Composer: remove a package, clean up dependencies, don't update other packages

Question

The situation

Let's say I have a project with two packages installed by Composer:

php composer.phar require 'squizlabs/php_codesniffer:~2.0' 'phpmd/phpmd:~2.1' 

The autogenerated composer.json file looks like this:

{     "require": {         "squizlabs/php_codesniffer": "~2.0",         "phpmd/phpmd": "~2.1"     } } 

In the autogenerated composer.lock file, there are the two requested packages:

• 2.0.0 squizlabs/php_codesniffer
• 2.1.3 phpmd/phpmd

and also four dependencies of phpmd/phpmd:

• 2.0.4 pdepend/pdepend
• 2.5.9 symfony/config
• 2.5.9 symfony/dependency-injection
• 2.5.9 symfony/filesystem

A few days later, squizlabs/php_codesniffer version 2.1.0 is released, but I don't want to run update yet. I want to stay on version 2.0.0 for now, and maybe I'll run update in a few days.

---

The question

I now want to remove phpmd/phpmd from my project. I want to achieve the following points:

1. Delete phpmd/phpmd from composer.json
2. Delete phpmd/phpmd from composer.lock
3. Delete phpmd/phpmd from the vendor folder
4. Delete all the dependencies of phpmd/phpmd from composer.lock
5. Delete all the dependencies of phpmd/phpmd from the vendor folder
6. Do not update squizlabs/php_codesniffer to version 2.1.0

Edit: I'd prefer a solution which doesn't require changing the version constraint of squizlabs/php_codesniffer in composer.json

---

What I've tried

If I run:

php composer.phar remove phpmd/phpmd 

this achieves points 1, 2, 3, 6, but does not achieve points 4, 5.

The dependencies of phpmd/phpmd remain in composer.lock and the vendor folder.

If I run:

php composer.phar remove phpmd/phpmd php composer.phar update 

this achieves points 1, 2, 3, 4, 5, but does not achieve point 6.

squizlabs/php_codesniffer gets updated to version 2.1.0.

Answer 1

Remove the entry from composer.json then run composer update phpmd/phpmd.

As to why that is the solution that works. I have no idea but that is what is required to remove a package totally from composer.lock and /vendor and allow you to install a new/replacement/conflicting package.

Answer 2

Do this:

php composer.phar remove phpmd/phpmd 

Modify the composer.json file so it contains the following require section.

{     "require": {         "squizlabs/php_codesniffer": "2.0.*",     } } 

Now run composer.phar update. That should get you where you want to be.

Note: You could also pin the php_codesniffer package to a specific version e.g. 2.0.0. More information about how composer does versioning can be found on here.