composer install, it’s probably mostly almost safe” criticism, but actually it’s quite tricky to run Composer without excluding
vendor/ from source control so I thought I’d share how we did it so that anyone who wants to do so can learn from my experience!
The Prescribed Method
Let’s start with the usual method of using composer:
- composer.json to describe the dependencies
- composer update to find specific versions of those dependencies and write exact versions to composer.lock. Repeat this step if
- Add the .gitignore, but add the
- composer install on all platforms (and do this again whenever
That’s the basic composer pattern, and it works well. Most people should do it this way.
Checking Libraries into Git
There are a few reasons you might want to check your dependencies into source control yet still use composer, such as:
- Either your users or your tools aren’t ready to start using composer yet
- Your live servers don’t have internet access so dependencies need to be packaged with code
- Running composer on live scares you because it’s recently had some bad security press
- You like composer for managing dependencies, or think it will become production-ready soon, but you’re not running it on live yet – because you, your sysadmins or your IT director aren’t ready
When I tried to just commit my vendor directory, some git submodule weirdness ensued, and in fact, the documentation does cover this:
Adding dependencies installed via git to a git repo will show them as submodules. This is problematic because they are not real submodules, and you will run into issues.
I did, indeed, run into issues.
The workaround (from the same docs) is to add a .gitignore line that ignores all .git directories within your vendor directory. So add this line to the .gitignore file at the same level as
Now when you install dependencies with composer (I found I had to git rm my entire vendor directory, commit, and then composer install again to clean up my earlier mistakes) you can safely add the vendor directory to the project and treat it as a library directory you had unzipped downloaded packages to. Apart from its fabulous autoloader and easy-to-update format, that is :)
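A way to check whether a repository is in the broken pseudo-submodule state described above, before or after the cleanup. This is an added example, not code from the original post or from Composer; the function names are hypothetical, and it assumes the dependencies live in vendor/ at the project root.

```shell
#!/bin/sh
# Added example: detect vendored packages that git treats as embedded
# repositories. Function names are hypothetical; vendor/ is assumed to sit
# at the project root passed as the first argument.

# Paths under vendor/ recorded in the index as gitlinks (mode 160000).
# These are the entries that show up as submodules without being real ones:
# the parent repository stores only a commit id, not the library's files.
vendor_gitlinks() {
    git -C "$1" ls-files -s -- vendor |
        awk '$1 == "160000" { sub(/^[^\t]*\t/, ""); print }'
}

# Nested .git directories (or .git files) still present in the working tree
# under vendor/, left behind by packages that were installed from git.
vendor_nested_git() {
    [ -d "$1/vendor" ] || return 0
    (cd "$1" && find vendor -name .git -prune -print | sort)
}

# Returns 0 when vendor/ is clean, 1 (with a report on stdout) otherwise,
# so it can be called from a pre-commit hook or a CI step.
check_vendor() {
    links=$(vendor_gitlinks "$1" 2>/dev/null)
    nested=$(vendor_nested_git "$1")
    if [ -z "$links" ] && [ -z "$nested" ]; then
        return 0
    fi
    [ -z "$links" ] || printf '%s\n' "$links" | sed 's/^/gitlink in index: /'
    [ -z "$nested" ] || printf '%s\n' "$nested" | sed 's/^/nested repository: /'
    return 1
}

# Usage: check_vendor /path/to/project
```

A gitlink reported here means the library's source is not actually in your repository, so a checkout on a server without internet access would get an empty directory for that package.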