Cloud Platform

Using Composer with Drupal sites


Composer is a tool that manages PHP dependencies for your website or application. Composer gives you the flexibility to declare the libraries your project depends on, and installs and updates them for you.

For instructions about downloading and installing Composer for your operating system, see the getting started guide.

Using Composer with Cloud Platform

To perform updates and manage dependencies, Acquia recommends you to install Composer locally, and use it with your local copy. You can deploy your build artifact to your Cloud Platform environments using Code Studio or Pipelines.

To follow best practices with Composer, you must maintain a source code (source) repository for your project separate from your Cloud Platform (build) repository. Your source repository must contain the least amount of code required to build your project, such as composer.json file, composer.lock file, and any custom modules or settings. The source repository must not contain copies of your Composer dependencies. Your build repository that is hosted on Cloud Platform must contain static snapshots of your entire codebase, including Composer dependencies. The static snapshots are called build artifacts and they are ready for deployment to Cloud Platform.

To move code between your source and build repositories, you can use one of the following methods:

  • Copy the necessary files locally

  • Use a continuous integration service, such as Code Studio or Pipelines

  • Use a tool automating the process, such as  Acquia CLI

You can use a Composer-based workflow with a single repository. Acquia recommends you to not use a Composer-based workflow with a single repository because it impacts the development workflow by making it difficult to maintain code consistency. For example, with a single repository, you must keep the versions of dependencies in composer.json and the versions of dependencies you commit to the repository in sync, which introduces a high risk of human error.

If you cannot use Code Studio or Pipelines, you can use Composer based on the following methods:

  • Using Acquia CLI push:artifact commands
    For more information, see Acquia CLI commands.
  • Using Composer and Acquia CLI through Cloud IDE (recommended)
    After setting up your Cloud IDE, you can open your Cloud IDE terminal and follow the normal Git workflow for checking out code, such as adding changed flags, committing changes, and pushing to origin. Cloud IDE contains pre-installed Composer and Acquia CLI. By default the .gitignore file ignores the vendor directory as you use Composer and Acquia CLI to push your code to Cloud Platform.

Encrypting Composer variables

To encrypt Composer variables in Cloud Platform Pipelines, see Encrypting keys and variables.

When encrypting the COMPOSER_AUTH variable using the Encrypt Credentials field in the Cloud Platform interface, ensure you use single quotes at the beginning and end of the json, and use double quotes inside the curly brackets, as in the following example:

'{"http-basic": {"": {"username": "myuser", "password": "mypassword"}}}'

Failing to follow the preceding code format can generate the following UnexpectedValueException error:

COMPOSER_AUTH environment variable is malformed, should be a valid JSON object

Using Composer with Drupal

Drupal core uses Composer to manage dependencies, which can include Drupal modules. For more information, see the following resources:

Migrating into a Composer-managed build

Patching with Composer

To enable patching through Composer:

  1. Install the composer-patches project with Composer:

    composer require cweagans/composer-patches
  2. Add the following to the extra section of the composer.json file located above the docroot directory:

    "enable-patching": true,
       "patches": {
          "drupal/[module_name]": {
            "Note regarding the nature of the patch being applied":
  3. Update the [module_name] and [patch_name] according to your patch file from or add your patches in the patches directory above the docroot directory and record the full path in your patches.make file. However, Acquia recommends that you patch from remote, such as or Github. Local patches are difficult to maintain as the underlying dependencies require to be updated over time. Acquia recommends that you use patching to fix bugs or address outstanding issues in Drupal core and contrib modules and packages. Patches should not be used to develop or add functionality.

    Alternately, take out the patches from the root composer.json file and include in a separate file. This is a cleaner way of tracking them when you are dealing with various patches.

    The following code block would be added to your composer.json:

        // [...]
        "extra": {
          // [...]
          "patches-file": "composer.patches.json"

    Patches are added to a composer.patches.json text file as follows:

       "patches": {
         "vendor/project": {
           "Message describing the patch": ""
  4. To ensure that the updates take effect, run the following command:

    composer update patched/package --with-all-dependencies