Updating Modules and Themes using Composer

This guide covers the workflow for updating contributed and custom projects. Note: For Drupal core updates, please refer to the Updating Drupal core via Composer.

Drupal version compatibility

• Drupal 11.x
• Drupal 10.x

Prerequisites

• Composer: 2.x recommended for better performance and memory management.
• Drush: Version 13 or later is recommended.
• Backups: Always perform a database backup (drush sql:dump) before running updates.

Update a specific module (Minor version)

composer update drupal/modulename --with-all-dependencies
drush updatedb
drush cache:rebuild

Check for security updates

composer audit

1. Recommended update method

The standard way to install and update Drupal sites is using Composer. While this guide focuses on modules and themes, the workflow ensures your composer.lock is updated correctly for deployment.

To update outdated modules and themes, apply database updates, and clear the cache, run the following commands:

1. composer update "drupal/*" --with-all-dependencies
2. drush updatedb
3. drush cache:rebuild

2. Checking for available updates

Before applying changes, you can audit your current versions to see what requires attention.

2.1. List all available updates

Use Composer's built-in command for listing packages that have updates available:

composer outdated "drupal/*"

Note: Items in yellow match your current version constraints, while items in red may require a composer require to bypass version locks.

2.2. List security updates

Use the following Composer command to check for security-related updates across your entire project, including PHP libraries:

composer audit

Note: For a Drupal-specific advisory check, you can still use drush pm:security.

3. Installing specific updates

3.1. Minor-version updates

For a minor-version update to a specific Drupal module or project, use:

composer update drupal/modulename --with-all-dependencies

Tip: To preview the update and see what would happen without actually changing any files, add the --dry-run flag to the command.

3.2. Major-version upgrades

For a major-version upgrade (such as 1.x to 2.x), a simple update is insufficient. You must explicitly require the new major version.

Because major versions often introduce significant changes, it is highly recommended to visit the project page on Drupal.org to inspect documentation and the issue queue before proceeding. Once you are confident in the compatibility, run:

composer require drupal/modulename:^2.0 --with-all-dependencies

4. Finalizing the update

After the files are updated via Composer, you must apply any database changes, rebuild the cache, and export potential configuration changes.

1. drush updatedb (Applies schema changes and update hooks)
2. drush cache:rebuild
3. drush config:export --diff (Exports any new default settings provided by the update to your config sync directory)

5. Developer checklist

• Always commit the updated composer.lock file to Git.
• Verify your site manually after drush updatedb to ensure no "Broken/Missing" handlers appear in the UI.

6. Legacy information and deprecated commands

Drush 9+ deprecations

In modern Drupal, Drush no longer manages the filesystem. The following pm (package management) commands are deprecated. You must use the corresponding Composer commands instead:

Note: Since Drush 9, "Maintenance mode" is automatically enabled during database updates.