November 12th, 2016
As a best practice, development tools should not be deployed on production sites. Accordingly, packaged Drupal 8 stable releases will no longer contain development PHP libraries, because development code is not guaranteed to be secure or stable for production.
This only applies to a few optional libraries that are provided with Drupal 8 for development purposes. The many stable required libraries for Drupal 8, like Symfony and Twig, will still be included automatically in packaged releases. Drupal 7 is not affected.
Updating your site
To adopt this best practice for your site, do one of the following (depending on how you install Drupal):
- If you install Drupal using the stable release packages provided by Drupal.org (for example, with an archive like drupal-8.2.2.tar.gz or via Drush), update to the next release (8.2.3) as soon as it is available. (Read about core release windows.) Be sure to follow the core update instructions, including removing old vendor files. Once updated, your site will no longer include development libraries and no further action will be needed.
- If you use a development snapshot on your production site (like 8.2.x-dev), you should either update to a stable release (preferred) or manually remove the dependencies. Remember that development snapshots are not supported for production sites.
- If you install your site via Composer, you should update your workflows to ensure you specify
--no-devfor your production sites.
Development and continuous integration workflows
If you have a continuous integration workflow or development site that uses these development dependencies, your workflow might be impacted by this change. If you installed from a stable Drupal.org package and need the development dependencies, you have three options:
- Install Composer and run
composer install --dev,
- Use a development snapshot (for example, 8.2.x-dev) instead of a tagged release for your development site, or
- Install the development dependencies you need manually into Drupal’s vendor directory or elsewhere.
However, remember that these development libraries should not be installed on production sites.
For background on this change, see Use “composer install –no-dev” to create tagged core packages. For more information on Composer workflows for Drupal, see Using Composer to manage Drupal site dependencies.