New composer bump Command in Composer 2.4

Published on 12 Jun 2022

Composer 2.4 adds a new command, composer bump, that raises the version constraints listed in the composer.json file to the currently installed version numbers. Once the constraints are bumped in composer.json, Composer can no longer install a lower version of a required package than the one that is currently installed.

For example, a composer.json file that requires the phpunit/phpunit package with the version constraint ^9.4.0 allows Composer to install phpunit/phpunit versions in the range >= 9.4.0 and < 10.0.0:

{
    "require-dev": {
        "phpunit/phpunit": "^9.4"
    }
}

When the composer bump command is executed, it updates the requirement of all packages (unless narrowed down) to the currently installed version, making the current version the lower boundary of the package constraint.

In the phpunit/phpunit example, if the currently installed version is 9.5.20, running composer bump updates the composer.json file to use that version as the lower boundary:

{
    "require-dev": {
-        "phpunit/phpunit": "^9.4"
+        "phpunit/phpunit": "^9.5.20"
    }
}

The composer bump command does not update platform requirements such as the PHP version or extension versions.

Narrowing down the package list

The composer bump command supports narrowing the set of packages being bumped to either the require or the require-dev section with optional flags:

  • --dev-only: Only bump the require-dev packages.
  • --no-dev-only: Only bump the require packages.

For example, the following command only bumps the packages listed under require-dev section of the composer.json file:

composer bump --dev-only
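To make the rewrite rule concrete, here is a small Python model of the bump step described above. It is an added example, not Composer's own code: it reads the installed versions from a constructed composer.lock, replaces caret constraints in the selected sections with the installed version as the new lower boundary, skips platform packages (php, ext-*, lib-*), and exposes the --dev-only / --no-dev-only selection as keyword arguments. Non-caret constraints such as ">=8.0" or "*" are deliberately left untouched here; Composer's real implementation handles more constraint shapes than this.

```python
"""Toy model of what `composer bump` does to composer.json (added example,
not Composer's own code). Assumption: only plain caret constraints such as
"^9.4" are rewritten; any other constraint is left as it is."""
import copy
import json

# Constructed sample composer.json and composer.lock (not real project files).
COMPOSER_JSON = json.loads("""
{
    "require": {
        "php": ">=8.0",
        "ext-json": "*",
        "symfony/finder": "^6.0"
    },
    "require-dev": {
        "phpunit/phpunit": "^9.4"
    }
}
""")

COMPOSER_LOCK = json.loads("""
{
    "packages": [
        {"name": "symfony/finder", "version": "v6.0.8"}
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.20"}
    ]
}
""")


def installed_versions(lock):
    """Map package name -> installed version from the lock file, dropping the
    leading 'v' that some packages tag releases with (v6.0.8 -> 6.0.8)."""
    versions = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            versions[pkg["name"]] = pkg["version"].lstrip("v")
    return versions


def is_platform_package(name):
    """php, hhvm, ext-* and lib-* are platform requirements; bump skips them."""
    return name in ("php", "hhvm") or name.startswith(("ext-", "lib-"))


def bump(composer_json, lock, dev_only=False, no_dev_only=False):
    """Return a new composer.json dict whose caret constraints use the
    installed version as the lower boundary. Platform packages, packages
    missing from the lock file and non-caret constraints stay unchanged."""
    if dev_only and no_dev_only:
        raise ValueError("--dev-only and --no-dev-only are mutually exclusive")
    sections = ["require", "require-dev"]
    if dev_only:
        sections = ["require-dev"]
    elif no_dev_only:
        sections = ["require"]

    installed = installed_versions(lock)
    result = copy.deepcopy(composer_json)  # never mutate the caller's data
    for section in sections:
        for name, constraint in result.get(section, {}).items():
            if is_platform_package(name) or not constraint.startswith("^"):
                continue
            if name in installed:
                result[section][name] = "^" + installed[name]
    return result


if __name__ == "__main__":
    print(json.dumps(bump(COMPOSER_JSON, COMPOSER_LOCK), indent=4))
    print(json.dumps(bump(COMPOSER_JSON, COMPOSER_LOCK, dev_only=True), indent=4))
```

Running it shows phpunit/phpunit moving from ^9.4 to ^9.5.20 and symfony/finder from ^6.0 to ^6.0.8, while php and ext-json keep their original constraints; with dev_only=True only the require-dev entry changes.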

Requires a composer.lock file

The composer bump command requires an up-to-date composer.lock file, because composer bump inspects the composer.lock file to determine the currently installed versions.

If a composer.lock file does not exist, Composer bails out with a success message:

No requirements to update in ./composer.json.

If the composer.lock file is out of date, Composer exits with an error:

The lock file is not up to date with the latest changes in composer.json. Run the appropriate `update` to fix that before you use the `bump` command.

A Word of Caution when Bumping Requirements

Note that bumping the version constraints effectively narrows down the list of versions Composer can resolve to. When a package is required by multiple direct or indirect dependencies, narrowing the version constraints may leave Composer unable to find a version that satisfies every requirement.

When libraries require the same package but with different version constraints, bumping one library's lower boundary may prevent it from being used together with another library.

For example, Composer can install symfony/finder library if two libraries require it with version constraints such as ^6.0.0 (any 6.* version) and ~6.0.0 (any 6.0.* version), by choosing a symfony/finder version that fulfills both version constraints, such as 6.0.8.

If package A decides to bump the symfony/finder version constraint to ^6.1.0, Composer can no longer resolve the version correctly because package B only supports symfony/finder in 6.0 series.

Composer promptly warns on this as well:

Warning: Bumping dependency constraints is not recommended for libraries as it will narrow down your dependencies and may cause problems for your users.
If your package is not a library, you can explicitly specify the "type" by using "composer config type project".
Alternatively you can use --dev-only to only bump dependencies within "require-dev".

As the warning says, it is advised to only update the require-dev section with the --dev-only option, to prevent excessively narrowing down the dependency version candidates.
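The symfony/finder scenario above can be checked mechanically. The following Python example (added here, not Composer's own resolver) converts caret and tilde constraints into half-open version ranges, intersects them, and picks the highest release that satisfies every constraint. The release list is constructed for the demonstration; the point is that ^6.0.0 and ~6.0.0 still share 6.0.x, while ^6.1.0 and ~6.0.0 have an empty intersection, which is exactly the situation the warning is about.

```python
"""Semver range arithmetic for Composer-style caret (^) and tilde (~)
constraints (added example, not Composer's own resolver). Assumes numeric
versions with up to three parts, e.g. "6.1.0" or "6.0", and no stability
suffixes such as -beta or -dev."""


def parse_version(text):
    """'6.0.8' -> (6, 0, 8); missing parts are filled with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def constraint_range(constraint):
    """Turn '^X.Y.Z' or '~X.Y.Z' into a half-open range [lower, upper).

    ^6.1.0 -> [6.1.0, 7.0.0)   caret: anything below the next major
    ^0.3   -> [0.3.0, 0.4.0)   caret on 0.x: the minor is the breaking part
    ~6.0.0 -> [6.0.0, 6.1.0)   tilde: only the last given part may grow
    ~6.0   -> [6.0.0, 7.0.0)   tilde on two parts allows minor bumps
    """
    op, body = constraint[0], constraint[1:]
    parts = [int(p) for p in body.split(".")]
    lower = parse_version(body)
    if op == "^":
        # The first non-zero part is the one that may not change.
        idx = next((i for i, p in enumerate(parts) if p != 0), 0)
        bumped = parts[: idx + 1]
    elif op == "~":
        if len(parts) < 2:
            raise ValueError("~X needs at least two version parts")
        bumped = parts[:-1]  # drop the last part, increment the one before it
    else:
        raise ValueError("only ^ and ~ constraints are modelled here")
    bumped[-1] += 1
    upper = tuple(bumped + [0] * (3 - len(bumped)))
    return lower, upper


def intersection(constraints):
    """Intersect constraints into one [lower, upper), or None if it is empty."""
    lower = (0, 0, 0)
    upper = None
    for c in constraints:
        lo, up = constraint_range(c)
        lower = max(lower, lo)
        upper = up if upper is None else min(upper, up)
    return (lower, upper) if lower < upper else None


def pick_version(candidates, constraints):
    """Highest candidate version satisfying every constraint, or None."""
    rng = intersection(constraints)
    if rng is None:
        return None
    lower, upper = rng
    ok = [v for v in candidates if lower <= parse_version(v) < upper]
    return max(ok, key=parse_version) if ok else None


# Constructed list of symfony/finder releases for the demonstration.
FINDER_RELEASES = ["6.0.0", "6.0.8", "6.1.0", "6.1.3", "6.2.0"]

if __name__ == "__main__":
    # Package A ^6.0.0 and package B ~6.0.0 overlap: 6.0.8 satisfies both.
    print(pick_version(FINDER_RELEASES, ["^6.0.0", "~6.0.0"]))
    # After A bumps to ^6.1.0 the ranges no longer overlap: resolution fails.
    print(pick_version(FINDER_RELEASES, ["^6.1.0", "~6.0.0"]))
```

The first call returns 6.0.8; the second returns None, which is the resolver-level view of the conflict described above. A library author running the same check against the constraints of their downstream users before bumping would see the conflict before publishing.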
