Upgrade Your Drupal Skills

We trained 1,000+ Drupal Developers over the last decade.

See Advanced Courses NAH, I know Enough

Using `composer outdated` to Manage Drupal Dependencies

Parent Feed: 

Managing Drupal sites with composer brings a number of benefits. However, when installing Drupal dependencies from source (an option offered by composer), you also lose the functionality provided by Drupal core’s “Available Updates” page. Thankfully Composer will allow you to keep tabs on the available updates for all of your project’s dependencies, including Drupal core/contrib.

Tracking Dependency Updates

Running composer outdated from the top level of your composer-managed repository produces output similar to the screenshot below. The results include dependencies of your dependencies (such as those of Drupal core), but you can limit the checks to those dependencies that are directly required by the root package by running composer outdated --direct.

Updating Dependencies

If you are following composer best practices and avoiding exact version constraints in composer.json using the ^ or similar constraints, then running composer update with no arguments or flags could result in a large number of dependencies updated at one time. I recommend limiting updates to a single dependency, or at least a group of related dependencies at any given time.

composer update drupal/token --with-dependencies

For example, if you wanted to update Drupal’s token module, you would use the command composer update drupal/token --with-dependencies and it would update it to the latest available version that matches your version requirements defined in composer.json. Limiting updates to a single dependency at a time has the practical benefit of allowing you to more easily trace a bug to its origin if one is introduced via an update.

Rebuilding composer.lock – A Bonus

composer update --lock

If your reaction to my recommendation to never run composer update on its own was to break into a cold sweat thinking about “lock file out of date” warnings, composer update --lock is for you. Occasionally you may want to rebuild the lock file, without making any changes to your dependencies; this option is especially useful when trying to resolve merge conflicts in composer.lock.

[--lock]: Only updates the lock file hash to suppress warning about the lock file being out of date.

Author: 
Original Post: 

About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web