Using `composer outdated` to Manage Drupal Dependencies

Managing Drupal sites with Composer brings a number of benefits. However, when installing Drupal dependencies from source (an option offered by Composer), you lose the functionality provided by Drupal core’s “Available Updates” page. Thankfully, Composer lets you keep tabs on the available updates for all of your project’s dependencies, including Drupal core and contrib.

Tracking Dependency Updates

Running `composer outdated` from the top level of your Composer-managed repository produces output similar to the screenshot below. The results include dependencies of your dependencies (such as those of Drupal core), but you can limit the checks to those dependencies that are directly required by the root package by running `composer outdated --direct`.

[Screenshot: using drush in the terminal]

Updating Dependencies

If you are following Composer best practices and avoiding exact version constraints in `composer.json` by using `^` or similar constraints, then running `composer update` with no arguments or flags could update a large number of dependencies at one time. I recommend limiting updates to a single dependency, or at least to a group of related dependencies, at any given time.

`composer update drupal/token --with-dependencies`

For example, if you wanted to update Drupal’s Token module, you would run `composer update drupal/token --with-dependencies`, which updates it to the latest available version that matches the version requirements defined in `composer.json`. Limiting updates to a single dependency at a time has the practical benefit of making it easier to trace a bug to its origin if one is introduced via an update.
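The one-dependency-at-a-time workflow can be scripted from the machine-readable report. The following is an added example, not code from the original post: it assumes the JSON shape that `composer outdated --direct --format=json` emits (an `installed` list with `name`, `version`, `latest` and `latest-status`), and the sample report, `SAMPLE` and `plan_updates` are constructed for illustration.

```python
import json
import shlex

# Constructed sample of `composer outdated --direct --format=json` output.
# Package versions are illustrative, not taken from a real project.
SAMPLE = """
{
  "installed": [
    {"name": "drupal/token", "version": "1.5.0", "latest": "1.9.0",
     "latest-status": "semver-safe-update"},
    {"name": "drush/drush", "version": "9.7.1", "latest": "10.3.6",
     "latest-status": "update-possible"}
  ]
}
"""


def plan_updates(outdated_json):
    """Return (commands, review).

    commands: one `composer update <pkg> --with-dependencies` line per package
              whose newer release is semver-compatible with the installed one.
    review:   (name, installed, latest) for packages whose newer release is
              not semver-compatible (usually a new major version); these need
              a look at the changelog and the composer.json constraint first.
    """
    data = json.loads(outdated_json)
    commands, review = [], []
    for pkg in data.get("installed", []):
        status = pkg.get("latest-status")
        if status == "semver-safe-update":
            # Quote the name: it comes from a file and ends up in a shell command.
            name = shlex.quote(pkg["name"])
            commands.append(f"composer update {name} --with-dependencies")
        elif status == "update-possible":
            review.append((pkg["name"], pkg["version"], pkg["latest"]))
    return commands, review


if __name__ == "__main__":
    cmds, review = plan_updates(SAMPLE)
    print("Run and test one at a time:")
    for cmd in cmds:
        print("  " + cmd)
    print("Review before updating:")
    for name, installed, latest in review:
        print(f"  {name}: {installed} -> {latest}")
```

Running and committing each printed command separately keeps every update in its own changeset, which is what makes a regression traceable to a single package.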

Rebuilding composer.lock – A Bonus

`composer update --lock`

If your reaction to my recommendation to never run `composer update` on its own was to break into a cold sweat thinking about “lock file out of date” warnings, `composer update --lock` is for you. Occasionally you may want to rebuild the lock file without making any changes to your dependencies; this option is especially useful when trying to resolve merge conflicts in `composer.lock`.

[--lock]: Only updates the lock file hash to suppress warning about the lock file being out of date.