Locking your Yii 2 project package versions with composer.lock

  1. STEP 1: Editing composer.lock
  2. STEP 2: Future Composer Updates

Ok, you have installed a Yii 2 basic or advanced app for the first time and completed the post install steps. You have picked up a few extensions to install for the first time as well. You would already see a composer.lock file in your application root folder.

Here are a few tips on using this file to lock your package versions for future composer updates.

Let us consider you want to lock a specific bootstrap version for this package: yiisoft/yii2-bootstrap. It is assumed you already have installed the yiisoft\yii2-bootstrap extension for the first time.

STEP 1: Editing composer.lock

You would see an entry similar to this in your composer.lock file in your Yii 2 app root: ~~~ {

"name": "yiisoft/yii2-bootstrap",
"version": "dev-master",
"source": {
    "type": "git",
    "url": "https://github.com/yiisoft/yii2-bootstrap.git",
    "reference": "86e22d908151de4fb93f898562afc3cc36ec96c1"
"dist": {
    "type": "zip",
    "url": "https://api.github.com/repos/yiisoft/yii2-bootstrap/zipball/86e22d908151de4fb93f898562afc3cc36ec96c1",
    "reference": "86e22d908151de4fb93f898562afc3cc36ec96c1",
    "shasum": ""
"require": {
    "twbs/bootstrap": "3.1.* | 3.0.*",
    "yiisoft/yii2": "*"
"type": "yii2-extension",
"autoload": {
    "psr-4": {
        "yii\\bootstrap\\": ""
"notification-url": "https://packagist.org/downloads/",
"license": [
"authors": [
        "name": "Qiang Xue",
        "email": "qiang.xue@gmail.com",
        "homepage": "http://www.yiiframework.com/",
        "role": "Founder and project lead"
"description": "The Twitter Bootstrap extension for the Yii framework",
"keywords": [
"time": "2014-05-05 12:12:21"

}, ~~~

Now, to make the extension dependent on a specific bootstrap version (say 3.0 only), you can now change the following line in your composer.lock file:

"require": {
    "twbs/bootstrap": "3.0.*",
    "yiisoft/yii2": "*"

STEP 2: Future Composer Updates

You can repeat step 1 for locking dependencies for all your extensions (e.g. kartik-v/yii2-widgets, or any extension). But do a check on extension compatibility for each dependency version though.

The only thing to ensure is that future updates to packages through composer should now be done this way:

php composer.phar install

The above command installs/updates/removes everything to the state of the composer.lock file.

Info: The difference is you are not using php composer.phar update for updating if you want everything as per your composer.lock settings.