Locking Yii 2 package versions with composer.lock

OK, you have installed a Yii 2 basic or advanced app for the first time and completed the post-install steps. You have also picked up a few extensions and installed them for the first time. You should already see a composer.lock file in your application root folder.

Here are a few tips on using this file to lock your package versions for future composer updates.

Suppose you want to lock a specific Bootstrap version for this package: yiisoft/yii2-bootstrap. It is assumed you have already installed the yiisoft/yii2-bootstrap extension for the first time.

STEP 1: Editing composer.lock

You would see an entry similar to this in your composer.lock file in your Yii 2 app root:

    {
        "name": "yiisoft/yii2-bootstrap",
        "version": "dev-master",
        "source": {
            "type": "git",
            "url": "https://github.com/yiisoft/yii2-bootstrap.git",
            "reference": "86e22d908151de4fb93f898562afc3cc36ec96c1"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/yiisoft/yii2-bootstrap/zipball/86e22d908151de4fb93f898562afc3cc36ec96c1",
            "reference": "86e22d908151de4fb93f898562afc3cc36ec96c1",
            "shasum": ""
        },
        "require": {
            "twbs/bootstrap": "3.1.* | 3.0.*",
            "yiisoft/yii2": "*"
        },
        "type": "yii2-extension",
        "autoload": {
            "psr-4": {
                "yii\\bootstrap\\": ""
            }
        },
        "notification-url": "https://packagist.org/downloads/",
        "license": [ ... ],
        "authors": [
            {
                "name": "Qiang Xue",
                "email": "qiang.xue@gmail.com",
                "homepage": "http://www.yiiframework.com/",
                "role": "Founder and project lead"
            }
        ],
        "description": "The Twitter Bootstrap extension for the Yii framework",
        "keywords": [ ... ],
        "time": "2014-05-05 12:12:21"
    }

To make the extension dependent on a specific Bootstrap version (say 3.0 only), change the following lines in your composer.lock file:

    "require": {
        "twbs/bootstrap": "3.0.*",
        "yiisoft/yii2": "*"
    },

STEP 2: Future Composer Updates

You can repeat step 1 to lock dependencies for all your extensions (e.g. kartik-v/yii2-widgets, or any other extension). Check extension compatibility for each dependency version you lock, though.

The only thing to ensure is that future updates to packages through composer should now be done this way:

    php composer.phar install

The above command installs/updates/removes everything to the state of the composer.lock file.


The difference is that you do not run php composer.phar update when you want everything to follow your composer.lock settings.
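A consistency check for the edit in STEP 1, as an added example that is not part of the original post and is not Composer's own code: it reads a lock file and reports any package whose "require" constraint is not met by the version actually locked for that dependency, plus any branch version with no commit reference. The sample lock content, the twbs/bootstrap version in it, and the function names are constructed for illustration; only the constraint forms shown on this page ("*", "X.Y.*", exact versions and "|" alternatives) are evaluated.

```python
import json

# Constructed sample: a trimmed composer.lock after the STEP 1 edit.
# The twbs/bootstrap entry and its version are assumptions for illustration.
SAMPLE_LOCK = json.loads("""
{"packages": [
  {"name": "yiisoft/yii2-bootstrap", "version": "dev-master",
   "source": {"type": "git", "reference": "86e22d908151de4fb93f898562afc3cc36ec96c1"},
   "require": {"twbs/bootstrap": "3.0.*", "yiisoft/yii2": "*"}},
  {"name": "twbs/bootstrap", "version": "v3.1.1", "require": {}}
]}
""")


def matches(version, constraint):
    """True/False for the constraint forms on this page; None if not evaluated."""
    version = version.lstrip("v")
    results = []
    for alt in (a.strip() for a in constraint.split("|")):
        if alt == "*":
            results.append(True)
        elif alt.endswith(".*"):
            results.append(version.startswith(alt[:-1]))  # "3.0.*" -> prefix "3.0."
        elif alt.replace(".", "").isdigit():
            results.append(version == alt)
        else:
            results.append(None)  # range operators etc. are out of scope here
    if True in results:
        return True
    return None if None in results else False


def audit_lock(lock):
    """Return (package, finding) pairs for entries that undermine the pinning."""
    locked = {p["name"]: p["version"] for p in lock.get("packages", [])}
    findings = []
    for pkg in lock.get("packages", []):
        ref = pkg.get("source", {}).get("reference")
        if pkg["version"].startswith("dev-") and not ref:
            findings.append((pkg["name"], "branch version with no commit reference"))
        for dep, constraint in pkg.get("require", {}).items():
            if dep in locked and matches(locked[dep], constraint) is False:
                findings.append((pkg["name"], f"requires {dep} {constraint}, lock has {locked[dep]}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {finding}")
```

To run it against a real project, pass `json.load(open("composer.lock"))` to `audit_lock` before committing the edited lock file.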
