Things to Know When Updating a Single Composer Package

There are times you may want to update a single Composer package without updating everything in your project all at once. I’ve put together a few tips to keep in mind when using this workflow.

Recently, I’ve been testing the newly-released ScoutAPM support for Laravel. (Updated: Scout APM review for Laravel) I ran into an issue with Blade directives from third-party packages. Two days later, they published a new version which fixed the bug, hooray!

In order to test this, I needed to upgrade the scoutapm/scout-apm-laravel package from version 1.2.1 to version 1.2.3. Since this is a patch release, it should be pretty straightforward to update this one package: composer update scoutapm/scout-apm-laravel, right? Let’s try it using the handy --dry-run option:

(Note: my project runs in Docker, so I’m calling bin/dev/composer which is just a thin wrapper to run composer from inside the container) First attempt to update the package

That’s no good. It’s saying there’s nothing to update, but I know there’s an update available because it shows one when I run composer outdated:

Composer outdated output shows updates

Yep, there’s definitely an update available, but it’s that second line which gives us a hint why Composer is choosing to not update our single package. One of our package’s dependencies has bumped to a new major version, and our current pacakge has the dependency for scoutapp/scout-apm-php pegged to ^3.1. Composer is dutifully following our instructions and refusing a major version update for this dependency.

One option would be to run composer update scoutapp/scout-apm-laravel --with-dependencies which is our way of telling Composer it’s okay for those dependencies to be updated as well:

Second attempt with dependencies

It’s interesting to note that Composer is still unwilling to update a dependency if it’s also specified in our composer.json file. That’s what it means when it says it’s ignoring a “root requirement.” The good news is our dry run now shows it is updating our single package. This is great! But, I’m still a little cautious and I’d rather not update those other packages if I don’t have to. Let’s see if we can be more specific:

Third attempt with single explicit dependency

And this is exactly what I want. We have a winner!

One final side note: the order of these packages is important. If I reversed them and listed scout-apm-laravel first, it still wouldn’t update anything.