Advanced Composer Patches for Drupal: Secure, Maintainable Workflow with v2 Enhancements
Joe Fitzpatrick expands on his earlier guide to patching Drupal with a deep dive into advanced Composer Patches usage. He warns against relying on auto-generated patches from merge request URLs: their contents can change over time without any change in the URL, which makes builds non-reproducible and can pose a security risk. Instead, developers are encouraged to download patch files directly and manage them locally in the project, or to use Composer Patches v2 features such as patch locking for stability.
One new option is the composer config extra.patches command, which adds patch definitions to composer.json without manual editing. Version 2 of Cameron Eagans' package introduces a patches.lock.json file that stores a sha256 checksum for each patch. This ensures reproducibility: a patch is fetched again only when its checksum changes, and composer patches-repatch is available to refresh the applied patches when necessary.
Other enhancements include support for an external patches.json file, which keeps patch definitions separate from composer.json, and an expanded definition format that allows additional metadata fields such as issue-tracker-url. These improvements make patch management more transparent, secure, and maintainable for Drupal developers working with contrib projects such as Smart Trim.
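To show why checksum locking matters, here is an added example (not code from the article or from the Composer Patches plugin) that models the workflow in Python: patch definitions in the expanded object-per-patch style, a simplified lock file recording a sha256 per local patch, and a check that reports whether a patch on disk still matches what was locked. The lock structure, the "extra" metadata block, the placeholder issue URL and the sample patch text are all constructed assumptions for this example; the real patches.lock.json schema is the plugin's own and may differ.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed patch text standing in for a real contrib patch file.
SAMPLE_PATCH = """--- a/smart_trim.module
+++ b/smart_trim.module
@@ -1 +1,2 @@
 <?php
+// constructed sample hunk, not a real Smart Trim change
"""

# Patch definitions in the expanded (object-per-patch) style described on the page.
# The "extra" block and the placeholder URL are assumptions for this example.
PATCHES = {
    "drupal/smart_trim": [
        {
            "description": "Constructed example patch for Smart Trim",
            "url": "patches/smart_trim-constructed.patch",
            "extra": {"issue-tracker-url": "https://example.invalid/issue/PLACEHOLDER"},
        }
    ]
}


def is_remote(url: str) -> bool:
    """True for http(s) patch sources; merge-request diff URLs are the case the page warns about."""
    return url.startswith(("http://", "https://"))


def remote_patch_urls(patches: dict) -> list:
    """List (package, url) pairs fetched over the network rather than kept in the repository."""
    return [(pkg, entry["url"]) for pkg, entries in patches.items()
            for entry in entries if is_remote(entry["url"])]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_lock(patches: dict, root: Path) -> dict:
    """Record a sha256 per local patch, mirroring the idea behind patches.lock.json.
    The structure is a simplified assumption, not the plugin's exact schema."""
    lock = {"patches": {}}
    for pkg, entries in patches.items():
        lock["patches"][pkg] = [
            {"description": e["description"], "url": e["url"], "sha256": sha256_of(root / e["url"])}
            for e in entries
        ]
    return lock


def check_lock(lock: dict, root: Path) -> dict:
    """Compare each locked patch with the file on disk: 'ok', 'changed' or 'missing'."""
    status = {}
    for entries in lock["patches"].values():
        for e in entries:
            path = root / e["url"]
            if not path.exists():
                status[e["url"]] = "missing"
            elif sha256_of(path) != e["sha256"]:
                status[e["url"]] = "changed"
            else:
                status[e["url"]] = "ok"
    return status


def run_demo() -> dict:
    """Write the constructed patch into a temporary project, lock it, then simulate drift."""
    url = PATCHES["drupal/smart_trim"][0]["url"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        patch_file = root / url
        patch_file.parent.mkdir(parents=True)
        patch_file.write_text(SAMPLE_PATCH)

        lock = build_lock(PATCHES, root)
        (root / "patches.lock.json").write_text(json.dumps(lock, indent=2))
        results = {"fresh": check_lock(lock, root)[url]}

        # The patch content changes after locking, as an MR diff URL can do silently.
        patch_file.write_text(SAMPLE_PATCH + "+// line added after the lock was written\n")
        results["drifted"] = check_lock(lock, root)[url]

        patch_file.unlink()
        results["missing"] = check_lock(lock, root)[url]
    return results


if __name__ == "__main__":
    print(run_demo())
    print("remote patch sources:", remote_patch_urls(PATCHES))
```

Running the script reports the patch as "ok" right after locking, "changed" once its contents differ from the recorded checksum, and "missing" when the file is gone; a pipeline that stops on anything other than "ok" is the practical equivalent of letting the plugin refuse to silently apply a patch that no longer matches its lock. The remote_patch_urls check is a lightweight policy gate for the article's other recommendation: flag definitions that still point at network URLs so they can be replaced with files committed alongside the project.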