Friday, May 20, 2022

[FIXED] How to composer install using a package's composer.lock file?

           No comments   

Issue

If I have:

  • a fresh project
  • no composer.lock
  • composer.json like the following
{
    "name": "fresh",
    "type": "library",
    "require": {
        "consolidation/robo": "3.0.3"
    }
}

Then run composer install It will install consolidation/robo and update the consolidation/robo internal dependencies instead of using the consolidation/robo internal composer.lock to get a known working version of the library.

How do to get composer install to use https://github.com/consolidation/robo/blob/3.0.3/composer.lock when installing consolidation/robo dependencies instead of running the equivalent of composer update on consolidation/robo?

Currently, it's retrieving a broken internal dependency and I have to outline it in my root composer.json which internal dependency should be retrieved. Where as the https://github.com/consolidation/robo/blob/3.0.3/composer.lock has the working version of the library.


Solution

That's the way composer is supposed to work.

Lockfiles for dependencies are ignored, that's by design. If the package you are using has broken version constraints (e.g. it says its compatible with ^2.1 of foo/bar, but in reality was only tested with versions >= 2.1.0 && <= 2.2.2, and installing version 2.3 of foo/bar breaks), it's either becuse foo/bar broke the semver promise, or because the package you depend on was not adequately tested.

What you can do is simply add in your root composer.json:

{
 "conflict":
     "foo/bar": ">=2.3"
}


Answered By - yivi
Answer Checked By - Robin (PHPFixing Admin)

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...