These are chat archives for composer/composer
composer.lockthen all packages would come from GitHub? and it checks packagist.org as well? or could packafist.org tell composer to go someplace other than GitHub?
composer.jsonthen all packages...
composer.jsonpoint to package indexes other than
packagist.org, but those can in turn point to content anywhere other than GitHub
composer.lockfile. is it safe to assume that if all the
"url"values in it point to GitHub that all the dependencies will reside on GitHub (at least for now)?
composer update. You should be in the clear for
composer install, given the scenario you described.
composer installwill work in that environment,
composer updatemay not.
composer updatein production, though; he should be doing it elsewhere and then committing the
composer.lockfile once he's vetted it, and only ever running
composer installin production.
composer.lockand I run
composer installto get them