Skip to content


Composer is a dependency manager for PHP projects, including Drupal. It allows you to declare the libraries your project depends on and manages ( install/update) them for you.

DrevOps comes with a pre-configured composer.json file based on the Drupal Composer project, extended to support additional features and tools.


See Working with packages for more information on how to add and manage dependencies in your project.

Drupal Composer project

Drupal Composer project provides a starter kit for managing your site dependencies with Composer.

DrevOps extends the Drupal Composer project's composer.json to support additional features and tools.

DrevOps team will keep the composer.json file up-to-date with the latest version of the composer.json in the Drupal Composer project, so you can always make sure you are using the best community practices.


The composer.json file is the core configuration file for Composer, detailing your project's dependencies, scripts, and settings.

This section provides an overview of each part of the composer.json file, explaining its role and how it contributes to your project's setup and management.


name is a unique identifier for the project in Composer's ecosystem consisting of a vendor name and the project's name.


A brief summary of the project's purpose.


type is used to specify the type of the package. This is important because it tells Composer and any systems integrating with Composer how to treat the package. The type key can influence how the package is installed and used.


license indicates the licence of the project. Since DrevOps is a template for your consumer sites that are usually proprietary, we use proprietary as the default value. More license identifiers are listed at the SPDX Open Source License Registry.


The repositories section defines custom package repositories, essential for accessing packages outside the default Packagist repository.

See Working with packages for more information on how to provide custom and override existing packages in your project.

  • drupal: Serves as the official source for Drupal modules, themes, and distributions. It's crucial for a Drupal project using Composer, as it allows access to Drupal-specific packages not available on Packagist.
  • asset-packagist: Enables the installation of Bower and NPM packages via Composer. This is especially important for Drupal projects needing front-end libraries and tools, bridging the gap between Composer's PHP-centric ecosystem and the broader world of front-end package management.


The require section specifies the essential packages and libraries your project needs.

  • php: Specifies the minimum PHP version required to run this project. This should be specified as a range rather than an exact version number. E.g. >=8.1 and not 8.1.0.
  • composer/installers: Allows to install packages to the correct location based on the specified package type such as drupal-module, drupal-theme, drupal-profile, etc.
  • cweagans/composer-patches: Allows applying patches to Composer packages, useful for incorporating fixes not yet in official releases. See Working with packages for more information on how to work with patches.
  • drupal/admin_toolbar, drupal/clamav, drupal/coffee, etc. - Drupal modules that provide various site administration and development helping functionalities that is usually installed across all of your Drupal sites. DrevOps comes with pre-configured settings for some of the modules to make them work out of the box.
  • drupal/core-recommended: A package that provides a carefully selected set of dependencies, including specific versions, which are tested and recommended for a particular Drupal core version. It simplifies dependency management by ensuring compatibility and stability, as these dependencies are maintained and curated by the Drupal community.
  • drupal/core-composer-scaffold: Allows downloading and placing scaffold files (like index.php, update.php, etc.) from the drupal/core project into their desired location inside the web root.
  • drush/drush: A command-line shell and scripting interface for Drupal, providing a wide range of utilities to manage and interact with your Drupal sites.
  • oomphinc/composer-installers-extender: Allows any package to be installed to a directory other than the default vendor directory within a project on a package-by-package basis. This plugin extends the composer/installers plugin to allow any arbitrary package type to be handled by their custom installer.
  • vlucas/phpdotenv: Allows to load environment variables from .env files into PHP so that they become available to the application and can be accessed via getenv(), $_ENV, and $_SERVER.
  • webflo/drupal-finder: Locates Drupal installations in a directory structure.


The require-dev section lists packages used for development purposes, like code quality checks and testing. These tools are essential for development but not required in production environments. This distinction helps to keep the production deployment streamlined and efficient, while still supporting a comprehensive and effective development environment.

  • behat/behat: A PHP framework for Behavior-Driven Development (BDD), allowing you to write human-readable stories that describe the behavior of your application. It facilitates communication between developers, stakeholders, and clients.
  • dealerdirect/phpcodesniffer-composer-installer: This tool automatically configures PHP_CodeSniffer to use the coding standards (like PSR-2 or Drupal coding standards) installed in a project.
  • drevops/behat-format-progress-fail: Enhances the output format of Behat tests, focusing specifically on progress and failure scenarios. This makes it easier to spot and address test failures.
  • drevops/behat-screenshot: An extension for Behat that automatically captures screenshots when tests fail. This is helpful for debugging and understanding why a test failed.
  • drevops/behat-steps: Provides a collection of pre-defined step definitions for Behat. This package speeds up the process of writing new Behat tests by providing common step implementations.
  • drupal/core-dev: Includes development-specific dependencies and tools primarily for testing and code analysis, including PHPUnit, PHP_CodeSniffer with rules ( via Coder module).
  • drupal/drupal-extension: A Behat extension that provides integration with Drupal, offering step definitions specific to Drupal functionality. It facilitates the creation and management of Drupal sites for testing purposes.
  • friendsoftwig/twigcs: This tool ensures that Twig templates adhere to a set coding standard, helping maintain consistency and readability in template files.
  • mglaman/phpstan-drupal: Integrates PHPStan static analysis with Drupal-specific code, helping identify potential issues and bugs in Drupal modules and themes.
  • palantirnet/drupal-rector: Automates the process of updating deprecated code, making Drupal upgrade processes more efficient.
  • phpcompatibility/php-compatibility: Provides a collection of sniffs for PHP_CodeSniffer to check PHP code for compatibility with different PHP versions, crucial for ensuring long-term maintainability.
  • phpmd/phpmd: PHP Mess Detector is a user-friendly tool that helps you detect several potential problems in your PHP code, including possible bugs, suboptimal code, and overcomplicated expressions.
  • phpspec/prophecy-phpunit: Integrates the Prophecy mocking library with PHPUnit to provide advanced mocking capabilities in tests.
  • phpstan/extension-installer: This package automatically installs and enables PHPStan extensions, streamlining the setup process for PHPStan in your project.
  • pyrech/composer-changelogs: Provides a summary of package changes (like updates, removals, and additions) after running composer update, improving the visibility of package changes and updates in your project.


The conflict section prevents installation conflicts with standalone Drupal core, crucial for avoiding version clashes and ensuring consistency in core files.


The minimum-stability setting controls the minimum stability level of the packages that Composer is allowed to install. By setting it to "stable", you are instructing Composer to prefer stable versions of packages over their unstable (like beta or alpha) versions.\


The prefer-stable settings, when set to true, instructs Composer to prefer stable versions of packages even when the minimum-stability setting allows less stable versions. This is especially useful in a mixed stability scenario where some dependencies might not have a stable release yet. It ensures that Composer will use stable versions wherever possible, thus providing a balance between stability and the need for newer features or fixes that might only be available in a less stable package version.


The config section specifies key configurations for Composer's behavior in the project.

  • discard-changes: When set to true, any local changes made to the dependencies (packages under version control like Git) are discarded without prompting when you run composer install or composer update. Composer will overwrite the local changes with the data from the source repository.
  • sort-packages: When set to true, this configuration ensures that packages are sorted in composer.json and composer.lock. It makes these files more readable and helps reduce merge conflicts in version control.
  • allow-plugins: This setting specifies which Composer plugins are allowed to run. It's a security measure to prevent the execution of untrusted code from third-party plugins. Each plugin needs to be explicitly allowed to ensure it can execute.
  • platform: Specifies the PHP version of the platform environment where the current project runs. This should be specified as an exact version number (e.g. 8.1.0). Should be kept in sync with the php version in the Docker containers.


The autoload section is essential for defining how Composer automatically loads PHP classes within the project, without needing to manually include or require each class file.


The autoload-dev section is essential for defining how Composer automatically loads PHP development-specific classes within the project, without needing to manually include or require each class file.


The scripts section defines custom scripts to be executed at specific points in Composer's workflow, enhancing the automation and maintenance of your Drupal project.

  • pre-install-cmd: Executes scripts before the composer install command is run. In your configuration, DrupalProject\composer\ScriptHandler::checkComposerVersion is specified, which ensures that the Composer version being used is compatible with your project setup. This is vital for maintaining consistency and avoiding issues due to version mismatches.
  • pre-update-cmd: Runs scripts before the composer update command is executed. It uses the same script as pre-install-cmd to check the Composer version, ensuring that updates to your project’s dependencies are compatible with your current Composer setup.
  • post-install-cmd: Invoked after the composer install command completes. The script DrupalProject\composer\ScriptHandler::createRequiredFiles is executed, which typically handles tasks like setting up default files and configurations necessary for the Drupal installation.
  • post-update-cmd: Executes scripts after the composer update command. It calls the same createRequiredFiles method as in post-install-cmd, ensuring that necessary files and configurations are updated or re-established following an update of dependencies.


The extra section serves as a source of custom configuration for various packages. These packages read settings from this section to tailor their behavior according to the specific needs and structure of your Drupal project.

  • drupal-scaffold: This setting controls which files should be scaffolded:
  • locations: Specifies the location of the web root (the directory containing the index.php file).
  • file-mapping: Determines which files are managed by the scaffold process. DrevOps comes with sensible defaults, but you can customize this section to suit your needs.
  • installer-paths: Defines custom installation paths for various types of packages like Drupal modules, themes, and libraries.
  • installer-types: Specifies additional installer types, such as bower-asset and npm-asset, that are handled by the oomphinc/composer-installers-extender plugin.
  • composer-exit-on-patch-failure: This setting, when enabled, causes Composer to exit if a patch from the cweagans/composer-patches plugin fails to apply.
  • patchLevel: Defines the patch level for specific packages, in this case, drupal/core. The -p option followed by a number (e.g., -p1, -p2) in patch commands specifies the number of leading directories to strip from the file paths found in the patch file. This determines how the paths in the patch file are interpreted relative to the current directory where the patch is being applied.
  • patches: Specifies the patches to be applied to specific packages. See Working with packages for more information on how to work with patches.