Will It Vibe logoWill It Vibe?
SCA-016Medium severity-8 points

composer.json with no composer.lock

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A composer.json exists with no composer.lock in the same directory, so composer install can resolve different package versions between environments.

Why it matters

A composer.json with no composer.lock means composer install resolves PHP package versions fresh within whatever ranges composer.json allows, so different environments (developer machines, CI, production) can end up running different dependency versions. Composer's own documentation explicitly recommends committing composer.lock for applications.

How to fix it

Run composer install once and commit the generated composer.lock. Deploys and CI should use composer install --no-dev (as appropriate) against the committed lock rather than composer update, and composer validate --check-lock catches drift between composer.json and composer.lock.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks