problem statement
We often have to add extension packages to existing projects, sometimes due to misguided documentation, as shown in the following image from this documentation:
The composer update command in our current logic may cause huge harm to the project.
Because the logic of composer update is to update all extension packages to the latest version according to the extension package version rules specified in composer.json. Note that it is all extension packages. For example, you used monolog at the beginning of the project. Configuration information is
"monolog/monolog": "1.*",- 1
The monolog version 1.1 is installed, and now, more than a month later, the monolog is already 1.2. After running the command, it is directly updated to 1.2. At this time, the project has not been tested for 1.2, and the project suddenly becomes very unstable. Sometimes it's worse than this, especially in a huge project where you don't write full coverage tests for the project and you don't know what's broken.
So which command should I use? install, update or require?
Next we explain them one by one.
simple explanation
composer install - 如有 composer.lock 文件,直接安装,否则从 composer.json 安装最新扩展包和依赖;
composer update - 从 composer.json 安装最新扩展包和依赖;
composer update vendor/package - 从 composer.json 或者对应包的配置,并更新到最新;
composer require new/package - 添加安装 new/package, 可以指定版本,如: composer require new/package ~2.5.- 1
- 2
- 3
- 4
process
Let's introduce a few daily production processes to facilitate your understanding.
Process 1: The new project process
creates composer.json and adds the extension package it depends on;
run composer install, install the extension package and generate composer.lock;
submit composer.lock to the code version controller, such as: git;
Process 2: After the project collaborator installs the existing project
and clones the project, run composer install directly in the root directory to install the specified version of the extension package and its dependencies from composer.lock;
This process applies to the deployment of production code.
Process 3: Add a new extension package to the project
Use composer require vendor/package to add extension packages;
submit the updated composer.json and composer.lock to the code version controller, such as: git;
About the composer.lock file
The composer.lock file saves the version record of each code dependency (see the figure below), submits it to the version controller, and uses it with composer install to ensure that all the collaborators in the team run in the development environment and the online production environment. Code version consistency.
How to install the extension pack
So, to add an extension package, install, update, require three commands can be used to install the extension package, which one is the correct one to choose?
The answer is: use the composer require command
In addition, after manually modifying composer.json to add the extension package, composer update new/package can be installed correctly by specifying the way to update the extension package, but this method is not recommended, because once you forget to finalize the subsequent extension package Name, you will enter a state of doom, don't leave a hole for yourself.
The above concepts are confusing for both novice and veteran, mainly remember this concept:
Newly added extensions to the original project are installed using composer require new/package.
If you need a version
composer require "foo/bar:1.0.0"- 1
Update the specified extension to the specified version
Sometimes the extension package you have used before has added new functions. If you want to update the extension package to the specified version, you can also use require to operate.
As in the example below, you need to update "sami/sami": "3.0." to "sami/sami": "3.2."
Command line run: 
finished