What are the differences between composer update and composer install?
composer update
composer update will update your depencencies as they are specified in composer.json
For example, if you require this package as a dependency:
"mockery/mockery": "0.9.*",
and you have actually installed the 0.9.1 version of the package, running composer update will cause an upgrade of this package (for example to 0.9.2, if it's already been released)
in detail composer update will:
- Read
composer.json - Remove installed packages that are no more required in
composer.json - Check the availability of the latest versions of your required packages
- Install the latest versions of your packages
- Update
composer.lockto store the installed packages version
composer install
composer install will not update anything; it will just install all the dependencies as specified in the composer.lock file
In detail:
- Check if
composer.lockfile exists (if not, it will runcomposer updateand create it) - Read
composer.lockfile - Install the packages specified in the
composer.lockfile
When to install and when to update
composer updateis mostly used in the 'development phase', to upgrade our project packages according to what we have specified in thecomposer.jsonfile,composer installis primarily used in the 'deploying phase' to install our application on a production server or on a testing environment, using the same dependencies stored in the composer.lock file created by composer update.
When you run composer install it will look for a lock file and install whatever is contained in it, if it can't find one, it'll read composer.json, install its dependencies and generate a lockfile.
When you run composer update it simply reads composer.json, installs the dependencies and updates the lockfile (or creates a new lockfile).
composer install
if(composer.lock existed){
installs dependency with EXACT version in composer.lock file
} else {
installs dependency with LATEST version in composer.json
generate the composer.lock file
}
composer update
composer update = remove composer.lock -> composer install
Why we need 2 commands. I think it can explain by composer.lock.
Imagine, we DON'T have composer.lock and in composer.json, there is a dependency "monolog/monolog": "1.0.*" or "monolog/monolog": "^1.0".
Then, it will have some cases
- We working well today with current dependency version (eg:1.0.0) but a few months later, the dependency update (eg:1.0.1) and it possible have some bug
- Another team member may have a different dependency version if they run
composer installin a different time.
What if we always use an EXACT version in composer.json such as "monolog/monolog": "1.0.1"?
We still need composer.lock because composer.json only track the main version of your dependency, it can not track the version of dependencies of dependency.
What if all dependencies of dependency also use the EXACT version?
Imagine you begin with ALL dependencies which use the EXACT version then you don't care about composer.lock. However, a few months later, you add a new dependency (or update old dependency), and the dependencies of this dependency don't use the EXACT version. Then it's better to care composer.lock at the beginning.
Besides that, there is an advantage of a semantic version over an exact version. We may update the dependency many times during development and library often have some small change such as bug fix. Then it is easier to upgrade dependency which uses semantic version.
composer install
- If
composer.lockdoes exist.- Processes and installs dependencies from the
composer.lockfile.
- Processes and installs dependencies from the
- If
composer.lockdoes not exist.- Process package installs from
composer.json. - Creates the
composer.lockfile based on the installed packages.
- Process package installs from
As per: composer help install:
The install command reads the
composer.lockfile from the current directory, processes it, and downloads and installs all the libraries and dependencies outlined in that file. If the file does not exist it will look forcomposer.jsonand do the same.
composer update
- Processes dependencies from the
composer.jsonfile (installs, updates and removes). - Creates or updates the
composer.lockfile according to the changes.
As per: composer help update:
The update command reads the
composer.jsonfile from the current directory, processes it, and updates, removes or installs all the dependencies.
See also: Composer: It’s All About the Lock File