Whenever I try to add a new package using composer like "composer require packagename/package" or use "composer.phar update", I am getting all the
If you feel the need to exclude some of your packages from being updated, I'd consider this the beginning of getting into a dependency mess. You should clean up your dependencies now before it gets worse.
From my experience, the topmost reason for not wanting to update a dependency is when you used a branch of a package instead of a released version. You should try to fix this as thoroughly as possible:
1.0.*, ~1.2 or ^1.3.4.
composer.json file.
composer.json. This will
In general, you should always be able to run composer update unconditionally. If not, this is a warning sign for dependencies not properly declared in your own composer.json file.
The second reason for not wanting to update is incompatible changes in a package that were tagged as a bug fix instead of a major version increase. The solution for this would be simple:
composer.json file: Instead of "external/package":"~1.2" you'd put "external/package":"~1.2,!1.2.5" if you find that version 1.2.5 broke your software. Or maybe you are afraid of further updates also breaking your software, you'd put in "external/package":"~1.2,!>=1.2.5".
One more thing to add: If you run composer require, you won't get updates for packages that are already installed. They are fixed. The required package will be selected based on all the installed versions, and it will only be installed if there is a version available that is compatible with all the versions already installed. Note that this will not work correctly if there are dependencies on branches of packages in both your own composer.json and the new package. The reason is that the branch name will be the same, but you'll never know which commit was being used. Maybe the new package uses a very recent commit of dev-master of a third package, and your own software a very old one, and there have been incompatible changes in between - this will break things without Composer being able to detect it.
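As an added example (not part of the original answer), this script lists the branch-based constraints in a composer.json and shows which commit, if any, composer.lock records for each. The package names, hashes and function names are constructed for illustration.

```python
import json
import re

# Constructed sample manifest and lock file (not from the original post).
COMPOSER_JSON = """{
  "require": {
    "php": ">=7.4",
    "vendor/stable": "^1.3.4",
    "vendor/patchline": "1.0.*",
    "vendor/moving": "dev-master",
    "vendor/branchline": "2.1.x-dev",
    "vendor/pinned": "dev-main#3f2a9c1"
  },
  "require-dev": {"vendor/tool": "~1.2 || dev-feature/x"}
}"""
COMPOSER_LOCK = """{
  "packages": [
    {"name": "vendor/moving", "version": "dev-master",
     "source": {"type": "git",
                "reference": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}}
  ],
  "packages-dev": []
}"""

def is_branch_constraint(part):
    """True if one constraint alternative names a branch, not a release."""
    # Drop an inline alias ("as 1.0.0"), commit pin ("#sha"), stability flag ("@dev").
    version = part.split(" as ")[0].split("#")[0].split("@")[0].strip()
    return version.startswith("dev-") or version.endswith("-dev")

def branch_dependencies(manifest):
    """Map package name -> branch constraints found in require/require-dev."""
    found = {}
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            parts = re.split(r"\|\|?|,", constraint)  # OR and AND separators
            hits = [p.strip() for p in parts if is_branch_constraint(p)]
            if hits:
                found[name] = hits
    return found

def audit(manifest_text, lock_text):
    """Pair every branch dependency with the commit recorded in the lock file."""
    lock = json.loads(lock_text)
    commits = {p["name"]: p.get("source", {}).get("reference")
               for key in ("packages", "packages-dev") for p in lock.get(key, [])}
    found = branch_dependencies(json.loads(manifest_text))
    return {n: {"constraints": c, "locked_commit": commits.get(n)}
            for n, c in found.items()}

if __name__ == "__main__":
    print(json.dumps(audit(COMPOSER_JSON, COMPOSER_LOCK), indent=2))
```

A branch dependency with no locked commit means the next install resolves to whatever the branch head is at that moment.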