---
title: "Using Composer with Drupal sites"
date: "2024-02-14T06:18:38+00:00"
summary: "Streamline your Drupal development with Composer. Learn how to manage dependencies, update modules, and implement best practices for efficient PHP-based website management."
image:
type: "page"
url: "/acquia-cloud-platform/using-composer-drupal-sites"
id: "056b82b0-4e5e-48dc-8079-8d9e0bf5275a"
---

Table of contents will be added

[Composer](https://getcomposer.org/) is a tool that manages PHP dependencies for your website or application. Composer gives you the flexibility to declare the libraries your project depends on, and installs and updates them for you.

For instructions about downloading and installing Composer for your operating system, see the [getting started guide](https://getcomposer.org/doc/00-intro.md).

Using Composer with Cloud Platform
----------------------------------

To perform updates and manage dependencies, Acquia recommends you to install Composer locally, and use it with your local copy. You can deploy your build artifact to your Cloud Platform environments using [Code Studio](https://docs.acquia.com/acquia-cloud-platform/add-ons/code-studio) or [Pipelines](https://docs.acquia.com/acquia-cloud-platform/features/pipelines).

To follow best practices with Composer, you must maintain a source code (source) repository for your project separate from your Cloud Platform (build) repository. Your source repository must contain the least amount of code required to build your project, such as `composer.json` file, `composer.lock` file, and any custom modules or settings. The source repository must not contain copies of your Composer dependencies. Your build repository that is hosted on Cloud Platform must contain static snapshots of your entire codebase, including Composer dependencies. The static snapshots are called build artifacts and they are ready for deployment to Cloud Platform.

To move code between your source and build repositories, you can use one of the following methods:

*   Copy the necessary files locally
    
*   Use a continuous integration service, such as [Code Studio](https://docs.acquia.com/acquia-cloud-platform/add-ons/code-studio) or [Pipelines](https://docs.acquia.com/acquia-cloud-platform/features/pipelines)
    
*   Use a tool automating the process, such as  [Acquia CLI](https://docs.acquia.com/acquia-cloud-platform/add-ons/acquia-cli)
    

You can use a Composer-based workflow with a single repository. Acquia recommends you to not use a Composer-based workflow with a single repository because it impacts the development workflow by making it difficult to maintain code consistency. For example, with a single repository, you must keep the versions of dependencies in `composer.json` and the versions of dependencies you commit to the repository in sync, which introduces a high risk of human error.

If you cannot use [Code Studio](https://docs.acquia.com/acquia-cloud-platform/add-ons/code-studio) or [Pipelines](/acquia-cloud-platform/features/pipelines), you can use Composer based on the following methods:

*   Using Acquia CLI `push:artifact` commands  
    For more information, see [Acquia CLI commands](https://docs.acquia.com/acquia-cloud-platform/add-ons/acquia-cli/commands/push:artifact).
*   Using Composer and Acquia CLI through Cloud IDE (recommended)  
    After [setting up your Cloud IDE](https://docs.acquia.com/acquia-cloud-platform/add-ons/ide/start), you can open your Cloud IDE terminal and follow the normal Git workflow for checking out code, such as adding changed flags, committing changes, and pushing to origin. Cloud IDE contains pre-installed Composer and Acquia CLI. By default the `.gitignore` file ignores the `vendor` directory as you use Composer and Acquia CLI to push your code to Cloud Platform.

### Encrypting Composer variables

To encrypt Composer variables in Cloud Platform Pipelines, see [Encrypting keys and variables](/acquia-cloud-platform/features/pipelines/encrypt).

When encrypting the `COMPOSER_AUTH` variable using the **Encrypt Credentials** field in the Cloud Platform interface, ensure you use single quotes at the beginning and end of the `json`, and use double quotes inside the curly brackets, as in the following example:

    '{"http-basic": {"mysite.com": {"username": "myuser", "password": "mypassword"}}}'

Failing to follow the preceding code format can generate the following `UnexpectedValueException` error:

    COMPOSER_AUTH environment variable is malformed, should be a valid JSON object

Using Composer with Drupal
--------------------------

Drupal core uses Composer to manage dependencies, which can include Drupal modules. For more information, see the following Drupal.org resources:

*   [Using Composer in a Drupal project](https://www.drupal.org/node/2404989)
*   [Using Composer to install Drupal packages through Drupal.org](https://www.drupal.org/node/2718229)
*   [Drush GitHub project](https://github.com/drush-ops/drush)
*   [Drush documentation](https://docs.drush.org/en/8.x/)
*   [Installing a Drupal distribution through Composer](/acquia-cloud-platform/create-apps/install#install-drupal-composer)

Migrating into a Composer-managed build
---------------------------------------

### Patching with Composer

To enable patching through Composer:

1.  Install the `composer-patches` project with Composer:
    
        composer require cweagans/composer-patches
    
2.  Add the following to the **extra** section of the `composer.json` file located above the docroot directory:
    
        "enable-patching": true,
           "patches": {
              "drupal/[module_name]": {
                "Note regarding the nature of the patch being applied":
                "https://www.drupal.org/files/issues/[patch_name].patch"
              }
           }
    
3.  Update the `[module_name]` and `[patch_name]` according to your patch file from Drupal.org or add your patches in the `patches` directory above the `docroot` directory and record the full path in your `patches.make` file. However, Acquia recommends that you patch from remote, such as Drupal.org or Github. Local patches are difficult to maintain as the underlying dependencies require to be updated over time. Acquia recommends that you use patching to fix bugs or address outstanding issues in Drupal core and contrib modules and packages. Patches should not be used to develop or add functionality.
    
    Alternately, take out the patches from the root `composer.json` file and include in a separate file. This is a cleaner way of tracking them when you are dealing with various patches.
    
    The following code block would be added to your `composer.json`:
    
        {
            // [...]
            "extra": {
              // [...]
              "patches-file": "composer.patches.json"
            }
          }
    
    Patches are added to a `composer.patches.json` text file as follows:
    
        {
           "patches": {
             "vendor/project": {
               "Message describing the patch": "https://www.drupal.org/url/to/patch/file.patch"
             }
           }
         }
    
4.  To ensure that the updates take effect, run the following command:
    
        composer update patched/package --with-all-dependencies