Should the vendor folder be in source control?

Question

For instance, files like

/vendor/composer/classLoader.php
/vendor/composer/autoload_classmap.php

On a project I'm on these are checked in. I wasn't sure whether that's good practice or not, as I remember reading Laravel recommends /vendor to be in .gitignore.

Answer 1

No, your vendor folder is not part of your source code, and shouldn't be checked in in your git repository.

A good workflow would be :

• check in your composer.json
• whenever you want to upgrade your dependencies:
  • run composer update on your local repository
  • check in the changed composer.lock
  • Deploy and run composer install on your production repository

Why should you also check in composer.lock :

Your composer.json defines the acceptable versions of your dependencies that will be used when running composer update.

The problem that comes in when using only composer.json is to have reproducible builds (eg exactly the same versions of your dependencies in all your environments). That is why, when you run composer install, if there is a composer.lock file, composer will instead load the exact same dependencies as the ones written in the composer.lock file. Your composer.lock file is updated whenever you run composer update.

Answer 2

No, the vendor directory should be excluded, and never manually touched. A composer update / composer install will generate the class loader when you install your dependencies.