Managing Drupal sites with composer brings a number of benefits. However, when installing Drupal dependencies from source (an option offered by composer), you also lose the functionality provided by Drupal core’s “Available Updates” page. Thankfully Composer will allow you to keep tabs on the available updates for all of your project’s dependencies, including Drupal core/contrib.
Tracking Dependency Updates
Running composer outdated from the top level of your composer-managed repository produces output similar to the screenshot below. The results include dependencies of your dependencies (such as those of Drupal core), but you can limit the checks to those dependencies that are directly required by the root package by running composer outdated --direct.
Updating Dependencies
If you are following composer best practices and avoiding exact version constraints in composer.json using the ^ or similar constraints, then running composer update with no arguments or flags could result in a large number of dependencies updated at one time. I recommend limiting updates to a single dependency, or at least a group of related dependencies at any given time.
composer update drupal/token --with-dependencies
For example, if you wanted to update Drupal’s token module, you would use the command composer update drupal/token --with-dependencies and it would update it to the latest available version that matches your version requirements defined in composer.json. Limiting updates to a single dependency at a time has the practical benefit of allowing you to more easily trace a bug to its origin if one is introduced via an update.
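The one-dependency-at-a-time workflow above can be scripted. This is an added example, not code from the original post: a Python helper that reads the JSON produced by composer outdated --direct --format=json and emits one update command per package. The sample report, its version numbers and the names plan_updates and NAME_RE are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like `composer outdated --direct --format=json`.
SAMPLE = """
{"installed": [
  {"name": "drupal/core", "version": "8.4.2", "latest": "8.4.4",
   "latest-status": "semver-safe-update"},
  {"name": "drupal/token", "version": "1.0.0", "latest": "1.1.0",
   "latest-status": "semver-safe-update"},
  {"name": "drush/drush", "version": "8.1.15", "latest": "9.0.0",
   "latest-status": "update-possible"}
]}
"""

# vendor/package; reject anything else before it reaches a shell command line.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_.-]*/[a-z0-9][a-z0-9_.-]*$")


def plan_updates(outdated_json):
    """Return (commands, held_back) from composer's outdated report.

    commands:  one `composer update` per package that has a newer release
               inside the composer.json constraint ("semver-safe-update").
    held_back: packages whose newer release is outside the constraint
               ("update-possible"); `composer update` will not install it.
    """
    commands, held_back = [], []
    for pkg in json.loads(outdated_json).get("installed", []):
        name = pkg["name"]
        if not NAME_RE.match(name):
            raise ValueError(f"unexpected package name: {name!r}")
        status = pkg.get("latest-status")
        if status == "semver-safe-update":
            commands.append(f"composer update {name} --with-dependencies")
        elif status == "update-possible":
            held_back.append((name, pkg["version"], pkg["latest"]))
    return commands, held_back


if __name__ == "__main__":
    cmds, held = plan_updates(SAMPLE)
    for cmd in cmds:
        print(cmd)  # run and test these one at a time
    for name, cur, new in held:
        print(f"# {name}: {cur} -> {new} needs a composer.json constraint change")
```

Packages reported as update-possible are listed separately because their newer release falls outside the version requirement in composer.json, so composer update alone leaves them where they are.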
Rebuilding composer.lock – A Bonus
composer update --lock
If your reaction to my recommendation to never run composer update on its own was to break into a cold sweat thinking about “lock file out of date” warnings, composer update --lock is for you. Occasionally you may want to rebuild the lock file, without making any changes to your dependencies; this option is especially useful when trying to resolve merge conflicts in composer.lock.
[--lock]: Only updates the lock file hash to suppress warning about the lock file being out of date.