how to downgrade dependency of my dependencies version [composer]

Question

I did composer update recently. But new version of my dependencies what I got I completely don't like. I would say that I don't like dependency of my dependencies, it's more precise. Is there any way to roll back, except fetching from git history composer.lock?

Answer 1

There is no direct way of downgrading a dependency of a dependency; it takes some work:

1. Require the package in the desired version

   composer require aws/aws-sdk-php=3.158.17
   

   The dependency will be downgraded. It also gets added to composer.json which we don't want, because our application does not depend on it.

2. Simply removing the dependency with "composer remove" will upgrade the package to the lastest version which we don't want.

   So instead, manually remove the require line from composer.json and run composer update nothing to update the hash in composer.lock.

Answer 2

I've had a similar problem with laravel/passport =7.5.1, that depends on league/oauth2-server ^7.0, that requires lcobucci/jwt ^3.2.2. And at the time, lcobucci/jwt was updated to latest 3.4 version. But this sudden update introduces the bug, so everyone has to downgrade it to 3.3.*.

You can override the version of nested dependency needed or apply another version number constraint by simply putting it in require section of your top-level composer.json:

    "require": {
        ...
        "lcobucci/jwt": "3.3.*"
    }

Then don't forget to run composer update lcobucci/jwt, so it installs the right version of nested dependency and updates the record in composer.lock.