Talking Drupal #443 - Violinist.io

Mar 25, 2024

Eirik Morland discusses Violinist.io, a tool for automating composer dependencies. Topics covered include security risks, costs, differences with dependabot, ideal users, self-hosting, and support from the community. They also explore managing patches with composer, open-source benefits, and future plans for Violinist.io.

Ask episode

Chapters

Transcript

Episode notes

Introduction

00:00 • 2min

Managing Drupal Patches with Composer Patches Plugin

01:38 • 6min

Unique Patching Situation and Importance of Contribution

07:44 • 2min

Exploring the Features of Violinist.io

09:50 • 3min

Managing Dependencies and Automation with Violinist.io

12:56 • 23min

Enhancing Security and Maintaining Codebase with Violinist

35:51 • 18min

Embracing Open Source at Violinist.io

54:01 • 8min

Discussion on Using Violinist.io to Maintain Website Security and Updates

01:01:58 • 3min

Today we are talking about Violinist.io, Managing Composer Dependencies, and automation with guest Eirik Morland. We’ll also cover Composer Patches as our module of the week.

For show notes visit: www.talkingDrupal.com/443 Topics

What is Violinist.io
How does it work
How much technical knowledge do you need
Is this a security risk
How much does it cost
Patron question: Peter: Difference between violinist and dependabot
What are the major differences in plans
Who is the ideal user
Can you self host
Can this help with Drupal 11 readiness
Complementary tools
Notable users
Why did you start this
What is it like using Drupal for a SAAS
Is it open source
Pros and cons of open source for a SAAS
How can the community support
What is on the roadmap

Resources

Guests

Eirik Morland - violinist.io eiriksm

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan Martin Anderson-Clutz - mandclu.com mandclu Anna Mykhailova - kalamuna.com amykhailova

MOTW Correspondent

Martin Anderson-Clutz - mandclu

Brief description:

Have you ever wanted a simple way to manage patches to Drupal core and your contrib projects? There’s a composer plugin for that

Module name/project name:

https://github.com/cweagans/composer-patches
Composer Patches

Brief history

How old:created in Apr 2015 by Cameron Weagans
Versions available: 1.7.3 and 2.0.0-beta2

Maintainership
Actively maintained, beta2 release was a little over a month ago

Test coverage
Has a documentation site, as well as a COMMANDS markdown file in the repo to help you get started
Number of open issues: 10, 2 of which are bugs

Usage stats:

It’s been installed over 42 million times and it’s approaching 43 thousand installs per day, according to a recent blog post

Module features and usage

Using the plugin is simple, you require cweagans/composer-patches the same way you would a Drupal contrib project. The important difference is that composer will ask you if you trust composer-patches to make changes to your codebase. Once you grant that, the plugin is ready to start applying patches
You can specify what patches you want applied by adding a patches section to the extra section of your project’s composer.json file, or by adding a patches.json file
Each patch can be specified using a URL or a path relative to the JSON file
In theory it’s possible to have composer patches pulled directly from the diff in a merge request, but this is a significant security risk and should always be avoided
The first beta release for the 2.0 branch actually dropped support for dependency patch resolution, noting that it had become the source of most support requests. In the end the community made it clear that they would resist upgrading without this capability, so the most recent beta2 release adds it back in.

Finally, on his website cweagans.net Cameron mentions that he’s currently looking for full-time employment. So if your organization relies heavily on composer in general or composer-patches specifically, consider reaching out to him