Muaath Alhaddad

Reputation: 361

"composer.lock" does not show the exact version

According to the composer documentation, composer.lock file should always record the exact packages' versions installed in the project.

However, sometimes I can see that some packages in composer.lock have no exact version number; rather, they have a range value such as "^7.0 || ^8.0".

What does that mean?

Upvotes: 3

Views: 298

Answers (1)

yivi

Reputation: 47329

You are likely not reading the version of the installed packages, which is indeed specified as a discrete version (e.g. 4.1.5, no range, just a specific version constraint), but the requirements of one of the installed packages.

If you are looking at the contents of packages, within composer.lock, only the root packages will have a discrete version number. E.g.:

{
    "_readme": "foo bar",
    "content-hash": "1098098s908019foobar",
    "packages": [
        {
            "name": "somevendor/somepackage",
            "version": "1.2.3" // <-- specific version, no range
            // etc
        }
    ]
}

But for each package the require and require-dev sections are included (among other things). So if you keep drilling down you'll see stuff like:

{
    "name": "somevendor/somepackage",
    "version": "1.2.3", // <-- specific version, no range
    "source": {
        "type": "git",
        "url": "https://github.com/somevendor/somepackage.git",
        "reference": "a035d3d2de85f762233aedbc6522f22ee29e5252"
    },
    "dist": {
        "type": "zip",
        "url": "https://api.github.com/repos/somevendor/somepackage/zipball/a035d3d2de85f762233aedbc6522f22ee29e5252",
        "reference": "a035d3d2de85f762233aedbc6522f22ee29e5252",
        "shasum": ""
    },
    "require": {
        "php": "^7.0 || ^8.0" // <-- like here
    }
}

etc.

That information is used by composer when installing/updating new packages, so it does not need to traverse all the package's composer.json files again each time.

But the specific version number for each installed package is correctly declared on composer.lock.

Upvotes: 4
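The distinction drawn in the answer above, as an added example that is not part of the original answer and is not Composer's own code: it separates each entry's locked `version` and source `reference` from the `require` ranges that entry declares, then flags entries that are not pinned to one revision. The sample lock data is constructed, and the function names and the pinning heuristic in `audit` are assumptions of this example.

```python
import json
import re

# Constructed composer.lock content in the shape shown in the answer above.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "somevendor/somepackage", "version": "1.2.3",
     "source": {"type": "git", "reference": "a035d3d2de85f762233aedbc6522f22ee29e5252"},
     "require": {"php": "^7.0 || ^8.0", "othervendor/lib": "~2.1"}},
    {"name": "othervendor/lib", "version": "v2.1.4",
     "source": {"type": "git", "reference": "0123456789abcdef0123456789abcdef01234567"},
     "require": {"php": ">=7.2"}}
  ],
  "packages-dev": [
    {"name": "devvendor/tool", "version": "dev-main",
     "source": {"type": "git", "reference": ""}}
  ]
}
""")

# Assumption of this example: operators and whitespace occur in constraints,
# not in a resolved version string.
CONSTRAINT_CHARS = re.compile(r"[\^~*<>|,=!\s]")

def locked_entries(lock):
    """Yield every package entry from both lock sections."""
    for section in ("packages", "packages-dev"):
        yield from lock.get(section, [])

def resolved_versions(lock):
    """Map package name -> (locked version, source commit reference)."""
    return {p["name"]: (p["version"], p.get("source", {}).get("reference", ""))
            for p in locked_entries(lock)}

def declared_constraints(lock):
    """Map package name -> its own require map, where ranges are expected."""
    return {p["name"]: p.get("require", {}) for p in locked_entries(lock)}

def audit(lock):
    """List (name, problem) for entries that are not pinned to one revision."""
    findings = []
    for name, (version, ref) in resolved_versions(lock).items():
        if CONSTRAINT_CHARS.search(version):
            findings.append((name, "version field holds a constraint"))
        elif (version.startswith("dev-") or version.endswith("-dev")) and not ref:
            findings.append((name, "branch version without a commit reference"))
    return findings
```

To run it against a real project, pass `json.load(open("composer.lock"))` to the same functions.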
