Reproducible Installs
A common pitfall in the PHP ecosystem is the failure to guarantee identical dependencies across team members and production servers. EvoLayer Base solves this by mandating reproducible installs.
The Role of composer.lock
The composer.lock file records the exact version of every dependency (including transitive dependencies) installed in your project, together with the source reference (commit hash) that version resolved to.
The EvoLayer Starter explicitly commits the composer.lock file. When you or a team member runs composer install, Composer reads the lock file and installs the exact same bytes, completely bypassing the version resolution step.
Why This Matters
- No "Works on my machine": If it works locally, it will run identically in CI and Production.
- Dependency Drift: It prevents a third-party package's breaking minor update from reaching your app during a Friday afternoon deployment.
- Security: It guarantees you are running the audited version of a package.
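One way to check the drift and audit points above is to compare the lock file that was reviewed with the one about to be deployed. This is an added example, not EvoLayer code; the package names, versions and commit references are constructed, and the helper names are hypothetical.

```python
import json

def _pkg(name, version, ref):
    # Only the composer.lock fields this check reads.
    return {"name": name, "version": version,
            "source": {"type": "git", "reference": ref}}

# Constructed sample data: package names and commit references are made up.
AUDITED_LOCK = json.dumps({
    "packages": [_pkg("acme/http", "2.3.1", "a" * 40),
                 _pkg("acme/log", "1.0.0", "b" * 40)],
    "packages-dev": [_pkg("acme/testkit", "4.0.0", "d" * 40)],
})
DEPLOYED_LOCK = json.dumps({
    "packages": [_pkg("acme/http", "2.3.2", "c" * 40),   # version bump
                 _pkg("acme/log", "1.0.0", "e" * 40),    # same version, other commit
                 _pkg("acme/yaml", "0.9.0", "f" * 40)],  # new dependency
    "packages-dev": [],
})

def pins(lock_text):
    """Map package name -> (version, locked reference), prod and dev sections."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            ref = ((pkg.get("source") or {}).get("reference")
                   or (pkg.get("dist") or {}).get("reference"))
            found[pkg["name"]] = (pkg["version"], ref)
    return found

def drift(audited_text, deployed_text):
    """Report packages that differ between the reviewed and the deployed lock."""
    old, new = pins(audited_text), pins(deployed_text)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

if __name__ == "__main__":
    report = drift(AUDITED_LOCK, DEPLOYED_LOCK)
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '-'}")
    raise SystemExit(1 if any(report.values()) else 0)
```

Comparing the reference as well as the version string catches a package whose version is unchanged but whose locked commit is not, as with acme/log in the sample.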
Source: xuple/evodevops/resources/js/pages/docs/evolayer-base/explanation/reproducible-installs.tsx