Good content takes time and effort to come up with.

Please consider supporting us by just disabling your AD BLOCKER and reloading this page again.

composer.json v/s composer.lock

07th May 2020 3 mins read
Share On     Share On WhatsApp     Share On LinkedIn

In this article, you will learn what is the difference between the following

  1. composer.json v/s composer.lock
  2. Composer Install & Composer Update
  3. Tip while using composer


You need to have composer installed on your computer or server.

Even if you don't have any knowledge of the composer that's totally fine. I have written a detailed article for it here What Is Composer? How Does It Work? Useful Composer Commands And Usage.

composer.json v/s composer.lock

Composer Update ( Refers composer.json file )

When you do composer update it will check for the composer.json file and updates all the packages/libraries that are listed in it & once the packages are updated it will rewrite new updates in composer.json & composer.lock file by deleting old package updates.

Basically, the following process takes place

  1. Read composer.json
  2. Remove installed packages that are not required in composer.json
  3. Check latest versions of required packages in composer.json from
  4. Install the latest versions of your packages
  5. Update composer.lock with installed packages version & even update composer.json file with it
  6. composer install

Eg: Let's take an example of this, in your composer.json file you may have this

"require": {
    "guzzlehttp/guzzle": "^6.3",

Think that you have installed the guzzle package for CURL requests 2 months back in your project with the version was 6.3.0.

When you do a composer update composer will go and check in its repositories if any new update available for the guzzle package. If any new update like 6.3.2 then it will go ahead and update the package to 6.3.2.

Along with updating the package, it will also update the composer.json and composer.lock file.

Composer Install ( Uses composer.lock file)

When you do composer install it will check for composer.lock file and install all the packages/libraries that are listed in composer.lock file.

This command won't update anything like composer update.

Basically, the following process takes place

1) composer.lock file 

  • If it does not exists then run composer-update and create it
  • If exists then read composer.lock file for installation of packages

2) Install the packages specified in the composer.lock file

Composer Install & Composer Update

Composer Install (Production, Development & Testing)

Use this command in any of the product stages ie Production, Development & Testing. As this won't have any effect on the composer.json & composer.lock file.

Composer Update (Development & Testing)

Use this command in the Development & Testing stages of your product only. This will update the composer.json & composer.lock files.

Be very cautious with this command

Tip While Using Composer

A few of the tips I would like to give you guys from my experiences are as follows

1) Add vendor folder in .gitignore

Yes! You saw it right. Make sure to put the vendor in .gitignore file if using GIT else similar file with other version control. When you use version control make sure to only commit composer.json & composer.lock file.

If any of your colleagues need to use this vendor folder then let them run composer install or composer update as per needs

2) Commit composer.lock file to production

Don't neglect the composer.lock while committing your code to production. Because in production you will be doing composer install if it doesn't find a composer.lock then it will update the composer.json file.


Hope this was helpful for you.

Author Image

Channaveer Hakari

I am a full-stack developer working at WifiDabba India Pvt Ltd. I started this blog so that I can share my knowledge and enhance my skills with constant learning.

Never stop learning. If you stop learning, you stop growing