Don't forget to pin PECL extensions

We pin Composer packages and PHP versions, but what about PECL extensions?

Joel Clermont
Joel Clermont

Today's tip came from a real-world scenario that burned me recently.

Any time we install a Composer package, it installs a specific version, which is stored in the composer.lock file. So any other machine where we run composer install we always get the same version.

If you are using Docker, you quite likely do the same thing for your versions of PHP, nginx, mysql, and so on. Consistency between environments is great!

One place, I hadn't been doing this was with PECL extensions, like the redis extension. In my Dockerfile, I'd just have this line:

# unpinned - will jump major versions - don't do this
RUN pecl install redis && docker-php-ext-enable redis

And then in my composer.json file, I'd specify "ext-redis": "^5.3" as a requirement.

But recently, version 6.0 of this extension came out, so when my Docker containers were built in our CI pipeline, it installed that new version, which failed the constraint of ^5.3 in my composer.json file.

The solution was simple, and obvious in hindsight: pin the version of the extension in my Dockerfile:

# pinned to a specific patch version - no surprises!
RUN pecl install redis-5.3.7 && docker-php-ext-enable redis

Here to help,


P.S. Laravel is pretty secure by default, but Aaron published a course to go even deeper on Laravel security.

Toss a coin in the jar if you found this helpful.
Want a tip like this in your inbox every weekday? Sign up below 👇🏼

Level up your Laravel skills!

Each 2-minute email has real-world advice you can use.