gerardw85's avatar

Upgrading Packages - best practices?

Hi, I'm looking into Laravel 10, currently running Laravel 9, and started to check packages and noticed I've got quite a few with patches/minor - a handful of major ones. Most packages - I'm not even sure if I'm using - or must be deep in the guts of Laravel where I don't even realize I'm using them. So, I decided to go package by package and upgrade them. I'm doing this locally - testing as much as I can - and pushing to git and then committing to prod (using Forge).

Is this the "right" way? Is there a "right" way? Is there a series on Laravel I missed about this? I was planning on using Shift to go from v9 to v10 - but thought I'd just upgrade the packages I know I use individually.

Experienced devs, how do you decide to upgrade? I'm solo - so there's no team/release cadence to follow. But, I also realize if I put this off - it can cause headaches down the road.

0 likes
12 replies
LaryAI's avatar

The best practice for upgrading packages is to first check the release notes for any breaking changes that may occur when upgrading. If there are any breaking changes, you should plan to update your code accordingly. Additionally, you should test the upgrade locally before pushing to production.

If you are using a package manager such as Composer, you can use the composer update command to update all of your packages at once. This command will check for any available updates and install them. You can also specify a particular package to update by using the composer update <package-name> command.

It is also important to keep your packages up to date with the latest version of Laravel. You can use the composer create-project command to create a new project with the latest version of Laravel and then copy over your code from the old project.

Finally, you should consider using a tool such as Laravel Shift to automate the process of upgrading your packages. Laravel Shift can detect any outdated packages and automatically upgrade them to the latest version. This can save you a lot of time and effort.

1 like
jlrdw's avatar

To add, when a new version of Laravel comes out, give outside packages maybe a month to catch up. They are not necessarily going to be updated the exact same day a new Laravel is released.

And remember much of checking packages is a manual job, meaning looking at the various composer.json files.

1 like
gerardw85's avatar

@jlrdw Ok - seems like there's a bit of trial/error and isolating what you change so that it's easier to fix. Unless you can see something in the release notes that you know needs to change. Is that the gist of it?

gerardw85's avatar

@jlrdw Hey, I have a quick question if you wouldn't mind....

I upgraded fakerphp/faker to v1.21.0... but my composer.json still shows

    "require-dev": {
        "fakerphp/faker": "^1.9.1",

Am I supposed to do something else? Composer is showing...

    fakerphp/faker                      v1.21.0   v1.21.0   Faker is a PHP library that generates fake data for you.

rodrigo.pedra's avatar

@gerardw85

If you already had "fakerphp/faker": "^1.9.1" in your composer.json file, requesting fakerphp/faker:^1.21.0 won't change your composer.json automatically, as the ^1.9.1 already resolves to this range: 1.9.1 <= current version < 2.0.0.

reference: https://getcomposer.org/doc/articles/versions.md#caret-version-range-

Recently, a 'bump' command was added to composer.

After running composer update, run composer bump and it will update the versions of your dependencies in your composer.json file to the ones you are actually using.

reference: https://getcomposer.org/doc/03-cli.md#bump

2 likes
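
The caret rule described in the reply above, worked through as an added example (not code from the thread or from Composer itself). It covers plain numeric constraints only; the package name `example/young-lib` and its versions are constructed to show the stricter pre-1.0 behaviour, where `^0.3.2` does not admit `0.4.0`.

```php
<?php
// Added example. Handles plain numeric caret constraints only
// (no stability suffixes, wildcards or "||" alternatives).

/** Return [lower bound, exclusive upper bound] for e.g. "^1.9.1". */
function caretBounds(string $constraint): array
{
    if (!preg_match('/^\^v?(\d+(?:\.\d+){0,2})$/', trim($constraint), $m)) {
        throw new InvalidArgumentException("Unsupported constraint: $constraint");
    }
    $given = array_map('intval', explode('.', $m[1]));

    // The upper bound increments the first non-zero component, or the last
    // one written if all are zero: ^0.3 -> <0.4.0, ^0.0.3 -> <0.0.4.
    $pos = count($given) - 1;
    foreach ($given as $i => $n) {
        if ($n !== 0) {
            $pos = $i;
            break;
        }
    }
    $upper = array_pad(array_slice($given, 0, $pos + 1), 3, 0);
    $upper[$pos]++;

    return [implode('.', array_pad($given, 3, 0)), implode('.', $upper)];
}

function satisfies(string $installed, string $constraint): bool
{
    [$lower, $upper] = caretBounds($constraint);
    $version = ltrim($installed, 'v');

    return version_compare($version, $lower, '>=')
        && version_compare($version, $upper, '<');
}

// Constructed sample: constraints from composer.json next to installed versions.
$declared  = ['fakerphp/faker' => '^1.9.1', 'example/young-lib' => '^0.3.2'];
$installed = ['fakerphp/faker' => 'v1.21.0', 'example/young-lib' => '0.4.0'];

foreach ($declared as $name => $constraint) {
    [$lower, $upper] = caretBounds($constraint);
    $ok = satisfies($installed[$name], $constraint);
    printf("%s %s allows >=%s <%s, installed %s: %s\n", $name, $constraint,
        $lower, $upper, $installed[$name], $ok ? 'inside range' : 'OUTSIDE range');
}
```

The constraint in composer.json is only a range; the exact version in use is the one recorded in composer.lock.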
gerardw85's avatar

@rodrigo.pedra I've gone ahead and followed the process on my dev server (updated the package on my dev server, tested for issues etc..). Then I've committed the composer.lock updates and pushed them into my production server which is using forge. However, I haven't run any commands to update composer on the live server. How do my changes from composer.lock actually get implemented in the production environment?

rodrigo.pedra's avatar

@gerardw85 The Forge deploy script should run a composer update on every deploy.

You can check the deployment script on the front page of any project within Forge.
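
One way to confirm after a deploy that the server's `vendor/` directory matches the committed composer.lock, as an added example (not code from the thread, Forge or Composer). It compares the lock file with `vendor/composer/installed.json`; the JSON documents and versions below are constructed, and on a real server they would be read with `json_decode(file_get_contents(...), true)`.

```php
<?php
// Added example: compare what composer.lock pins with what vendor/ contains.

/** Map package name => version from a list of Composer package entries. */
function versionsByName(array $packages): array
{
    return array_column($packages, 'version', 'name');
}

/** Return name => description for every package that differs from the lock. */
function lockDrift(array $lock, array $installed, bool $withDev): array
{
    $expected = versionsByName($lock['packages'] ?? []);
    if ($withDev) {
        $expected += versionsByName($lock['packages-dev'] ?? []);
    }
    // Composer 2 wraps the list in "packages"; Composer 1 wrote a bare list.
    $actual = versionsByName($installed['packages'] ?? $installed);

    $drift = [];
    foreach ($expected as $name => $version) {
        if (!isset($actual[$name])) {
            $drift[$name] = "locked $version, not installed";
        } elseif ($actual[$name] !== $version) {
            $drift[$name] = "locked $version, installed {$actual[$name]}";
        }
    }
    foreach (array_diff_key($actual, $expected) as $name => $version) {
        $drift[$name] = "installed $version, not expected from the lock file";
    }
    ksort($drift);

    return $drift;
}

// Constructed sample: the lock was updated and pushed, vendor/ was not refreshed,
// and a require-dev package is present on a server meant to run without dev packages.
$lock = json_decode('{"packages":[{"name":"laravel/framework","version":"v10.0.0"}],
    "packages-dev":[{"name":"fakerphp/faker","version":"v1.21.0"}]}', true);
$installed = json_decode('{"packages":[{"name":"laravel/framework","version":"v9.52.0"},
    {"name":"fakerphp/faker","version":"v1.21.0"}]}', true);

$drift = lockDrift($lock, $installed, false); // false: production without dev packages
foreach ($drift as $name => $problem) {
    echo "$name: $problem\n";
}
exit($drift ? 1 : 0); // non-zero exit lets a deploy script stop on drift
```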

ousid's avatar

Well, the logic is no different from what the docs say.

As a package creator, when I decide to upgrade my package to the latest version, I will first look at the packages that mine relies on, to see if they have already upgraded to the latest version I'm intending to use (let's say L10), and if that's the case, I'll upgrade them manually, one by one, until "composer update" runs successfully (with tests running behind the scenes of course).

In conclusion: there's no difference if you are trying to upgrade your Laravel application, because in the end it's all just a package, relying on other packages. So, make sure that the parent package (e.g.: spatie-permissions) you use supports the targeted version, and you are good to go.

Here's a real world example, if you want to take a look: https://github.com/coderflexx/laravel-ticket/commit/90d86cc370dd67f6d744daa8dc04773c64efbc5f

1 like
gerardw85's avatar

@ousid That makes sense, but I think I'm just trying to understand... now that I've run the upgrade via composer - do I just manually change composer.json on my Laravel app like below and push it to my production server?

        "fakerphp/faker": "^1.9.1",

to

        "fakerphp/faker": "^1.21.0",
ousid's avatar

@gerardw85 yes, you need to change the version of the packages (if needed), as @jlrdw said, you need to check each package you use manually.

Let me give you an example:

Laravel 9 uses nunomaduro/collision V ^6.*, but if you wish to upgrade the app to V10, you need to manually change the package version to V7, then run composer upgrade to let composer fetch the correct package version for you, compatible with L10.

Hope this makes sense.

PS: do not forget that L10 drops support for PHP V8, so you need to use either PHP v8.1 or v8.2

1 like
gerardw85's avatar

Thanks guys - this helped quite a bit!

1 like
