Seravo / wordpress

The WordPress project layout used by many of Seravo's customers, suitable also for local development with Vagrant and git deployment
https://seravo.com
GNU General Public License v3.0
102 stars 54 forks

Stop tracking the composer.lock in git #156

Closed ottok closed 3 years ago

ottok commented 3 years ago

Composer.json is enough to specify dependencies. Using a lock file does not make much sense in a WordPress environment where even version requirements are most of the time just '*' (latest version) and that is good enough for collaboration inside dev teams anyway.

elguitar commented 3 years ago

I think it's okay to remove composer.lock from this repo. However, if using some kind of git-based deploy workflow, ignoring the composer.lock from version control lets the composer install install untested versions in production.

I think that the .gitignore change is very risky.
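
The concern in the comment above can be checked before a git-based deploy by listing which requirements have no pinned version. This Python sketch is an added example, not code from this thread or from the Seravo project; the sample `composer.json` and `composer.lock` contents, the `example-*` package names, and the functions `is_exact` and `floating_packages` are constructed for illustration.

```python
import json
# Constructed sample files for illustration; not taken from the Seravo repository.
COMPOSER_JSON = """{
  "require": {
    "php": ">=7.4",
    "johnpbloch/wordpress": "*",
    "wpackagist-plugin/example-forms": "*",
    "wpackagist-plugin/example-cache": "1.4.2",
    "wpackagist-theme/example-theme": "^2.0"
  }
}"""
COMPOSER_LOCK = """{
  "packages": [
    {"name": "johnpbloch/wordpress", "version": "5.8.1"},
    {"name": "wpackagist-plugin/example-forms", "version": "3.2.0"},
    {"name": "wpackagist-plugin/example-cache", "version": "1.4.2"}
  ]
}"""

def is_exact(constraint):
    """True only for a single fixed version such as '1.4.2' or 'v1.4.2'."""
    c = constraint.strip().lstrip("=v")
    return bool(c) and all(part.isdigit() for part in c.split("."))

def floating_packages(composer_json, composer_lock=None):
    """Classify each required package as locked:<v>, exact:<v> or floating:<constraint>.
    Floating entries are resolved at install time, so each deploy may get a new version.
    Only direct requirements are checked; without a lock, transitive ones float too."""
    require = json.loads(composer_json).get("require", {})
    locked = {}
    if composer_lock is not None:
        lock = json.loads(composer_lock)
        for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
            locked[pkg["name"]] = pkg["version"]
    report = {}
    for name, constraint in require.items():
        if name == "php" or name.startswith("ext-"):
            continue  # platform requirements, not installed packages
        if name in locked:
            report[name] = "locked:" + locked[name]
        elif is_exact(constraint):
            report[name] = "exact:" + constraint
        else:
            report[name] = "floating:" + constraint
    return report

if __name__ == "__main__":
    for label, lock in (("lock tracked", COMPOSER_LOCK), ("lock ignored", None)):
        print(label, floating_packages(COMPOSER_JSON, lock))
```

With the lock tracked, only the theme that is missing from the lock floats; with the lock ignored, every `*` and `^` requirement does.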

ottok commented 3 years ago

Composer.lock only matters in development. As soon as the site is in production, the WordPress site will update its plugins completely ignoring both composer.json and composer.lock. Having devs rely on composer.lock during development time might lead to misunderstandings about what it does and how reliable the file/mechanism is..?

elguitar commented 3 years ago

Good point! I think we should merge this, since the change is low risk and it becomes effective for new sites only by default.