Shared hosting recommends setting up Composer rather than relying on the global version

Created on 3 July 2025, 2 days ago

Problem/Motivation

This issue came up when using A2 Hosting. There is a global composer install that is accessible to sites, but sometime in March the requirements for Package Manager changed (to >=2.7) and the version installed (2.6.5) was no longer high enough.

I reached out to ask whether they would ever update this and they advised that they would not; essentially, your site is locked to the global version it had when it was created. (Or at least, you cannot expect that it will ever be updated.)

They recommend setting up Composer for your site, which is obviously possible but requires command line interaction that we want to avoid.

We highly recommend setting up your own version of Composer on your account. You can follow this guide for assistance: https://www.a2hosting.com/kb/developer-corner/php/installing-composer/

Steps to reproduce

  1. Install Drupal on A2 Hosting
  2. Set up Project Browser per the instructions →
  3. Visit the PB modules page and try to install a module that is not already on local disk
  4. See that there is an error because the installed Composer version doesn't meet the requirements

Proposed resolution

Include Composer in the cpanel package? This would ensure it's compatible from the start, but I guess we still can run into the issue down the road when the requirements change, assuming that the site owner is not updating their composer version.

Remaining tasks

TBC

📌 Task
Status

Active

Component

Infrastructure

Created by

🇦🇺 Australia pameeela

Comments & Activities

  • Issue created by @pameeela
  • 🇺🇸 United States phenaproxima Massachusetts

    Include Composer in the cpanel package?

    From a technical perspective, this wouldn't be hard to do. But it would put the executable composer binary into a publicly-accessible directory (http://example.com/vendor/bin/composer), which could be a, ahem, security concern (read: potentially monumental catastrophe).

    Definitely worth discussing the pros and cons here.

  • 🇺🇸 United States hestenet Portland, OR 🇺🇸
  • 🇦🇺 Australia pameeela
  • 🇺🇸 United States phenaproxima Massachusetts

    Here's a way we could include Composer in the cPanel package as a runtime dependency without risking exposing executables to the Big, Bad Internet:

    • First, core would need to be changed so that Package Manager always runs Composer through the PHP interpreter, rather than as an executable of its own. There's already an issue for this (somewhere); and it works. The Drupal CMS launcher runs Composer this way. That's the blocker.
    • Then we could include Composer as a runtime dependency, with drupal/core-vendor-hardening taking care of cleaning the executable out of vendor/bin. But Package Manager would not be trying to run it, so that'd pretty much take care of it. The only other thing to do would be for site builders to set Composer's path to the locally installed copy, which is already doable (although not in the UI, but there's an issue for that as well).
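
A site owner can check both conditions raised in this thread before relying on Package Manager: whether the Composer found on the PATH meets the >=2.7 minimum, and whether anything executable sits in vendor/bin under the web root. This is an added example, not part of the thread or of Drupal core; the function names, the docroot argument and the script name are assumptions, and the version line in the comment is a constructed sample.

```shell
#!/bin/sh
# Added audit example (hypothetical helper names, not Drupal or Package Manager code).
MIN_COMPOSER="2.7"   # minimum quoted in the issue summary

# parse_composer_version TEXT: extract the dotted version from `composer --version`
# output, e.g. the constructed sample "Composer version 2.6.5 2023-10-06 10:11:52".
parse_composer_version() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# field by field so that 2.10 ranks above 2.7.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# exposed_bins DOCROOT: list files or symlinks under DOCROOT/vendor/bin that
# still carry the owner-execute bit. Prints nothing when the directory is absent.
exposed_bins() {
    [ -d "$1/vendor/bin" ] || return 0
    find "$1/vendor/bin" \( -type f -o -type l \) -perm -100 -print
}

# Usage: sh audit.sh /path/to/docroot   (audit.sh is a hypothetical script name)
if [ "$#" -ge 1 ]; then
    out=$(composer --version 2>/dev/null || true)
    ver=$(parse_composer_version "$out")
    if [ -z "$ver" ]; then
        echo "composer: not found on PATH"
    elif version_ge "$ver" "$MIN_COMPOSER"; then
        echo "composer $ver: meets >= $MIN_COMPOSER"
    else
        echo "composer $ver: below required $MIN_COMPOSER"
    fi
    exposed_bins "$1" | sed 's/^/executable under web root: /'
fi
```

An empty list from `exposed_bins` only shows that nothing in vendor/bin is marked executable; whether the web server serves that directory at all is a separate check.
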
  • 🇺🇸 United States phenaproxima Massachusetts

    The change proposed in ✨ Add a directory to the PATH Active would allow us to implement #5. It's a worthwhile change in any case, though.

  • 🇳🇬 Nigeria chike Nigeria

    I have seen this issue after I upgraded to Drupal 11 recently and tried to use automatic updates. I saw this issue and I tried in 3 other shared host companies my clients use outside Hosting.com which I think was where I first saw the issue. I tried on sites using Greengeeks, Namecheap and a local host company here called Go54; all of them have Composer version 2.6.5. I abandoned trying au until I have time to either see if they will upgrade the global Composer version or I download a local copy.
