A lock file records precise versions for every dependency in the entire dependency graph. A long lock file means the project has a lot of libraries it depends on (each of which has its own maintainers (you hope), bugs, security vulnerabilities, etc.).

This happens a lot with Rails projects pulling in oodles of Ruby gems; evidently PHP has since adopted this approach as well. To me, it looks like one more step along the legacy PHP design path. [eev.ee]
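Worked example, added here and not part of the original comment: a small Ruby script that parses a constructed `Gemfile.lock`, separates the gems the project asked for from the transitive ones the lock file pins on its behalf, and checks the pinned versions against a constructed, hypothetical advisory list (the gem names, versions and advisory data are all made up for the example).

```ruby
require 'set'
# Constructed sample in Bundler's lock format: specs are indented 4 spaces,
# each spec's own dependencies 6 spaces, direct deps under DEPENDENCIES.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.0)
        rack (~> 2.0)
        rack-test (>= 0.6.3)
      rack (2.0.5)
      rack-test (1.0.0)
        rack (>= 1.0, < 3)
      rails (5.2.0)
        actionpack (= 5.2.0)

  DEPENDENCIES
    rails (= 5.2.0)
LOCK

# Hypothetical advisory data (constructed, not real CVEs): name => bad versions.
ADVISORIES = { 'rack' => ['2.0.5'] }.freeze

# Every spec pinned in the lock file, as { name => exact version }.
def locked_specs(lock_text)
  in_specs = false
  lock_text.each_line.with_object({}) do |line, specs|
    if line =~ /^\s*specs:\s*$/ then in_specs = true; next end
    in_specs = false if line.strip.empty?   # blank line ends the block
    next unless in_specs
    # exactly 4 spaces of indent = a pinned spec; deeper lines are its deps
    specs[$1] = $2 if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
  end
end

# Gems the project asked for itself (the DEPENDENCIES section).
def direct_dependencies(lock_text)
  section = lock_text.split(/^DEPENDENCIES\s*$/, 2)[1] || ''
  section.each_line.map { |l| l[/\A\s+([^\s(]+)/, 1] }.compact.to_set
end

# Everything pinned that the project never named: pulled in transitively.
def transitive_dependencies(lock_text)
  locked_specs(lock_text).keys.to_set - direct_dependencies(lock_text)
end

# Pinned versions matching an advisory; the lock file makes this exact.
def affected_specs(lock_text, advisories = ADVISORIES)
  locked_specs(lock_text).select { |n, v| advisories.fetch(n, []).include?(v) }
end
```

Run against a real lock file, the ratio of `transitive_dependencies` to `direct_dependencies` is the "long lock file" problem in numbers, and `affected_specs` is the audit that exact pins make possible.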