---
title: "Using Composer to manage dependencies in Drupal 8 and 9"
date: "2022-03-14T22:41:59+00:00"
summary:
image:
type: "article"
url: "/acquia-cloud-platform/help/94046-using-composer-manage-dependencies-drupal-8-and-9"
id: "5ec0fd39-3d13-41e7-8c06-5f5fc933a3de"
---


### Composer usage overview

[Composer](https://getcomposer.org/) should be used to manage Drupal core, all contributed dependencies, and most third-party libraries in Drupal 8 and above. The primary exception to this is front-end libraries, which can be managed using a front-end specific dependency manager, such as [Bower](https://bower.io/) or [NPM](https://www.npmjs.com/).

[Why do we use Composer](http://blog.nelm.io/2011/12/composer-part-1-what-why/) for dependency management? It is the dependency manager used by Drupal core.

Be sure to familiarize yourself with Composer's [basic usage](https://getcomposer.org/doc/01-basic-usage.md), especially how the [lock file](https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control) is used. You should commit _both_ the `composer.json` and `composer.lock` files to your project, and every time you update the `composer.json` file, you must also run the following command to update the `composer.lock` file:

    composer update

Never manually edit the `composer.lock` file.

### Notable Composer concepts

*   Why [dependencies should not be committed](https://getcomposer.org/doc/faqs/should-i-commit-the-dependencies-in-my-vendor-directory.md)
*   The role of [composer.lock](https://getcomposer.org/doc/01-basic-usage.md#commit-your-composer-lock-file-to-version-control)
*   How to use [version constraints](https://getcomposer.org/doc/articles/versions.md)
    *   [Why using unbound version constraints is a bad idea](https://getcomposer.org/doc/faqs/why-are-unbound-version-constraints-a-bad-idea.md)
*   [The difference](https://stackoverflow.com/questions/16679589/whats-the-difference-between-require-and-require-dev) between `require` and `require-dev`

### Recommended tools and configuration

*   Globally install [prestissimo](https://github.com/hirak/prestissimo) for parallelized Composer downloads by running the following command:
    
        composer global require "hirak/prestissimo:^0.3"
    
*   If [Xdebug](https://xdebug.org/) is enabled for your PHP CLI binary, it is highly recommended that you disable it, because doing so dramatically improves performance.
    

### Contributed projects and third-party libraries

You can find all contributed projects hosted on Drupal.org (including Drupal core, profiles, modules, and themes) on Drupal [Packagist](https://packagist.org/packages/drupal/core), a Drupal.org-hosted packagist server. You must specify this URL in your `composer.json` file by adding the following code to allow Composer to discover the packages:

    {
        "repositories": {
            "drupal": {
                "type": "composer",
                "url": "https://packages.drupal.org/8"
            }
        }
    }

Most non-Drupal libraries can be found on [Packagist](https://packagist.com/).

For any required package not hosted by the preceding websites, you can define your own array of [custom repositories](https://getcomposer.org/doc/05-repositories.md#repository) for Composer to search.

Note: Composer versioning is not identical to Drupal.org versioning.

### Composer resources

*   [Composer Versions](https://getcomposer.org/doc/articles/versions.md)
*   [Using Composer to Manage Drupal Site Dependencies](https://www.drupal.org/docs/develop/using-composer/using-composer-to-install-drupal-and-manage-dependencies)
*   [Drupal Composer package naming conventions](https://www.drupal.org/node/2471927)
*   [Packagist](http://packagist.com/): Find non-Drupal libraries and their current versions.

Installing dependencies
-----------------------

To install a new package to your project, use the `composer require` command. This command adds the new dependency to your `composer.json` and `composer.lock` files, and downloads the package locally. For example, to download a module, run the following command, replacing `[module]` with the module you want to download:

    composer require drupal/[module]

After you run the command, be sure to commit your `composer.json` and `composer.lock` files.

Updating dependencies (core, profile, module, theme, libraries)
---------------------------------------------------------------

To update a single package, run the `composer update [vendor/package]` command. For example, to update a module, run the following command, replacing `[module]` with the module you want to update:

    composer update drupal/[module] --with-dependencies

To update all packages, run the following command:

    composer update

After you run the command, be sure to commit your `composer.json` and `composer.lock` files.

Removing dependencies
---------------------

To remove a package from your project, use the `composer remove` command, replacing `[module]` with the module you want to remove:

    composer remove drupal/[module]

After you run the command, be sure to commit your `composer.json` and `composer.lock` files.

Patching a project
------------------

For information about patch naming, patch application, patch ignoring, and patch contribution guidance, see [patches](/node/94526).

Front-end dependencies
----------------------

Drupal doesn't have a definitive solution for downloading front-end dependencies. Acquia suggests you refer to the following solutions:

*   Load the library as an external library. See [Adding stylesheets (CSS) and JavaScript (JS) to a Drupal 8 module](https://www.drupal.org/docs/creating-custom-modules/adding-stylesheets-css-and-javascript-js-to-a-drupal-module).
*   Use a front-end package manager (such as [NPM](https://www.npmjs.com/)) to download your dependencies. Then, use Acquia BLT's `source:build:frontend-assets` target-hook to trigger building those dependencies (for example, by calling `npm install`) in your theme directory. For more information, see [Front-end development and Acquia BLT](/node/56452).
*   Commit the library to the repository, typically in `docroot/libraries`.
*   Add the library to your `composer.json` file by using a [custom repository](https://getcomposer.org/doc/05-repositories.md). Designate the package as a `drupal-library` and define an `installer-paths` path for that package type to ensure that it is installed to `docroot/libraries`. Ensure that it can be discovered in that location. See [example composer.json](https://gist.github.com/mortenson/a5390d99013b5b8c0254081e89bb4d47).

Contributed projects should provide the ability to download and discover the libraries. If you are using a contributed project, it is suggested that you patch the project to support one of these strategies.

If you cannot, commit the dependency. You can use a custom `.gitignore` file for your project.

Ensure the dependency is copied to the deployment artifact, and supply your own, custom `.gitignore` file to use in the deployment artifact.
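
As an added example (not Acquia's or Composer's own tooling), the following Python script checks a `composer.json` against three points covered on this page: bounded version constraints, HTTPS repository URLs, and an `installer-paths` mapping for any `drupal-library` package defined in a custom repository. The sample manifest, its package names and URLs, and the finding labels are constructed for the example; the constraint check is a heuristic, not Composer's own parser, and it only recognizes type-based `installer-paths` entries.

```python
import json
import re

# Constructed composer.json; package names and URLs are invented for the example.
SAMPLE = r'''{
  "repositories": {
    "drupal": {"type": "composer", "url": "https://packages.drupal.org/8"},
    "legacy": {"type": "composer", "url": "http://packages.example.com"},
    "slider": {"type": "package", "package": {
      "name": "example/slider", "version": "1.4.0", "type": "drupal-library",
      "dist": {"type": "zip", "url": "https://example.com/slider-1.4.0.zip"}}}
  },
  "require": {"drupal/core": "^9.3", "drupal/token": "*",
              "drupal/pathauto": ">=1.8", "example/slider": "1.4.0"},
  "require-dev": {"drupal/devel": "dev-4.x"},
  "extra": {"installer-paths": {"docroot/modules/contrib/{$name}": ["type:drupal-module"]}}
}'''

def unbound(constraint):
    """Heuristic: True if any '||' alternative is '*', a dev branch, or has a
    lower bound ('>', '>=') with no upper bound ('<')."""
    for alt in re.split(r"\s*\|\|?\s*", constraint.strip()):
        parts = alt.replace(",", " ").split()
        branch = any(p.startswith("dev-") or p.endswith("-dev") for p in parts)
        open_top = any(p[0] == ">" for p in parts) and not any(p[0] == "<" for p in parts)
        if alt in ("", "*") or branch or open_top:
            return True
    return False

def audit(manifest):
    """Return (finding, subject) tuples for a parsed composer.json."""
    findings = []
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            if "/" in name and unbound(constraint):  # skip php / ext-* platform entries
                findings.append(("unbound-constraint", name))
    paths = manifest.get("extra", {}).get("installer-paths", {})
    lib_mapped = any("type:drupal-library" in types for types in paths.values())
    repos = manifest.get("repositories", {})
    repos = repos.values() if isinstance(repos, dict) else repos
    for repo in (r for r in repos if isinstance(r, dict)):  # skips "packagist.org": false
        if repo.get("url", "").startswith("http://"):
            findings.append(("insecure-repository", repo["url"]))
        pkg = repo.get("package")
        if isinstance(pkg, dict) and pkg.get("type") == "drupal-library" and not lib_mapped:
            findings.append(("no-installer-path", pkg.get("name")))
    return findings

if __name__ == "__main__":
    print(*audit(json.loads(SAMPLE)), sep="\n")
```

Run against a real project by replacing `SAMPLE` with the contents of the project's `composer.json`; `composer validate` remains the authoritative check that `composer.lock` matches `composer.json`.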