Currently, I have a private SVN repo checked out in my vendor directory that works with Composer. It works pretty fine, but only as long as I don't change/commit stuff. When I composer update after committing a change to the SVN repo I get the clear message that my way of working is not recommended, along with the message my .svn directory is missing. (The missing .svn directory may be because I have a checkout of multiple vendor packages from a single repo)
I understand that having a checkout right in the vendor directory isn't exactly best practice. But it feels rather comfortable (if it works ofcourse). Now, since I'm not someone who likes to stick with bad practices I'd like to improve on this.
The Composer recommendation only gives me some examples on how to get SVN in the vendor directory running anyway and the "best practice" sentence isn't exactly clear to me either. Also, this post isn't really helping either as I am not getting the message Seldaek is demonstrating.
My question is, what is the correct way to manage a vendor with SVN?
The recommended way is to commit only the composer.lock and composer.json files. This makes your repository lightweight, as you don't have to commit all those files that make up the included libraries. Composer promises to install exactly the same files if you call composer install.
The way it also works is to actually commit all the included vendor files into your project repository. I did it in some projects because there was not yet a way to deploy these besides having everything in the repository. The good part is that everyone checking out or updating the repository instantly has a working copy of the software. The bad part is that as soon as the dependencies are exported from a repository, you have a much more complicated update and commit process, because you manually have to delete all signs of the foreign repository (like the .git directories - you do not want to have git submodules if you are using git as the repo, and you do not want to commit the complete git history if you are using SVN) - it is the same way with a library checked out from SVN.
Without creating an update script that does everything you need to commit your dependencies into your repository, you will never ever update your software unless forces to. Without committing the dependencies, updating is as easy as calling composer update and then committing the changes in composer.json and composer.lock.
How are the dependencies deployed to the production server if they are not in the projects repository? Call composer install before copying the files to the production system. :)
