Composer lets you manage the dependencies of your project. But first of all, are you building an application or a library? If it's an application, you should commit the composer.lock to your version control. If it's a library, you should not do it. The vendor folder should never be part of your version control or uploaded to your server (find why here).
Basically:
- Set up the composer.json file with all your dependencies, project name, description, etc.
- Install Composer on your machine; getcomposer.org has great tutorials on how to do this. (Composer is also available as composer.phar, which is basically the Composer app in a single file. Download it and use php composer.phar [command...] instead of just composer.)
- Inside the project root, run composer install (or php composer.phar install if you have the composer.phar in your project). All of your dependencies will be installed, generating the vendor folder and updating the composer.lock if it already exists or creating it if not.
The composer.lock tells you about each dependency in your project. That is why you put it in the version control of an application, because you want to run the same version of the dependencies on your local machine and on your server.
And you don't do this with libraries, because you don't know what other developers' dependencies will be when they use your library.
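To make "the same version on your local machine and on your server" checkable, the following added example (not part of the original text) compares two composer.lock files and reports every package whose pin differs. The package names, versions and references are constructed sample data; `packages`, `packages-dev`, `version` and `source.reference` are the composer.lock fields it reads.

```python
import json

# Constructed sample data: the lock committed with the application, and a lock
# found on a server where dependencies were changed outside version control.
COMMITTED_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http", "version": "2.3.1", "source": {"reference": "aaa111"}},
        {"name": "acme/log", "version": "1.0.4", "source": {"reference": "bbb222"}},
    ],
    "packages-dev": [
        {"name": "acme/test", "version": "9.5.0", "source": {"reference": "ccc333"}},
    ],
})
SERVER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http", "version": "2.4.0", "source": {"reference": "ddd444"}},
        {"name": "acme/log", "version": "1.0.4", "source": {"reference": "eee555"}},
        {"name": "acme/cache", "version": "3.0.0", "source": {"reference": "fff666"}},
    ],
    "packages-dev": [
        {"name": "acme/test", "version": "9.5.0", "source": {"reference": "ccc333"}},
    ],
})

def pinned(lock_text):
    """Map package name -> (version, reference) for every locked package."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            # Prefer the VCS reference; fall back to the dist reference.
            ref = (pkg.get("source") or pkg.get("dist") or {}).get("reference")
            pins[pkg["name"]] = (pkg["version"], ref)
    return pins

def lock_drift(expected_text, actual_text):
    """Return (name, kind, expected_pin, actual_pin) for each differing package."""
    expected, actual = pinned(expected_text), pinned(actual_text)
    drift = []
    for name in sorted(expected.keys() | actual.keys()):
        if name not in actual:
            drift.append((name, "missing", expected[name], None))
        elif name not in expected:
            drift.append((name, "unexpected", None, actual[name]))
        elif expected[name] != actual[name]:
            # Same version string with a different reference means the code behind it changed.
            kind = "version" if expected[name][0] != actual[name][0] else "reference"
            drift.append((name, kind, expected[name], actual[name]))
    return drift

if __name__ == "__main__":
    for entry in lock_drift(COMMITTED_LOCK, SERVER_LOCK):
        print(entry)
```

An empty result means both environments resolve to exactly the same pinned packages.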