Composer update - Git status

I initialized a git repository in a Yii 2 project. If I type “composer update” several packages are updated, but if then I type “git status” only “composer.lock” shows as modified. Is this normal? What should I do?

Yes, it is normal; vendor was ignored by the .gitignore file.

You can ignore composer.lock (recommended) or commit it.

Ok, I see. But why is vendor ignored by default? I don’t understand… Could I remove vendor from the gitignore file so that it is not ignored by Git?

Yes, you can, but it is not recommended, because the vendor packages and composer.lock are relative to your environment, such as PHP version, development or production (--no-dev) environment, and if you work with others on the same repository, it will cause conflicts.

Ok, thanks. So I should do two “composer update”: one on localhost and the other in production. Is that right?

The short answer is yes, but in the production environment, you may need to use the --no-dev argument and optimize the autoloader; the details can be found in the composer documentation.

If I “composer update” in production the application works fine, but if I “composer update --no-dev” in production the application shows this error. What should I do?

It is about your configuration (main-local.php or web-local.php etc.); you should disable your debug module in production.

I changed main-local.php and now it’s working!! Concretely I changed the first line of the YII_ENV_TEST block. Was what I did correct, or is there a better approach?

If you are using the advanced template, there is an initialization script called init. You could try it; it will help you to generate dev/prod environment configurations, entry scripts etc.

For this case, you can delete or comment out this configuration in production.

Further information can be found in the guide. It may save you time.

Definitely not. You should run composer update on your dev environment (localhost), commit the generated composer.lock file (the vendor directory should be ignored) and then on production run composer install --no-dev instead of composer update. In this way you can be sure that on production you will have the same versions of libraries as on dev (composer install will install the dependencies specified in composer.lock) and you will get a much faster and lighter installation (composer update is slow and requires a lot of memory - you may be unable to run it on some servers).


If I commit composer.lock I get this error message when pulling in production:

error: Your local changes to the following files would be overwritten by merge:
Please commit your changes or stash them before you merge.

That is because you’ve already run composer update on production. Revert these changes:

git checkout -- composer.lock

And then pull changes from repo and install dependencies:

git pull
composer install --no-dev
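
The workflow described in the thread can be verified on the server after deployment. The following is an added example, not code from the thread or from Composer: it compares the committed composer.lock with vendor/composer/installed.json and reports version drift and dev packages such as the debug module. The function names and the sample version numbers are constructed for illustration; the JSON keys are the ones Composer writes.

```python
import json
from pathlib import Path


def check_lock_drift(lock, installed):
    """Return sorted findings; an empty list means vendor matches the lock as a --no-dev install."""
    # Composer 2 wraps the package list in {"packages": [...]}; Composer 1 wrote a bare list.
    pkgs = installed["packages"] if isinstance(installed, dict) else installed
    have = {p["name"]: p["version"] for p in pkgs}
    want = {p["name"]: p["version"] for p in lock.get("packages", [])}
    dev_only = {p["name"] for p in lock.get("packages-dev") or []} - set(want)
    findings = []
    for name, version in want.items():
        if name not in have:
            findings.append(f"missing: {name} {version}")
        elif have[name] != version:
            findings.append(f"version drift: {name} locked {version}, installed {have[name]}")
    for name in have:
        if name in dev_only:
            findings.append(f"dev package in production: {name}")
        elif name not in want:
            findings.append(f"not in lock: {name}")
    return sorted(findings)


def check_project(root):
    """Load both files from a project directory and compare them."""
    root = Path(root)
    lock = json.loads((root / "composer.lock").read_text())
    installed = json.loads((root / "vendor/composer/installed.json").read_text())
    return check_lock_drift(lock, installed)


# Constructed sample data: the lock as committed from the dev machine ...
SAMPLE_LOCK = {
    "packages": [{"name": "yiisoft/yii2", "version": "2.0.45"},
                 {"name": "yiisoft/yii2-bootstrap", "version": "2.0.11"}],
    "packages-dev": [{"name": "yiisoft/yii2-debug", "version": "2.1.19"}],
}
# ... and a vendor directory left behind by "composer update" run on production.
SAMPLE_INSTALLED = {
    "packages": [{"name": "yiisoft/yii2", "version": "2.0.47"},
                 {"name": "yiisoft/yii2-bootstrap", "version": "2.0.11"},
                 {"name": "yiisoft/yii2-debug", "version": "2.1.19"}],
}

if __name__ == "__main__":
    for finding in check_lock_drift(SAMPLE_LOCK, SAMPLE_INSTALLED):
        print(finding)
```

Run as a post-deploy step, `check_project("/path/to/app")` should return an empty list after `composer install --no-dev`; any finding means the server is not running the dependency set that was committed.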