Developer654079525

Updating strategies

Should I regularly update the framework using composer update? I also have composer on the hosting account.

0 likes
6 replies
martinbean

@developer654079525 You should regularly keep software up to date, yes. But you should also read release notes of packages before updating, just in case there’s something that may have changed that may be incompatible with your application or other installed packages.

JussiMannisto

composer audit is a useful tool. It shows known vulnerabilities in the installed package versions. You should update all packages from time to time, but fixing vulnerabilities is the first priority.

Just to be clear: you shouldn't run composer update in production. You should run it in the development environment and test that everything works. That generates a composer.lock file in the project root, which tells Composer the exact package versions to install. You deploy that file along with everything else and then run composer install to install the packages.

1 like
Developer654079525

Many thanks. So, in a nutshell, is it composer update on a local machine, then push and composer install on a production machine? What happens if I accidentally run composer update on a remote machine?

JussiMannisto

What happens if I accidentally run composer update on a remote machine?

It updates packages to the latest versions allowed by your constraints, and generates a composer.lock file that differs from the one in version control. Your production environment may then be running package versions that you haven't tested.

In principle, that shouldn't cause issues if the version constraints in composer.json are sensible, meaning they don't allow updates between major versions (e.g. 5.x.x to 6.x.x). Only major versions are supposed to include backward-incompatible changes. But that's the theory. In practice you should always test the code you're about to deploy.

So, in a nutshell, is it composer update on a local machine, then push and composer install on a production machine?

That's the basic idea. If you used a CI/CD pipeline, the packages would be installed in the build environment and then pushed to the production server(s). In a simpler setup, you would run composer install as part of your deployment process on the production server.

2 likes
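The workflow the replies above describe (composer update and commit composer.lock locally; validate, audit and composer install on the server), as an added POSIX shell example that is not from the thread. It assumes the composer binary is on PATH and the project root is passed as an argument; the function names are this example's own.

```shell
#!/bin/sh
# Deploy helper following the thread's advice: composer update runs only in
# development, composer.lock is committed, and production only ever runs
# composer install against that lock file.
# Assumptions (not from the thread): "composer" is on PATH and the project
# root is given as an argument; the function names are this example's own.
set -eu

# Refuse to deploy a tree with no composer.lock: without one, composer install
# resolves dependencies from composer.json and may install untested versions.
require_lock_file() {
    if [ ! -f "$1/composer.lock" ]; then
        echo "composer.lock missing in $1: run composer update locally and commit it" >&2
        return 1
    fi
}

# Production install: locked versions only, no dev packages, no prompts.
install_cmd() {
    echo "composer install --no-dev --prefer-dist --no-interaction --optimize-autoloader"
}

deploy() {
    require_lock_file "$1"
    cd "$1"
    # A stale lock (composer.json edited after the last composer update) or an
    # invalid manifest aborts here; --strict turns warnings into a failure.
    composer validate --strict --no-check-all --no-check-publish
    # Known advisories against the locked versions abort the deploy, matching
    # "fixing vulnerabilities is the first priority".
    composer audit
    $(install_cmd)
}

if [ "${1:-}" = "deploy" ] && [ -n "${2:-}" ]; then
    deploy "$2"
fi
```

Running `composer update` on the server by accident would rewrite composer.lock; the validate step catches the opposite mistake, a composer.json change pushed without a refreshed lock.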
