Closed colinodell closed 5 years ago
According to Composer documentation composer.lock
should be versioned in the project, to make sure that the versions of all dependencies are consistent with each release. Otherwise, users could run composer install
and get dependency versions untested with the release they're using, and get broken code.
For projects I totally agree. However, this is a library, so only you and contributors to this plugin would be locked to those exact versions - WP site maintainers who install this plugin would not be subject to this restriction and can use any dependency versions within the ranges found in composer.json
. See http://stackoverflow.com/a/24247443/158766.
If composer.lock
is removed, Travis will automatically test using the latest dependency versions. However, you can add another entry to the test matrix which automatically tests the oldest supported versions - see https://github.com/thephpleague/commonmark/blob/master/.travis.yml#L13 for an example.
Here's an example of what I mean - drop this composer.json
into a temporary folder somewhere and run composer install
or composer update
:
{
"name": "test/my-awesome-wp-site",
"description": "Pretend this is a WordPress project",
"repositories":[
{
"type":"composer",
"url":"https://wpackagist.org"
}
],
"require": {
"composer/installers": "1.0.19",
"wpackagist-plugin/featured-image-caption": "0.8.4"
}
}
Note that we're requiring a version of composer/installers
which is older than what you've locked but still allowed by your composer.json
.
Users installing this plugin via composer won't be bound by the
composer.lock
file. This means it's only locking the versions for those developing this project. It's therefore recommended to not version thecomposer.lock
as you won't necessarily be testing against the latest versions of the dependencies unless you manually runcomposer update
frequently.