any dependencies.
Having a composer.lock file means that composer will not search for the latest commits of the dependencies
A few weeks ago on Twitter, I noticed that the OpenCFP project doesn’t have a composer.lock file in it’s repository. “So what,” you might say, “just composer install and away you go. You’ll get the same dependencies, right?”
Wrong.
The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update which installs 1.2.4, and then commits the composer.lock file, when you composer install, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version.
Source: Composer: It's all about Lock File
You must have a composer.json to install dependencies, because it's the file where dependencies theirself are listed. Refer to the documentation.
composer.lock lists dependencies which has already been installed. The composer looks first into it in order to keep versions consistent.
The (documentation states)[https://getcomposer.org/doc/01-basic-usage.md#installing-with-composer-lock]:
running install when a composer.lock file is present resolves and installs all dependencies that you listed in composer.json, but Composer uses the exact versions listed in composer.lock to ensure that the package versions are consistent for everyone working on your project.
If you have lost your composer.json you can reverse engineering your composer.lock. Open it and read all the packages installed, then create a composer.json which requires them. Not every single package will be a direct dependency for your problem: you should identify and remove those which are not.
This is how I use composer and svn together:
In my development version, I run composer to download required packages to the vendor directory. I then commit the vendor directory to svn together with the rest of the development folder. The production build makes a copy of the vendor folder.
I know, it is recommended not to commit the vendor directory in svn (see SVN Repo in vendor with Composer), but I want to be safe for the case when a composer update may break my application. It allows me to rollback everything in that case to the last stable state.
The problem with how composer works is that the checked out svn repo breaks, if composer deletes whole directories.
I would switch to the recommended practice and only check in composer.lock and composer.json into svn, if I knew how to rollback an eventual breaking composer update. Can somebody explain this to me, please.
When you have composer.lock and run composer install (not update) you are sure that you'll get dependencies which are "locked" by you.
Running composer update ignores entries in composer.lock and tries to download latest dependencies allowed by composer.json.
The project is set-up via composer.phar install --prefer-source and contains quite some modules which are kept in git.
I manage all these modules and their git repositories in my IDE (PhpStorm) and so might commit some changes to some of the modules in the vendor/ folder - directly to the source git repository.
How can I make sure now, that my co-workers get my recent module version when doing a composer.phar install (composer.lock is in the repo)?
If I make a local composer.phar update it looks like the composer.lock is not updated, because I already have the latest version (as I just made the commit directly in the vendor folder)
Commit the changes in the modules repos you've updated.
Push the changes to all respective remote repos.
Tag the new changes with appropriate versions.
Run composer update vendor1/package1 vendor2/package2 (or just composer update if you don't need to be explicit).
Commit and push the updated composer.lock file.
Your co-workers need to pull the updated composer.lock file and run composer install (install latest package versions from lock file).
If you have specified versions restrictions such as "vendor/package": "3.5.*" in your composer.json and you have tagged a new version like 3.6.0 you will need to update your composer.json file accordingly before step 4..
P.S. It is very good you use such a workflow with --prefer-source. Please do not use * or dev-master version restrictions in your composer.json. I would recommend always use versions even if they are in the zero major version range (0.X.X).
I'm trying to understand this part: http://getcomposer.org/doc/02-libraries.md#lock-file
this lock file will not have any effect on other projects that depend on it. It only has an effect on the main project"
Does that mean that if project P depends on library A, and library A depends on library B v1.3, project P won't care about the version of library B, and will possibly install B 1.4 instead? What's the point then?
Or does it mean the opposite, as one would expect from a dependency manager?
composer.lock records the exact versions that are installed. So that you are in the same versions with your co-workers.
composer install
Check for composer.lock file
If not, auto generate composer.lock file (Using composer update)
Install the specified versions recorded in the composer.lock file
composer update
Go through the composer.json file
Check availability of newer (latest) versions, based on the version criteria mentioned (e.g. 1.12.*)
Install the latest possible (according to above) versions
Update composer.lock file with installed versions
So in a simple check list.
If you want to keep all co-workers in the same versions as you...
Commit your composer.lock to GIT (or vcs you have)
Ask others to get the that version of composer.lock file
Always use composer install to get the correct dependencies
If you want to Upgrade the system dependencies to new versions
Check the composer.json file for version specs.
Do a composer update
This will change the composer.lock file with newest versions
Commit it to the GIT (or vcs)
Ask others to get it and composer install
Following will be a very good reading
https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file
Enjoy the power of composer.lock file!
Composer dependencies are defined in composer.json. When running composer install for the first time, or when running composer update a lock file called composer.lock will be created. 1
The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.**, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the composer.json (not .lock!) defined the dependency to be on 1.3..
Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json is all that matters.
1 composer.lock is created by default as the lock configuration option[ref] is true. Setting the option to false Composer won't create nor read the composer.lock file.
The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update which installs 1.2.4, and then commits the composer.lock file, when you composer install, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version.Read more here Composer: It’s All About the Lock File