Skip to content Contact us

Contact form

Drupal, Exove, Technology by Perttu Ehn,

Security in Code Deployment – part 4: Advantages of using Composer

Code examples for this article: https://github.com/rpsu/dwd-security-in-code-deployment

This is part of “Security in Code Deployment” -series. 

You are most probably familiar with Composer, at least on a conceptual level. It is a dependency manager with all of the functionality of Drush, and more. From the perspective of building the codebase, the difference between Drush and Composer is the recipe file format and the use or Composer, not Drush, as the build tool. Drush and Composer are not mutually exclusive, you can use both; you can even install Drush along with Drupal using Composer.

Composer uses JSON files, which use curly brackets instead of indentation, as in YAML files. However, unlike Drush make files, composer.json files are not meant to be edited in quite the same way. Composer keeps the composer.json and composer.lock files up-to-date according to your instructions. You still need to add some things manually to composer.json, such as the patches you want to use in modules.

From a code deployment perspective, using Composer is just a better way to manage all required resources, because it also makes sure all the module requirements are met; you could learn the hard way that something is missing with the use of an (incomplete) Drush make file.

Start by generating the project in a drupal.local folder. The following example uses the GitHub-based Composer template project. Before you start, make sure you have Composer installed:

$ composer create-project drupal-composer/drupal-project:8.x-dev drupal.local
--stability dev --no-interaction
$ cd drupal.local

Composer can be used with Drupal 7 projects, too. All you have to change is the branch name in the command to 7.x-dev. Now the composer.json and composer.lock files have been created. The Drupal root (the index.php file) is in the web folder, as are other Drupal modules and themes. Other resources (dependencies) are in the vendor folder. You might take a look at what is in the folders; just remember that composer.lock contains the whole dependency tree, which easily makes it quite long when compared with the composer.json file.

Start by adding Drupal.org as one of the package (module) sources; then, start adding your project dependencies. In Listing 13, I’m adding the very latest version of the Token module that is compatible with the defined Drupal core, as well as a specific version of the Field Group module and a specific commit (1fe3649) from Ctools module’s 8.x-3.x branch. Composer will update composer.json and composer.lock files when you add (or remove) dependencies.

LISTING 13: Add Modules with Composer

# Configure Drupal.org as a package source
$ composer config repositories.drupal composer https://packages.drupal.org/8
# Add some modules
$ composer require drupal/token
$ composer require drupal/field_group:1.0-rc4
$ composer require drupal/ctools:dev-3.x#1fe3649

Once you have committed and pushed changes, your colleagues can get exactly the same codebase every time, with all dependencies included. All they have to do is clone your repository and run:

$ composer install --prefer-dist --optimize-autoloader

Happy coding!

See all posts

Read next

See all posts in this series

More in this series

See all posts

More from the blog

See all careers

Related open positions

Current selection of careers

Our offices

Contacts

  • Perttu Ehn

    Competence Manager, Developer

    • perttu.ehn@exove.com