74

It does exist a command to generate the composer.lock from a composer.json?

Something similar ruby's bundler : $ bundle lock

ciaoben
  • 3,138
  • 4
  • 27
  • 42
  • Not that I'm aware of. Seems like a weird requirement. – ceejayoz Jun 28 '17 at 14:18
  • 4
    I think `composer update --lock` does this. "--lock: Only updates the lock file hash to suppress warning about the lock file being out of date." or perhaps [this](https://github.com/composer/composer/issues/754#issuecomment-6043855) – Sevvlor Jun 28 '17 at 14:18
  • @Sevvlor I don't have deps installed at first, and running `update --lock` it installs them.. – ciaoben Jun 28 '17 at 14:23
  • 2
    I actually think that this is not possible without installing or updating. [Which is probably due to it's purpose](https://stackoverflow.com/a/44412385/1604068) – Sevvlor Jun 28 '17 at 14:50
  • @ciaoben What's wrong with installing them first? – ceejayoz Jun 28 '17 at 15:25
  • @Sevvlor that last comment seems like the right answer to the question. Make it a real answer. – Thibault Jun 28 '17 at 16:42
  • 2
    I actually think this would be very useful. In my scenario I need to update the version of a dependency in 6 applications. Because this feature is not available I have to checkout each application and install ALL the dependencies (70,000 files) just to get the lock file updated. Would be great to skip the copying of 70,000 files. – bmerigan Sep 14 '18 at 03:13
  • Please add some clarification to your question - what would be wrong in running `composer install` to generate the file? – Nico Haase Feb 03 '22 at 13:29

3 Answers3

117

If you do not have a composer.lock

The answer is "no", you have to generate the lock file using:

composer install

Installing Without composer.lock

If you have never run the command before and there is also no composer.lock file present, Composer simply resolves all dependencies listed in your composer.json file and downloads the latest version of their files into the vendor directory in your project.

Source: getcomposer.org

NB Potential Issue: Without the lock file Composer will use the latest version of the dependencies.

If you already have a composer.lock

If you already have a composer.lock and Composer is complaining about it being out of sync, you'll see this warning:

Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. Run update to update them.

To fix this you can update the lock file itself, without updating the dependencies. This will only update the content-hash in the lock file:

composer update --lock

From the Composer manual:

--lock Only updates the lock file hash to suppress warning about the lock file being out of date.

Duncanmoo
  • 3,535
  • 2
  • 31
  • 32
  • So can I somehow create a dummy `composer.lock` file and then the the `composer update --lock` to get effectivery the same lock file as with `composer install`? – mvorisek Jan 24 '20 at 21:54
  • 1
    From what I can see in [the documentation](https://getcomposer.org/doc/03-cli.md) the only way to generate a composer.lock is by running composer install. It would be nice if `--dry-run` or a similar flag wrote the lock file if it is missing. – Duncanmoo Jan 27 '20 at 07:54
  • 1
    created an issue for it directly in the composer repo - https://github.com/composer/composer/issues/8551 – mvorisek Jan 27 '20 at 07:59
  • 1
    @mvorisek if I could give you kudos or a bounty I would, your suggestion will be included in Composer 2.0! – Duncanmoo Jun 18 '20 at 09:39
  • 4
    just noting `composer update --lock` will also update other parts of the lock file to match `composer.json` not only the hash. – David Thomas Jun 25 '20 at 10:06
  • And what is the command for updating the lock file for Composer v2? I do not want to update any package just the lock file to match checksum and other parts. – Gabor Garami Aug 15 '22 at 23:09
24

Writing lock file composer.lock without download packages:

composer update --no-install

--no-install: Does not run the install step after updating the composer.lock file.

https://getcomposer.org/doc/03-cli.md#update-u-upgrade

(originally reported against Composer version 2.2.5)

hakre
  • 193,403
  • 52
  • 435
  • 836
Deividson Damasio
  • 431
  • 1
  • 6
  • 15
-1
 composer install --ignore-platform-req=ext-fileinfo

solved my issue. It worked 100%.

Stephen Muindi
  • 39
  • 2
  • 1
    Please add some explanation to your answer such that others can learn from it. How does this answer relate to the given question? – Nico Haase Aug 28 '23 at 13:46