Package Manager module

The Package Manager modules provides a framework for updating Drupal core and installing extensions via Composer. It provides an API for creating a temporary copy of the current site, making changes to the copy, and then syncing those changes back into the live site.

Requirements

• The Drupal application's codebase must be writable in order to use Automatic Updates. This includes Drupal core, modules, themes and the Composer dependencies in the vendor directory. This makes Automatic Updates incompatible with some hosting platforms.
• A Composer executable whose version is 2.7 or greater.
• PHP must have permission to run composer.
• Your site's composer.json file must be valid according to composer validate. See Composer's documentation for more information.
• Composer must be configured for secure downloads. To enable secure downloads set the disable-tls option to false, and the secure-http option to true in the config section of your composer.json file. If these options are not set in your composer.json, Composer will behave securely by default. To set these values at the command line, run the following commands:
  

  composer config --unset disable-tls
  composer config --unset secure-http
  

Composer

• The function proc_open() must be enabled on your PHP installation. To enable proc_open() remove it from the disable_functions setting in php.ini.

• If the composer executable's path cannot be automatically determined, it can be explicitly set by adding the following line to settings.php:

  $config['package_manager.settings']['executables']['composer'] = '/full/path/to/composer.phar';

• The version of the composer executable must satisfy ^2.7. See the the Composer documentation for more information, or use this command to update Composer:

  composer self-update

• If the composer validate command failed then Composer detected problems with your composer.json and/or composer.lock files, and the project is not in a completely valid state. See the Composer documentation for more information.

Composer patches

Enable PHP-TUF protection

Package Manager requires PHP-TUF, which implements The Update Framework as a way to help secure Composer package downloads via the PHP-TUF Composer integration plugin. This plugin must be installed and configured properly in order to use Package Manager.

To install and configure the plugin as needed, you can run the following commands:

composer config allow-plugins.php-tuf/composer-integration true
composer require php-tuf/composer-integration

Package Manager currently requires the https://packages.drupal.org/8 Composer repository to be protected by TUF. To set this up, run the following command:

composer tuf:protect https://packages.drupal.org/8

Unsupported Composer plugins

A fresh Drupal installation only uses supported Composer plugins, but some extension may depend on additional Composer plugins. Create a new issue when you encounter this.

It is possible to trust additional Composer plugins, but this requires significant expertise: understanding the code of that Composer plugin, what the effects on the file system are and how it affects the Package Manager module. Some Composer plugins could result in a broken site!

cweagans composer-patches

Installation or removal of cweagans/composer-patches via Package Manager is not supported. You can install or remove it manually by running Composer commands in your site root.

To install, use the following command.

composer require cweagans/composer-patches

To remove, use the following command.

composer remove cweagans/composer-patches

cweagans/composer-patches must be a root dependency

If cweagans/composer-patches is installed, it must be defined as a dependency of the main project (i.e., it must be listed in the require or require-dev section of composer.json). You can run the following command in your site root to add it as a dependency of the main project:

composer require cweagans/composer-patches

Using rsync

Package Manager must be able to run rsync to copy files between the live site and the stage directory. Package Manager will try to detect the path to rsync, but if it cannot be detected, you can set it manually in two ways.

Explicitly by adding the following line to settings.php:

$config['package_manager.settings']['executables']['rsync'] = '/full/path/to/rsync';

or from the Package Manager settings page, admin/config/system/package-manager.