Does the vendor folder need to be in the original control?
No , your vendor folder is not part of your source code and should not be registered with your git repository.
A good workflow would be:
- check your composer .json
- whenever you want to update your dependencies:
- run
composer update
in local repository - check modified
composer.lock
- Deploy and run
composer install
to production repository
- run
Why would you also check in composer.lock:
Yours composer.json
defines the valid versions of your dependencies that will be used at startup composer update
.
The problem that comes with using only composer.json
is to have reproducible assemblies (for example, exactly the same versions of your dependencies in all environments). This is why when starting the composer.lock
composer , if there is a file , composer will instead load the same dependencies as those written in the composer.lock file. Your file is composer.lock
updated whenever you run composer update
.
source to share