Consider composer-merge-plugin or composer-installers-extender for 3rd party libraries

Created on 30 June 2025, 2 days ago

Problem/Motivation

The external JavaScript dependencies are hard coded to use a specific path in the module folder. Usually we want to avoid including those dependencies in the repository β†’ .

A way to work around this so you don't need to include the dependencies and assume the use of the drupal-library composer project type:

Webform module recommends use of the composer-merge-plugin to include a separate composer.libraries.json that has repositories setup for its front-end dependencies set to type "drupal-library". A site owner would then setup the composer-merge-plugin. It then falls back to using CDN, but warns about using CDNs.

An alternative way is to suggest using the composer-installers-extender plugin to use asset-packagist.org. I think this method is falling out of favor.

Proposed resolution

Remaining tasks

πŸ“Œ Task
Status

Active

Version

0.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States mradcliffe USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @mradcliffe
  • πŸ‡ΊπŸ‡ΈUnited States abenbow Asheville, North Carolina

    So I like this idea, and I did explore using composer.libraries.json during development, but one thing I struggled with was the fact that the upstream releases don't include a compiled library.

    I'm not too familiar with the composer libraries workflow here, but it looks like it would need to include a npm compile step (not sure if this is possible) or ONLY pull the library from a CDN. Unpkg is a good candidate and they have recent builds we could use.

    I'm not wild about packaging partytown.js with the rest of the module, but right now it feels like the most stable option available.

    Do you have some ideas about how to solve this?

    The only other option I can see is to work with the upstream maintainers to get a lib build included in the next release.

  • πŸ‡ΊπŸ‡ΈUnited States abenbow Asheville, North Carolina

    I've filed an issue on the upstream project because I think this would probably be a good improvement, anyway. Fingers crossed!

  • πŸ‡ΊπŸ‡ΈUnited States mradcliffe USA

    Oh, there is no built version of the library. Yeah, that's problematic. I guess that's why there are a bunch of npm packages for various frameworks to use partytown.

    I can't think of any thing good that doesn't also require a bunch of work

    - gitlab job that builds and makes an extra commit.
    - manually building the source and committing it based on a package.json (like a ckeditor plugin)

  • πŸ‡ΊπŸ‡ΈUnited States abenbow Asheville, North Carolina

    Yeah, both of those are good. Thanks for brainstorming with me here.

    So it looks like we'd either be doing the build manually or getting gitlab to do it for us. I think both are valid options. My leaning is toward the manual, ckedit-like, route since that is already an accepted packaging practice in Drupal.

    I'll play around with this a little bit and see what I can make.

  • πŸ‡ΊπŸ‡ΈUnited States kreynen

    https://partytown.qwik.dev/distribution/ talks about the origin/scope requirements...

    The lib directory contains the static files that should be hosted from the same origin as the website. Hosting from the same origin is a requirement of the service worker scope.

    The library is licensed as MIT so it can be included in the module repo on Drupal.org from a licensing perspective, but the required build step and origin issues with a CDN make this a little different than most js dependencies in Drupal modules.

    Doesn't the option to change the path in https://git.drupalcode.org/project/partytown_drupal/-/blob/1.0.x/src/For... eliminate any lock in? You wouldn't be stuck with a specific version of js just because that's what the module maintainer included. Since we know this is beta and has had 82 releases since July of 2022, if you want to update before the module you could still do that. I could see adding this to a theme build.

    Not really sure what else could be done to improve this.

  • πŸ‡ΊπŸ‡ΈUnited States abenbow Asheville, North Carolina

    So CDNs are out based on the same origin policy, which leaves us with bundling it in the module using composer or npm, manually or automatically.

    To kreynen's point, there aren't exactly a lot of releases, and the burden of packaging new releases would only fall on me at the moment.

    The automated aspect of letting a package manager do this would be great, but that may not be relevant if we're looking at a handful of maintanence releases in the next year or so.

    I think having a physical receipt in the form of a lockfile or a libraries.json or something else is a good practice, so its clear what we're shipping.

    I think a good solution in the short term is to package it with npm and later on using composer if we can swing it.

    Thoughts?

Production build 0.71.5 2024