我有点搞不懂作曲家这个词。在具有存储库的应用程序中使用的锁。

我看到很多人说我们不应该。从存储库锁定。

如果我在开发环境中更新我的库,我将有一个新的作曲家。锁,但我将无法更新到生产,是吗?

它不会在这个文件上产生冲突吗?


当前回答

对于应用程序/项目:当然可以。

composer文档中强调了这一点:

提交应用程序的编写器。锁定(连同composer.json)到版本控制。

就像@meza说的:你应该提交锁文件,这样你和你的合作者就可以在同一组版本上工作,并防止你说“但它在我的电脑上工作”。: -)

对于图书馆:可能不会。

作曲家的文档中提到了这个问题:

注意:对于库,不一定建议提交锁文件(…)

并在这里声明:

对于你的库,你可以提交作曲家。如果你想锁定文件。这可以帮助您的团队始终针对相同的依赖版本进行测试。但是,这个锁文件不会对依赖于它的其他项目产生任何影响。它只对主要项目有影响。

对于图书馆,我同意@Josh Johnson的回答。

其他回答

在以两种方式做了几个项目后,我的立场是作曲家。Lock不应该作为项目的一部分提交。

作曲家。Lock是构建元数据,不是项目的一部分。依赖关系的状态应该通过您如何控制它们(手动或作为自动构建过程的一部分)来控制,而不是由上一个开发人员任意更新它们并提交锁文件。

如果你担心在编写器更新之间依赖关系的变化,那么你对自己的版本控制方案缺乏信心。版本(1.0、1.1、1.2等)应该是不可变的,你应该避免在初始特性开发之外使用“dev-”和“x *”通配符。

提交锁文件是依赖项管理系统的回归,因为依赖项版本现在已经回到隐式定义的状态。

此外,你的项目永远不应该在每个环境中重新构建或重新获取其依赖项,尤其是prodd。你的交付品(tar, zip, phar,一个目录等)应该是不可变的,并在环境中进行推广而不需要更改。

对于应用程序/项目:当然可以。

composer文档中强调了这一点:

提交应用程序的编写器。锁定(连同composer.json)到版本控制。

就像@meza说的:你应该提交锁文件,这样你和你的合作者就可以在同一组版本上工作,并防止你说“但它在我的电脑上工作”。: -)

对于图书馆:可能不会。

作曲家的文档中提到了这个问题:

注意:对于库,不一定建议提交锁文件(…)

并在这里声明:

对于你的库,你可以提交作曲家。如果你想锁定文件。这可以帮助您的团队始终针对相同的依赖版本进行测试。但是,这个锁文件不会对依赖于它的其他项目产生任何影响。它只对主要项目有影响。

对于图书馆,我同意@Josh Johnson的回答。

如果你担心你的代码被破坏,你应该提交编写器。锁定您的版本控制系统,以确保所有项目合作者使用相同版本的代码。如果没有锁定文件,您每次都会得到新的第三方代码。

例外情况是当你使用元应用程序时,需要在安装时更新依赖关系的库(如Zend Framework 2 Skeleton应用程序)。因此,目标是在每次开始开发时获取最新的依赖项。

来源:作曲者:It’s All About the Lock File

请参见:编写器更新和安装之间的区别是什么?

这个问题没有确切的答案。

一般来说,composer不应该做构建系统应该做的事情,你也不应该把composer放在上面。锁定VCS。作曲家可能会奇怪地把它写反了。最终用户而不是产品不应该使用锁文件。通常你的构建系统会保存快照、可重用的dirs等等,而不是每次都保存一个空的dir。从composer签出库的人可能希望该库使用锁,以便对库加载的依赖项进行测试。

另一方面,这会显著增加版本管理的负担,因为依赖关系将被严格锁定,因此几乎可以肯定每个库都需要多个版本。如果每个库可能都有一个稍微不同的版本,那么你需要一些多库版本支持,你也可以很快看到需要的依赖关系的大小,因此建议将它保留在叶子上。

Taking that on board, I really don't find lock files to be useful either libraries or your own workdirs. It's only use for me is in my build/testing platform which persists any externally acquired assets only updating them when requested, providing repeatable builds for testing, build and deploy. While that can be kept in VCS it's not always kept with the source tree, the build trees will either be elsewhere in the VCS structure or managed by another system somewhere else. If it's stored in a VCS it's debatable whether or not to keep it in the same repo as source trees because otherwise every pull can bring in a mass of build assets. I quite like having things all in a well arranged repo with the exception of production/sensitive credentials and bloat.

SVN can do it better than git as it doesn't force you to acquire the entire repo (though I suspect that's not actually strictly needed for git either but support for that is limited and it's not commonly used). Simple build repos are usually just an overlay branch you merge/export the build tree into. Some people combine exernal resources in their source tree or separate further, external, build and source trees. It usually serves two purposes, build caching and repeatable builds but sometimes keeping it separate on at least some level also permits fresh/blank builds and multiple builds easily.

对此有许多策略,但没有一种特别适合持久化源代码列表,除非您在源代码树中保留外部源代码。

文件中还有哈希值,两个人更新包时如何合并?光这一点就足以让你认为这可能是误解了。

The arguments people are putting forward for lock files are cases where they've taken a very specific and restrictive view of the problem. Want repeatable builds and consistent builds? Include the vendor folder in VCS. Then you also speed up fetching assets as well as not having to depend on potentially broken external resources during build. None of the build and deploy pipelines I create require external access unless absolutely necessary. If you do have to update an external resource it's once and only once. What composer is trying to achieve makes sense for a distributed system except as mentioned before it makes no sense because it would end up with library dependency hell for library updates with common clashes and updates being as slow as the slowest to update package.

此外,我更新猛烈。每次开发时,我都会更新和测试所有内容。有一个非常非常小的窗口,显著的版本漂移潜入。实际上,当支持语义版本时,这往往是为作曲家准备的,你不应该有那么多兼容性问题或损坏。

In composer.json you put the packages you require and their versions. You can lock the versions there. However those packages also have dependencies with dynamic versions that wont be locked by composer.json (though I don't see why your couldn't also put them there yourself if you do want them to be version locked) so someone else running composer install gets something different without the lock. You might not care a great deal about that or you might care, it depends. Should you care? Probably at least a little, enough to ensure you're aware of it in any situation and potential impact, but it might not be a problem either if you always have the time to just DRY run first and fix anything that got updated.

The hassle composer is trying to avoid sometimes just isn't there and the hassle having composer lock files can make is significant. They have absolutely no right to tell users what they should or shouldn't do regarding build versus source assets (whether to join of separate in VCS) as that's none of their business, they're not the boss of you or me. "Composer says" isn't an authority, they're not your superior officer nor do they give anyone any superiority on this subject. Only you know your real situation and what's best for that. However, they might advise a default course of action for users that don't understand how things work in which case you might want to follow that but personally I don't think that's a real substitute for knowing how things work and being able to properly workout your requirements. Ultimately, their answer to that question is a best guess. The people who make composer do not know where you should keep your composer.lock nor should they. Their only responsibility is to tell you what it is and what it does. Outside of that you need to decide what's best for you.

Keeping the lock file in is problematic for usability because composer is very secretive about whether it uses lock or JSON and doesn't always to well to use both together. If you run install it only uses the lock file it would appear so if you add something to composer.json then it wont be installed because it's not in your lock. It's not intuitive at all what operations really do and what they're doing in regards to the json/lock file and sometimes don't appear to even make sense (help says install takes a package name but on trying to use it it says no).

要更新锁或应用json中的更改,你必须使用update,你可能不想更新所有内容。锁优先选择应该安装什么。如果有一个锁文件,它就是所使用的。你可以在一定程度上限制更新,但系统仍然一团糟。

更新需要一段时间,几gb的内存。我也怀疑,如果你拿起一个项目,它已经有一段时间没有被碰过了,从它的版本来看,随着时间的推移,它可能不会有效地做到这一点,这只是扼杀它。

当涉及到秘密的复合命令时,它们非常非常狡猾,你不能期望它是复合的。默认情况下,composer remove命令似乎映射到composer update和composer remove。

你真正需要问的问题不是你是否应该把锁保存在你的源树中,或者你是否应该以某种方式将它保存在某个地方,而是你应该问它实际上是做什么的,然后你可以自己决定什么时候需要将它保存在哪里。

I will point out that having the ability to have the lock is a great convenience when you have a robust external dependency persistence strategy as it keeps track of you the information useful for tracking that (the origins) and updating it but if you don't then it's neither here not there. It's not useful when it's forced down your throat as a mandatory option to have it polluting your source trees. It's a very common thing to find in legacy codebases where people have made lots of changes to composer.json which haven't really been applied and are broken when people try to use composer. No composer.lock, no desync problem.

对于任何在Heroku上的人来说,答案都是明确的“是的,应该承诺”:

如果作曲家。Json在它的require部分指定了任何类型的依赖项,对应的编写器。运行composer update生成的锁也必须提交到存储库,否则推送将被拒绝。

源码:Heroku PHP支持:激活。