Updating Modules and Themes using Composer

The recommended way to install and update Drupal 9 and 10 sites is using Composer.

People who are used to upgrading module with Drush should notice that from Drush 9 and forward, all the up commands pm-update, pm-updatecode and pm-updatestatus are deprecated. You have to use the corresponding Composer commands instead.

To update core, all outdated modules and theme, update the db, clear the cache:

composer update "drupal/*" --with-all-dependencies
vendor/bin/drush updatedb
vendor/bin/drush cache:rebuild

To update specific module or update things one at the time, see below.

List updates

Use Composer's built-in command for listing packages that have updates available:

composer outdated "drupal/*"

You can get the same information with the Composer's show command.

List security updates

The security status from Drupal.org isn't available through Composer. Luckily Drush comes to the rescue:

vendor/bin/drush pm:security

Install updates

For a minor-version update to a given Drupal module/project, simply use the following:

composer update drupal/modulename --with-all-dependencies

To preview the update, and show you what would happen, without actually changing anything, add --dry-run.

For a major-version upgrade (such as 1.x to 2.x), update alone isn't enough: you must instead require the new major version explicitly. Since major versions often introduce major changes, this would be an excellent time to visit the module/project to inspect its documentation and issue queue. Once you're confident that the upgrade is fully compatible with your site, use the following, substituting the new major version number as needed:

composer require drupal/modulename:^2.0

Finally, run any database updates, rebuild the cache and export the potentially changed configurations, reviewing the changes via --diff:

vendor/bin/drush updatedb
vendor/bin/drush cache:rebuild
vendor/bin/drush config:export --diff