
sgupta1979

Keeping composer.lock and package-lock.json file in GIT repository

In our applications, these 2 files are added to GIT versioning and we can commit those files as well. Ideally (according to my understanding) these files should get deleted and regenerated each time we run composer install while deploying. So we should un-version those files and add them to GIT ignore.

  1. In my deploy.sh file there is the below code

    git reset HEAD yarn.lock
    git checkout yarn.lock
    git fetch --all
    git merge "$1"
    composer install
    yarn install
    yarn run prod

If I un-version the .lock files, then can the first 2 lines from the above code be removed? Instead of that, we would remove all lock files before composer install and yarn install.

Please suggest.

Vaweto

You have to push the composer.lock and not let composer install regenerate it. Because:

1. When you run composer install in the presence of composer.lock, Composer will resolve and install all dependencies that you listed in composer.json, but Composer uses the exact versions listed in composer.lock to ensure that the package versions are consistent for everyone working on your project.

2. As a result of this, you’ll have your project dependencies consistent across all your CI servers, production machines and other developers in your team, which helps prevent the potential for bugs affecting only some parts of the deployments.

So you have to push the composer.lock and rely on it for the versions of packages.

sgupta1979

@Vaweto Thanks for your response. It will be really helpful to me. My next question on this: is it really required to run composer install with the same .json and .lock in each deployment?

composer install should run only when we are making changes in composer.json, and it should be manually executed on production and should generate the lock file as well.

Kindly please suggest.

Snapey

@sgupta1979 just leave it alone and leave it in your git repo

Composer.lock will be regenerated when you run composer update or add or remove packages

composer install will read the composer.lock file and install the exact same versions of packages as you have used in dev and testing.

Why do you feel you need to worry about it?

sgupta1979

@Snapey

Actually 'composer install' is defined in the deploy.sh file, which unnecessarily gets executed on each deploy. I need to remove it from there but need solid information on why to remove it.

Snapey

@sgupta1979 NO YOU ARE WRONG

Composer install looks at the composer.lock file and makes sure you have all the correct files in your vendor folder.

Normal process is that you clone your repository to your production machine (or other dev machine etc) and then run composer install. Therefore this is a vital step in deployment.

You don't have the vendor folder in your repository do you?

martinbean

> So we should un-version those files and add those in GIT ignore.

@sgupta1979 No, you shouldn’t.

The lock files contain the specific versions of packages installed. They’re in your repository so that when you or someone else checks your code out, and runs composer install, they get the exact same versions too, or an error if they’re trying to run your application in an incorrect environment, i.e. with the wrong PHP version.

If they were meant to be ignored then they would be in your .gitignore file already. But they’re not, which means they should be in your repository.
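To make the distinction the replies above draw concrete (composer.json holds version constraints, composer.lock holds the exact resolved versions that composer install reproduces), here is an added Python check that is not from this thread or from Composer itself: it compares a constructed composer.json and composer.lock and reports the packages the lock no longer covers, which is exactly what a deploy would silently miss if the lock were regenerated or dropped. It handles only caret constraints and tagged versions; all sample data is made up.

```python
import json

# Constructed sample files (not from the thread). composer.json carries version
# constraints; composer.lock carries the exact versions that `composer update` resolved.
COMPOSER_JSON = json.loads("""{
  "require": {"php": "^8.1", "monolog/monolog": "^3.0", "guzzlehttp/guzzle": "^7.5"},
  "require-dev": {"phpunit/phpunit": "^10.0"}
}""")

COMPOSER_LOCK = json.loads("""{
  "packages": [{"name": "monolog/monolog", "version": "3.4.0"},
               {"name": "psr/log", "version": "3.0.0"}],
  "packages-dev": [{"name": "phpunit/phpunit", "version": "9.6.3"}],
  "platform": {"php": "^8.1"}
}""")

def satisfies_caret(constraint: str, version: str) -> bool:
    """Composer's caret rule: ^1.2.3 allows >=1.2.3 <2.0.0, ^0.3 allows >=0.3.0 <0.4.0."""
    if not constraint.startswith("^"):
        raise ValueError("this example only handles caret constraints and tagged versions")
    low = ([int(x) for x in constraint[1:].split(".")] + [0, 0])[:3]
    cur = ([int(x) for x in version.lstrip("v").split("-")[0].split(".")] + [0, 0])[:3]
    bump = next((i for i, x in enumerate(low) if x), 0)  # first non-zero component
    high = low[:bump] + [low[bump] + 1] + [0] * (2 - bump)
    return low <= cur < high

def pinned_versions(lock: dict) -> dict:
    """Map every package in composer.lock to the exact version it pins."""
    return {p["name"]: p["version"]
            for section in ("packages", "packages-dev")
            for p in lock.get(section, [])}

def check_lock(manifest: dict, lock: dict) -> dict:
    """Report what `composer install` driven by this lock would give a deployment.

    missing: required in composer.json but absent from the lock; stale: pinned, but
    the pin no longer satisfies composer.json. Both mean composer.json was edited
    without `composer update`, so the lock has fallen behind the manifest.
    """
    pins = pinned_versions(lock)
    required = {name: c for key in ("require", "require-dev")
                for name, c in manifest.get(key, {}).items()
                if "/" in name}  # skip platform requirements such as "php" or "ext-*"
    return {
        "missing": sorted(n for n in required if n not in pins),
        "stale": sorted(n for n, c in required.items()
                        if n in pins and not satisfies_caret(c, pins[n])),
        "pinned": pins,
    }
```

With the sample data, guzzlehttp/guzzle is reported as missing and phpunit/phpunit as stale; a clean pair returns empty lists for both, which is the state a committed composer.lock should be in before deploy.sh runs composer install.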
