php composer.lock: how does it work?

Notice: this page is a side-by-side Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/10674641/

Time: 2020-08-24 22:46:52  Source: igfitidea

composer.lock: how does it work?

php dependency-management package-managers composer-php

Asked by HappyDeveloper

I'm trying to understand this part: http://getcomposer.org/doc/02-libraries.md#lock-file

"this lock file will not have any effect on other projects that depend on it. It only has an effect on the main project"

Does that mean that if project P depends on library A, and library A depends on library B v1.3, project P won't care about the version of library B, and will possibly install B 1.4 instead? What's the point then?

Or does it mean the opposite, as one would expect from a dependency manager?

Answered by naderman

Composer dependencies are defined in composer.json. When running composer install for the first time, or when running composer update, a lock file called composer.lock will be created.

The quoted documentation refers to the lock file only. If your project P depends on library A and A depends on B v1.3.*, then if A contains a lock file saying someone ran "composer update" resulting in B v1.3.2 being installed, then installing A in your project P might still install 1.3.3, as the composer.json (not .lock!) defined the dependency to be on 1.3.*.

Lock files always contain exact version numbers, and are useful to communicate the version you tested with to colleagues or when publishing an application. For libraries the dependency information in composer.json is all that matters.

Answered by Dilhan Maduranga

composer.lock records the exact versions that are installed, so that you are on the same versions as your co-workers.

composer install

  • Check for composer.lock file
  • If not, auto generate composer.lock file (Using composer update)
  • Install the specified versions recorded in the composer.lock file

composer update

  • Go through the composer.json file
  • Check availability of newer (latest) versions, based on the version criteria mentioned (e.g. 1.12.*)
  • Install the latest possible (according to above) versions
  • Update composer.lock file with installed versions

So in a simple check list.

If you want to keep all co-workers in the same versions as you...

  • Commit your composer.lock to GIT (or vcs you have)
  • Ask others to get that version of composer.lock file
  • Always use composer install to get the correct dependencies

If you want to Upgrade the system dependencies to new versions

  • Check the composer.json file for version specs.
  • Do a composer update
  • This will change the composer.lock file with newest versions
  • Commit it to the GIT (or vcs)
  • Ask others to get it and composer install

Following will be a very good reading
https://blog.engineyard.com/2014/composer-its-all-about-the-lock-file

Enjoy the power of composer.lock file!

Answered by Shahzaib Hayat Khan

The point of the lock file is to record the exact versions that are installed so they can be re-installed. This means that if you have a version spec of 1.* and your co-worker runs composer update which installs 1.2.4, and then commits the composer.lock file, when you composer install, you will also get 1.2.4, even if 1.3.0 has been released. This ensures everybody working on the project has the same exact version. Read more here: Composer: It's All About the Lock File
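
The behaviour the answers above describe (project P, library A, library B, and the install/update steps), as an added example that is not part of the original answers: a small Python model, not Composer's real resolver. Package names, versions and the functions `install`, `update`, `satisfies` and `scenario` are constructed for illustration, and only exact and `*` wildcard constraints are modelled.

```python
# Added illustration, not Composer's real resolver. All names are constructed.
# Registry: package -> release -> that release's composer.json "require".
REGISTRY = {
    "vendor/a": {"1.0.0": {"vendor/b": "1.3.*"}},
    "vendor/b": {"1.3.2": {}, "1.3.3": {}, "1.4.0": {}},
}
# Library A's own composer.lock, written when B 1.3.2 was the newest 1.3.x.
# Nothing below reads it: only the root project's lock file is consulted.
A_LOCK = {"vendor/b": "1.3.2"}


def key(version):
    return tuple(int(part) for part in version.split("."))


def satisfies(version, constraint):
    """Model only exact versions and wildcards such as 1.3.* or 1.*"""
    want, have = constraint.split("."), version.split(".")
    if "*" not in want:
        return want == have
    return all(w == "*" or w == h for w, h in zip(want, have))


def update(root_require, registry):
    """composer update: newest release matching each composer.json constraint,
    followed transitively; returns the new root lock (name -> exact version)."""
    lock, todo = {}, list(root_require.items())
    while todo:
        name, constraint = todo.pop()
        if name in lock:  # conflict handling is out of scope for this model
            continue
        lock[name] = max((v for v in registry[name] if satisfies(v, constraint)), key=key)
        todo.extend(registry[name][lock[name]].items())
    return lock


def install(root_require, root_lock, registry):
    """composer install: replay the root lock if it exists, else do an update."""
    return dict(root_lock) if root_lock is not None else update(root_require, registry)


def scenario():
    p_require = {"vendor/a": "1.0.*"}              # project P's composer.json
    first = install(p_require, None, REGISTRY)     # P has no lock yet
    newer = {**REGISTRY, "vendor/b": {**REGISTRY["vendor/b"], "1.3.4": {}}}
    coworker = install(p_require, first, newer)    # B 1.3.4 now exists
    return first, coworker, update(p_require, newer)


if __name__ == "__main__":
    print(scenario())
```

In `scenario()`, the first install pins B at 1.3.3 rather than the 1.3.2 recorded in A's lock, the co-worker's install replays that pin even though 1.3.4 exists, and only `update` moves the pin to 1.3.4.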