Eirik Morland discusses Violinist.io, a tool for automating Composer dependency updates. Topics covered include security risks, costs, differences from Dependabot, ideal users, self-hosting, and support from the community. They also explore managing patches with Composer, open-source benefits, and future plans for Violinist.io.
Violinist.io automates composer updates through pull requests for best practices.
Managing composer patches with Violinist.io enhances security by avoiding direct pulls from GitLab.
Violinist.io offers tier-based pricing plans, including a free tier for one private project.
Deep dives
Violinist.io Overview
Violinist.io is a tool designed to automate composer updates and create pull requests. It functions by mimicking a team member that uses composer commands, ensuring best practices by submitting changes as pull requests. The platform is ideal for organizations adopting continuous integration and deployment practices to maintain and update dependencies incrementally.
Composer Patches Management
Violinist.io simplifies managing Composer patches, a crucial aspect for Drupal projects. It provides the capability to specify patches in the composer.json file or patches.json, allowing for straightforward application. The platform enhances security by avoiding direct patch pulls from GitLab merge requests, thus preventing potential security risks.
Subscription Model and Pricing
Violinist.io offers tier-based pricing models like the agency plan and enterprise plan, ensuring affordable per-project costs. The platform's pricing structure includes a free tier for one private project and unlimited public projects, catering to individual developers and organizations with varying needs.
Drupal Core and Dependency Updates
Violinist.io aids in preparing for major upgrades like Drupal 11 by facilitating continuous updates. It assists in keeping codebases up to date, reducing the complexity of cumulative updates and enabling developers to address module conflicts promptly. The tool fosters a proactive approach to Drupal version upgrades, ensuring smoother transitions.
Community Engagement and Contribution
The community support and usage of Violinist.io play a crucial role in its development and growth. Leveraging the platform for various projects and open-source initiatives further enhances its utility. The platform benefits from community engagement by channeling feedback and use cases into feature enhancements and improvements.
Today we are talking about Violinist.io, Managing Composer Dependencies, and automation with guest Eirik Morland. We’ll also cover Composer Patches as our module of the week.
For show notes visit: www.talkingDrupal.com/443
Topics
What is Violinist.io
How does it work
How much technical knowledge do you need
Is this a security risk
How much does it cost
Patron question: Peter: Difference between violinist and dependabot
Have you ever wanted a simple way to manage patches to Drupal core and your contrib projects? There’s a composer plugin for that
Module name/project name:
https://github.com/cweagans/composer-patches
Composer Patches
Brief history
How old: created in Apr 2015 by Cameron Weagans
Versions available: 1.7.3 and 2.0.0-beta2
Maintainership
Actively maintained, beta2 release was a little over a month ago
Test coverage
Has a documentation site, as well as a COMMANDS markdown file in the repo to help you get started
Number of open issues: 10, 2 of which are bugs
Usage stats:
It’s been installed over 42 million times and it’s approaching 43 thousand installs per day, according to a recent blog post
Module features and usage
Using the plugin is simple: you require cweagans/composer-patches the same way you would a Drupal contrib project. The important difference is that Composer will ask you if you trust composer-patches to make changes to your codebase. Once you grant that, the plugin is ready to start applying patches.
You can specify what patches you want applied by adding a patches section to the extra section of your project’s composer.json file, or by adding a patches.json file
Each patch can be specified using a URL or a path relative to the JSON file
In theory it’s possible to have composer patches pulled directly from the diff in a merge request, but this is a significant security risk and should always be avoided
The first beta release for the 2.0 branch actually dropped support for dependency patch resolution, noting that it had become the source of most support requests. In the end the community made it clear that they would resist upgrading without this capability, so the most recent beta2 release adds it back in.
Finally, on his website cweagans.net Cameron mentions that he’s currently looking for full-time employment. So if your organization relies heavily on composer in general or composer-patches specifically, consider reaching out to him
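The patch-source point above can be checked mechanically. The following is an added example, not code from the episode or from composer-patches: it reads the compact `extra.patches` form (description mapped to a URL or path) and reports every patch that is not a local file, marking URLs that point at a merge request or pull request diff, whose content changes whenever new commits are pushed. The sample composer.json, host names and paths are constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample composer.json; package names, URLs and paths are made up.
SAMPLE_COMPOSER_JSON = """
{
  "extra": {
    "patches": {
      "drupal/core": {
        "Fix example notice": "patches/core-example-notice.patch"
      },
      "drupal/example_module": {
        "Pending MR fix": "https://git.example.org/project/example_module/-/merge_requests/12.diff",
        "Issue queue patch": "https://www.example.org/files/issues/example-3000000-2.patch"
      }
    }
  }
}
"""

# GitLab ".../-/merge_requests/<n>.diff|.patch" and GitHub ".../pull/<n>.diff|.patch"
MR_DIFF = re.compile(r"/(?:-/merge_requests|pull)/\d+\.(?:diff|patch)$")


def classify(source):
    """Return 'local', 'remote' or 'merge-request-diff' for one patch source."""
    parsed = urlparse(source)
    if parsed.scheme not in ("http", "https"):
        return "local"  # path relative to the JSON file
    if MR_DIFF.search(parsed.path):
        return "merge-request-diff"  # mutable: tracks the branch, not a fixed file
    return "remote"


def audit_patches(composer_json_text):
    """List (package, description, source, kind) for every patch not stored locally."""
    patches = json.loads(composer_json_text).get("extra", {}).get("patches", {})
    findings = []
    for package, entries in patches.items():
        for description, source in entries.items():
            kind = classify(source)
            if kind != "local":
                findings.append((package, description, source, kind))
    return findings


if __name__ == "__main__":
    for package, description, source, kind in audit_patches(SAMPLE_COMPOSER_JSON):
        print(f"{kind:20} {package}: {description} -> {source}")
```

Downloading the patch once, reviewing it, and committing it under a local `patches/` directory turns a flagged entry into a `local` one.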