When installing/updating an extension which has Composer dependencies, there are three approaches:
- run composer update in the main MediaWiki directory. This will cause composer to collect all dependencies (including the dependencies of the changed/new extension) via composer-merge-plugin, and update them. The result is always correct but will update every library to the newest version allowed by composer.json, not just the ones for the newly installed extension. Besides taking longer, more code changes mean a higher probability of something breaking, and thus more effort needed to test that the site works correctly.
- run composer install in the extension directory. This usually works (as long as the extension is able to use the autoloader from its vendor subdirectory, e.g. by setting the load_composer_autoloader flag in extension.json), and does not do unnecessary updates. It can fail in one edge case though: when the extension uses a library that is also used by another extension or MediaWiki core, Composer is not able to merge the version requirements and calculate the correct version (or throw an error if they conflict). Thus, there will be two different versions of the library, and callers might end up with a library version they did not expect.
- run composer update --with-dependencies library/one library/two ... to manually limit updates to the libraries needed by the extension. This works but is fairly cumbersome.
It would be nice to have a simpler way to install/update the affected libraries only.
Upstream bug: #6601
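
One way to automate the third approach, as an added example that is not part of the original task or of MediaWiki's code: it reads the extension's composer.json, builds the limited composer update --with-dependencies command, and lists libraries that core or another extension also requires (the edge case from the second approach). The package names and the plan_update helper are hypothetical.

```python
import json
import shlex

def libraries(composer_json_text):
    """Map library name -> version constraint from a composer.json 'require' section.
    Platform requirements (php, ext-*, lib-*) have no vendor/ prefix and are skipped."""
    require = json.loads(composer_json_text).get("require", {})
    return {name: c for name, c in require.items() if "/" in name}

def plan_update(extension_text, others):
    """others: {label: composer.json text} for core and the other installed extensions.
    Returns (command, shared); shared lists who else requires each library."""
    wanted = libraries(extension_text)
    shared = {}
    for label, text in others.items():
        for name, constraint in libraries(text).items():
            if name in wanted:
                shared.setdefault(name, []).append((label, constraint))
    if not wanted:
        return None, shared
    # Only the extension's own libraries are named, so unrelated packages stay pinned.
    command = shlex.join(["composer", "update", "--with-dependencies", *sorted(wanted)])
    return command, shared

# Constructed sample input (hypothetical package names, not from a real extension).
EXTENSION = '''{"require": {"php": ">=7.4", "ext-curl": "*",
  "example/http-client": "^2.0", "example/logger": "^1.1"}}'''
OTHERS = {
    "core": '{"require": {"php": ">=7.4", "example/logger": "^1.0"}}',
    "OtherExtension": '{"require": {"example/cache": "^3.0"}}',
}

if __name__ == "__main__":
    command, shared = plan_update(EXTENSION, OTHERS)
    print(command)
    for name, users in shared.items():
        print(f"shared library {name}: also required by {users}")
```

Libraries reported as shared are the ones to review before and after the update, since their version is constrained by more than one composer.json.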