I want to create my own package manager and am currently reviewing existing solutions.
I'm playing with PHP's Composer now, and it was quite surprising that it has two files:
composer.json: for project configuration and non-pinned dependencies
composer.lock: for exact pinned dependencies
I do understand why one needs to pin dependencies; the .lock information by itself seems logical to me.
What I do not understand is why project metadata was split into two files.
Can anyone explain why it was designed this way? Why couldn't deps be pinned right in composer.json?
UPD. Turns out Rust's Cargo has the same two-file configuration in place, and has a nice explanation of the meaning of the .lock file: http://doc.crates.io/guide.html#cargotoml-vs-cargolock
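The two-file split the question describes, as an added example (not Composer's or Cargo's own code, and written in Python only because it is convenient; the idea is tool-agnostic): a tiny manifest holding version ranges next to a lock holding exact versions and archive hashes, plus the two checks that make the split worthwhile. The field names, the use of SHA-256, and the sample acme/* packages and archives are constructed for the illustration; Composer's real content-hash covers other keys and uses md5.

```python
"""Manifest vs. lock file, illustrated. Added example, not Composer's or Cargo's own code.
MANIFEST stands in for composer.json (human-edited intent: version ranges); LOCK stands in
for composer.lock (generated: one exact version plus an archive hash per package, and a hash
of the manifest's require block so a stale lock is detectable). Field names and the hash
choices are assumptions; Composer's real content-hash covers other keys and uses md5."""
import hashlib
import json
import re

# Constructed sample manifest, like composer.json.
MANIFEST = {
    "name": "example/app",
    "require": {"acme/logger": "^1.2", "acme/http": "~2.3.1", "acme/crypto": ">=0.9 <1.0"},
}
# Constructed stand-ins for the archives a resolver downloaded (acme/yaml is a transitive dep).
ARCHIVES = {
    "acme/logger": b"acme-logger-1.4.2 contents",
    "acme/http": b"acme-http-2.3.7 contents",
    "acme/crypto": b"acme-crypto-0.9.5 contents",
    "acme/yaml": b"acme-yaml-3.0.0 contents",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def manifest_content_hash(manifest):
    """Hash only the part of the manifest that drives resolution, in canonical JSON."""
    canonical = json.dumps(manifest.get("require", {}), sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())

# Constructed lock, like composer.lock: what a resolver would have written after solving MANIFEST.
LOCK = {
    "content-hash": manifest_content_hash(MANIFEST),
    "packages": {
        name: {"version": ver, "sha256": sha256_hex(ARCHIVES[name])}
        for name, ver in [("acme/logger", "1.4.2"), ("acme/http", "2.3.7"),
                          ("acme/crypto", "0.9.5"), ("acme/yaml", "3.0.0")]
    },
}

def _parse(v):
    return tuple(int(x) for x in v.split("."))

def _pad(parts):
    return parts + (0,) * (3 - len(parts))

def _caret_upper(parts):
    """^1.2.3 -> <2.0.0, ^0.3 -> <0.4.0: the leftmost non-zero component bumps."""
    p = list(_pad(parts))
    for i, x in enumerate(p):
        if x:
            return tuple(p[:i] + [x + 1] + [0] * (2 - i))
    return (0, 0, 1)

def _tilde_upper(parts):
    """~2.3.1 -> <2.4.0, ~1.2 -> <2.0.0: only the last specified component may grow."""
    idx = max(len(parts) - 2, 0)
    p = list(_pad(parts))
    return tuple(p[:idx] + [p[idx] + 1] + [0] * (2 - idx))

def satisfies(version, constraint):
    """Space-separated terms are ANDed; supports exact, ^, ~, >=, >, <=, <."""
    v = _pad(_parse(version))
    for term in constraint.split():
        m = re.fullmatch(r"(\^|~|>=|<=|>|<)?(\d+(?:\.\d+)*)", term)
        if not m:
            raise ValueError(f"unsupported constraint term: {term}")
        op, num = m.group(1), _parse(m.group(2))
        lo = _pad(num)
        ok = {"^": lo <= v < _caret_upper(num), "~": lo <= v < _tilde_upper(num),
              ">=": v >= lo, ">": v > lo, "<=": v <= lo, "<": v < lo, None: v == lo}[op]
        if not ok:
            return False
    return True

def check_lock_against_manifest(manifest, lock):
    """What a validate step reports; an empty list means the two files agree."""
    problems = []
    if lock.get("content-hash") != manifest_content_hash(manifest):
        problems.append("lock is stale: require block changed since the lock was written")
    for name, constraint in manifest.get("require", {}).items():
        entry = lock["packages"].get(name)
        if entry is None:
            problems.append(f"{name}: required but absent from lock")
        elif not satisfies(entry["version"], constraint):
            problems.append(f"{name}: locked {entry['version']} violates {constraint}")
    return problems

def install_from_lock(lock, archives):
    """Reproducible install: trust only the lock's exact version and hash, never re-resolve."""
    problems = []
    for name, entry in lock["packages"].items():
        data = archives.get(name)
        if data is None:
            problems.append(f"{name}: archive missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{name}: archive hash mismatch (tampered or wrong build)")
    return problems
```

Nothing in `install_from_lock` ever looks at a range: it compares exact versions and hashes only, which is what lets a second install on another machine produce the same tree. The manifest hash stored in the lock is how the tool can tell that someone edited the ranges without re-resolving, and the per-archive hash is what catches a swapped or tampered download. Keeping the generated, hash-laden file apart from the hand-edited one also keeps both diffs reviewable: a change to composer.json is a change of intent, a change to composer.lock is a change of what actually ships.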