It's crucial to understand the difference between composer install and composer update.
Let's look at a Drupal 8 composer.json:
"require": {
    "composer/installers": "^1.2",
    "cweagans/composer-patches": "^1.6",
    "drupal-composer/drupal-scaffold": "^2.2",
    "drupal/admin_toolbar": "^1.23",
    "drupal/codesnippet": "^1.6",
    "drupal/console": "^1.0.2",
    "drupal/core": "^8.6.0",
    "drupal/inline_entity_form": "^1.0@beta",
    "drupal/menu_trail_by_path": "^1.1",
    "drupal/metatag": "^1.5",
    "drupal/panelizer": "^4.1",
    "drupal/panels": "^4.3",
    "drupal/paragraphs": "^1.2",
    "drupal/pathauto": "^1.1",
    "drupal/rabbit_hole": "^1.0@beta",
    "drupal/taxonomy_menu": "^3.3",
    "drupal/twig_tweak": "^2.0",
    "drush/drush": "^9.0.0",
    "vlucas/phpdotenv": "^2.4",
    "webflo/drupal-finder": "^1.0.0",
    "webmozart/path-util": "^2.3"
},
As you can see, no exact versions are specified, and:
"composer/installers": "^1.2",
is equal to:
"composer/installers": ">=1.2 <2.0",
It's clearer now, right? When you run composer update, Composer looks for the latest version that is at least 1.2 and below 2.0.
So let's say you have to update an application. You run composer update in your local environment and it works. Nice, right? But you deploy a few days later, and on the production server, after running composer update, there is a problem: a new version of some component has been released, and the application is down! You cannot simply update to the newest version; you want to use exactly the same vendor code that you have in your local environment. This is a case where you can be glad the composer.lock file exists. Open it and you will see the exact versions that you are using right now.
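To make the caret range and the role of composer.lock concrete, here is an added example (not code from the original post or from Composer itself) that expands caret constraints and checks that every required package is pinned in the lock file at a version inside its range. The function names and the sample lock contents are assumptions constructed for illustration; pre-release suffixes are ignored.

```python
import json
import re

def caret_range(constraint):
    """Expand '^1.2' (optionally with a flag such as '@beta') to (lower, upper)."""
    m = re.fullmatch(r"\^(\d+(?:\.\d+){0,2})(?:@\w+)?", constraint)
    if not m:
        raise ValueError(f"not a caret constraint: {constraint}")
    parts = [int(p) for p in m.group(1).split(".")]
    # The first non-zero component is the breaking boundary (^0.3 means <0.4.0).
    idx = next((i for i, p in enumerate(parts) if p), len(parts) - 1)
    upper = parts[:idx] + [parts[idx] + 1]
    pad = lambda v: tuple(v + [0] * (3 - len(v)))
    return pad(parts), pad(upper)

def parse_version(version):
    """Turn '1.6.2' or 'v1.6.2' into (1, 6, 2); pre-release suffixes are ignored."""
    nums = re.match(r"v?(\d+(?:\.\d+)*)", version).group(1).split(".")[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def satisfies(version, constraint):
    lower, upper = caret_range(constraint)
    return lower <= parse_version(version) < upper

def check_lock(composer_json, composer_lock):
    """Map each required package to its locked version, or to a problem string."""
    locked = {p["name"]: p["version"] for p in composer_lock["packages"]}
    report = {}
    for name, constraint in composer_json["require"].items():
        if name not in locked:
            report[name] = "MISSING from composer.lock"
        elif not satisfies(locked[name], constraint):
            report[name] = f"locked {locked[name]} violates {constraint}"
        else:
            report[name] = locked[name]
    return report

# Constructed sample data: constraints from the composer.json above, versions invented.
COMPOSER_JSON = json.loads('{"require": {"composer/installers": "^1.2",'
                           ' "drupal/metatag": "^1.5", "drupal/panels": "^4.3"}}')
COMPOSER_LOCK = json.loads('{"packages": ['
                           '{"name": "composer/installers", "version": "v1.6.0"},'
                           '{"name": "drupal/metatag", "version": "1.7.0"}]}')

if __name__ == "__main__":
    for name, status in check_lock(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(f"{name}: {status}")
    # 'composer update' may pick any of these; 'composer install' stays on the lock.
    print([v for v in ["1.6.0", "1.9.0", "2.0.0"] if satisfies(v, "^1.2")])
```

A package reported as missing or out of range means composer.lock no longer matches composer.json and should be regenerated and committed before deploying.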