Exclude a package from updating in composer

Frontend | Unresolved | 6 answers | 1922 views
走了就别回头了 2021-02-07 10:22

Whenever I try to add a new package using composer like "composer require packagename/package" or use "composer.phar update", I am getting all the

6 answers
  •  醉梦人生 2021-02-07 11:00

    If you feel the need to exclude some of your packages from being updated, I'd consider this the beginning of getting into a dependency mess. You should clean up your dependencies now before it gets worse.

    From my experience, the topmost reason for not wanting to update a dependency is when you used a branch of a package instead of a released version. You should try to fix this as thoroughly as possible:

    • If you are using your own packages, tag a release version for the commits you want to use. Then switch your software to either use that exact version, or use a wildcard version requirement like 1.0.*, ~1.2 or ^1.3.4.
    • If you are using external code that you cannot influence directly, try to contact the developers of that code and ask them to tag a version. Tagging versions is important to maintain a sane dependency tree.
    • If you cannot make the external developers tag a version, find a way to tag it yourself:
      • Clone their repository on GitHub, tag a version, and include your copy of the repository instead of going to packagist.org.
      • Create the necessary metadata in a "type=package" repository entry in your composer.json file.
      • Or at the very least, when depending on the branch, assign it a version alias to allow for a smoother transition later when the external project starts tagging their versions. Note that this will not fix your current problems at all, but it may make things better in the future.
    • If all else fails, you might point to a certain commit id in your composer.json. This will

    In general, you should always be able to run composer update unconditionally. If not, this is a warning sign for dependencies not properly declared in your own composer.json file.

    The second reason for not wanting to update is incompatible changes in a package that were tagged as a bug fix instead of a major version increase. The solution for this would be simple:

    • First you'd have to investigate the reason for such an error: Was it really an incompatible API change? If yes, raise an issue with the developers of that package. They should create a new bug fix version with that incompatible update rolled back or fixed, and if they want to keep their change, they should tag it with a minor or major version increment, depending on what they changed.
    • If however you incorrectly used their code, somehow not using the public API, a bug fix is unlikely. You should try fixing your code by not using stuff that is not supposed to be the public API. For example, in recent versions of Symfony, the public API is explicitly tagged in the code and documentation - using something else will break at some point, even when doing "compatible" version updates like from 2.6.x to 2.7.x.
    • Another way to fix it would be to exclude the newer version inside the composer.json file: Instead of "external/package":"~1.2" you'd put "external/package":"~1.2,!1.2.5" if you find that version 1.2.5 broke your software. Or, if you are afraid that further updates will also break your software, you'd put in "external/package":"~1.2,!>=1.2.5".

    One more thing to add: If you run composer require, you won't get updates for packages that are already installed. They are fixed. The required package will be selected based on all the installed versions, and it will only be installed if there is a version available that is compatible with all the versions already installed. Note that this will not work correctly if there are dependencies on branches of packages in both your own composer.json and the new package. The reason is that the branch name will be the same, but you'll never know which commit was being used. Maybe the new package uses a very recent commit of dev-master of a third package, and your own software a very old one, and there have been incompatible changes in between - this will break things without Composer being able to detect it.
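As an added example that is not part of the original answer, here is a root composer.json that wires up the options the answer lists side by side: a fork with your own tag served from a vcs repository, a "type": "package" entry that supplies version metadata for an untagged upstream, a branch with a version alias, a branch pinned to a commit, and constraints that exclude a regressed release. Every package name, URL and commit hash below is hypothetical.

```json
{
    "name": "example/my-app",
    "description": "Hypothetical root package; names, URLs and the commit hash are made up for illustration",
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/my-org/external-package"
        },
        {
            "type": "package",
            "package": {
                "name": "other/untagged-lib",
                "version": "1.0.0",
                "source": {
                    "type": "git",
                    "url": "https://github.com/other/untagged-lib.git",
                    "reference": "0123456789abcdef0123456789abcdef01234567"
                },
                "autoload": {
                    "psr-4": { "Other\\UntaggedLib\\": "src/" }
                }
            }
        }
    ],
    "require": {
        "external/package": "^1.3.4",
        "other/untagged-lib": "^1.0",
        "third/branch-only-lib": "dev-main as 1.0.x-dev",
        "fourth/pinned-lib": "dev-main#0123456789abcdef0123456789abcdef01234567",
        "fifth/regressed-lib": "~1.2,!=1.2.5",
        "sixth/frozen-lib": ">=1.2,<1.2.5"
    }
}
```

Reading the entries top to bottom: the vcs repository points at your fork of external/package, where you have pushed a tag such as 1.3.4; the fork's own composer.json must still declare the name "external/package", and because root repositories are consulted in order before packagist.org, the fork wins. For the "package" repository Composer never reads the upstream composer.json, so the version, source reference and autoload rules all have to be declared inline, and any dependencies of that package would need a "require" block there too. "dev-main as 1.0.x-dev" is the version alias the answer mentions, which lets other packages that require ^1.0 resolve against the branch; "dev-main#<sha>" is the commit pin from the answer's last bullet, which Composer itself discourages. The last two lines show the exclusion constraints in the syntax Composer actually parses: the not-equal operator is "!=", and "exclude this version and everything after it" is written as an upper bound, ">=1.2,<1.2.5", rather than "!>=1.2.5". Two commands are also worth knowing for the original question: "composer update vendor/package" updates only that package (add -w to pull its dependencies along), and "composer require vendor/package -W" lets the new requirement update already-installed packages instead of failing when the frozen set is incompatible.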
