Composer.lock in library

Question

I have an application using Composer here at work, and we commit the composer.lock file so our dev and prod are the same. But when creating a library that is installed by composer, should I commit the composer.lock file for the library as well? Or will that cause problems for our internal repo or for composer itself?

Answer 1

It's worth putting the composer.lock in a library for the same reason that you would put it in deployable projects; to allow you develop and test the library against exactly the same dependencies that were used in it's development.

This would be useful for your automated testing of libraries, as well as helping to quickly identify whether bugs in the library are caused either by a an actual bug in the library itself, or a bug/changed behaviour in one of it's dependencies. Or to put it more colloquially it help avoids the 'works for me' problem.

As Seldaek said, the composer.lock file for a library is not passed up to be used by a project that merely requires that library. It is only used when you are running composer in the root of the library.

So with a small benefit of adding it, and with no downside, I'd recommend adding it.

Answer 2

It won't cause any issue because the composer.lock is only used when you actually run composer install within the library's root directory. When it is installed as a dependency the dependencies' lock files are never taken into account.

That said, for libraries it indeed does not really make sense to commit a lock file, so feel free to .gitignore it. We just say to always commit it because that is what 99% of the people should do. If some library authors know better and ignore it in their libs that's fine, but it does not really matter either way.