Why I can't update composer.json via composer update?

fakruzaruret

I have used composer update command and it find updated packages and downloaded then wrote them to composer.lock but they are not written to composer.json file. So I use require command for each package to install. How can I solve the problem.
Composer.lock is updated but not composer.json.

luceos

fakruzaruret require updates the json.

fakruzaruret

luceos can I use just composer require without package name ?

writing commands for each package takes time.
composer require fof/...
composer require fof/...

İs not there any short way?

010101

fakruzaruret Probably not, you have to do composer require for each extension to install them. Once they are all installed, you could do composer update by itself and it will update everything, however, warning: running composer update (alone without stating a package) will also update core dependencies. There is no 100% guarantee that this will not break your site. Typically it won't. If you keep regular backups of your site and you don't care about having to restore from back up, then feel free to use composer update without mentioning a specific package. It definitely is a lot faster.

fakruzaruret

010101 composer update commmand does not update composer.json. İt change just composer.lock file. What is the reason?

jordanjay29

fakruzaruret This might be a question better directed at Composer and its developers, btw.

clarkwinkelmann

There are many articles about how dependencies and lock files work, though I don't have a particular one to recommend. I found these while doing a quick search now:

https://stackoverflow.com/questions/10674641/composer-lock-how-does-it-work
https://www.engineyard.com/blog/composer-its-all-about-the-lock-file

But basically I'd say composer.json says what your requirements are. composer.lock says what is installed. The reason you don't specify exact versions in composer.json is because multiple extensions might have different constraints for some of the same dependencies. Your requirement will be something like "I want version 1 including any minor and bugfixes updates of extension A" (that's require). Then update looks at that and determines what the best version is for you. If next time you update your requirements have not changed (you still want version 1), then the line in composer.json doesn't need to change.

Only if you want a new version that doesn't fit the requirements from composer.json, then you need to use require.

It can be useful familiarizing with semver to understand the requirements https://semver.org/

Most usual is ^1.0.0: Version 1 including any minor and bugfix update. (major.minor.bugfix)

There's a special rule for 0.x packages though, where it's considered as 0.major.minor. So an update of requirements is necessary to go from ^0.1.0 to ^0.2.0.

In the case of Flarum there's no harm using require to perform the updates. Composer will tell you if you try doing something it doesn't like anyway. The only difference might be memory consumption, though I don't know which one uses more.