PHP – Composer: remove a package, clean up dependencies, don’t update other packages


The situation

Let's say I have a project with two packages installed by Composer:

php composer.phar require 'squizlabs/php_codesniffer:~2.0' 'phpmd/phpmd:~2.1'

The autogenerated composer.json file looks like this:

{
    "require": {
        "squizlabs/php_codesniffer": "~2.0",
        "phpmd/phpmd": "~2.1"
    }
}

In the autogenerated composer.lock file, there are the two requested packages:

  • 2.0.0 squizlabs/php_codesniffer
  • 2.1.3 phpmd/phpmd

and also four dependencies of phpmd/phpmd:

  • 2.0.4 pdepend/pdepend
  • 2.5.9 symfony/config
  • 2.5.9 symfony/dependency-injection
  • 2.5.9 symfony/filesystem

A few days later, squizlabs/php_codesniffer version 2.1.0 is released, but I don't want
to run update yet. I want to stay on version 2.0.0 for now, and maybe I'll run update in a few days.


The question

I now want to remove phpmd/phpmd from my project. I want to achieve the following points:

  1. Delete phpmd/phpmd from composer.json
  2. Delete phpmd/phpmd from composer.lock
  3. Delete phpmd/phpmd from the vendor folder
  4. Delete all the dependencies of phpmd/phpmd from composer.lock
  5. Delete all the dependencies of phpmd/phpmd from the vendor folder
  6. Do not update squizlabs/php_codesniffer to version 2.1.0

Edit: I'd prefer a solution which doesn't require changing the
version constraint of squizlabs/php_codesniffer in composer.json.


What I've tried

If I run:

php composer.phar remove phpmd/phpmd

this achieves points 1, 2, 3, 6, but does not achieve points 4, 5.

The dependencies of phpmd/phpmd remain in composer.lock and the vendor folder.

If I run:

php composer.phar remove phpmd/phpmd
php composer.phar update

this achieves points 1, 2, 3, 4, 5, but does not achieve point 6.

squizlabs/php_codesniffer gets updated to version 2.1.0.

Best Answer

Remove the entry from composer.json then run composer update phpmd/phpmd.

As to why that is the solution that works, I have no idea, but that is what is required to remove a package totally from composer.lock and /vendor and allow you to install a new/replacement/conflicting package.
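Added example, not part of the original question or answer: a check for points 4 and 5, listing packages still pinned in composer.lock that nothing in composer.json reaches any more, since those leftovers stay installed in vendor without being declared anywhere. The function name, the sample data and the `require` maps inside it are assumptions constructed for illustration; only the package names and versions come from the question.

```python
import json

# Constructed sample: project state after `composer remove phpmd/phpmd` as the
# question describes it. Versions are from the page; "require" maps are assumed.
SAMPLE_JSON = '{"require": {"squizlabs/php_codesniffer": "~2.0"}}'
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "squizlabs/php_codesniffer", "version": "2.0.0", "require": {"php": "*"}},
    {"name": "pdepend/pdepend", "version": "2.0.4", "require": {
        "symfony/config": "*", "symfony/dependency-injection": "*",
        "symfony/filesystem": "*"}},
    {"name": "symfony/config", "version": "2.5.9", "require": {"symfony/filesystem": "*"}},
    {"name": "symfony/dependency-injection", "version": "2.5.9"},
    {"name": "symfony/filesystem", "version": "2.5.9"},
], "packages-dev": None})  # older lock files may store null here


def orphaned_packages(composer_json, composer_lock):
    """Return locked package names not reachable from the root requirements."""
    root = json.loads(composer_json)
    lock = json.loads(composer_lock)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    locked = {p["name"].lower(): p for p in entries}

    # A requirement can be satisfied by a package that replaces/provides it.
    aliases = {}
    for name, pkg in locked.items():
        for key in ("replace", "provide"):
            for alias in pkg.get(key) or {}:
                aliases.setdefault(alias.lower(), name)

    pending = [n.lower() for key in ("require", "require-dev")
               for n in root.get(key) or {}]
    reachable = set()
    while pending:
        name = pending.pop()
        name = name if name in locked else aliases.get(name)
        if name is None or name in reachable:
            continue  # platform requirement (php, ext-*) or already visited
        reachable.add(name)
        pending.extend(n.lower() for n in locked[name].get("require") or {})
    return sorted(set(locked) - reachable)


if __name__ == "__main__":
    for name in orphaned_packages(SAMPLE_JSON, SAMPLE_LOCK):
        print("orphaned:", name)
```

An empty result means every locked package is still required, directly or transitively, by composer.json.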
