Talking Drupal #443 -

March 25, 2024
Today we are talking about managing Composer dependencies and automation with guest Eirik Morland. We’ll also cover Composer Patches as our module of the week.




  • What is
  • How does it work
  • How much technical knowledge do you need
  • Is this a security risk
  • How much does it cost
  • Patron question: Peter: Difference between Violinist and Dependabot
  • What are the major differences in plans
  • Who is the ideal user
  • Can you self host
  • Can this help with Drupal 11 readiness
  • Complementary tools
  • Notable users
  • Why did you start this
  • What is it like using Drupal for a SaaS
  • Is it open source
  • Pros and cons of open source for a SaaS
  • How can the community support
  • What is on the roadmap
  • Brief description:
    • Have you ever wanted a simple way to manage patches to Drupal core and your contrib projects? There’s a Composer plugin for that.
  • Module name/project name:
  • Brief history
    • How old: created in Apr 2015 by Cameron Eagans
    • Versions available: 1.7.3 and 2.0.0-beta2
  • Maintainership
    • Actively maintained, beta2 release was a little over a month ago
    • Test coverage
    • Has a documentation site, as well as a COMMANDS markdown file in the repo to help you get started
    • Number of open issues: 10, 2 of which are bugs
  • Usage stats:
    • It’s been installed over 42 million times and it’s approaching 43 thousand installs per day, according to a recent blog post
  • Module features and usage
    • Using the plugin is simple: you require cweagans/composer-patches the same way you would a Drupal contrib project. The important difference is that Composer will ask you if you trust composer-patches to make changes to your codebase. Once you grant that, the plugin is ready to start applying patches.
    • You can specify what patches you want applied by adding a patches section to the extra section of your project’s composer.json file, or by adding a patches.json file
    • Each patch can be specified using a URL or a path relative to the JSON file
    • In theory it’s possible to have composer patches pulled directly from the diff in a merge request, but this is a significant security risk and should always be avoided
    • The first beta release for the 2.0 branch actually dropped support for dependency patch resolution, noting that it had become the source of most support requests. In the end the community made it clear that they would resist upgrading without this capability, so the most recent beta2 release adds it back in.
  • Finally, on his website Cameron mentions that he’s currently looking for full-time employment. So if your organization relies heavily on Composer in general or composer-patches specifically, consider reaching out to him.
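
An added example (not from the show notes or the composer-patches project): a small Python check that reads the `extra.patches` section described under module features and flags any patch pointing at a merge request diff, whose content changes whenever the branch is pushed to. The sample composer.json, the project name `example_module` and every URL in it are constructed, and only the compact layout (package, then description mapped to location) is handled.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample composer.json in the compact "package -> {description: location}" layout.
SAMPLE = json.loads("""
{"extra": {"patches": {
  "drupal/core": {
    "Constructed: file committed to the repo": "patches/core-fix.patch"
  },
  "drupal/example_module": {
    "Constructed: file attached to an issue": "https://www.drupal.org/files/issues/example-fix-1.patch",
    "Constructed: live merge request diff": "https://git.drupalcode.org/project/example_module/-/merge_requests/12.diff"
  }
}}}
""")

# A merge/pull request ".diff" or ".patch" URL is regenerated on every push,
# so the code that gets applied can differ from the code that was reviewed.
MR_DIFF = re.compile(r"/(?:merge_requests|pull)/\d+\.(?:diff|patch)$")

def classify(location):
    """Return 'local', 'remote' or 'merge-request-diff' for one patch location."""
    parsed = urlparse(location)
    if parsed.scheme not in ("http", "https"):
        return "local"  # path relative to the JSON file
    if MR_DIFF.search(parsed.path):
        return "merge-request-diff"
    return "remote"

def audit_patches(composer):
    """List (package, description, location, kind) for every configured patch."""
    findings = []
    patches = composer.get("extra", {}).get("patches", {})
    for package, entries in sorted(patches.items()):
        for description, location in entries.items():
            findings.append((package, description, location, classify(location)))
    return findings

def blocking(findings):
    """Patches that should fail a CI check because their content is mutable."""
    return [f for f in findings if f[3] == "merge-request-diff"]

if __name__ == "__main__":
    results = audit_patches(SAMPLE)
    for package, description, location, kind in results:
        print(f"{kind:20} {package:24} {location}")
    raise SystemExit(1 if blocking(results) else 0)
```

Run against a real project by replacing `SAMPLE` with the parsed contents of its composer.json; a flagged entry is fixed by downloading the reviewed diff, committing it to the repository and referencing it by relative path.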