I want to create my own package manager, and currently reviewing existing solutions.
I'm playing with PHP's Composer now, and it was quite surprising that it has two files:
- composer.json for project configuration and non-pinned dependencies
- composer.lock for exact pinned dependencies
I do understand why one needs to pin dependencies; the .lock information by itself seems logical to me.
What I do not understand is why project metadata was split into two files.
Can anyone explain why it was designed this way? Why could deps not be pinned right in composer.json?
UPD. Turns out Rust's Cargo has the same two-file configuration in place, and has a nice explanation of the meaning of the .lock file: http://doc.crates.io/guide.html#cargotoml-vs-cargolock
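To make the manifest/lock split concrete, here is an added toy resolver (not Composer's or Cargo's code, and not their file formats) over a constructed in-memory registry. The manifest holds a caret range; the lock records the exact version chosen at resolution time plus a digest of the artifact. The example shows the two things the question is really about: a range re-resolved later drifts to a newer release, while an install driven by the lock returns the same version, and the recorded digest rejects an artifact that was swapped out under the same version number. Names (`REGISTRY_DAY1`, `write_lock`, the `sha256` field) are assumptions for illustration.

```python
"""Toy manifest-vs-lock resolver. Constructed example, not Composer/Cargo code."""
import hashlib
from typing import Dict, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    parts = [int(p) for p in s.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def caret_range(constraint: str) -> Tuple[Version, Version]:
    """'^2.8' -> (>=2.8.0, <3.0.0). A simplified subset of the caret operator."""
    if not constraint.startswith("^"):
        raise ValueError("only caret constraints are supported in this example")
    low = parse_version(constraint[1:])
    return low, (low[0] + 1, 0, 0)


def resolve(manifest: Dict, registry: Dict) -> Dict[str, str]:
    """Pick the newest version satisfying each range (what an 'update' does)."""
    chosen = {}
    for name, constraint in manifest["require"].items():
        low, high = caret_range(constraint)
        candidates = [v for v in registry[name] if low <= parse_version(v) < high]
        if not candidates:
            raise LookupError(f"no version of {name} satisfies {constraint}")
        chosen[name] = max(candidates, key=parse_version)
    return chosen


def write_lock(manifest: Dict, registry: Dict) -> Dict[str, Dict[str, str]]:
    """Freeze the resolution: exact version plus a digest of the artifact bytes."""
    return {
        name: {"version": v, "sha256": hashlib.sha256(registry[name][v]).hexdigest()}
        for name, v in resolve(manifest, registry).items()
    }


def install_from_lock(lock: Dict, registry: Dict) -> Dict[str, str]:
    """Install exactly the locked versions; refuse an artifact whose digest changed."""
    installed = {}
    for name, entry in lock.items():
        blob = registry[name][entry["version"]]
        if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            raise RuntimeError(f"integrity check failed for {name} {entry['version']}")
        installed[name] = entry["version"]
    return installed


# Constructed data: the manifest never changes, the registry does.
MANIFEST = {"require": {"monolog/monolog": "^2.8"}}
REGISTRY_DAY1 = {"monolog/monolog": {"2.8.0": b"monolog-2.8.0.zip"}}
REGISTRY_DAY2 = {
    "monolog/monolog": {"2.8.0": b"monolog-2.8.0.zip", "2.9.1": b"monolog-2.9.1.zip"}
}
# Same version string, different bytes: what a lock digest is there to catch.
REGISTRY_TAMPERED = {
    "monolog/monolog": {"2.8.0": b"not-the-same-archive", "2.9.1": b"monolog-2.9.1.zip"}
}


def demo():
    lock = write_lock(MANIFEST, REGISTRY_DAY1)          # pins 2.8.0
    fresh = resolve(MANIFEST, REGISTRY_DAY2)            # range now yields 2.9.1
    pinned = install_from_lock(lock, REGISTRY_DAY2)     # lock still gives 2.8.0
    try:
        install_from_lock(lock, REGISTRY_TAMPERED)
        tamper_detected = False
    except RuntimeError:
        tamper_detected = True
    return lock, fresh, pinned, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The split falls out of the two jobs: the manifest is the human-edited statement of intent (what range is acceptable), the lock is the machine-generated record of one concrete, verifiable resolution. Folding pins into the manifest would force every update to rewrite the file that expresses intent, and would drop the constraint information needed to decide which updates are permitted.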