These are chat archives for composer/composer
StillDreamingeven though it should be
composer.lockdoes just that: it locks your dependencies at specific versions. (That is to say, never run
composer updatein Prod, because it ignores the lock file and just grabs the latest versions of everything that match your constraints, which can introduce any unforseen problem into your code-base!)
vendor, and then run
composer.lockhandy, and ideally, source-controlled)
vendordirectory under version-control. The biggest one is no Internet access in the build environment.
vendorunder version control and I don't do anything with composer on production.
composer updatein a local/dev environment, and vet the changes before committing
vendorunder version control and use
composerin some way on production to get changes