Composer.json getting latest package version and - composer-php

For each new project, I want to:
Get the latest versions of all packages inside composer.json
Once I have them I no longer want to get the latest - just the version of the first run.
I know I could manually specify latest versions from packagist.org, but ideally I'd like this automated.
I hope this makes sense.
Thanks

The latest package:
"require": {
    "namespace/libname": "#dev"
}
After installing this package, Composer will dump all info (and version) to composer.lock. Do not remove this file and do not use composer update.
Always use composer install, because this will force Composer to look into the composer.lock file for the package version.

Running composer require vendor/package will consult packagist.org for the most current released version and add both the latest release and the version requirement to get this release and compatible updates later.
This will install only stable versions.
After the initial install, you have two options:
composer install will again install the previously found packages.
composer update will look for updated packages that match the version requirement.
Never run update unattended. A developer should run this consciously and then run the test suite to determine if everything still works (or the continuous integration job does it if available). Especially only run install when deploying to production.

Related

Installing Prestashop developer version

I wonder if anyone has experience installing the Prestashop 1.7 dev version on Windows 10? I cloned the developer version of Prestashop from the official git repo and initiated the install. The install asks me to run the command "php composer.phar install", so I did, and I get the following error when I do:
Problem 1
- composer/installers is locked to version v1.7.0 and an update of this package was not requested.
- composer/installers v1.7.0 requires composer-plugin-api ^1.0 -> found composer-plugin-api[2.0.0] but it does not match your constraint.
Use the option --with-all-dependencies to allow updates and removals for packages currently locked to specific versions.
You are using a snapshot build of Composer 2, which some of your plugins seem to be incompatible with. Make sure you update your plugins or report an issue to them to ask them to support Composer 2. To work around this you can run Composer with --ignore-platform-reqs, but this will also ignore your PHP version and may result in bigger problems down the line.
I am running the latest version of composer on Windows 10 and am at a complete loss on how to proceed any further therefore any help would be appreciated.
According to the Prestashop team their development build is not yet compatible with Composer 1.10.5 hence the errors I encountered.
Thanks.

Updating mirrors in composer.lock?

Is there a way to update the .lock file regarding mirrors, without updating versions?
I've started using toran, but it appears composer install is still using github for installing.
composer update updated some libraries, but many of the ones I'm using have not had a version change, and their entry in the .lock appears to be unchanged by the addition of a mirror.
To force Composer into reevaluating all of its install history for a project you should delete vendor/composer/installed.json, which is the internal cache file for what is installed and how. If you remove it and then composer install it will re-evaluate and reprocess the entire installation according to the settings in composer.json and the state in composer.lock.
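An added example, not taken from any of the posts on this page: a small check a CI job could run before composer install to confirm that composer.lock really pins what composer.json requires, and to list the host each locked dist archive would be downloaded from, which is what the mirror question above is about. The acme/* package names, the URLs and both sample files are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample files; package names and URLs are placeholders.
MANIFEST = json.loads("""{
  "require": {"php": ">=7.2", "acme/http": "^2.1", "acme/dev-lib": "dev-master",
              "acme/forgotten": "^1.0"}
}""")
LOCK = json.loads("""{
  "packages": [
    {"name": "acme/http", "version": "2.3.1",
     "dist": {"type": "zip", "url": "https://mirror.example.test/acme/http/2.3.1.zip",
              "reference": "1111111111111111111111111111111111111111"}},
    {"name": "acme/dev-lib", "version": "dev-master",
     "dist": {"type": "zip", "url": "https://api.github.com/repos/acme/dev-lib/zipball/x",
              "reference": null}}
  ],
  "packages-dev": []
}""")

PLATFORM = ("php", "hhvm", "composer-plugin-api", "composer-runtime-api")

def is_platform(name):
    """Platform requirements (php, ext-*, lib-*) are never listed as locked packages."""
    return name in PLATFORM or name.startswith(("ext-", "lib-"))

def audit(manifest, lock):
    """Return (package, problem) pairs that make `composer install` non-reproducible."""
    locked = {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    findings = []
    for section in ("require", "require-dev"):
        for name in manifest.get(section, {}):
            if is_platform(name):
                continue
            pkg = locked.get(name)
            if pkg is None:
                findings.append((name, "required but not locked"))
            elif pkg["version"].startswith("dev-") and not (
                    pkg.get("source", {}).get("reference") or pkg.get("dist", {}).get("reference")):
                findings.append((name, "branch version without a pinned commit"))
    return findings

def download_hosts(lock):
    """Map each locked package to the host its dist archive would be fetched from."""
    pkgs = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: urlparse(p["dist"]["url"]).hostname for p in pkgs if "dist" in p}

if __name__ == "__main__":
    print(audit(MANIFEST, LOCK), download_hosts(LOCK))
```
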

Manually install Parse PHP SDK without Composer

I've got a client on a shared hosting environment (which I can't change) and I'm needing to install the Parse PHP SDK, but the host won't allow me to install the Composer package manager. Does anyone else know of a manual install method?
If you have wget/unzip available, just download the latest release zip (below the release, this file).
Use unzip to unpack package and load it with PSR-4 autoloading (the composer's approach).
Composer isn't meant to be an installer, so you are not expected to run Composer on the production machine. What would happen if during your update process Github would be down? No new website version! And maybe also no old version.
Run Composer somewhere else, and then upload the result to the server, after you verified that everything went well.

composer update on PROD server

There's always been a note in many Readmes of composer-based projects:
Never run composer update on production server
However, there are times that we want to run composer update on PROD servers to keep current (of course after a thorough test on local server). What's the best way to do that?
You should run on local server.
composer update
Next you should test application and add composer.lock to repository. And on PROD server you should run
composer install
composer update is checking if there are any new versions of the packages available within the limits of the versions given. This will unconditionally install new packages if they are eligible. After that you have to test.
composer install will install whatever is mentioned in the lock file, and if the currently installed packages are not the ones mentioned there, they will get uninstalled or updated.
Of course you want to "update" the prod application. But to update the packages, you run composer install which will update the packages to the TESTED state in the lock file - not to an UNTESTED state because newer versions did appear after you tested.

Composer Best Practise?

I work in a team with ~15 developers and we've been asking ourselves: What is the best practise to work with composer?
Our composer.json has ~5 packages. We use Bamboo as a Continuous Integration system and Subversion.
Today, we run composer self-update / composer update and commit the vendor folder into the repository.
It feels kind of wrong to do that. What is the best practise?
You put the requirements (dev and normal) in the composer.json file
You run composer update to update all dependencies
This command creates a composer.lock file, which records which versions of the dependencies are used.
Commit that file and exclude (ignore) the vendor/ directory
Whenever you want to install the dependencies, you run composer install. This will install all dependencies with the versions stored in the composer.lock file. This means that everyone has the same versions.
Once a week, someone runs composer update to update all dependencies and create a new composer.lock file with the updated versions.
This file gets committed
Everyone runs composer install (once a day or once in 2 days) and gets the new versions installed.
