How to manage Drupal with Composer

This article covers the essential Composer workflows for managing a Drupal site: installing modules and themes, updating packages, removing packages, and understanding the composer.json and composer.lock files. All commands are run via SSH — HOSTDOG provides SSH access and Composer 2 on all hosting plans. [VERIFY: Confirm Composer 2 availability on shared hosting plans]

What Composer does in Drupal

Composer is a PHP dependency manager. In the context of Drupal, it tracks exactly which versions of Drupal core, contributed modules, themes, and third-party PHP libraries your site uses. The two key files are:

composer.json — declares your project's requirements (what you need and which versions are acceptable)
composer.lock — records the exact versions currently installed (ensures every developer and server runs identical code)

Never delete or manually edit composer.lock. Always commit both files to version control.

Connecting via SSH

All Composer commands must be run from the server via SSH — not from your local machine or via FTP. Connect to your HOSTDOG hosting via SSH and navigate to your Drupal project root (the directory containing composer.json):

cd ~/public_html

If you are unsure how to connect via SSH, see how to connect via SSH.

Tip: Verify Composer is available and check the version with: composer --version

Installing a module or theme

To install a contributed module from drupal.org, use composer require followed by the package name in the format drupal/module_name:

# Install a module
composer require drupal/token

# Install a specific version
composer require drupal/token:^1.13

# Install a theme
composer require drupal/bootstrap5

Composer downloads the module files into web/modules/contrib/ and updates both composer.json and composer.lock.

After installing, enable the module in Drupal:

drush en token -y
drush cr

Note: composer require downloads the code but does not enable the module in Drupal. You must enable it via Drush or the Drupal admin interface at Extend (Administration → Extend).

Updating packages

To update all Drupal packages to the latest versions allowed by your version constraints:

composer update drupal/* --with-all-dependencies

To update Drupal core specifically:

composer update drupal/core-recommended drupal/core-composer-scaffold --with-all-dependencies

To update a single module:

composer update drupal/token --with-all-dependencies

After any update, always run database updates and clear the cache:

drush updb -y
drush cr

For a complete guide to updating Drupal, see how to update Drupal core and modules.

Removing a module

Before removing a module from Composer, you must first uninstall it in Drupal to avoid database inconsistencies:

# Uninstall the module in Drupal first
drush pmu token -y
drush cr

# Then remove it from Composer
composer remove drupal/token

Checking what's installed

To see all currently installed packages and their versions:

composer show --installed

To check for available updates without applying them:

composer outdated --direct

Useful Composer commands

Command	What it does
`composer require drupal/module_name`	Download and add a module/theme to your project
`composer update drupal/*`	Update all Drupal packages within version constraints
`composer remove drupal/module_name`	Remove a module from the project (uninstall in Drupal first)
`composer install`	Install all packages from composer.lock (use on new server or fresh clone)
`composer outdated --direct`	Show packages with available updates
`composer show --installed`	List all installed packages and versions
`composer validate`	Check that composer.json is valid
`composer --version`	Show the installed Composer version

Troubleshooting

Composer runs out of memory

Increase the PHP memory limit for the Composer process by prepending COMPOSER_MEMORY_LIMIT=-1 to the command: COMPOSER_MEMORY_LIMIT=-1 composer update drupal/*. This removes the memory cap for that execution. On HOSTDOG hosting, if you continue to face memory issues, open a support ticket — our team can advise on the best approach for your plan.

Permission denied errors when running Composer

Ensure you are running Composer as your hosting user via SSH, not as root. Do not use sudo composer on shared hosting — this can create files owned by root that your web server cannot read or write.

Composer says a package cannot be found

Verify the package name on drupal.org — the Composer package name (e.g., drupal/token) can differ from the module's display name. Also run composer clear-cache to clear any stale package metadata before retrying.

Need Help? If you run into Composer issues on your HOSTDOG hosting, our team is available 24/7. Navigate to the HOSTDOG homepage and click the Log in button to open a support ticket and we'll assist you promptly.

Tags: HOSTDOG Drupal Composer Tutorial