Is it possible to update a required dependency from another package in the composer lock file?

Question

I'm currently using the stof/doctrine-extensions-bundle in one of my Symfony projects and this bundle requires gedmo/doctrine-extensions. The latest version in gedmo/doctrine-extensions is failing. But the solution is in one of the sibling branches v2.4.x.

https://github.com/Atlantic18/DoctrineExtensions/commit/0b7bdbefd3d166def27928dcd62ab67c11c8f172

Is it possible to add this branch in the requirements of stof/doctrine-extensions-bundle or should I wait till the owner of the bundle creates a new tag?

Answer 1

Since this fix has not been released yet, you need to use branch for this dependency. You can do this by calling:

composer require "gedmo/doctrine-extensions:2.4.x-dev"

This will add this dependency to composer.json of your project. But be careful with this and treat this only as a temporary workaround, till stable version with this fix will be released. Using branches for dependencies is usually not recommended.

Answer 2

Reviewing stof/doctrine-extensions-bundle's composer.json require block:

"gedmo/doctrine-extensions": "^2.3.4"

It supports versions 2.3.4 to <=3.0.0. So you should be able to install a 2.4.x version in your project without issue. (Read about composer's version constraints here)

You should not manually modify a composer.lock file and you should not modify their composer.json file in your vendor directory. You can require different versions of dependencies in your own project as long as they are compatible with other dependency requirements.