I could use some feedback related to https://gerrit.wikimedia.org/r/#/c/215815/1 ("Use composer install, not composer update").
Composer strongly recommends committing both composer.json and composer.lock to the repository (https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file).
This means the user can install the exact dependencies tested by the last developer who updated composer.lock (the goal is that you will only commit composer.lock if the dependency set works).
Can you comment at https://gerrit.wikimedia.org/r/#/c/215815/1 on why Wikibase does not commit it?
Thanks,
Matt Flaschen
wikidata-tech@lists.wikimedia.org
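What a committed composer.lock pins, and what is left floating when the lock is missing or stale, as an added example (not part of the original message or of Wikibase's code). The package names, versions and commit references are constructed, and the check is a simplified drift test, not Composer's own lock validation.

```python
import json

# Constructed sample files; package names, versions and commits are made up.
MANIFEST = json.loads("""{
  "require": {"php": ">=5.3.0", "ext-json": "*",
              "acme/datamodel": "~2.0", "acme/serializer": "~1.1"},
  "require-dev": {"acme/testkit": "~4.0"}
}""")
LOCK = json.loads("""{
  "packages": [
    {"name": "acme/datamodel", "version": "2.3.1",
     "source": {"type": "git", "reference": "1111111111111111111111111111111111111111"}},
    {"name": "acme/util", "version": "0.9.0",
     "source": {"type": "git", "reference": "2222222222222222222222222222222222222222"}}
  ],
  "packages-dev": []
}""")


def pinned(lock):
    """Map package name -> (exact version, source commit) for every locked package."""
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            ref = pkg.get("source", {}).get("reference")
            out[pkg["name"].lower()] = (pkg["version"], ref)
    return out


def direct_requirements(manifest):
    """Direct dependencies; names without a vendor/ prefix (php, ext-*) are platform."""
    names = set()
    for section in ("require", "require-dev"):
        names.update(n.lower() for n in manifest.get(section, {}) if "/" in n)
    return names


def unlocked_requirements(manifest, lock):
    """Requirements with no pinned entry: their version is resolved at install time.
    Simplification: ignores packages satisfied through replace/provide."""
    return sorted(direct_requirements(manifest) - set(pinned(lock)))


def transitive_only(manifest, lock):
    """Locked packages the manifest never names: the lock pins indirect deps too."""
    return sorted(set(pinned(lock)) - direct_requirements(manifest))


if __name__ == "__main__":
    print("pinned:", pinned(LOCK))
    print("not locked:", unlocked_requirements(MANIFEST, LOCK))
    print("transitive:", transitive_only(MANIFEST, LOCK))
```

A non-empty "not locked" list in CI means the lock no longer describes the dependency set that was tested.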