Dayle Rees has a post on his site that helps to demystify the composer.lock file for the Composer users out there - what it's for, how it works and why you may or may not want to have it in version control.
Everywhere that I go, conference, the supermarket, the dentist, building sites, people always ask me about the Composer lock file. It's a mystery that seems to cause confusion all across the globe. Well, boys and girls, I'm here today to de-mystify the lock file once and for all.
He starts with a new project and three simple dependencies, two with specific versions defined and one with a wildcard. Once a composer install is run, the packages are downloaded and the composer.lock file is created. He talks about the contents of the lock file and how they relate to the version of each library Composer has installed, the exact version to be precise. He then gets to the question many have about the lock file: should I commit it to my version control system? He suggests that, if you need exact versions installed, then yes. This keeps versions the same across a team and ensures other people working with the library are using compatible library versions. He ends the post talking about how to use the lock file (install vs update) and what changes could be made in one versus the other.
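To make the relationship between the two files concrete, here is an added Python example (not code from Dayle Rees' post or from Composer) that pairs each constraint in a composer.json with the exact version a composer.lock pins. The package names, versions and references are constructed sample data, and `is_floating` is a hypothetical heuristic, not Composer's own constraint parser.

```python
import json

# Constructed composer.json: two exact versions and one wildcard, as in the post.
MANIFEST = json.loads("""
{"require": {"acme/logger": "1.4.2", "acme/router": "2.0.1", "acme/mailer": "3.*"}}
""")

# Constructed composer.lock excerpt; acme/router is left out on purpose.
LOCK = json.loads("""
{"packages": [
  {"name": "acme/logger", "version": "1.4.2",
   "source": {"type": "git", "reference": "aaaa1111"}},
  {"name": "acme/mailer", "version": "3.2.7",
   "source": {"type": "git", "reference": "bbbb2222"}}
 ],
 "packages-dev": []}
""")


def is_floating(constraint):
    """Heuristic: True when the constraint can match more than one release."""
    return (any(ch in constraint for ch in "*^~<>|, ")
            or constraint.startswith("dev-") or ".x" in constraint)


def audit(manifest, lock):
    """Pair each requested constraint with the exact version the lock file pins."""
    pinned = {p["name"]: p
              for p in (lock.get("packages") or []) + (lock.get("packages-dev") or [])}
    rows = []
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            if "/" not in name:  # platform requirements such as "php" or "ext-json"
                continue
            pkg = pinned.get(name)
            rows.append({
                "name": name,
                "constraint": constraint,
                "floating": is_floating(constraint),
                "locked_version": pkg["version"] if pkg else None,
                "reference": (pkg.get("source") or {}).get("reference") if pkg else None,
            })
    return rows


if __name__ == "__main__":
    for row in audit(MANIFEST, LOCK):
        print(row)
```

A floating constraint with a locked version is the case where composer install reproduces the pinned release and composer update may move it; a requirement with no locked entry means the lock file no longer matches composer.json.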