Managing Drupal using Composer
What is composer
Dependency management
Drupal modules
PHP libraries
3rd party JS libraries (though npm might be better)
But Composer Sucks!
They all do; it's a means to an end
Composer is slow
They all are
Dependency management is an NP-complete problem
Very hard problem in computer science
dependencies -> dependencies -> dependencies ...
Composer is one of the better ones out there!
Keep all dependencies in Repo?
Yay
deployment is easy since everything in repo
no reliance on dependencies being 'up'
bloated repos
multiple people working on project = possible conflicts
Nay
repos not so bloated
conflict only really in composer.lock
dependencies need to be 'up'
deployment is more complex
dependencies can 'change' if not using lock file
Useful composer commands
composer install
composer update
composer why
composer validate
composer install
Without a composer.lock: installs the dependencies in composer.json and creates composer.lock
slow (first install, nothing is locked yet)
With a composer.lock: installs the exact versions recorded in composer.lock
fast
Generally safe as composer.lock is not updated
composer update
Updates your dependencies
Updates composer.lock
Can also limit what you update
composer update drupal/core:8.9.2
Does NOT use composer.lock
slow
composer why
Useful when you have conflicts
Shows which packages require a given package, so you can see which libraries are not compatible in the setup
composer validate
Validates the composer.json file
Lets you know if your dependencies are too 'locked' down
If you have bad dependencies
Write your own command
post install commands
custom one time commands
sync commands
Managing Drupal
Shit show x (number of client sites you manage)
Core
Distributions
Modules
PHP Libraries
Themes
Semantic versioning
x.y.z
z: patch
No new functionality added, no functionality removed. Only bug fixes.
y: feature
New functionality added. Nothing removed.
x: version upgrade
functionality added/removed.
Gotchas
Check how the developer releases their code
If they follow semantic versioning, you should be safe within a major release
If they don't follow semantic versioning, you may need to look at their code
Code review time
Also where testing comes in handy (which I've been saying for years)
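Added example (not from the original slides): a small check that compares composer.lock before and after a `composer update`, labels each change with the x.y.z rules above, and lists the packages that need code review. The sample lock contents, the `example/*` package names and the review policy in `NEEDS_REVIEW` are assumptions made for illustration.

```python
import json
import re
# Constructed sample: trimmed composer.lock contents before/after an update.
OLD_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.9.2"},
    {"name": "symfony/yaml", "version": "v3.4.41"},
    {"name": "guzzlehttp/guzzle", "version": "6.5.4"},
    {"name": "example/branch-pinned", "version": "1.x-dev"},
], "packages-dev": []})
NEW_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.9.3"},
    {"name": "symfony/yaml", "version": "v3.5.0"},
    {"name": "guzzlehttp/guzzle", "version": "7.0.1"},
    {"name": "example/branch-pinned", "version": "2.x-dev"},
    {"name": "example/new-lib", "version": "1.0.0"},
], "packages-dev": []})

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
NEEDS_REVIEW = {"major", "downgrade", "unversioned", "added"}  # assumed policy

def locked_versions(lock_text):
    """Map package name -> locked version across packages and packages-dev."""
    lock = json.loads(lock_text)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p["version"] for p in entries}

def classify(old, new):
    """Label a version change using the x.y.z meaning from the slides."""
    a, b = SEMVER.match(old), SEMVER.match(new)
    if not a or not b:
        return "unversioned"  # dev branches etc.: the string proves nothing
    a, b = [int(n) for n in a.groups()], [int(n) for n in b.groups()]
    if b <= a:
        return "downgrade" if b < a else "same"
    return "major" if a[0] != b[0] else "minor" if a[1] != b[1] else "patch"

def diff_locks(old_text, new_text):
    """Return {package: (old, new, label)} for every changed package."""
    old, new = locked_versions(old_text), locked_versions(new_text)
    report = {}
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o != n:
            label = "added" if o is None else "removed" if n is None else classify(o, n)
            report[name] = (o, n, label)
    return report

def needs_review(report):
    """Names of packages whose change should be read before deploying."""
    return [name for name, change in report.items() if change[2] in NEEDS_REVIEW]
```

The patch and minor labels are only as trustworthy as the maintainer's adherence to semantic versioning, which is why tests still need to run on those updates.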