Closed ottok closed 3 years ago
I think it's okay to remove composer.lock from this repo. However, if using some kind of git-based deploy workflow, ignoring the composer.lock from version control lets `composer install` install untested versions in production.
I think that the .gitignore change is very risky.
Composer.lock only matters in development. As soon as the site is in production, the WordPress site will update its plugins, completely ignoring both composer.json and composer.lock. Having devs rely on composer.lock during development time might lead to misunderstandings about what it does and how reliable the file/mechanism is?
Good point! I think we should merge this, since the change is low risk and it becomes effective for new sites only by default.
Composer.json is enough to specify dependencies. Using a lock file does not make much sense in a WordPress environment where even version requirements are most of the time just '*' (latest version) and that is good enough for collaboration inside dev teams anyway.
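The two positions above turn on one question: which requirements in composer.json are actually pinned, and which are only pinned by composer.lock. The following is an added example, not code from this repository or the thread's participants, that audits a manifest against a lock file: it lists every non-platform require whose constraint admits more than one release (`*`, `^`, `~`, ranges, `dev-` branches) and reports what the lock file resolved it to, so a deploy script can refuse to run `composer install` when an unpinned dependency has no locked version. The composer.json and composer.lock contents are constructed samples; the package names are in the wpackagist naming style but the versions are illustrative and not taken from any real release.

```python
import json
import re

# Constructed sample manifest: a mix of an exact pin, caret ranges and the
# '*' constraint common in WordPress projects. Not from the repository.
COMPOSER_JSON = """
{
  "require": {
    "php": ">=7.4",
    "johnpbloch/wordpress-core": "6.4.2",
    "wpackagist-plugin/akismet": "*",
    "wpackagist-plugin/wordpress-seo": "^20.0"
  }
}
"""

# Constructed sample lock file with versions chosen for illustration only.
COMPOSER_LOCK = """
{
  "packages": [
    {"name": "johnpbloch/wordpress-core", "version": "6.4.2"},
    {"name": "wpackagist-plugin/akismet", "version": "5.3"},
    {"name": "wpackagist-plugin/wordpress-seo", "version": "20.13"}
  ],
  "packages-dev": []
}
"""

# Platform requirements (php, ext-*, lib-*) are satisfied by the host, not
# fetched from a registry, so they do not need locking.
PLATFORM_NAMES = {"php", "php-64bit", "hhvm", "composer-plugin-api", "composer-runtime-api"}

# An exact Composer version: optional leading v, up to four numeric parts,
# optional stability suffix such as -beta1 or -RC2.
EXACT_VERSION = re.compile(r"^v?\d+(\.\d+){0,3}(-[0-9A-Za-z.]+)?$")


def is_platform(name):
    """True for requirements that Composer resolves against the runtime."""
    return name in PLATFORM_NAMES or name.startswith(("ext-", "lib-"))


def is_unpinned(constraint):
    """True when a constraint can resolve to more than one release over time."""
    return EXACT_VERSION.match(constraint.strip()) is None


def locked_versions(composer_lock_text):
    """Map package name -> version as recorded in composer.lock."""
    lock = json.loads(composer_lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    return {pkg["name"]: pkg["version"] for pkg in packages}


def audit(composer_json_text, composer_lock_text=None):
    """Return {name: {"constraint": ..., "locked": ...}} for each non-platform
    require whose constraint is unpinned. "locked" is the version the lock file
    resolved it to, or None when there is no lock file or no entry for it."""
    manifest = json.loads(composer_json_text)
    locked = locked_versions(composer_lock_text) if composer_lock_text else {}
    report = {}
    for name, constraint in manifest.get("require", {}).items():
        if is_platform(name) or not is_unpinned(constraint):
            continue
        report[name] = {"constraint": constraint, "locked": locked.get(name)}
    return report


def deploy_is_reproducible(composer_json_text, composer_lock_text=None):
    """True only when every unpinned require is covered by composer.lock, i.e.
    `composer install` on the deploy target cannot pick a version nobody tested."""
    return all(entry["locked"] is not None
               for entry in audit(composer_json_text, composer_lock_text).values())


if __name__ == "__main__":
    for name, entry in audit(COMPOSER_JSON, COMPOSER_LOCK).items():
        print(f"{name}: constraint {entry['constraint']!r} -> locked {entry['locked']}")
    print("with lock file:   ", deploy_is_reproducible(COMPOSER_JSON, COMPOSER_LOCK))
    print("without lock file:", deploy_is_reproducible(COMPOSER_JSON, None))
```

With the sample inputs the audit flags akismet and wordpress-seo (the exact `6.4.2` pin and the `php` platform requirement are skipped); the same manifest passes with the lock file present and fails without it, which is the case the first comment worries about in a git-based deploy. Note that the function only checks whether a locked version exists, not whether it was reviewed; that part remains a team process.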