Managing Drupal sites with composer brings a number of benefits. However, when installing Drupal dependencies from source (an option offered by composer), you also lose the functionality provided by Drupal core’s “Available Updates” page. Thankfully Composer will allow you to keep tabs on the available updates for all of your project’s dependencies, including Drupal core/contrib.
Tracking Dependency Updates
composer outdated from the top level of your composer-managed repository produces output similar to the screenshot below. The results include dependencies of your dependencies (such as those of Drupal core), but you can limit the checks to those dependencies that are directly required by the root package by running
composer outdated --direct.
If you are following composer best practices and avoiding exact version constraints in
composer.json using the
^ or similar constraints, then running
composer update with no arguments or flags could result in a large number of dependencies updated at one time. I recommend limiting updates to a single dependency, or at least a group of related dependencies at any given time.
composer update drupal/token --with-dependencies
For example, if you wanted to update Drupal’s token module, you would use the command
composer update drupal/token --with-dependencies and it would update it to the latest available version that matches your version requirements defined in
composer.json. Limiting updates to a single dependency at a time has the practical benefit of allowing you to more easily trace a bug to its origin if one is introduced via an update.
Rebuilding composer.lock – A Bonus
composer update --lock
If your reaction to my recommendation to never run
composer update on its own was to break into a cold sweat thinking about “lock file out of date” warnings,
composer update --lock is for you. Occasionally you may want to rebuild the lock file, without making any changes to your dependencies; this option is especially useful when trying to resolve merge conflicts in
> [--lock]: Only updates the lock file hash to suppress warning about the lock file being out of date.