Versioning the vendor directory

WARNING: Please note that this article was published a long time ago. The information contained might be outdated.

Composer and PHP version

Before talking about versioning we need to understand how composer chooses to install packages.

When installing or updating the dependencies, composer will choose a version of the package compatible with the PHP version that we are using to run composer.

This means that if we're using different versions of PHP in development and production environments, and we are versioning the vendor directory, we might end up pushing code incompatible with the production environment.

The solution is the new config.platform option, which must be used to instruct composer to consider a specific version of PHP, which can be different from the one running the composer command. For more information please refer to these links:

• http://seld.be/notes/new-composer-patterns by Jordi Boggiano
• https://github.com/composer/composer/blob/e87190e/composer.json#L44

Versioning the vendor directory

The standard use of composer with git is to let git ignore the vendor directory and letting it track the composer.json and composer.lock files. Versioning the composer.lock file enables all developers, and production environments, to work with the same versions of the packages (for more info check this link on the getcomposer.org site).

If, for some reason, you need to deviate from the standard way of doing things, and you need to add the vendor directory to the git repository, there are three good pages you must read before doing anything:

• Using Composer Without GitIgnoring Vendor by Lorna Jane Mitchell
• Should I commit the dependencies in my vendor directory?
• How to safely commit vendor dir with php Composer by Roman Ozana
• Using Composer with shared hosting by Rob Allen

The basic rule is to add the vendor directory to git, excluding all the .git directories inside the vendor directory (and its subdirectories), or git will treat those directories as other repositories. And you will not like that. To do this you can do three things:

• recursively delete all .git directories in vendor each time you run composer install or composer update
• ignore all .git directories via the .gitignore file
• use only stable versions of the packages and use the --prefer-dist option when running composer install or composer update

For the first solution you can add triggers in the composer.json file, so that every time you install or update your packages all the .git directories in vendor get automatically deleted.

If you choose one of the other two solutions, and you're using composer with the --prefer-dist option, and in the composer.json file you've specified all stable releases, you will not have .git directories in vendor. You can also instruct composer to use the --prefer-dist option by default specifying this in the composer.json file. If one of the packages is installed using a non stable release, you will have .git directories in vendor.

Check the links above for further reference.