I have been working on a project which used composer to manage dependencies. If you are a PHP developer and do not know about it, I think you
should learn about it. If you happen to worry about the combination in the topic, that means you are already using composer. Great.
In a project I was working on at work was using composer and composer.phar was added to the version control (we use git). Composer.phar is a binary file that would change sometimes when you run
php composer.phar self-update
I didn’t like the idea of having a binary file in version call that would occasionally require a pointless commits in the history. So I went reading about what’s the right thing to do. It was bit of a messy subject but finally I decided that there is no point of adding composer.phar to version control.
Also I found that composer.lock should be in version control (which was not in the project I mentioned). So here it is right from the horse’s mouth.
Commit your application’s composer.lock (along with composer.json) into version control.
This is important because the install command checks if a lock file is present, and if it is, it downloads the versions specified there (regardless of what composer.json says).
So you add composer.lock to version control but keep composer.phar out of it. But what about when you want to use composer.phar? You just get it with
wget -O - https://getcomposer.org/installer | php
Maybe add the instructions to the project’s README file. Also add it to .gitignore to avoid accidents from colleagues who do ‘git add .’
So if you were losing sleep over this, I think now you know what to do.