1
votes

Say the composer.lock file is git-ignored.

Now in production, on composer install, files are installed from composer.json and composer.lock is generated.

After a few days, I added a few packages to my composer.json and pushed the file to production.

On running composer install on the server, will it recognize the updated packages in the json file? Or does it just run the composer.lock file?

How does Composer handle this, since the json and lock files on the production server are out of sync now?

I have this question because other teams where I work prefer git-ignoring the lock file, and it seems to work out fine.

1
You are doing it wrong. Your composer.lock file should be committed. In production you should be doing composer install. See stackoverflow.com/questions/22104102/… - gview
@gview that's what I thought... but others seem to be fine without it, and that's what bugs me. - Azima
git-ignoring the composer.lock file is good practice for public packages with a regularly scheduled build-process but not for production applications. For production applications you need reproducible builds that are tested against the exact same set of dependencies. If you - for example - test your app on CI successfully and deploy afterwards but meanwhile some dependency itself was updated in a way that breaks your application ... your production system will go down upon deployment! - Nicolai Fröhlich
You could git-ignore the lock-file as long as you run composer update and then package the generated composer.lock together with your application for deployment during the build-process... if you do have a high enough test-coverage. But even then there's the risk of multiple developers checking out the same commit of your application but in fact developing against a different set of dependencies -> works-on-my-machine :) - Nicolai Fröhlich

1 Answer

1
votes

composer install will only recognize that there are changes in your composer.json and that the composer.lock file doesn't match.

You need to remove the composer.lock file and run composer install, or the better approach would be to run composer update. This will update existing packages if necessary and install all newly added packages, updating the composer.lock file as well.
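The answer above and the comments on the question both come down to one check: whether composer.lock still matches composer.json. Composer stores a "content-hash" in the lock file and compares it on install, which is where the "lock file is not up to date" warning comes from. The script below is an added example, not part of the original post or of Composer itself. It re-implements that content-hash comparison as I understand Composer's Locker::getContentHash() (relevant top-level keys of composer.json, sorted, encoded like PHP's json_encode, then md5), so a CI pipeline can fail a build before a stale lock reaches production. The key list, the PHP encoding approximation and the platform-package filter are assumptions; confirm against your Composer version with composer validate. The composer.json and composer.lock contents are constructed sample data, not real project files.

```python
"""CI gate: refuse to deploy when composer.lock is out of sync with composer.json.

Added example, not Composer's own code. The content-hash algorithm below is
an assumption modelled on Composer's Locker::getContentHash(); verify it
against your Composer version with `composer validate` before relying on it.
"""
import hashlib
import json

# Top-level keys of composer.json that feed the lock's content-hash (assumed list).
RELEVANT_KEYS = (
    "name", "version", "require", "require-dev", "conflict", "replace",
    "provide", "minimum-stability", "prefer-stable", "repositories", "extra",
)


def php_json_encode(value) -> str:
    """Approximate PHP json_encode() with default flags: no whitespace,
    non-ASCII as \\uXXXX escapes, and forward slashes escaped as \\/."""
    return json.dumps(value, separators=(",", ":"), ensure_ascii=True).replace("/", "\\/")


def content_hash(composer_json_text: str) -> str:
    """md5 over the lock-relevant subset of composer.json (assumed algorithm)."""
    content = json.loads(composer_json_text)
    relevant = {k: content[k] for k in RELEVANT_KEYS if k in content}
    platform = content.get("config", {}).get("platform")
    if platform is not None:
        relevant["config"] = {"platform": platform}
    # Equivalent of PHP ksort(): top-level key order in the file must not matter.
    ordered = {k: relevant[k] for k in sorted(relevant)}
    return hashlib.md5(php_json_encode(ordered).encode("utf-8")).hexdigest()


def _is_platform_package(name: str) -> bool:
    """php, ext-*, lib-* etc. are satisfied by the runtime, never locked (assumed set)."""
    return name == "php" or name == "hhvm" or name.startswith(("php-", "ext-", "lib-", "composer-"))


def lock_status(composer_json_text: str, composer_lock_text: str) -> dict:
    """Compare composer.json with composer.lock the way a CI gate would.

    in_sync  -> True when the lock's content-hash matches composer.json
    missing  -> packages required by composer.json but absent from the lock
    """
    manifest = json.loads(composer_json_text)
    lock = json.loads(composer_lock_text)
    locked = {p["name"] for p in lock.get("packages", [])}
    locked |= {p["name"] for p in lock.get("packages-dev", [])}
    required = set(manifest.get("require", {})) | set(manifest.get("require-dev", {}))
    required = {n for n in required if not _is_platform_package(n)}
    return {
        "in_sync": lock.get("content-hash") == content_hash(composer_json_text),
        "missing": sorted(required - locked),
    }


def deploy_allowed(composer_json_text: str, composer_lock_text: str) -> bool:
    """The gate itself: only an in-sync lock with every requirement locked may ship."""
    status = lock_status(composer_json_text, composer_lock_text)
    return status["in_sync"] and not status["missing"]


# --- constructed sample data (not real project files) -----------------------
COMPOSER_JSON_V1 = json.dumps({
    "name": "example/app",
    "require": {"php": ">=8.1", "monolog/monolog": "^3.0"},
    "minimum-stability": "stable",
    "prefer-stable": True,
}, indent=4)

# The lock file as it would look after `composer update` on V1 (package list abbreviated).
COMPOSER_LOCK_V1 = json.dumps({
    "content-hash": content_hash(COMPOSER_JSON_V1),
    "packages": [{"name": "monolog/monolog", "version": "3.5.0"}],
    "packages-dev": [],
})

# Days later a developer adds a package to composer.json but the lock is git-ignored.
COMPOSER_JSON_V2 = json.dumps({
    "name": "example/app",
    "require": {"php": ">=8.1", "monolog/monolog": "^3.0", "guzzlehttp/guzzle": "^7.8"},
    "minimum-stability": "stable",
    "prefer-stable": True,
}, indent=4)

if __name__ == "__main__":
    for label, manifest in (("v1", COMPOSER_JSON_V1), ("v2", COMPOSER_JSON_V2)):
        print(label, lock_status(manifest, COMPOSER_LOCK_V1), "deploy:", deploy_allowed(manifest, COMPOSER_LOCK_V1))
```

Run the gate in CI against the committed composer.lock and exit non-zero when deploy_allowed() is false; that turns the scenario in the question (json updated, lock stale on the server) into a failed build instead of a surprise dependency set in production. Because the hash is recomputed from composer.json only, reordering top-level keys in the manifest does not change it, while adding a requirement does.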