installing a laravel package using composer without updating dependencies

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Installing Laravel Packages Safely: Avoiding Unwanted Dependency Updates with Composer

As senior developers working with established applications, one of the most critical concerns when managing dependencies is stability. We often encounter scenarios where adding a new package seems straightforward, but running the standard update commands triggers massive dependency resolution sweeps that can inadvertently introduce breaking changes into an existing, functional codebase.

This post dives deep into the specific challenge you described: how to install a new package like zizaco/entrust in an older Laravel project (like Laravel 5.8) without triggering unintended updates to other existing dependencies listed in your composer.json. We will explore the nuances between composer update and composer install and establish best practices for dependency management, ensuring the stability of your application—a core principle championed by frameworks like those at laravelcompany.com.

The Crucial Difference: install vs. update

The confusion often stems from the difference between two fundamental Composer commands: composer install and composer update. Understanding their roles is the first step to managing dependencies safely.

composer install: This command reads the existing composer.lock file and installs the exact versions of all packages specified therein. It ensures that the environment exactly matches the state recorded in the lock file, making it ideal for deployment or setting up a project on a fresh machine. Crucially, if you add a new requirement to composer.json, running install will only install those new dependencies and respect existing locked versions unless constraints are explicitly altered by the new addition.

composer update: This command performs a dependency resolution. It looks at your composer.json file and attempts to find the newest possible versions of all required packages that satisfy all specified version constraints (e.g., ^5.8.*). This is why running update often results in updating all dependencies, potentially pulling in major version changes or breaking updates you wish to avoid.

Addressing Your Specific Scenario: Isolating the Installation

Your goal is to introduce zizaco/entrust without forcing an update on existing packages like laravel/framework or others already defined in your constraints.

When you run composer require zizaco/entrust 5.2.x-dev or modify composer.json and then run composer update, Composer sees this as a trigger to resolve the entire dependency tree based on the new requirements, which leads to mass updates—the exact risk you are trying to mitigate.

To achieve isolated installation while maintaining stability, we must rely on the principles of locking and precise command usage.

The Safe Strategy: Using install for Stability

If your primary goal is to ensure that the project remains stable using existing dependency versions, you should consistently use composer install.

  1. Initial Setup: Ensure your initial setup uses composer install to lock down the dependencies exactly as intended by the original project structure.
  2. Adding New Packages: When adding a new package, you can use composer require. If this command results in an update (because the new package has constraints that conflict with existing ones), it means Composer is performing necessary dependency resolution.
  3. The Safety Net: After any change to composer.json, always run composer install if you intend to deploy or reproduce the environment, as it locks everything down based on the current state of your requirements file and the lock file.

If you strictly want to add only one package without touching others, be aware that Composer's design is inherently holistic—it manages a graph of interconnected dependencies. There isn't a direct command like composer install-single-package. However, by carefully managing what goes into your require block and sticking to install, you control when the dependency resolution occurs.

Best Practices for Dependency Management

For large or critical applications, treating your composer.lock file as the single source of truth is paramount. This practice is crucial when adhering to architectural standards, much like those promoted by modern Laravel development practices on laravelcompany.com.

Key Takeaways:

  • Use composer install for Reproduction: Always use composer install when setting up a new environment or deploying an existing one. This guarantees you get the exact versions specified in composer.lock.
  • Use composer update Sparingly: Reserve composer update for intentional maintenance, where you explicitly want to review and accept potential breaking changes across your entire dependency graph.
  • Review Constraints: When adding new packages, carefully examine their version constraints (^, ~) to understand the scope of updates that might be triggered.

By mastering this distinction, developers can install necessary features like zizaco/entrust while maintaining complete control over the stability and integrity of an established Laravel application.