Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you.
composer install is for installing all packages of a new application (all mentioned in composer.json); use: composer install. composer require is for adding a new package; use: composer require symfony/symfony. composer update is for updating current dependencies; use: composer update.
lock file is present resolves and installs all dependencies that you listed in composer.json, but Composer uses the exact versions listed in composer.lock to ensure that the package versions are consistent for everyone working on your project. As a result you will have all dependencies requested by your composer.
You should never use composer update without argument. composer update reads every package listed in composer.json, and updates it to the latest available version compatible with the specified version constraints. In a perfect world, all libraries would follow semver correctly, and it shouldn't have any side effects.
composer update
composer update will update your dependencies as they are specified in composer.json.
For example, if you require this package as a dependency:
"mockery/mockery": "0.9.*",
and you have actually installed the 0.9.1 version of the package, running composer update will cause an upgrade of this package (for example to 0.9.2, if it's already been released).
In detail, composer update will:
composer.json
composer.json
composer.lock to store the installed packages version
composer install
composer install will not update anything; it will just install all the dependencies as specified in the composer.lock file.
In detail:
composer.lock file exists (if not, run composer-update and create it)
composer.lock file
composer.lock file
When to install and when to update
composer update is mostly used in the 'development phase', to upgrade our project packages according to what we have specified in the composer.json file,
composer install is primarily used in the 'deploying phase' to install our application on a production server or on a testing environment, using the same dependencies stored in the composer.lock file created by composer update.
When you run composer install it will look for a lock file and install whatever is contained in it; if it can't find one, it'll read composer.json, install its dependencies and generate a lockfile.
When you run composer update it simply reads composer.json, installs the dependencies and updates the lockfile (or creates a new lockfile).
composer install
composer.lock does exist.
composer.lock file.
composer.lock does not exist.
composer.json.
composer.lock file based on the installed packages.
As per: composer help install:
The install command reads the composer.lock file from the current directory, processes it, and downloads and installs all the libraries and dependencies outlined in that file. If the file does not exist it will look for composer.json and do the same.
composer update
composer.json file (installs, updates and removes).
composer.lock file according to the changes.
As per: composer help update:
The update command reads the composer.json file from the current directory, processes it, and updates, removes or installs all the dependencies.
See also: Composer: It’s All About the Lock File
if(composer.lock existed){
   installs dependency with EXACT version in composer.lock file
} else {
   installs dependency with LATEST version in composer.json
   generate the composer.lock file
}
composer update = remove composer.lock -> composer install
Why do we need 2 commands? I think it can be explained by composer.lock.
Imagine we DON'T have composer.lock and in composer.json there is a dependency "monolog/monolog": "1.0.*" or "monolog/monolog": "^1.0".
Then, it will have some cases
composer install in a different time.
What if we always use an EXACT version in composer.json such as "monolog/monolog": "1.0.1"?
We still need composer.lock because composer.json only tracks the main version of your dependency; it cannot track the versions of the dependencies of a dependency.
What if all dependencies of dependency also use the EXACT version?
Imagine you begin with ALL dependencies using the EXACT version; then you don't care about composer.lock. However, a few months later, you add a new dependency (or update an old dependency), and the dependencies of this dependency don't use the EXACT version. Then it's better to care about composer.lock from the beginning.
Besides that, there is an advantage of a semantic version over an exact version. We may update the dependency many times during development, and libraries often have some small changes such as bug fixes. Then it is easier to upgrade a dependency which uses a semantic version.
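The point about composer.lock pinning what composer.json cannot see, as an added example (not code from Composer or from the answers on this page): it compares a manifest with a lock file and reports floating constraints, requirements missing from the lock, and packages that only the lock pins. The sample files are constructed, the example/* names are placeholders, the constraint matcher covers only the wildcard, caret and exact forms shown on this page, and require-dev is ignored.

```python
import json
import re

# Constructed sample files; the example/* package names are placeholders.
MANIFEST = json.loads("""{"require": {
  "php": ">=7.4", "mockery/mockery": "0.9.*",
  "monolog/monolog": "^1.0", "twig/twig": "3.4.1"}}""")
LOCK = json.loads("""{"packages": [
  {"name": "mockery/mockery", "version": "0.9.1"},
  {"name": "monolog/monolog", "version": "1.0.2"},
  {"name": "example/transitive-a", "version": "2.3.0"},
  {"name": "example/transitive-b", "version": "v1.1.4"}]}""")

def is_floating(constraint):
    """True unless the constraint is a single exact x.y.z version."""
    return re.fullmatch(r"v?\d+\.\d+\.\d+", constraint) is None

def allows(constraint, version):
    """Simplified matcher: wildcard ('0.9.*'), caret ('^1.0'), exact."""
    v = [int(p) for p in version.lstrip("v").split(".")]
    if constraint.endswith(".*"):
        prefix = [int(p) for p in constraint[:-2].split(".")]
        return v[:len(prefix)] == prefix
    if constraint.startswith("^"):
        low = [int(p) for p in constraint[1:].split(".")]
        low += [0] * (3 - len(low))
        # Caret freezes everything up to the first non-zero component.
        idx = next((i for i, p in enumerate(low) if p), len(low) - 1)
        return v >= low and v[:idx + 1] == low[:idx + 1]
    return version.lstrip("v") == constraint.lstrip("v")

def audit(manifest, lock):
    """Compare composer.json requirements with what composer.lock pins."""
    locked = {p["name"]: p["version"] for p in lock.get("packages", [])}
    # Names without a vendor prefix (php, ext-*) are platform requirements.
    direct = {n: c for n, c in manifest.get("require", {}).items() if "/" in n}
    report = {"floating": [], "missing_from_lock": [], "violates": []}
    for name, constraint in sorted(direct.items()):
        if is_floating(constraint):
            report["floating"].append(name)
        if name not in locked:
            report["missing_from_lock"].append(name)
        elif not allows(constraint, locked[name]):
            report["violates"].append(name)
    # Packages only the lock file knows about: dependencies of dependencies.
    report["lock_only"] = sorted(set(locked) - set(direct))
    return report

if __name__ == "__main__":
    print(json.dumps(audit(MANIFEST, LOCK), indent=2))
```

A non-empty missing_from_lock or violates list means the lock file no longer matches composer.json, so an install from it would not give the dependencies the manifest asks for.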
The best difference between composer update and composer install
composer install
To add dependencies you need to add them manually to the composer.json file.
If the composer.lock file exists, it installs exactly what's specified in this file.
No component will be updated with this command.
composer update
To add or remove dependencies you need to add them manually to the composer.json file.
If you can't modify the composer.json file manually (or don't know how to add or remove a library, which is in fact easy: just add the name of the dependency and its version in the require property of the file), or you prefer to use the command line instead, composer has special functions for this:
composer require
For example, if we want to add a dependency with the command line, we will simply execute:
composer require twig/twig
composer remove
If we want to remove an unused dependency, we will simply execute:
composer remove twig/twig --update-with-dependencies