Composer: how can I install another dependency without updating old ones?

composer-php

I have a project with a few dependencies and I'd like to install another one, but I'd like to keep the others the way they are. So I've edited the composer.json, but if I run composer install, I get the following output:

Installing dependencies from lock file
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. Run update to update them.
Your requirements could not be resolved to an installable set of packages.

Problem 1
    - laravel/framework dev-master requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system.
    - laravel/framework dev-master requires ext-mcrypt * -> the requested PHP extension mcrypt is missing from your system.
    - Installation request for laravel/framework dev-master -> satisfiable by laravel/framework dev-master.

First of all, I do have mcrypt installed, so I don't know why it's complaining about that there.

So, how can I install this new dependency?

My composer.json:

{
    "require": {

        "opauth/opauth": "*",
        "opauth/facebook": "*",
        "opauth/google": "*",
        "opauth/twitter": "*",

        "imagine/Imagine": "dev-develop",

        "laravel/framework": "4.*",
        "loic-sharma/profiler": "dev-master"
    },
    "autoload": {
        "classmap": [
            "app/libraries",
            "app/commands",
            "app/controllers",
            "app/models",
            "app/database/migrations",
            "app/tests/TestCase.php"
        ]
    },
    "minimum-stability": "dev"
}

The mcrypt warning could be from multiple php installs… the php with mcrypt extension may not be the same install as your php-cli

alcohol

To install a new package and only that, you have two options:

Using the require command, just run: composer require new/package Composer will guess the best version constraint to use, install the package, and add it to composer.lock. You can also specify an explicit version constraint by running: composer require new/package ~2.5

–OR–

Using the update command, add the new package manually to composer.json, then run: composer update new/package

If Composer complains, stating "Your requirements could not be resolved to an installable set of packages.", you can resolve this by passing the flag --with-dependencies. This will whitelist all dependencies of the package you are trying to install/update (but none of your other dependencies).

Regarding the question asker's issues with Laravel and mcrypt: check that it's properly enabled in your CLI php.ini. If php -m doesn't list mcrypt then it's missing.

Important: Don't forget to specify new/package when using composer update! Omitting that argument will cause all dependencies, as well as composer.lock, to be updated.

I received the message "Package [...] listed for update is not installed. Ignoring."

This doesn't work for me. I'm told 'Package "x/y" listed for update is not installed. Ignoring." and then it goes about updating everything. So it doesn't install the new package I want and it updates everything else, which is exactly the opposite of what I want.

It just doesn't work. "Your requirements could not be resolved to an installable set of packages." (and text about some old packages, not related at all to which I ask) when I ask just update one package.

@tremby Works just fine here. Maybe you forgot to add "new/package" : "*", in composer.json "require" section?

@OZ_ Even if only one dependency is to be installed, it still needs to be resolved first to make sure it does not conflict with your other dependencies.

Matthemattics

Actually, the correct solution is:

composer require vendor/package

Taken from the CLI documentation for Composer:

The require command adds new packages to the composer.json file from the current directory. php composer.phar require After adding/changing the requirements, the modified requirements will be installed or updated. If you do not want to choose requirements interactively, you can just pass them to the command. php composer.phar require vendor/package:2.* vendor/package2:dev-master

While it is true that composer update installs new packages found in composer.json, it will also update the composer.lock file and any installed packages according to any fuzzy logic (> or * chars after the colons) found in composer.json! This can be avoided by using composer update vendor/package, but I wouldn't recommend making a habit of it, as you're one forgotten argument away from a potentially broken project…

Keep things sane and stick with composer require vendor/package for adding new dependencies! 😉

But will using composer require update the composer.lock file?

this will however, update other packages, which was a requirement of the question.

Andrew

We can install a new package without updating other dependencies like this:

 composer require package/name --no-update

this will add your package to composer.json (no update to composer.lock)

composer update package/name

this will now install/update your new package, adding it to composer.lock without updating other deps

tremby

My use case is simpler, and fits simply your title but not your further detail.

That is, I want to install a new package which is not yet in my composer.json without updating all the other packages.

The solution here is composer require x/y

Xavi Montero

In my case, I had a repo with:

requirements A,B,C,D in .json

but only A,B,C in the .lock

In the meantime, A,B,C had newer versions with respect when the lock was generated.

For some reason, I deleted the "vendors" and wanted to do a composer install and failed with the message:

Warning: The lock file is not up to date with the latest changes in composer.json.
You may be getting outdated dependencies. Run update to update them.
Your requirements could not be resolved to an installable set of packages.

I tried to run the solution from Seldaek issuing a composer update vendorD/libraryD but composer insisted to update more things, so .lock had too changes seen my my git tool.

The solution I used was:

Delete all the vendors dir. Temporarily remove the requirement VendorD/LibraryD from the .json. run composer install. Then delete the file .json and checkout it again from the repo (equivalent to re-adding the file, but avoiding potential whitespace changes). Then run Seldaek's solution composer update vendorD/libraryD

It did install the library, but in addition, git diff showed me that in the .lock only the new things were added without editing the other ones.

(Thnx Seldaek for the pointer ;) )

that's an overkill. just delete the lock file and run composer install. it works

That stays true for non-pro environments, where you can happily rebuild the dependencies and if something breaks you go and fix it. But if for you, servers failing mean you loose $10.000 per hour, then you don't doubt that the composer.lock should never be happily deleted and rebuilt. .lock is... for locking!! ;D - otherwise the lock file would be useless and you wouldn't be commiting it or it wouldn't exist at all. If you run in a quality-oriented company and rebuild and commit a lock with say 1.000 dependencies, all of them will change, and QA people will come to kill you hahaha.

Hey @astroanu just to clarify that if you installed a dependency at an earlier date and some of it's dependency were grabbing the the latest version of dev master then there could be significant issues in simply deleting the composer.lock and just hitting install. If you have not had an opportunity to verify the impact of introducing a dependency then there is potential for unexpected outcomes and possibly creating a poor experience for users.

of course, deleting the lock file and running install/update or running update even without deleting the lock file will impact the applications stability. Composer update should be run on dev environment only. On production always use composer install because the production build is tested against what's saved on the lock file.