Menu’s Composer endpoints are out of beta

December 21st, 2016 Composer Logo's Composer endpoints have been available in beta for some time now, and in that time we've begun to see many, many people use Composer to manage Drupal modules and themes. We first launched these repositories before DrupalCon New Orleans as an alpha release, and move into beta a few months later. After receiving your feedback and bug reports we've made updates, and are ready to call this service stable.

What is Composer?

Composer is a tool for dependency management in PHP. It allows you to declare the libraries your project depends on and it will manage (install/update) them for you. … Composer is strongly inspired by node's npm and ruby's bundler." - Source
In a nutshell, Composer allows you to declare the dependencies of your project in a composer.json file in the root of your PHP project. Those dependencies, which you then install through Composer, can have their own composer.json files and their own dependencies—all of which will be automatically managed and installed by Composer. When you need specific control over the versions of dependencies, you can use a composer.lock file. You can read more about Composer at

How do's composer repositories work? offers two Composer repositories—one for Drupal 7, and one for Drupal 8. Composer requires that packages adhere to semantic versioning, which Drupal 8 core does, but Drupal 8 contrib, and Drupal 7 core and contrib, don’t. To solve this problem, we've created a Composer façade, which takes all of the metadata about projects on and translates them into a format Composer can understand—including translating the Drupal-specific versioning for Drupal 7 and contrib into semantic versioning. By creating this façade, we've made sure that is still the canonical source for metadata about projects, and that we can update this translation layer as the versioning schema changes. (Learn more about the effort to move Contrib projects to semantic versioning). In addition to providing endpoints for building projects, Drupal's automated testing suite— DrupalCI—now uses Composer to test Drupal core and contributed projects. This allows developers to test any external dependencies.

How do I use's Composer repositories?

To begin using's Composer repositories, you'll need to update your composer.json file to include the appropriate Composer repository for the version of Drupal. To use Composer with Drupal 7, use the repository url:
. To use Composer with Drupal 8, use the repository url:
, as in this example. After setting up composer, simply run the command:
$ composer config repositories.drupal composer
And your project's composer.json should be updated to look like the following:
    "repositories": { 
        "drupal": {
            "type": "composer",
            "url": "" 
Once you've made that change, you should be able to use Composer for Drupal modules and themes as you would for any other PHP package, using the drupal/ namespace:
$ composer require drupal/<modulename>
There is one caveat about the pattern: there are some namespace collisions among modules, and so it is on our roadmap to update project pages to specify the exact namespace to use to require a given project. To learn more about how to use's Composer repositories, and for some troubleshooting tips, read the Project Composer documentation.

What about licensing?

All the projects hosted on are licensed GPLv2 or later or have an entry in the packaging whitelist. This means that you can rely on Drupal Core and contributed modules and themes to be licensed under the GPL or compatible. And if you need to redistribute your code created with Drupal projects, it must be redistributed as GPLv2 or later. However, because Composer is a tool that can manage packages in the wider PHP ecosystem, you might find that you want to require a non-GPL package in your project. Using GPL-licensed Drupal projects with external packages that are GPL compatible is fine. Just be aware that if you redistribute that code, you will have to redistribute under a GPL license. We cannot provide legal advice for your use of open source software. If you use Composer to install packages that are not compatible with the GPL alongside GPL-licensed projects like Drupal, you may use that software together, but per the terms of the GPL you may not copy, distribute, or modify that software. "Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted…" GPL 2.0 Section 0. For more questions about Drupal and the GPL you can read the Licensing FAQ.

What's next?

At this point, the Composer service is stable and you can use it to manage modules and themes in your production websites. That said, we do have a roadmap of additional features that we'd like to add. And your contributions are welcome! As development on's Composer service continues, we want to focus on the following features: Supporting Composer-based workflows for distributions and install profiles Providing sub-tree splits of Drupal Core Updating project pages to provide information about using Composer with any given hosted project Adding features to the updates service, to collect statistics about projects installed with Composer, and to explore providing update alerts about external dependencies We also hope to work with core maintainers to add the Composer repositories to Drupal Core's composer.json file If you're interested in learning more about our roadmap for Composer, or contributing to this service on, you can learn more in the Composer plan issue.

How you can help

If you’re interested in helping to improve's support for Composer workflows, please take a look at the issue above, find us on irc in #drupal-infrastructure, or send us a volunteer proposal.

Thanks to our Community Initiative contributors

We'd like to thank the individuals who worked with us as part of this Community Initiative. In particular, we'd like to thank: We'd also like to thank Appnovation, who sponsored the initial development of's composer endpoints. To these volunteers and sponsoring organizations—it is your expertise, your insight, and your affirmation of our work that make these Community Initiatives successful. Thank you!