What are the differences between `composer update` and `composer install`?

5 Answers
composer update
`composer update` will update your dependencies as they are specified in `composer.json`.
For example, if you require this package as a dependency:
"mockery/mockery": "0.9.*",
and you have actually installed the 0.9.1 version of the package, running `composer update` will cause an upgrade of this package (for example to 0.9.2, if it's already been released).
In detail, `composer update` will:
- Read `composer.json`
- Remove installed packages that are no longer required in `composer.json`
- Check the availability of the latest versions of your required packages
- Install the latest versions of your packages
- Update `composer.lock` to store the installed packages' versions
composer install
`composer install` will not update anything; it will just install all the dependencies as specified in the `composer.lock` file.
In detail:
- Check if `composer.lock` file exists (if not, it will run `composer update` and create it)
- Read `composer.lock` file
- Install the packages specified in the `composer.lock` file
When to install and when to update
`composer update` is mostly used in the 'development phase', to upgrade our project packages according to what we have specified in the `composer.json` file.
`composer install` is primarily used in the 'deploying phase' to install our application on a production server or on a testing environment, using the same dependencies stored in the composer.lock file created by composer update.
- You didn't describe what will be if we have no lock file and call composer install. Nice description btw. – user1954544 Jun 23 '17 at 15:36
- Important thing that might bite you one day - lock file is not recursive. If some package has loosely defined dependencies and if you happen to grab a clean copy of a project on a clean machine, it may install different versions of nested dependencies, which might include new bugs or even breaking changes! Especially relevant on continuous integration & build servers. The solution - hunt for the nested problematic package and add its fixed good version to json and lock file. – JustAMartin Sep 06 '17 at 10:25
- and `composer global update` updates dependencies in your global repository on local system (`COMPOSER_HOME` env variable) – Yousha Aleayoub Oct 18 '17 at 20:20
- Then, how could I safely update a specific package on a production server? – Michel Feb 26 '18 at 06:08
- @Michel You should first run `composer update` on your local system and test your application, then upload the composer.lock on your production server and run `composer install` – Amin Shojaei Dec 30 '19 at 05:58
- Very good explanation here too : https://daylerees.com/the-composer-lock-file/ – St3an Jun 02 '20 at 07:43
- I suggest you to add a precision: a `composer update` will also install the dependencies which appeared into composer.json (at the root packages or dependencies) since the last `composer install`. An `install` is not sufficient to download and install those new dependencies. – Julien Fastré Mar 24 '23 at 15:42
When you run `composer install` it will look for a lock file and install whatever is contained in it; if it can't find one, it'll read `composer.json`, install its dependencies and generate a lockfile.
When you run `composer update` it simply reads `composer.json`, installs the dependencies and updates the lockfile (or creates a new lockfile).

composer install
- If `composer.lock` does exist.
  - Processes and installs dependencies from the `composer.lock` file.
- If `composer.lock` does not exist.
  - Process package installs from `composer.json`.
  - Creates the `composer.lock` file based on the installed packages.
As per: `composer help install`:
The install command reads the `composer.lock` file from the current directory, processes it, and downloads and installs all the libraries and dependencies outlined in that file. If the file does not exist it will look for `composer.json` and do the same.
composer update
- Processes dependencies from the `composer.json` file (installs, updates and removes).
- Creates or updates the `composer.lock` file according to the changes.
As per: `composer help update`:
The update command reads the `composer.json` file from the current directory, processes it, and updates, removes or installs all the dependencies.
See also: Composer: It’s All About the Lock File
- composer install point 3 doesn't make sense. If .lock file already exists it will just read it and never "update" it. It is only created if it doesn't exist yet.. – Ben May 03 '18 at 11:23
composer install
if(composer.lock existed){
    installs dependency with EXACT version in composer.lock file
} else {
    installs dependency with LATEST version in composer.json
    generate the composer.lock file
}
composer update
composer update = remove composer.lock -> composer install
Why do we need 2 commands? I think it can be explained by composer.lock.
Imagine we DON'T have `composer.lock` and in `composer.json` there is a dependency `"monolog/monolog": "1.0.*"` or `"monolog/monolog": "^1.0"`.
Then there will be some cases:
- We are working well today with the current dependency version (e.g. 1.0.0), but a few months later the dependency updates (e.g. 1.0.1) and it possibly has some bug
- Another team member may have a different dependency version if they run `composer install` at a different time.
What if we always use an EXACT version in `composer.json` such as `"monolog/monolog": "1.0.1"`?
We still need `composer.lock` because `composer.json` only tracks the main version of your dependency; it cannot track the version of dependencies of a dependency.
What if all dependencies of dependency also use the EXACT version?
Imagine you begin with ALL dependencies which use the EXACT version, then you don't care about `composer.lock`. However, a few months later, you add a new dependency (or update an old dependency), and the dependencies of this dependency don't use the EXACT version. Then it's better to care about `composer.lock` at the beginning.
Besides that, there is an advantage of a semantic version over an exact version. We may update the dependency many times during development, and libraries often have some small changes such as bug fixes. Then it is easier to upgrade a dependency which uses a semantic version.

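Added example (not part of any answer on this page, and not Composer's own code): a small audit that compares the root requirements in `composer.json` with what `composer.lock` pins, showing that only the lock records exact versions for dependencies of dependencies. The sample files, the package `example/nested-lib`, its versions and the function name `audit_lock` are constructed for illustration.

```python
import json

# Constructed sample data, not from the page. "example/nested-lib" and every
# version except the answer's 1.0.1 are made up for illustration.
COMPOSER_JSON = json.loads("""
{"require": {"php": ">=7.2", "monolog/monolog": "^1.0", "twig/twig": "^2.0"}}
""")
COMPOSER_LOCK = json.loads("""
{"packages": [
   {"name": "monolog/monolog", "version": "1.0.1",
    "require": {"php": ">=5.3.0", "example/nested-lib": "~2.0"}},
   {"name": "example/nested-lib", "version": "2.3.4", "require": {}}
 ],
 "packages-dev": []}
""")


def is_platform(name):
    """php, ext-* and lib-* have no vendor/ prefix and are not lock packages."""
    return "/" not in name


def audit_lock(manifest, lock):
    """Compare root requirements in composer.json with what composer.lock pins."""
    locked = {p["name"]: p for key in ("packages", "packages-dev")
              for p in lock.get(key, [])}
    root = {name for key in ("require", "require-dev")
            for name in manifest.get(key, {}) if not is_platform(name)}
    nested = {n: p["version"] for n, p in locked.items() if n not in root}
    return {
        # Root requirements and the exact version `composer install` will use.
        "direct": {n: locked[n]["version"] for n in sorted(root & set(locked))},
        # Declared in composer.json but absent from the lock: the lock is stale.
        "missing": sorted(root - set(locked)),
        # Dependencies of dependencies: only the lock records their version.
        "nested": nested,
        # The loose constraint each nested package was resolved from.
        "nested_constraints": {
            dep: {p["name"]: p["require"][dep]
                  for p in locked.values() if dep in p.get("require", {})}
            for dep in nested
        },
    }


if __name__ == "__main__":
    print(json.dumps(audit_lock(COMPOSER_JSON, COMPOSER_LOCK), indent=2))
```

A non-empty `missing` list in CI means `composer.json` changed without the lock being regenerated and committed.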
The best difference between `composer update` and `composer install`
composer install
To add dependencies you need to add it manually to the composer.json file.
- If composer.lock file exists, install exactly what's specified in this file
- Otherwise read composer.json file to look out what dependencies need to be installed
- Write the composer.lock with the information of the project (installed dependencies)
No component will be updated with this command.
composer update
To add or remove dependencies you need to add it manually to the composer.json file
- The composer.lock file will be ignored
- composer.json file dependencies will be installed and updated (if a dependency is not installed it will be downloaded)
If you can't (or don't know how to add or remove a library, which is in fact easy: just add the name of the dependency and version in the require property of the file) modify the composer.json file manually, or you prefer to use the command line instead, composer has special functions for this:
composer require
For example, if we want to add a dependency with the command line we will simply execute
composer require twig/twig
- composer.json file will be modified automatically and the new dependency will be added
- the dependency will be downloaded to the project
composer remove
If you want to remove an unused dependency we will simply execute:
composer remove twig/twig --update-with-dependencies
- Twig will be removed with all its dependencies
