Composer is an open-source package management tool for PHP applications and a core part of the development workflows for the current Drupal version. Composer 1 was released in 2016 and Composer 2 was released in October 2020.
Composer 2 has many significant new features and performance improvements over Composer 1. The Composer maintainer has stated that Composer 1 is now effectively end-of-life. Acquia recommends that all customers upgrade to Composer 2 as soon as possible.
Given that the Composer 2 upgrade process is not backwards compatible for all applications and Acquia products either provide or depend on Composer in varying capacities, Acquia provides this guide to assist with the transition to Composer 2.
What are the benefits of Composer 2?
Compared to Composer 1, Composer 2 is significantly faster and more efficient in its use of memory and CPU. Composer 2 achieves this performance out of the box, without requiring global plugins (such as Prestissimo or Composer Drupal Optimizations for Composer 1). Besides being faster, this also makes it more stable in container-based environments, such as Docker and Cloud IDE.
What is the status of the Composer upgrade in relation to Acquia products?
All Acquia products that provide Composer are upgraded to provide Composer 2 by default.
All Acquia products that depend on Composer are upgraded to support or require Composer 2. This is part of Acquia’s ongoing efforts to ensure Acquia products and services are secure, reliable, and scalable.
Which Acquia products provide Composer?
The following products provide Composer as a global, pre-installed, command-line (CLI) tool:
Acquia Pipelines:
This product supports Composer 1 and Composer 2. For more information, see Tools.
Cloud IDE:
This product provides Composer 2 by default. This means that if your application calls the composer command, Composer 2 runs by default. You can change this behavior in the following ways:
Modify your application to call composer1 instead of composer, which forces the usage of Composer 1.
Download and install a specific version of Composer as part of your application and call that version of Composer explicitly using an absolute path to the Composer binary. Follow the instructions to download and install Composer, which can be done in any development environment (Cloud IDE, Acquia Pipelines) without sudo access as long as you install into your home directory.
Modify and export the PATH variable for your environment to place any installed version of Composer ahead of the default version, allowing you to use a specific Composer version without modifying your application.
Which Acquia products depend on Composer?
The following products either require Composer to be globally installed in your development environment, or are dependent on your application being created through a compatible Composer version:
Remote Administration
Drupal packages
Acquia DAM
Content Hub
For more information on using Composer to install Drupal core or contrib modules, see Installing a Drupal distribution through Composer.
Remote Administration
Remote Administration supports applications built with both Composer 1 and 2.
Drupal packages
Acquia’s Drupal modules and profiles, including Acquia DAM and Content Hub, support both Composer 1 and Composer 2.
How to upgrade to Composer 2
Upgrading to Composer 2 consists of the following steps:
Ensure that Acquia products or non-Acquia development environments that provide Composer are upgraded to provide Composer 2.
Ensure that any Acquia products, non-Acquia development tools, or Drupal applications that depend on Composer are upgraded to work with Composer 2.
To make your application compatible with Composer 2, follow the guide. You may need to upgrade, remove, or replace certain dependencies that conflict with Composer 2. Following this guide modifies your composer.lock file. Ensure that you commit the changes to this file to complete the upgrade.
Known issues with Composer
Build failure on Acquia products upgrading to Composer v2.2
Drupal applications running the current Drupal version may encounter CI build failures when upgrading to Composer v2.2 or later. The Composer 2.2 release includes a feature for secure plugin execution, which requires you to declare allowed plugins explicitly in your composer.json file. If you do not declare them, your CI builds might fail with an error.
Solution:
To prevent build failures, add the appropriate code snippet to your composer.json file for the plugins your application uses, as in the following common example:
--- a/composer.json
+++ b/composer.json
@@ -1,4 +1,12 @@
{
"name": "example/example",
"require": {}
+ "config": {
+ "allow-plugins": {
+ "composer/installers": true,
+ "cweagans/composer-patches": true,
+ "drupal/core-composer-scaffold": true,
+ "drupal/core-project-message": true
+ }
+ }
}
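Review bot: the context line "require": {} is left unchanged with no trailing comma, so once the "config" block is added after it the resulting composer.json no longer parses as JSON. The hunk should replace that line with "require": {}, as a -/+ pair before adding "config". Separately, every entry under "allow-plugins" that is set to true permits that plugin to execute code during Composer runs, so the list should contain only the plugins the application actually installs rather than all four names copied as-is.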
Important
If you created your application with acquia/drupal-recommended-project (v1.8.2 or later) or acquia/drupal-minimal-project (1.4.3 or later), you do not need to update your composer.json file.
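The following added example (not Acquia or Composer code) shows one way to check, before a CI build, which installed plugins lack an allow-plugins decision and which allowed entries match nothing installed. It assumes plugins appear in composer.lock with the package type composer-plugin; the function name, the sample files, and the example/* package names are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample files; a real check would read composer.json and composer.lock.
COMPOSER_JSON = json.loads("""{
  "name": "example/example",
  "config": {"allow-plugins": {
    "composer/installers": true,
    "drupal/core-composer-scaffold": true,
    "example/unused-plugin": true,
    "example/blocked-plugin": false
  }}
}""")
COMPOSER_LOCK = json.loads("""{
  "packages": [
    {"name": "composer/installers", "type": "composer-plugin"},
    {"name": "cweagans/composer-patches", "type": "composer-plugin"},
    {"name": "drupal/core-composer-scaffold", "type": "composer-plugin"},
    {"name": "drupal/core", "type": "drupal-core"}
  ],
  "packages-dev": [
    {"name": "example/blocked-plugin", "type": "composer-plugin"}
  ]
}""")


def audit_allow_plugins(manifest, lock):
    """Compare plugins pinned in composer.lock with config.allow-plugins."""
    allow = manifest.get("config", {}).get("allow-plugins", {})
    plugins = sorted(
        pkg["name"]
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section, [])
        if pkg.get("type") == "composer-plugin"
    )
    if isinstance(allow, bool):  # a bare true/false covers every plugin
        allow = {"*": allow}

    def decision(name):
        # Keys may be exact names or wildcard patterns such as "vendor/*".
        hits = [v for pat, v in allow.items() if fnmatch.fnmatchcase(name, pat)]
        return hits[0] if hits else None

    return {
        "undeclared": [p for p in plugins if decision(p) is None],
        "denied": [p for p in plugins if decision(p) is False],
        "unused": sorted(pat for pat, v in allow.items() if v
                         and not any(fnmatch.fnmatchcase(p, pat) for p in plugins)),
    }


if __name__ == "__main__":
    print(json.dumps(audit_allow_plugins(COMPOSER_JSON, COMPOSER_LOCK), indent=2))
```

Entries reported as undeclared are the ones that need an explicit true or false in composer.json; entries reported as unused are approvals for plugins that are not installed and can be removed.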