prinsfrank/composer-version-lock
================================

Functionality now provided by composer itself; Locks composer to a specific version for a project

v1.7(4y ago)814.1k↓100%MITPHPPHP &gt;=7.2

[Source](https://github.com/PrinsFrank/composer-version-lock) · [Packagist](https://packagist.org/packages/prinsfrank/composer-version-lock)

> **Warning**
>
> As the functionality provided by this package is [now fully provided by composer itself](https://getcomposer.org/doc/articles/composer-platform-dependencies.md#composer-package-composer) (thanks @szepeviktor!), this package is now abandoned. To migrate, execute the following commands.
>
> As stated in the docs, it is a good idea to add a requirement to the plugin api, as the exact composer version wasn't available in versions before 2.2.0.
>
> ```
> composer require "composer-plugin-api:>=2.2.0"
> ```
>
>
>
> Now you can add the requirement for the actual composer version:
>
> ```
> composer require "composer:^2.3.9"
> ```
>
>
>
> And finally you can remove this package!
>
> ```
> composer remove prinsfrank/composer-version-lock
> ```
>
>
>
> After this command has run, the "composer-version" and "composer-suggest" keys should be automatically removed from the "extra" section in your composer.json and the entire section should be removed if no other keys are set. If not, remove these keys manually.

Composer version lock
=====================

Why this plugin?
----------------

When working with many people in the same codebases, it sometimes is quite a hassle to resolve merge conflicts on the Composer lockfile.

Even when the only change between branches is that two different packages have been added, the diff on the `composer.lock` file can still be several hundred lines. When the only expected changes are the hash and the info about the packages (and maybe some changed dependency versions), differences in Composer versions between developers are often the culprit. Sometimes these are big differences, like [support for a Funding section](https://github.com/composer/composer/releases/tag/1.10.0); other times the order of some keys is just changed from one Composer version to the next.

This plugin makes it possible to share the required composer version in the `composer.json` file.

Read more about it [in a post on my personal blog](https://prinsfrank.nl/2021/04/07/Seemingly-random-Composer-lock-changes)

Getting started
---------------

To include this package, run:

```
composer require prinsfrank/composer-version-lock
```

[![](docs/images/require-package.gif)](docs/images/require-package.gif)

To set the required Composer version for your project, run:

```
composer config extra.composer-version {VERSION_CONSTRAINT}
```

[![](docs/images/set-version.gif)](docs/images/set-version.gif)

Any [Composer constraint](https://getcomposer.org/doc/articles/versions.md#versions-and-constraints) can be used as the `composer/semver` package is used to determine if the current composer version satisfies the version constraint.

To get your current version, run `composer --version`.

> **Note:** When no composer version is set, an error is displayed with instructions on how to enforce your current Composer version.

How it works
------------

### Commands that change the lock file

Some of the composer commands change the `composer.lock`:

- update
- remove
- require

Whenever a developer executes any of the above commands with a Composer version that doesn't satisfy the version constraint, they will get the following error, with the command aborting:

[![](docs/images/invalid-version.gif)](docs/images/invalid-version.gif)

> **Note:** When the version constraint is not an exact version or a next significant operator it is not possible to deduce a matching version so `composer self-update {version}` is displayed instead.

### Commands that don't change the lock file

When the developer executes any other command with a Composer version that doesn't satisfy the constraint, they will just get a warning, and Composer continues:

[![](docs/images/incorrect-version-continuing.gif)](docs/images/incorrect-version-continuing.gif)

### Information when using the correct version

When the developer is using a Composer version that satisfies the constraint, the following message will be displayed:

[![](docs/images/valid-version.gif)](docs/images/valid-version.gif)

Options
-------

### Suggested version

When using a version constraint that has multiple valid versions, you might want to suggest a specific version. For example, when using the version constraint `1.10.14 || 1.10.15`, this plugin doesn't know what version to suggest as either of them is a valid version. When you specifically want to suggest `1.10.15`, you can do that by setting the `composer-suggest` extra key using the following command:

```
composer config extra.composer-suggest {VERSION}
```

> When a suggested version is set, but it is not correct according to the version constraint, you will get a console error and the plugin will prevent any further actions until you resolve this issue. Either set a correct suggested version or remove the suggested version.

Version update strategies
-------------------------

### Implementing a "grace period"

When you have a main/master branch that is locked to a specific version of Composer - for example `2.0.5` - and a couple of feature branches that recently have been branched from master, you might run into issues where upgrading the Composer version on master results in you having to switch Composer versions every time you switch between the master and feature branches.

A good strategy here can be to use a grace period as follows:

1. The initial version constraint is `2.0.5`
2. Add the old and new versions separated by two pipe characters as the new version constraint: `2.0.5 || 2.0.6`.
3. After a while the version constraint for both the old and new versions should live in all branches. You can now require the new version `2.0.6`
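
The grace period above, as an added shell example that is not part of the plugin or its README: a gate that accepts the running Composer version only if it is one of the exact versions listed in the constraint. The function names and the sample `composer --version` output are constructed for illustration, and only exact versions joined by `||` are handled.

```sh
#!/bin/sh
# Added example, not the plugin's code. Supports only exact versions joined
# by "||" (the grace-period form); any range operator is refused.

# Constructed sample of `composer --version` output (date is made up).
SAMPLE_OUTPUT='Composer version 2.0.6 2021-01-01 00:00:00'

# Print the version number found in `composer --version` output.
composer_version_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^Composer version \([0-9][0-9A-Za-z.+-]*\).*/\1/p' |
        head -n 1
}

# Exit status: 0 = version is listed, 1 = not listed,
# 2 = no version given or constraint is not a list of exact versions.
composer_version_allowed() {
    [ -n "$1" ] || return 2
    printf '%s\n' "$2" | tr '|' '\n' | (
        status=1
        while read -r alt; do
            [ -n "$alt" ] || continue          # gap between the two pipes
            case $alt in
                *[!0-9.]*) exit 2 ;;           # ^, ~, >=, *, spaces, suffixes
            esac
            [ "$alt" = "$1" ] && status=0
        done
        exit "$status"
    )
}

# Gate a lock-changing command on the output of `composer --version`.
# Usage: composer_gate "$(composer --version)" "2.0.5 || 2.0.6"
composer_gate() {
    composer_version_allowed "$(composer_version_from_output "$1")" "$2"
}
```

With the step 2 constraint both `2.0.5` and `2.0.6` pass; once the constraint is narrowed to `2.0.6` in step 3, a developer still on `2.0.5` gets status 1.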

> When the plugin is removed with the command `composer remove prinsfrank/composer-version-lock`, the `composer-version` and `composer-suggest` settings in the `extra` section in the composer.json are also cleaned up. When the remaining extra section is then empty, it is removed.

Examples of changes to lock files between Composer versions
-----------------------------------------------------------

- The url of the readme section changed between  and
- The "hash" section was renamed to "content-hash" or the other way round.
- The "hash" or "content-hash" was recalculated even when the rest of the composer.lock hasn't changed.
- The "support" section was added or removed with individual packages.
- The "time" section of individual packages gained or lost a "T" and timezone offset indicating localized timestamps.
- A "funding" section was added or removed with individual packages.
- A "plugin-api-version" section was added or removed.
- and more ...

Developing
----------

If you want to improve this plugin and create a PR you're more than welcome to do so!

To have autocomplete when developing locally, run `composer u` to switch to the most recent composer/composer version, and `composer u --prefer-lowest` to switch to the first composer/composer version.

To actually test the package, run `composer self-update {VERSION}` to switch to the composer version the system is using.

Tests can be run with `composer test` or `vendor/bin/phpunit`, and are automatically run on a push or PR to master for every stable composer version and every PHP version.

