0

I am using git to deploy my composer.lock to production. Contrib is not part of my git repo. Therefore, in production I then run composer install to add contrib to production.

What happens when I update a module in dev via composer update, then deploy the updated composer.lock to production and run composer install there? Will it update/replace the existing module code or what is the best practices to update a module in production without having to run the resource hungry composer update command in production?

Improve this question
3
  • Does this answer your question? Order of drush commands for automated deployment? Commented Jun 21, 2021 at 18:03
  • 1
    Update locally using composer update drupal/module_name, then run database updates, then export config. Commit updated lock file and config. Deploy. On Live, set the page in maintenance mode, run composer install or deploy latest vendor from CI, run database updates, import config, disable maintenance mode. Done. Commented Jun 21, 2021 at 18:05
  • @leymanxx: Very clear. Thanks for summarizing the process Commented Jun 24, 2021 at 1:20

1 Answer 1

Reset to default
2

What happens when I update a module in dev via composer update, then deploy the updated composer.lock to production and run composer install there? Will it update/replace the existing module code

Yes. Running composer install is a fairly lightweight command that will install the components of the system exactly as they have been recorded in composer.lock which is essentially a snapshot of the codebase. As you will have committed composer.lock containing references to the updated code, when you run composer install on any server, it will update the code to match composer.lock which has the updated code.

Running composer update updates code versions, and is much more resource intensive.

I wrote a blog series on Composer and Drupal a couple of years back which explains this all in more depth: https://www.morpht.com/blog/drupal-and-composer-part-1-understanding-composer

Improve this answer
4
  • Thank you! That's exactly what I was unsure about. Thanks for clarifying!!! Commented Jun 24, 2021 at 1:21
  • Note that many people consider it a security risk to have Composer installed on a production server, as access to the server could allow someone to install software using it. Commented Jun 24, 2021 at 7:00
  • Thanks for the watchout!! I would guess that if someone gains access to composer, the problem is not with composer, but with the server config in general. The attacker would have loads of possibilities to do harm even if composer was not installed. Commented Jun 29, 2021 at 22:52
  • Yeah, I haven't actually decided which side of the fence I fall on for this one. I'm not a server guy though. Commented Jun 29, 2021 at 23:16

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.