hbt

Reputation: 1067

How to composer install using a package's composer.lock file?

If I have:

{
    "name": "fresh",
    "type": "library",
    "require": {
        "consolidation/robo": "3.0.3"
    }
}

Then run composer install. It will install consolidation/robo and update the consolidation/robo internal dependencies instead of using the consolidation/robo internal composer.lock to get a known working version of the library.

How do I get composer install to use https://github.com/consolidation/robo/blob/3.0.3/composer.lock when installing consolidation/robo dependencies instead of running the equivalent of composer update on consolidation/robo?

Currently, it's retrieving a broken internal dependency and I have to outline in my root composer.json which internal dependency should be retrieved, whereas https://github.com/consolidation/robo/blob/3.0.3/composer.lock has the working version of the library.

Upvotes: 2

Views: 1365

Answers (1)

yivi

Reputation: 47329

That's the way composer is supposed to work.

Lockfiles for dependencies are ignored, that's by design. If the package you are using has broken version constraints (e.g. it says it's compatible with ^2.1 of foo/bar, but in reality was only tested with versions >= 2.1.0 && <= 2.2.2, and installing version 2.3 of foo/bar breaks), it's either because foo/bar broke the semver promise, or because the package you depend on was not adequately tested.

What you can do is simply add in your root composer.json:

{
    "conflict": {
        "foo/bar": ">=2.3"
    }
}

Upvotes: 2
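The answer's workaround is a hand-written "conflict" entry. The script below, an added example that is not part of the question or answer and not something Composer does itself, generalizes it: it reads the dependency's composer.lock (a constructed sample is embedded inline) and derives one "conflict" entry per locked package, blocking anything newer than the version the library was actually tested with, then emits a root composer.json in the shape of the question's. Branch versions ("dev-*") carry no ordering, so they are skipped.

```python
import json

# Constructed sample of a dependency's composer.lock (real ones are much larger).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "foo/bar", "version": "2.2.2"},
        {"name": "psr/log", "version": "v1.1.4"},
        {"name": "acme/tool", "version": "dev-main"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.10"},
    ],
})


def locked_versions(lock_json, include_dev=False):
    """Map package name -> version from a composer.lock document.
    'packages-dev' is the library's own test tooling, so it is skipped by default."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    versions = {}
    for section in sections:
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"]
    return versions


def conflict_constraints(versions):
    """One 'conflict' entry per locked package, as in the answer: refuse anything
    newer than the version the library was tested with. Branch versions ('dev-*')
    have no ordering, so no constraint can be derived from them."""
    return {
        name: ">" + version.lstrip("v")
        for name, version in sorted(versions.items())
        if not version.startswith("dev-")
    }


def root_composer_json(library, library_version, lock_json):
    """Root composer.json that requires the library and carries the derived conflicts."""
    return {
        "name": "fresh",
        "type": "library",
        "require": {library: library_version},
        "conflict": conflict_constraints(locked_versions(lock_json)),
    }


if __name__ == "__main__":
    print(json.dumps(root_composer_json("consolidation/robo", "3.0.3", SAMPLE_LOCK), indent=4))
```

Re-run it whenever you bump the library's version, since the derived conflicts only reflect the lock file of the version you fed in.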
