Understanding the Composer Lock file

Introduction

As you may know, Composer is a PHP dependency manager that manages the versions of the PHP libraries, tools and frameworks we use in our applications. Most of us understand the composer.json file well: it lists the PHP dependencies we want installed and the version constraints for each. But while fetching and installing those dependencies, Composer also generates a somewhat mysterious composer.lock file alongside the vendor directory.

Taking Laravel as an example, its composer.json file initially looks like this.

{
    "name": "laravel/laravel",
    "description": "The Laravel Framework.",
    "keywords": ["framework", "laravel"],
    "license": "MIT",
    "type": "project",
    "require": {
        "php": ">=7.0.0",
        "fideloper/proxy": "~3.3",
        "laravel/framework": "5.5.*",
        "laravel/tinker": "~1.0"
    },
    "require-dev": {
        "filp/whoops": "~2.0",
        "fzaninotto/faker": "~1.4",
        "mockery/mockery": "~1.0",
        "phpunit/phpunit": "~6.0"
    },
    "autoload": {
        "classmap": [
            "database/seeds",
            "database/factories"
        ],
        "psr-4": {
            "App\\": "app/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\": "tests/"
        }
    },
    "extra": {
        "laravel": {
            "dont-discover": [
            ]
        }
    },
    "scripts": {
        "post-root-package-install": [
            "@php -r \"file_exists('.env') || copy('.env.example', '.env');\""
        ],
        "post-create-project-cmd": [
            "@php artisan key:generate"
        ],
        "post-autoload-dump": [
            "Illuminate\\Foundation\\ComposerScripts::postAutoloadDump",
            "@php artisan package:discover"
        ]
    },
    "config": {
        "preferred-install": "dist",
        "sort-packages": true,
        "optimize-autoloader": true
    }
}

The most important part here is the require block, which lists all of the dependencies.

{
 "require": {
    "php": ">=7.0.0",
    "fideloper/proxy": "~3.3",
    "laravel/framework": "5.5.*",
    "laravel/tinker": "~1.0"
 }
}

If you look closely, it only contains the package names along with their version constraints. And if we aren't sure of the exact version, we simply use a (*) wildcard and let Composer pick one for us. It is not really self-explanatory: we have no idea what these packages do or what effect they will have on our application. For anyone who wants to dig into every detail of the application, it is an incomplete guide.
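To make concrete why the require block alone is not enough, here is an added example (not code from the original article or from Composer itself) that interprets the constraint forms used in the composer.json above (">=", "~", "^" and "*") as version ranges. Composer's real constraint grammar is larger; the semantics implemented here are the documented ones for these forms, and the candidate version lists are constructed for the demo.

```python
"""Interpret simple Composer version constraints as version ranges.

Added example, not part of the original article. It handles only the
constraint forms that appear in the article's composer.json:
  ">=7.0.0"  -> 7.0.0 <= v               (no upper bound)
  "~3.3"     -> 3.3.0 <= v < 4.0.0       (last given digit may grow)
  "~1.4.2"   -> 1.4.2 <= v < 1.5.0
  "^6.1"     -> 6.1.0 <= v < 7.0.0       (first non-zero digit fixed)
  "5.5.*"    -> 5.5.0 <= v < 5.6.0
Anything else is treated as an exact version.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Stand-in for "no upper bound".
INFINITY: Version = (10**9, 0, 0)


def parse_version(text: str) -> Version:
    """Turn "5.5.2" / "5.5" / "5" into a three-part tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def _bump_last(parts: List[int]) -> Version:
    """Increment the last given component and zero-pad: [5, 5] -> (5, 6, 0)."""
    bumped = parts[:]
    bumped[-1] += 1
    return parse_version(".".join(str(p) for p in bumped))


def constraint_range(constraint: str) -> Tuple[Version, Version, bool]:
    """Return (lower, upper, upper_is_inclusive) for one simple constraint."""
    c = constraint.strip()
    if c.startswith(">="):
        return parse_version(c[2:]), INFINITY, True
    if c.startswith("~"):
        parts = [int(p) for p in c[1:].split(".")]
        # "~3.3" allows 3.x, "~1.4.2" allows 1.4.x: drop the last digit and bump.
        upper = (parts[0] + 1, 0, 0) if len(parts) == 1 else _bump_last(parts[:-1])
        return parse_version(c[1:]), upper, False
    if c.startswith("^"):
        parts = [int(p) for p in c[1:].split(".")]
        # Caret keeps the first non-zero component fixed.
        if parts[0] != 0:
            upper: Version = (parts[0] + 1, 0, 0)
        elif len(parts) > 1 and parts[1] != 0:
            upper = (0, parts[1] + 1, 0)
        else:
            upper = (0, 0, (parts[2] if len(parts) > 2 else 0) + 1)
        return parse_version(c[1:]), upper, False
    if c.endswith(".*"):
        prefix = [int(p) for p in c[:-2].split(".")]
        return parse_version(c[:-2]), _bump_last(prefix), False
    exact = parse_version(c)
    return exact, exact, True


def satisfies(version: str, constraint: str) -> bool:
    """True if the concrete version falls inside the constraint's range."""
    lower, upper, inclusive = constraint_range(constraint)
    v = parse_version(version)
    return lower <= v and (v <= upper if inclusive else v < upper)


def newest_allowed(constraint: str, candidates: List[str]) -> Optional[str]:
    """Pick what Composer would install from the versions published so far.

    The answer depends on which versions exist at install time, which is
    exactly the information composer.json does not carry and composer.lock does.
    """
    allowed = [v for v in candidates if satisfies(v, constraint)]
    return max(allowed, key=parse_version) if allowed else None


if __name__ == "__main__":
    published = ["5.4.36", "5.5.0", "5.5.40", "5.6.0"]  # constructed list
    print("5.5.* today resolves to", newest_allowed("5.5.*", published))
    print("~3.3 accepts 3.4.1:", satisfies("3.4.1", "~3.3"))
    print("~3.3 accepts 4.0.0:", satisfies("4.0.0", "~3.3"))
```

Run it and the "5.5.*" constraint resolves to 5.5.40 against the constructed list; add a newer 5.5.x to the list and the result changes without composer.json changing at all, which is the gap the lock file closes.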

Generating the composer.lock file

When we run composer install inside our project directory, Composer generates the composer.lock file for us. If you open it, you will be surprised to see how big it is. But look closely and you will find that this file holds the complete record of every dependency listed in composer.json, together with all of the sub-dependencies installed alongside each one.

Let's have a look at one package's entry inside the composer.lock file.

"packages": [
    {
        "name": "ddctd143/google-translate",
        "version": "dev-master",
        "source": {
            "type": "git",
            "url": "https://github.com/ddctd143/google-translate.git",
            "reference": "b2a584e251976bdd62239ac14a00489963000b0f"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/ddctd143/google-translate/zipball/b2a584e251976bdd62239ac14a00489963000b0f",
            "reference": "b2a584e251976bdd62239ac14a00489963000b0f",
            "shasum": ""
        },
        "require": {
            "guzzlehttp/guzzle": "^6.1",
            "php": ">=5.5.9"
        },
        "require-dev": {
            "phpunit/phpunit": "^5.2"
        },
        "type": "library",
        "autoload": {
            "psr-4": {
                "Dedicated\\GoogleTranslate\\": "src/"
            }
        },
        "notification-url": "https://packagist.org/downloads/",
        "license": [
            "MIT"
        ],
        "authors": [
            {
                "name": "Arturs Terehovics",
                "email": "ddctd143@gmail.com"
            }
        ],
        "description": "Free Laravel package for Paid Google Translate REST API",
        "homepage": "http://github.com/ddctd143/google-translate",
        "keywords": [
            "google",
            "laravel",
            "php",
            "translate"
        ],
        "time": "2017-05-01T23:22:22+00:00"
    }
]

Above is a sample package entry, which contains every detail associated with the google-translate package: the name, the version, the commit reference string, the sub-dependencies, the license and so on.
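Because the lock entry records the exact commit reference, the download URL and (where available) an archive checksum, it is also the natural place to review what composer install is about to fetch. The following added example (not code from the original article or from Composer) reads a lock file of the structure shown above and lists the entries a reviewer would want to look at. The composer.lock and composer.json contents embedded here are constructed for the demo; the package names other than the google-translate entry above are made up.

```python
"""Audit a composer.lock file for dependency hygiene.

Added example, not part of the original article. It walks the lock
file's "packages" and "packages-dev" arrays and reports:
  - a branch version such as "dev-master": the commit is still pinned by
    "reference", but the branch itself moves on the next update
  - a dist entry with an empty "shasum" (common for GitHub zipballs, so
    informational: no archive checksum is recorded)
  - a source or dist URL that is not https
  - a package required in composer.json but absent from the lock,
    which means the lock file is out of date
"""
import json
from typing import Dict, List, Optional

# Constructed composer.json fragment: one package that is NOT in the lock.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {
        "php": ">=7.0.0",
        "ddctd143/google-translate": "dev-master",
        "guzzlehttp/guzzle": "^6.1",
    },
})

# Constructed composer.lock: the article's entry plus a made-up http mirror.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {
            "name": "ddctd143/google-translate",
            "version": "dev-master",
            "source": {"type": "git",
                       "url": "https://github.com/ddctd143/google-translate.git",
                       "reference": "b2a584e251976bdd62239ac14a00489963000b0f"},
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/ddctd143/google-translate/zipball/b2a584e251976bdd62239ac14a00489963000b0f",
                     "reference": "b2a584e251976bdd62239ac14a00489963000b0f",
                     "shasum": ""},
        },
        {
            "name": "example/http-mirror",  # hypothetical package
            "version": "1.2.3",
            "dist": {"type": "zip",
                     "url": "http://mirror.example/http-mirror-1.2.3.zip",
                     "reference": "1.2.3",
                     "shasum": "0000000000000000000000000000000000000000"},
        },
    ],
    "packages-dev": [],
})


def audit_lock(lock_text: str, composer_json_text: str) -> List[Dict[str, str]]:
    """Return a list of findings, each {"package", "issue", "detail"}."""
    lock = json.loads(lock_text)
    manifest = json.loads(composer_json_text)
    findings: List[Dict[str, str]] = []
    locked = set()

    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            locked.add(name)
            if pkg.get("version", "").startswith("dev-"):
                findings.append({"package": name, "issue": "branch-version",
                                 "detail": pkg["version"]})
            dist = pkg.get("dist") or {}
            if dist and not dist.get("shasum"):
                findings.append({"package": name, "issue": "missing-shasum",
                                 "detail": dist.get("url", "")})
            for kind in ("source", "dist"):
                url = (pkg.get(kind) or {}).get("url", "")
                if url and not url.startswith("https://"):
                    findings.append({"package": name, "issue": "insecure-url",
                                     "detail": url})

    for name in manifest.get("require", {}):
        if "/" not in name:
            continue  # platform requirement such as "php" or "ext-json"; never in the lock
        if name not in locked:
            findings.append({"package": name, "issue": "not-in-lock",
                             "detail": "composer.lock does not cover this requirement"})
    return findings


def pinned_reference(lock_text: str, name: str) -> Optional[str]:
    """Return the exact commit/tag reference the lock pins for a package, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg["name"] == name:
                return (pkg.get("dist") or pkg.get("source") or {}).get("reference")
    return None


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, SAMPLE_COMPOSER_JSON):
        print(f"{f['issue']:15} {f['package']:30} {f['detail']}")
```

Against the constructed input the script reports the dev-master branch and empty shasum on the google-translate entry, the plain-http dist URL on the made-up mirror package, and guzzlehttp/guzzle as required but not locked. Point it at a real project by reading composer.lock and composer.json from disk in place of the two sample strings.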

Pretty useful right?

Updating your composer.lock file

The composer.lock file is generated as a result of the composer install command. Whenever you need to add another package, you can run either composer update or composer install to update your composer.lock file along with the updated package versions.

Conclusion

I hope this somehow clears up the mystery of the composer.lock file. If not, leave us a comment below with your question. You can also follow us on Twitter.
