First of all, the title of this article is misleading: you obviously don't have to forget about every other composer command. We are talking here about composer install and composer update.
Here's the quick truth: you should never run composer update on an environment that is not your local machine. If you need to update your project on a server, composer install is always what you want to run.
A lot of developers think that, in order to update their project remotely, on their server, they need to run composer update. You know, to get the updated version of every dependency. But they shouldn't, because the update command grabs the latest version available of each package (within whatever your composer.json constraints allow).
The problem is that you might end up with totally different code, and totally different behavior, from what you tested on your local environment.
Composer solves this problem with the composer.lock file. Yet many developers choose to ignore this file in git, so it is never available on their dev and production servers.
While you're working locally, don't hesitate to update your dependencies; doing that regularly is a good thing. However, you should commit the generated composer.lock file to your versioning system, so that you can run composer install on your server. That way, composer reads the composer.lock file instead of resolving composer.json again, and your remote environments will always be identical to your local one.
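To make the difference concrete, here is an added example (written for this page, not code from the original post or from Composer itself). It simulates, on constructed sample data, what the two commands resolve: composer install takes the exact versions recorded in composer.lock, while composer update takes the highest published version each composer.json constraint allows. The composer.json, composer.lock, "published versions" list and .gitignore below are all made-up fixtures, and the constraint parser is a simplified one that only handles the caret (^), tilde (~) and exact forms used in the sample; Composer's real resolver handles far more.

```python
import json
import re

# --- Constructed sample data (not taken from any real project) -------------
COMPOSER_JSON = json.loads("""
{
  "require": {
    "monolog/monolog": "^2.3",
    "symfony/yaml": "~5.4.0",
    "psr/log": "1.1.4"
  }
}
""")

# Only the fields this example reads; a real composer.lock records much more
# (source URLs, dist hashes, content-hash of composer.json, ...).
COMPOSER_LOCK = json.loads("""
{
  "packages": [
    {"name": "monolog/monolog", "version": "2.3.5"},
    {"name": "symfony/yaml",    "version": "v5.4.0"},
    {"name": "psr/log",         "version": "1.1.4"}
  ]
}
""")

# Pretend Packagist snapshot: releases published since the lock was generated.
AVAILABLE = {
    "monolog/monolog": ["2.3.5", "2.4.0", "2.9.1", "3.0.0"],
    "symfony/yaml": ["v5.4.0", "v5.4.12", "v5.5.0", "v6.0.0"],
    "psr/log": ["1.1.4", "2.0.0", "3.0.0"],
}

GITIGNORE = "/vendor/\n.env\n# composer.lock\n"


def parse_version(v):
    """'v5.4.12' -> (5, 4, 12); shorter versions are zero-padded to 3 parts."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(constraint, version):
    """Simplified Composer constraint check: ^X.Y[.Z], ~X.Y[.Z] or exact."""
    ver = parse_version(version)
    m = re.fullmatch(r"([\^~]?)(\d+(?:\.\d+)*)", constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint}")
    op, raw = m.groups()
    lo = parse_version(raw)
    if op == "":
        return ver == lo
    if op == "^":
        # ^1.2.3 -> <2.0.0, ^0.3 -> <0.4.0: the first non-zero component bumps
        hi = list(lo)
        idx = next((i for i, p in enumerate(hi) if p), 0)
        hi[idx] += 1
        for j in range(idx + 1, 3):
            hi[j] = 0
    else:
        # ~1.2 -> <2.0.0, ~1.2.3 -> <1.3.0: second-to-last given component bumps
        hi = [int(p) for p in raw.split(".")]
        if len(hi) == 1:
            hi.append(0)
        hi[-2] += 1
        hi[-1] = 0
        hi += [0] * (3 - len(hi))
    return lo <= ver < tuple(hi)


def install_resolves(lock):
    """composer install ignores the constraints and takes what the lock records."""
    return {p["name"]: p["version"] for p in lock["packages"]}


def update_resolves(composer_json, available):
    """composer update picks the highest published version each constraint allows."""
    picks = {}
    for name, constraint in composer_json["require"].items():
        ok = [v for v in available.get(name, []) if satisfies(constraint, v)]
        if not ok:
            raise LookupError(f"no published version of {name} matches {constraint}")
        picks[name] = max(ok, key=parse_version)
    return picks


def drift(composer_json, lock, available):
    """Packages whose tested version composer update would silently replace."""
    installed = install_resolves(lock)
    updated = update_resolves(composer_json, available)
    return {
        name: (installed[name], updated[name])
        for name in installed
        if parse_version(installed[name]) != parse_version(updated[name])
    }


def lock_is_ignored(gitignore_text):
    """Pre-deploy sanity check: is composer.lock excluded from git? (plain entries only)"""
    for line in gitignore_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lstrip("/") == "composer.lock":
            return True
    return False


if __name__ == "__main__":
    for name, (tested, would_get) in drift(COMPOSER_JSON, COMPOSER_LOCK, AVAILABLE).items():
        print(f"{name}: install keeps {tested}, update would pull {would_get}")
    print("composer.lock ignored by git:", lock_is_ignored(GITIGNORE))
```

With the sample data, composer install keeps monolog/monolog 2.3.5 and symfony/yaml v5.4.0, while composer update would jump to 2.9.1 and v5.4.12 because the constraints allow them; psr/log is pinned exactly and is the only package where the two commands agree.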
I must admit that I made this exact mistake for some time. One day I had an issue with an updated package. Everything worked correctly on my machine, but the production environment was broken. Super bad situation... I just ran composer install and everything was solved!
Hope this will help some of the developers who are like I was before :)