Question
I understand that composer.lock is meant to pin down the exact version of the installed dependencies. But what purpose does the vendor/composer/installed.json file play?
Both contain JSON and both are generated automatically.
Answer 1:
composer.lock is generated when installing for the first time or updating. It contains references to the exact versions used. It should be committed into the version tracking repository to allow restoring this exact combination of libraries.
installed.json is an internal file of Composer. It's used when you remove a package manually from composer.json to remove the files from the vendor directory. Otherwise, the old vendor package would be around forever.
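Since composer.lock records what should be installed and installed.json records what Composer actually placed in vendor/, comparing the two shows whether vendor/ has drifted from the locked set. The script below is an added example, not part of the original answer or Composer's own code; it assumes each package entry carries `name`, `version` and a `dist` or `source` `reference`, and that installed.json is either a bare list (Composer 1) or an object with a `packages` key (Composer 2). The sample data is constructed.

```python
import json
import sys

def _index(packages):
    """Map package name -> (version, dist or source reference)."""
    out = {}
    for p in packages:
        ref = (p.get("dist") or {}).get("reference") or (p.get("source") or {}).get("reference")
        out[p["name"]] = (p.get("version"), ref)
    return out

def vendor_drift(lock, installed, include_dev=True):
    """Compare parsed composer.lock with parsed vendor/composer/installed.json."""
    locked = list(lock.get("packages") or [])
    if include_dev:
        locked += lock.get("packages-dev") or []
    # Assumption: Composer 1 wrote a bare list, Composer 2 wraps it in "packages".
    inst = installed if isinstance(installed, list) else installed.get("packages") or []
    want, have = _index(locked), _index(inst)
    return {
        "missing": sorted(set(want) - set(have)),    # locked but not in vendor/
        "unlocked": sorted(set(have) - set(want)),   # in vendor/ but not locked
        "changed": sorted(n for n in set(want) & set(have) if want[n] != have[n]),
    }

def _pkg(name, version, ref):
    return {"name": name, "version": version, "dist": {"type": "zip", "reference": ref}}

# Constructed sample data; package names and references are placeholders.
SAMPLE_LOCK = {
    "packages": [_pkg("example/lib-a", "1.2.0", "aaa111"), _pkg("example/lib-b", "2.0.1", "bbb222")],
    "packages-dev": [_pkg("example/test-c", "3.1.0", "ccc333")],
}
SAMPLE_INSTALLED = {"packages": [
    _pkg("example/lib-a", "1.2.0", "aaa111"),
    _pkg("example/lib-b", "2.0.1", "fff999"),    # same version, different reference
    _pkg("example/stale-d", "0.9.0", "ddd444"),  # left in vendor/, absent from lock
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py composer.lock vendor/composer/installed.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            report = vendor_drift(json.load(a), json.load(b))
    else:
        report = vendor_drift(SAMPLE_LOCK, SAMPLE_INSTALLED)
    print(json.dumps(report, indent=2))
    sys.exit(1 if any(report.values()) else 0)
```

A non-zero exit makes the check usable as a CI gate: a `changed` entry means the code in vendor/ came from a different reference than the one pinned in the lock file.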
Source: https://stackoverflow.com/questions/19434827/whats-the-difference-between-composer-lock-and-installed-json