Understanding the Composer Lock file

Last Updated at: January 2, 2018 By - Usama Muneer

    Introduction

    As you may know, Composer is a PHP dependency manager that manages the versions of the PHP libraries, tools and frameworks that we use in our applications. Everyone understands how the composer.json file works: it lists the versions of the PHP dependencies that you wish to install. But in the process of fetching and installing the dependencies, Composer generates a mysterious composer.lock file alongside the vendor directory.

    If we take Laravel for instance, its composer.json file looks like this in the beginning.

    {
        "name": "laravel/laravel",
        "description": "The Laravel Framework.",
        "keywords": ["framework", "laravel"],
        "license": "MIT",
        "type": "project",
        "require": {
            "php": ">=7.0.0",
            "fideloper/proxy": "~3.3",
            "laravel/framework": "5.5.*",
            "laravel/tinker": "~1.0"
        },
        "require-dev": {
            "filp/whoops": "~2.0",
            "fzaninotto/faker": "~1.4",
            "mockery/mockery": "~1.0",
            "phpunit/phpunit": "~6.0"
        },
        "autoload": {
            "classmap": [
                "database/seeds",
                "database/factories"
            ],
            "psr-4": {
                "App\\": "app/"
            }
        },
        "autoload-dev": {
            "psr-4": {
                "Tests\\": "tests/"
            }
        },
        "extra": {
            "laravel": {
                "dont-discover": [
                ]
            }
        },
        "scripts": {
            "post-root-package-install": [
                "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
            ],
            "post-create-project-cmd": [
                "@php artisan key:generate"
            ],
            "post-autoload-dump": [
                "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
                "@php artisan package:discover"
            ]
        },
        "config": {
            "preferred-install": "dist",
            "sort-packages": true,
            "optimize-autoloader": true
        }
    }

    The most important part here is the require block, which contains all of the dependencies:

    {
     "require": {
        "php": ">=7.0.0",
        "fideloper/proxy": "~3.3",
        "laravel/framework": "5.5.*",
        "laravel/tinker": "~1.0"
     }
    }

    If you notice, it only contains the packages along with their version numbers. Or, if we aren't sure of the proper version, we just pass a (*) wildcard, which will do the trick for us. It's not really self-explanatory. We do not have any idea what these packages do or what effect they will have on our application. It's kind of an incomplete guide for those of us who want to dig deeper into every single detail of the application.

    Generating the composer.lock file

    When we run composer install inside our project directory, Composer generates the composer.lock file for us. If you look inside it, you'd be surprised to see that it's pretty big. But if you look closely, this file holds the complete record of every dependency, and every sub-dependency of each dependency, installed from composer.json.

    Let's have a look at one package's information inside the composer.lock file:

    "packages": [
      
        {
            "name": "ddctd143/google-translate",
            "version": "dev-master",
            "source": {
                "type": "git",
                "url": "https://github.com/ddctd143/google-translate.git",
                "reference": "b2a584e251976bdd62239ac14a00489963000b0f"
            },
            "dist": {
                "type": "zip",
                "url": "https://api.github.com/repos/ddctd143/google-translate/zipball/b2a584e251976bdd62239ac14a00489963000b0f",
                "reference": "b2a584e251976bdd62239ac14a00489963000b0f",
                "shasum": ""
            },
            "require": {
                "guzzlehttp/guzzle": "^6.1",
                "php": ">=5.5.9"
            },
            "require-dev": {
                "phpunit/phpunit": "^5.2"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
                    "Dedicated\\GoogleTranslate\\": "src/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
            "license": [
                "MIT"
            ],
            "authors": [
                {
                    "name": "Arturs Terehovics",
                    "email": "ddctd143@gmail.com"
                }
            ],
            "description": "Free Laravel package for Paid Google Translate REST API",
            "homepage": "http://github.com/ddctd143/google-translate",
            "keywords": [
                "google",
                "laravel",
                "php",
                "translate"
            ],
            "time": "2017-05-01T23:22:22+00:00"
        }
    ]

    Above is a sample package entry, which contains every single detail associated with the Google Translate package: the name, the version, the commit reference string, sub-dependencies, license, etc.

    Pretty useful, right?
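
Because the lock entry records the exact commit reference, download URLs and checksum field for each package, it can be reviewed mechanically. The following is an added example, not code from the original article or from Composer: a small audit that flags lock entries tracking a branch, references that are not full commit ids, non-HTTPS URLs, differing source and dist references, and an empty shasum. The finding names and the second sample package are hypothetical, and git-style sources are assumed.

```python
import re

SHA1_RE = re.compile(r"[0-9a-f]{40}")  # a full git commit id

def audit_package(pkg):
    """Return sorted finding codes for one composer.lock package entry."""
    findings, refs = set(), []
    if re.search(r"^dev-|-dev$", pkg.get("version", "")):
        findings.add("branch-version")  # follows a branch, not a tagged release
    for kind in ("source", "dist"):
        block = pkg.get(kind)
        if not block:
            continue
        ref = block.get("reference") or ""
        refs.append(ref)
        if not SHA1_RE.fullmatch(ref):
            findings.add(kind + "-ref-not-commit")  # tag or branch names can move
        if not block.get("url", "").startswith("https://"):
            findings.add(kind + "-url-not-https")
    if len(set(refs)) > 1:
        findings.add("source-dist-ref-mismatch")
    if pkg.get("dist") and not pkg["dist"].get("shasum"):
        findings.add("dist-no-checksum")  # lock records no archive hash
    return sorted(findings)

def audit_lock(lock):
    """Map package name -> findings across packages and packages-dev."""
    report = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            found = audit_package(pkg)
            if found:
                report[pkg["name"]] = found
    return report

# Constructed sample: the first entry mirrors the package shown above; the
# second ("example/legacy-lib") is hypothetical and trips the other checks.
REF = "b2a584e251976bdd62239ac14a00489963000b0f"
SAMPLE_LOCK = {"packages": [
    {"name": "ddctd143/google-translate", "version": "dev-master",
     "source": {"type": "git", "reference": REF,
                "url": "https://github.com/ddctd143/google-translate.git"},
     "dist": {"type": "zip", "reference": REF, "shasum": "",
              "url": "https://api.github.com/repos/ddctd143/google-translate/zipball/" + REF}},
    {"name": "example/legacy-lib", "version": "1.2.0",
     "source": {"type": "git", "reference": "v1.2.0",
                "url": "http://git.example.test/legacy-lib.git"},
     "dist": {"type": "zip", "reference": REF, "shasum": "",
              "url": "https://dl.example.test/legacy-lib-1.2.0.zip"}}]}
```

To run it against a real project, load the file with `json.load(open("composer.lock"))` and pass the result to `audit_lock`.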

    Updating your composer.lock file

    The composer.lock file is generated as a result of the composer install command. Whenever you need to add another package, you can run either composer update or composer install to update your composer.lock file along with the updated package versions.

    Conclusion

    I hope this clears up the mystery of the composer.lock file. If not, leave us a comment below with your question. You can also follow us on Twitter.
