How can I upgrade ONLY Drupal core with composer?

by RaisinBranCrunch   Last Updated August 14, 2017 20:07 PM

I knew that Drush make files were being phased out, but I kept using them, because in my opinion Composer isn't the best package manager in the known universe. It updates too much or too little, has uninformative error messages, and takes a lot more ram than necessary. Don't get me wrong, I still used composer, but not for Drupal core updates, because those are more important and sometimes security releases.

But, in 8.4, Drush 9 is required, and in Drush 9 make files don't work at all.

My concern is this: I have some wildcards in my composer.json similar to the ones mentioned in this issue: which tell composer where to find my modules' composer.json files. Yet, when I run

composer update drupal/core --with-dependencies

Whether or not I run it --with-dependencies, it will always go into the merge-plugin include paths and update all of those packages as well. Now, if my site is out in production, I would like an easy way to update core and core's vendor files WITHOUT updating a bunch of contrib modules' libraries which I do not care about. What if core releases a security update? I want to be able to conveniently update core and only core quickly. With Drush make, this was simple.

Has anyone figured out a way to do this with composer?

Answers 1

I do two things.

  1. I use webflo/drupal-core-strict in my composer.json to make sure the same tested core dependencies are the ones used in my project.
  2. I pin both drupal/core and webflo/drupal-core-strict to an exact Drupal version so I can regression test and know exactly what I am deploying.

So, my projects looks like

"require": {
    "drupal/core": "8.3.6",
    "webflo/drupal-core-strict": "8.3.6",
    "composer/installers": "^1.2",
    "drupal-composer/drupal-scaffold": "^2.2",
    "cweagans/composer-patches": "~1.0",
    "drush/drush": "~8.0",
    "drupal/console": "~1.0",

And where there is a new core version, I composer update drupal/core webflo/drupal-core-strict and then double check the lockfile.

August 14, 2017 19:26 PM

Related Questions

Updating core from 8.2 to 8.3 via composer

Updated April 18, 2017 14:07 PM