Score:0

How to update a module in production?

cn flag

I am using git to deploy my composer.lock to production. Contrib is not part of my git repo. Therefore, in production I then run composer install to add contrib to production.

What happens when I update a module in dev via composer update, then deploy the updated composer.lock to production and run composer install there? Will it update/replace the existing module code or what is the best practices to update a module in production without having to run the resource hungry composer update command in production?

leymannx avatar
ne flag
Does this answer your question? [Order of drush commands for automated deployment?](https://drupal.stackexchange.com/questions/254407/order-of-drush-commands-for-automated-deployment)
leymannx avatar
ne flag
Update locally using composer update drupal/module_name, then run database updates, then export config. Commit updated lock file and config. Deploy. On Live, set the page in maintenance mode, run composer install or deploy latest vendor from CI, run database updates, import config, disable maintenance mode. Done.
Extect avatar
cn flag
@leymanxx: Very clear. Thanks for summarizing the process
Score:1
de flag

What happens when I update a module in dev via composer update, then deploy the updated composer.lock to production and run composer install there? Will it update/replace the existing module code

Yes. Running composer install is a fairly lightweight command that will install the components of the system exactly as they have been recorded in composer.lock which is essentially a snapshot of the codebase. As you will have committed composer.lock containing references to the updated code, when you run composer install on any server, it will update the code to match composer.lock which has the updated code.

Running composer update updates code versions, and is much more resource intensive.

I wrote a blog series on Composer and Drupal a couple of years back which explains this all in more depth: https://www.morpht.com/blog/drupal-and-composer-part-1-understanding-composer

Extect avatar
cn flag
Thank you! That's exactly what I was unsure about. Thanks for clarifying!!!
Jaypan avatar
de flag
Note that many people consider it a security risk to have Composer installed on a production server, as access to the server could allow someone to install software using it.
Extect avatar
cn flag
Thanks for the watchout!! I would guess that if someone gains access to composer, the problem is not with composer, but with the server config in general. The attacker would have loads of possibilities to do harm even if composer was not installed.
Jaypan avatar
de flag
Yeah, I haven't actually decided which side of the fence I fall on for this one. I'm not a server guy though.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.