PHP Composer: Adding new required package to the lock file

Composer's lock file is a great way to keep your project's packages locked to a specific tested/working version. If it wasn't there, your project's dependencies would receive the latest package versions every time you spool up your dev environment, or whatever you are currently deploying your project to. Therefore, the command composer install is your friend, and will only install the versions specified in the lock file - which, I would argue, is a good thing to version control if you are working in a team to ensure everyone is using the same packages and dependencies. composer update is a nasty command to run on a regular basis - it bypasses your lock, updates the lock file, and specifically updates all packages in the project to their latest version. This would likely require a round of testing to make sure nothing broke.

So how do you add a new package to the lock file without running a project-wide composer update - i.e. without updating the other packages? From the command line:

composer require "phpoffice/phpexcel":"1.8.*"
composer update --lock

This adds the new package require to the composer.json. Running the update --lock command after that will literally only add the new package info to the composer.lock file.