26

I understand that composer.lock is meant to pin down the exact version of the installed dependencies. But what purpose does the vendor/composer/installed.json file play?

Both contain JSON and both are generated automatically.

scribu

2 Answers

31

composer.lock is generated when installing for the first time or updating. It contains references to the exact versions used. It should be committed into the version tracking repository to allow restoring this exact combination of libraries.

installed.json is an internal file of Composer. It's used when you remove a package manually from composer.json to remove the files from the vendor directory. Otherwise, the old vendor package would be around forever.

Balu Ertl
Sven
  • The reason I asked was precisely because I'm working on a project where the `vendor/` dir is under version control, for reasons I won't go into here. In such a scenario, it seems prudent to commit it along with everything else. – scribu Oct 17 '13 at 21:06
  • 1
    A very valid reason would be that the deployment process does not currently allow fetching the dependencies independently. But even in that case I wouldn't even try to touch anything inside `vendor`, only commit it as it is after the install/update. – Sven Oct 17 '13 at 21:44
  • Should I push installed.json or not? – Zaid Khan Oct 28 '19 at 10:44
  • Might anything be messed up when installed.json is deleted then? – Lokomotywa Sep 14 '20 at 12:00
  • Couldn't Composer just as easily refer to `composer.lock` instead of `installed.json` when a package is manually removed from `composer.json`? – Dom Feb 08 '21 at 23:12
  • Pay attention when you change a package repository source URL, i.e. if you fork a repo to use a custom version: it seems Composer will ignore the new URL. I suspect installed.json must be modified to remove the old URL. – MatteoOreficeIT Mar 24 '23 at 12:32
1

installed.json appears to be used by Composer as an internal repository to keep track of what has actually been installed in the vendor directory.

I've read that composer.lock is what should be installed and installed.json is what is installed. This makes some sense in the context that it's valid to have a composer.lock file without a vendor directory. You run composer install and it will install the packages listed in composer.lock and write them to installed.json.

Composer's codebase treats installed.json as a local repository. The contents are loaded into a variable of type InstalledRepositoryInterface which is named localRepository.

Dom
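The "what should be installed" versus "what is installed" distinction can be checked mechanically, which matters when `vendor/` is committed or a package source URL has been changed, as in the comments above. The following is an added example, not code from the answers or from Composer: it assumes the `packages`/`packages-dev` arrays of `composer.lock` and the `packages` key of a Composer 2 `installed.json` (a bare list in Composer 1), and all package names, URLs and references are constructed.

```python
import json

FIELDS = ("version", "source-url", "reference")

def load_packages(doc):
    """Map package name -> entry for a parsed composer.lock or installed.json."""
    if isinstance(doc, list):  # Composer 1 installed.json is a bare list
        entries = doc
    else:  # composer.lock, or Composer 2 installed.json ({"packages": [...]})
        entries = doc.get("packages", []) + doc.get("packages-dev", [])
    return {e["name"].lower(): e for e in entries}

def fingerprint(entry):
    src, dist = entry.get("source") or {}, entry.get("dist") or {}
    return (entry.get("version"), src.get("url"),
            src.get("reference") or dist.get("reference"))

def drift(lock_doc, installed_doc):
    """List (package, issue) pairs where vendor/ state departs from the lock."""
    locked, installed = load_packages(lock_doc), load_packages(installed_doc)
    findings = []
    for name in sorted(locked.keys() | installed.keys()):
        if name not in installed:
            findings.append((name, "locked-but-not-installed"))
        elif name not in locked:
            findings.append((name, "installed-but-not-locked"))
        else:
            pairs = zip(FIELDS, fingerprint(locked[name]), fingerprint(installed[name]))
            changed = [field for field, want, have in pairs if want != have]
            if changed:
                findings.append((name, "differs: " + ", ".join(changed)))
    return findings

def pkg(name, version, url, ref):  # helper for the constructed sample data
    return {"name": name, "version": version,
            "source": {"type": "git", "url": url, "reference": ref}}

# Constructed sample documents; real use: json.load(open("composer.lock")) etc.
LOCK = {"packages": [pkg("acme/logger", "1.2.0", "https://example.test/acme/logger.git", "aaa111"),
                     pkg("acme/http", "2.0.1", "https://example.test/fork/http.git", "bbb222")],
        "packages-dev": [pkg("acme/testkit", "0.9.0", "https://example.test/acme/testkit.git", "ccc333")]}
INSTALLED = {"packages": [pkg("acme/logger", "1.2.0", "https://example.test/acme/logger.git", "aaa111"),
                          pkg("acme/http", "2.0.1", "https://example.test/acme/http.git", "bbb222"),
                          pkg("acme/old-lib", "0.3.0", "https://example.test/acme/old-lib.git", "ddd444")],
             "dev": True, "dev-package-names": []}

if __name__ == "__main__":
    print(json.dumps(drift(LOCK, INSTALLED), indent=2))
```

After `composer install --no-dev`, entries from `packages-dev` are expected to show up as `locked-but-not-installed`; any other finding means the vendor directory no longer matches the lock file.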