New composer bump Command in Composer 2.4

Published On2022-06-12

New `composer bump` command in Composer 2.4

Composer 2.4 adds a new command called bump, that increases the requirements listed in the composer.json file with the currently installed version numbers. When the version numbers are bumped in the composer.json file, it effectively prevents Composer from installing a lower version of the required packages.

For example, a composer.json file that requires phpunit/phpunit package with a version constraint ^9.4.0 means Composer is allowed to install phpunit/phpunit package versions in the range of >= 9.4.0 >= and < 10.

{
    "require-dev": {
        "phpunit/phpunit": "^9.4"
    }
}

When the composer bump command is executed, it updates the requirement of all packages (unless narrowed down) to the currently installed version, making the current version the lower boundary of the package constraint.

In the phpunit/phpunit example, if the currently installed version is 9.5.20, running composer bump updates the composer.json file to use that version as the lower boundary:

{
    "require": {
-        "phpunit/phpunit": "^9.4"
+        "phpunit/phpunit": "^9.5.20"
    }
}

composer bump command does not update platform requirements such as the PHP version of extension versions.

Narrowing down the package list

The composer bump command supports narrowing down the packages that are being bumped to the require and require-dev sections with optional flags.

  • --dev-only: Only bump the require-dev packages.
  • --no-dev-only: Only bump the require packages.

For example, the following command only bumps the packages listed under require-dev section of the composer.json file:

composer bump --dev-only

Requires a composer.lock file

The composer bump command requires a composer.lock file that is up to date. This is because the composer bump inspects the composer.lock file to determine the currently installed versions.

If a composer.lock file does not exists, Composer bails out with a success message:

No requirements to update in ./composer.json.

If the composer.lock file is out of date, Composer exits with an error:

The lock file is not up to date with the latest changes in composer.json. Run the appropriate `update` to fix that before you use the `bump` command.

A Word of Caution when Bumping Requirements

Note that when bumping the version constraints, it effectively narrows down the list of possible versions Composer can resolve. When a package is required by multiple immediate or indirect dependencies, narrowing down the version constraints may prevent Composer from correctly resolving the version number.

When libraries require the same package but with different version constraints, bumping one library's lower boundary may prevent it from being used together with another library.

For example, Composer can install symfony/finder library if two libraries require it with version constraints such as ^6.0.0 (any 6.* version) and ~6.0.0 (any 6.0.* version), by choosing a symfony/finder version that fulfills both version constraints, such as 6.0.8.

If package A decides to bump the symfony/finder version constraint to ^6.1.0, Composer can no longer resolve the version correctly because package B only supports symfony/finder in 6.0 series.

Composer promptly warns on this as well:

Warning: Bumping dependency constraints is not recommended for libraries as it will narrow down your dependencies and may cause problems for your users.
If your package is not a library, you can explicitly specify the "type" by using "composer config type project".
Alternatively you can use --dev-only to only bump dependencies within "require-dev".

As the warning says, it is advised to only update the require-dev section with --dev-only option to to prevent excessively narrowing down the dependency version candidates.

Recent Articles on PHP.Watch

All ArticlesFeed 
All the Easter Eggs in PHP

All the Easter Eggs in PHP

A trip down the memory with PHP's Easter Eggs over the years
Laragon: Simple, Flexible, and Modern Development Server Environment for Windows

Laragon: Simple, Flexible, and Modern Development Server Environment for Windows

Laragon is a modern, simple, and flexible Windows Development Environment that provides support for multiple PHP, Apache, and MySQL versions, with quick HTTPS setup, Quick-app templates, Composer, npm, and more
Testing Randomness of PHP Random Number Functions

Testing Randomness of PHP Random Number Functions

Visualizing and testing various Random Number Generators available in PHP.
Subscribe to PHP.Watch newsletter for monthly updates

You will receive an email on last Wednesday of every month and on major PHP releases with new articles related to PHP, upcoming changes, new features and what's changing in the language. No marketing emails, no selling of your contacts, no click-tracking, and one-click instant unsubscribe from any email you receive.