Composer bump

Do you miss having the version numbers of your PHP dependencies automatically updated in the composer.json file after a composer update?
Just like npm or yarn update the version numbers in the package.json file.

Then upgrade to Composer 2.4 and say hi to composer bump.
This version introduced a new command, composer bump, which updates your composer.json file to the precise versions pinned in the composer.lock file.
It basically syncs composer.json with the composer.lock versions and keeps the caret version constraints, so you can still make minor or patch version upgrades.

The effect is that the version constraints are hardened and you will not be able to install versions lower than the currently installed version.
If the versions in the composer.json file are not updated, you do not have a precise version base and could install lower versions than actually required.
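The floor-raising effect described above, as an added example that is not from the original post and is not Composer's own code: a simplified Python model that compares caret constraints in composer.json with the versions in composer.lock and reports the constraints a bump would raise. The package names and versions are constructed, and the assumption is that only plain caret constraints are handled; Composer's real logic covers more constraint forms and may format the result differently.

```python
import json
import re

# Constructed sample files; package names and versions are made up.
COMPOSER_JSON = json.loads("""{
  "require": {
    "php": "^8.1",
    "acme/http-client": "^2.1",
    "acme/logger": "^1.0.4",
    "acme/legacy": "~3.2"
  }
}""")
COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "acme/http-client", "version": "v2.6.3"},
    {"name": "acme/logger", "version": "1.0.4"},
    {"name": "acme/legacy", "version": "3.2.9"}
  ]
}""")

VERSION = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse(version):
    """'v2.6.3' or '2.1' -> (2, 6, 3) / (2, 1, 0); None for dev branches etc."""
    match = VERSION.match(version)
    return tuple(int(g or 0) for g in match.groups()) if match else None


def bump_plan(manifest, lock, section="require"):
    """Return {package: new caret constraint} where the lock is ahead of the floor."""
    locked = {p["name"]: p["version"]
              for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    plan = {}
    for name, constraint in manifest.get(section, {}).items():
        # Platform packages (php, ext-*) are not in the lock file; this
        # simplified model also leaves every non-caret constraint untouched.
        if name not in locked or not constraint.startswith("^"):
            continue
        floor, installed = parse(constraint[1:]), parse(locked[name])
        if floor and installed and installed > floor:
            plan[name] = "^" + ".".join(map(str, installed))
    return plan


if __name__ == "__main__":
    for package, constraint in bump_plan(COMPOSER_JSON, COMPOSER_LOCK).items():
        old = COMPOSER_JSON["require"][package]
        print(f"{package}: {old} -> {constraint}")
```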

Another benefit is that you can more easily read the currently installed version number of your dependencies.
Otherwise you would need to grep through the composer.lock file, which is much less readable and more cumbersome.
Some IDEs like PhpStorm help here, though, by showing the installed version behind the dependency constraint in the composer.json file in the editor pane (see below).

Before composer bump:

Not updated version constraints after composer update.

After composer bump:

Updated version constraints after composer bump.

Note that composer bump is beneficial on projects but should be avoided in libraries, because it could accidentally limit the versions in which you can use the library.


Also, it might be a good idea to have an option on composer update that integrates the composer bump functionality.