# Composer Lock File Policy
## Rule
composer.lock MUST be committed for applications and MUST NOT be committed for library packages.
## Requirements
1. **Applications** — always commit composer.lock (Laravel, Symfony, WordPress)
2. **Libraries** — add composer.lock to .gitignore (Packagist packages)
3. **CI/CD** — always use `composer install` (installs exactly the versions pinned in composer.lock; never `composer update`)
4. **Updates** — use `composer update package/name` for targeted updates
5. **Review** — review composer.lock diffs in pull requests
## Examples
### Good — Application .gitignore
```gitignore
/vendor/
# Do NOT ignore composer.lock for applications
```
### Good — Library .gitignore
```gitignore
/vendor/
composer.lock
```
### Good — Update Workflow
```bash
# Update a specific package
composer update guzzlehttp/guzzle
# Update all packages (review carefully)
composer update
# Check what would be updated (dry run)
composer update --dry-run
# Review lock file changes
git diff composer.lock
```
### Bad
```bash
# Running update in CI — installs untested versions
composer update --no-dev --prefer-dist # WRONG
# Correct CI command
composer install --no-dev --prefer-dist # RIGHT
```
## Enforcement
CI pipelines must use `composer install`. Add a CI check that verifies composer.lock exists for application repositories. Use pre-commit hooks to prevent accidental lock file removal.
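An added example, not part of the policy above, of the CI check the Enforcement section asks for: a POSIX shell function with the hypothetical name `check_lock_policy` that fails for an application repository lacking composer.lock (or ignoring it) and for a library repository that does not ignore it. It inspects only the working tree, so it runs before `composer install` and needs no network.

```shell
#!/bin/sh
# check_lock_policy <repo_dir> <application|library>
# Exit 0 when the repository follows the composer.lock rule, 1 when it does not.
# Hypothetical helper for a CI step; not part of Composer itself.
check_lock_policy() {
  repo="$1"
  kind="$2"
  lock="$repo/composer.lock"
  ignore="$repo/.gitignore"

  # Is composer.lock listed in .gitignore? Accepts "composer.lock" or "/composer.lock".
  ignored=0
  if [ -f "$ignore" ] && grep -Eq '^/?composer\.lock[[:space:]]*$' "$ignore"; then
    ignored=1
  fi

  case "$kind" in
    application)
      # Applications must ship a lock file and must not ignore it.
      if [ ! -f "$lock" ]; then
        echo "FAIL: $repo is an application but has no composer.lock" >&2
        return 1
      fi
      if [ "$ignored" -eq 1 ]; then
        echo "FAIL: $repo is an application but .gitignore excludes composer.lock" >&2
        return 1
      fi
      ;;
    library)
      # Libraries must keep the lock file out of version control.
      if [ "$ignored" -eq 0 ]; then
        echo "FAIL: $repo is a library but composer.lock is not in .gitignore" >&2
        return 1
      fi
      ;;
    *)
      echo "usage: check_lock_policy <repo_dir> <application|library>" >&2
      return 2
      ;;
  esac
  echo "OK: $repo follows the composer.lock policy for a $kind"
  return 0
}
```

Call it from the pipeline as `check_lock_policy "$CI_PROJECT_DIR" application` (or `library`) as the first step, so a missing or ignored lock file stops the build before any dependency resolution happens.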