Should composer.lock be committed to version control?

Question

I'm a little confused with composer.lock used in an application with a repository.

I saw many people saying that we should not .gitignore composer.lock from the repository.

If I update my libraries in my dev environment, I will have a new composer.lock but I will not be able to update them into production, will I?

Won't it generate conflicts on this file?

Answer 1

When you update your libs, you also want to commit the lockfile.

In other words, it states that your project is locked to those specific versions of the libs you are using.

But if you commit your changes, and then someone pulls your code and updates the dependencies, the lockfile should be unmodified.

That is the reason why having it in the repository assures you that each developer is using the same versions.