I'm a little confused with composer.lock used in an application with a repository.
I saw many people saying that we should not .gitignore
If you’re concerned about your code breaking, you should commit the composer.lock to your version control system to ensure all your project collaborators are using the same version of the code. Without a lock file, you will get new third-party code being pulled down each time.
The exception is when you use meta apps, libraries where the dependencies should be updated on install (like the Zend Framework 2 Skeleton App). So the aim is to grab the latest dependencies each time when you want to start developing.
Source: Composer: It’s All About the Lock File
See also: What are the differences between composer update and composer install?
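The answer above makes the point that composer.json holds version ranges while composer.lock pins the exact versions every collaborator gets. As an added illustration (not code from the original post, from the linked article, or from Composer itself), the Python script below reads a constructed pair of composer.json and composer.lock, lists what the lock pins, flags requirements the lock does not cover (the situation you get when someone edits composer.json without running `composer update` and committing the lock), and checks simple caret constraints against the pinned versions. The sample manifests, the package names and the version numbers are constructed for the example; the caret check only handles `^X.Y[.Z]` constraints with major version 1 or higher and is not Composer's full constraint parser.

```python
import json

# Constructed sample composer.json: what developers edit, containing version ranges.
COMPOSER_JSON = """
{
  "require": {
    "php": "^7.4 || ^8.0",
    "monolog/monolog": "^2.0",
    "symfony/console": "^5.4"
  },
  "require-dev": {
    "phpunit/phpunit": "^9.5"
  }
}
"""

# Constructed sample composer.lock: exact versions as resolved by `composer update`.
# phpunit/phpunit is deliberately missing to simulate a lock that was not regenerated.
COMPOSER_LOCK = """
{
  "packages": [
    {"name": "monolog/monolog", "version": "2.3.5",
     "source": {"type": "git", "reference": "CONSTRUCTED_COMMIT_A"}},
    {"name": "symfony/console", "version": "v5.4.2",
     "source": {"type": "git", "reference": "CONSTRUCTED_COMMIT_B"}}
  ],
  "packages-dev": []
}
"""


def locked_versions(lock_text):
    """Map package name -> exact version pinned in composer.lock (prod and dev)."""
    lock = json.loads(lock_text)
    pinned = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            pinned[pkg["name"]] = pkg["version"]
    return pinned


def required_constraints(json_text):
    """Map package name -> constraint from composer.json, skipping platform packages."""
    manifest = json.loads(json_text)
    required = {}
    for key in ("require", "require-dev"):
        for name, constraint in manifest.get(key, {}).items():
            # "php" and "ext-*" describe the runtime, not packages, so they never appear in the lock.
            if name == "php" or name.startswith("ext-"):
                continue
            required[name] = constraint
    return required


def lock_drift(json_text, lock_text):
    """Return requirements present in composer.json that the lock does not pin."""
    required = required_constraints(json_text)
    pinned = locked_versions(lock_text)
    return sorted(name for name in required if name not in pinned)


def _parts(version):
    """Split '2.3.5' or 'v5.4' into a list of three integers."""
    nums = [int(x) for x in version.lstrip("v").split(".")]
    return (nums + [0, 0, 0])[:3]


def satisfies_caret(constraint, version):
    """Check a simple caret constraint (^X.Y.Z, X >= 1): same major, version >= base.
    Returns None for constraints this simplified checker does not understand."""
    if not constraint.startswith("^") or " " in constraint or "|" in constraint:
        return None
    base = _parts(constraint[1:])
    current = _parts(version)
    if base[0] < 1:
        return None  # caret on 0.x has different rules; left out of this example
    return current[0] == base[0] and current >= base


def report(json_text, lock_text):
    """Combine the checks into one summary dict that a CI step could print or fail on."""
    required = required_constraints(json_text)
    pinned = locked_versions(lock_text)
    mismatched = sorted(
        name for name, constraint in required.items()
        if name in pinned and satisfies_caret(constraint, pinned[name]) is False
    )
    return {
        "pinned": pinned,
        "missing_from_lock": lock_drift(json_text, lock_text),
        "constraint_mismatch": mismatched,
    }


if __name__ == "__main__":
    print(json.dumps(report(COMPOSER_JSON, COMPOSER_LOCK), indent=2))
```

Running the script with the constructed input reports the two pinned packages, lists `phpunit/phpunit` as missing from the lock, and finds no constraint mismatches. In a real project the same idea can be run against the files on disk as a pre-commit or CI check, so that a composer.json edit cannot land without a regenerated and committed composer.lock.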