If the Update Manager is used to add a module that has Composer dependencies, it would be very nice if it could automatically run Composer to resolve/download those dependencies to the Drupal site. That way the site administrator can turn the module on via the user interface immediately, rather than having to go to the command line and muck around with things there to meet all the module's requirements.
How this works (and whether it can work) depends on the method Update Manager uses to download the project:
Writable docroot method. Since Update Manager already has permission to write to the docroot in this case (and already uses that permission to add the module itself) it should just be able to run Composer directly. According to Jason Judge's comment:
Just FYI, you can install the non-phar version of composer and access all its functions through its API, so it can be "driven" from the back-end rather than the command-line if it comes to that.
Which sounds like the right way to do it.
- FTP method. Probably not possible to do anything in this case. (Edit: Or actually, would it be possible to run Composer on a copy of the module in the site's /tmp directory, and then transfer the final result over FTP?)
- SSH-over-PHP method. This is the most secure way of using the Update Manager, but almost nobody uses it in practice due to server requirements. In this case since there is a SSH tunnel to the site (with the SSH user having the ability to write to the docroot) it would be possible to run Composer via the command line.
TBD: What happens if there are multiple submodules in the downloaded project, and each one has separate Composer dependencies? (Is that even possible?) The simplest answer is probably just to resolve all of them - that way the necessary code is in place in the filesystem regardless of which module(s) the site administrator winds up turning on.