Composer.lock & Packagist Issues

Hey guys,

I went a month or two without deploying my site, then when I went to deploy it I got this:

Warning: This development build of composer is over 60 days old. It is recommended to update it by running "/usr/local/bin/composer self-update" to get the latest version.
Loading composer repositories with package information
The "" file could not be downloaded: failed to open stream: Operation timed out
Retrying with degraded mode, check for more info

  The "" file could not be downloaded: failed to open stream: Operation timed out

The weird thing is that my composer.lock file is showing old versions of my plugins, even after I updated my composer.json to all current versions.

I deleted my composer.lock, cleared my composer cache, then tried running composer install and composer update but the composer.lock is still showing dated versions of my plugins.

Here’s my /site repo.

One thing to note is that composer doesn’t seem to be located in my /usr bin. But it’s been working fine until now (when GravityForms and Stripe updated versions).

Another thing to note, I wonder if it has something to do with my SSL?

You can see where a program is being run with the which command, which composer should show you where composer is installed.

This just means Composer itself should be updated. Run composer self-update

Not sure what this would be. It looks like you’re using the versions that correlate with the downloads:, so I don’t know why Composer wouldn’t be installing the correct versions.

Are you saying that when you deploy, the plugins are not updating? You have to make sure you commit the composer file updates, as the deploy will pull the latest version from git, not what’s on your computer.

1 Like

Ah, okay. Thanks man.

I see that I updated the versions here:

But not here:

So I’ll fix that. The only issue is that I still can’t get composer to self-update.

I guess composer was installed in the right location: (I tried running sudo, that might have been naughty, but it still didn’t work)

Masons-iMac:site Mason$ which composer
Masons-iMac:site Mason$ composer self-update

  Filesystem exception:
  Composer update failed: the "/usr/local/bin/composer" file could not be written

self-update [-r|--rollback] [--clean-backups] [--no-progress] [--] [<version>]

Masons-iMac:site Mason$ sudo composer self-update
The "" file could not be downloaded: failed to open stream: Operation timed out
Retrying with degraded mode, check for more info

  The "" file could not be downloaded: failed to open stream: Operation timed out

self-update [-r|--rollback] [--clean-backups] [--no-progress] [--] [<version>]

Running sudo in this case shouldn’t be an issue. Try it again - it says it timed out, but that URL works for me.

Alright I got it sorted out.

I was getting connection timeouts on both and

It seems like it’s an ISP issue with IPv6.

I followed Composer’s official instructions to disable IPv6 and force IPv4 by running: sudo sh -c "echo 'precedence ::ffff:0:0/96 100' >> /etc/gai.conf"

That didn’t do the trick for me, but this did–

Workaround for Mac OS X:

Get name of your network device:

networksetup -listallnetworkservices

Disable IPv6 on that device (in my case “Wi-Fi”)

networksetup -setv6off Wi-Fi

Update composer.

You can enable IPv6 again with:

networksetup -setv6automatic Wi-Fi



I thought it was solved, but I’m having new issues when trying to deploy–

I still got an error when deploying, which led me to realizing that my composer.lock file wasn’t synced with my composer.json.

I’ve tried a handful of different solutions.

  1. I tried deleting the .lock file and composer updating
  2. I tried deleteing the .lock file and composer installing
  3. I tried doing 1 and 2 while first clearing Composer cache (using a couple different methods: composer clear-cache and rm -rf ~/.composer/cache.
  4. I tried reverting to the original .json, updating/installing (so that it would remove all my plugins), then adding them back in and composer installing/updating.

The strange thing is that no matter what I do, it seems to pull my old URLs, not the ones in the current composer.json. I tried git committing every step of the way incase I wasn’t using the updated json in the git repo. Still no luck.

Even though I clear the cache, it’s seems to magically be pulling old json URLs into the .lock file.

I’ve read the documentation on .lock files. One thing that sticks out to me is that my composer.phar doesn’t seem to exist in Bedrock or in usr/local/bin. Or at least the command php composer.phar update returns this: Could not open input file: composer.phar

Another thing to note is that all of these issues stem from the fact that GravityForms constantly updates their download links. I started this thread awhile back on how to use composer with Gravityforms, and I should try hosting my plugins in a private repo instead of linking to GFs’ amazon servers, but I don’t think that will solve this particular bug at the moment. The bug is that the .lock file isn’t using the new URLs I put in the .json.

Edit: Let me know if your guys (@kalenjohnson) want me to start a new topic on this, because it’s overlapping but not the original issue. Imo, this is a very important topic because it’s prevented me from deploying all day, which is no bueno. (obviously it’s a GFs/Composer issue, not Roots or Bedrock).