7

I did a `composer update` recently, but I completely don't like the new versions of my dependencies that I got. To be more precise, I don't like a dependency of my dependencies. Is there any way to roll back, other than fetching composer.lock from git history?

user1016265
  • I'm not really sure why you seem to imply that using git isn't a valid solution to this. – Jonnix May 16 '16 at 13:58
  • @JonStirling I thought maybe I missed some hidden composer feature to select/freeze a version :) – user1016265 May 16 '16 at 14:05
  • Don't think so. That's what `composer.lock` is for :P – Jonnix May 16 '16 at 14:07
  • @JonStirling OK, thanks. Maybe you know a way to upgrade everything except one dependency of my dependencies :) other than manually inserting it back into composer.lock :( – user1016265 May 16 '16 at 14:09
  • I'm not sure what you mean. If you update a dependency of yours, and that updated package depends on an updated version of another package, why would you not want it? – Jonnix May 16 '16 at 14:11
  • For instance, I'm using a framework, and that framework uses some other dependencies. One of them is not good after the upgrade, the previous one is still compatible, so it would be nice to keep the previous one and not update it – user1016265 May 16 '16 at 14:14
  • I believe (note I'm not sure) that you can define that package in your composer.json explicitly in that case to force a version. – Jonnix May 16 '16 at 14:16
  • @JonStirling That did not help, thanks anyway. I will try to research that later on. For now it's faster to revert composer.lock :-) – user1016265 May 16 '16 at 14:29
  • For the git: [_How can I reset or revert a file to a specific revision?_](https://stackoverflow.com/q/215718/367456) – hakre Jul 02 '22 at 23:32
  • I typed `composer require company/package:"x.xx.xx" --with-all-dependencies` and it worked for me. Try first without `--with-all-dependencies` – Pathros Aug 30 '22 at 19:49

3 Answers

4

There is no direct way of downgrading a dependency of a dependency; it takes some work:

  1. Require the package in the desired version

    composer require aws/aws-sdk-php=3.158.17
    

    The dependency will be downgraded. It also gets added to `composer.json`, which we don't want, because our application does not depend on it.

  2. Simply removing the dependency with `composer remove` will upgrade the package to the latest version, which we don't want.

    So instead, manually remove the require line from `composer.json` and run `composer update nothing` to update the hash in `composer.lock`.

cweiske
  • I'd go along with all the "which we don't want" statements, however removing the require line but keeping the pinning in the lock file alone, is this well aligned with what we don't/do want? Isn't there a better way to document the intent in the composer.json configuration file already (maybe _replace_)? – hakre Jul 02 '22 at 23:28
2

I've had a similar problem with laravel/passport =7.5.1, which depends on league/oauth2-server ^7.0, which requires lcobucci/jwt ^3.2.2. At the time, lcobucci/jwt was updated to the latest 3.4 version. But this sudden update introduced a bug, so everyone has to downgrade it to 3.3.*.

You can override the version of a nested dependency, or apply another version constraint, by simply putting it in the require section of your top-level composer.json:

    "require": {
        ...
        "lcobucci/jwt": "3.3.*"
    }

Then don't forget to run `composer update lcobucci/jwt`, so it installs the right version of the nested dependency and updates the record in composer.lock.

vintprox
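
A CI-style guard for the pin described in the answers above, as an added example that is not part of the original answers: it reports which locked packages pull in the nested dependency and flags a pin that exists only in composer.lock or a locked version that drifts from the pin. The sample data and function names are constructed for illustration, and only exact and `*` wildcard pins are evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample data mirroring the chain described in the answer above;
# it is not a real composer.json / composer.lock.
SAMPLE_ROOT = {"require": {"laravel/passport": "7.5.1", "lcobucci/jwt": "3.3.*"}}
SAMPLE_LOCK = json.loads("""
{"packages": [
  {"name": "laravel/passport", "version": "v7.5.1",
   "require": {"league/oauth2-server": "^7.0"}},
  {"name": "league/oauth2-server", "version": "7.4.0",
   "require": {"lcobucci/jwt": "^3.2.2"}},
  {"name": "lcobucci/jwt", "version": "3.3.3", "require": {"php": "^5.6 || ^7.0"}}
], "packages-dev": []}
""")


def locked_packages(lock):
    """Map package name -> lock entry for runtime and dev packages."""
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p for p in entries}


def required_by(lock, name):
    """Locked packages that require `name`, with their constraint (like `composer why`)."""
    return {p["name"]: p["require"][name]
            for p in locked_packages(lock).values() if name in p.get("require", {})}


def check_pin(root, lock, name):
    """Return a list of problems with the pin on `name`; an empty list means OK.

    Only exact and wildcard pins (e.g. "3.3.*") are understood here; other
    Composer constraint syntax is reported as unsupported, not evaluated.
    """
    pin = root.get("require", {}).get(name)
    entry = locked_packages(lock).get(name)
    problems = []
    if entry is None:
        return [f"{name} is not in composer.lock"]
    if pin is None:
        problems.append(f"{name} {entry['version']} is held only by composer.lock; "
                        f"pulled in by {sorted(required_by(lock, name))}")
    elif any(c in pin for c in "^~<>|, "):
        problems.append(f"constraint {pin!r} is not a pin this check supports")
    elif not fnmatchcase(entry["version"].lstrip("v"), pin.lstrip("=v")):
        problems.append(f"locked {entry['version']} does not satisfy pin {pin!r}")
    return problems
```

In a real pipeline the two dictionaries would come from `json.load()` on the project's composer.json and composer.lock, and a non-empty result would fail the build.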
0

Today it is better to set the version to 3.4 and also install mbstring on your system, if you are on Ubuntu, with the command:

    sudo apt-get install php-mbstring

And finally do a `composer update lcobucci/jwt` just like you say.

Brian Tompsett - 汤莱恩