To get Open Social covered by Drupal’s security advisory policy, we have worked hard to solve coding standards issues in our distribution. One of the biggest issues was the correct way of including our front-end JavaScript libraries. Drupal dictates that we shouldn’t include any third-party libraries in our codebase.


“In general 3rd party libraries and content are forbidden, so do not commit any. Instead, document for your users how to find and install the library/content themselves.”

3rd party libraries and content on


Unfortunately we had quite a few third-party scripts as part of our theme’s components. This means we have to remove all these third-party scripts from our codebase and include them in another way. There are various options to do so, but we want to minimize the number of tools and steps developers need to get the distribution up and running. After reading the blog post “Round up your front-end JavaScript libraries with Composer” by Acquia’s Lightning distribution, we felt Composer was the best approach to solve our problem.


As you can read in the blog post, the concept is to use the power of Composer to install packages by making use of the Asset Packagist repository. This allows Bower and NPM packages to be installed as native Composer packages. All our third-party libraries are listed in this repository, so all of them can be installed through it.


How does this work?

For a library to be included and installed we list the repository in our composer file and specify the release version (range) we want to use.


… "require": { "bower-asset/waves": "0.7.5" }

Also, we need to add Asset Packagist to our repositories to utilise it:

"repositories": [
    {
        "type": "composer",
        "url": ""
    }
]


When we now run composer update, it will download and install this library for us.

Manual steps to take to update to release 1.5

The inclusion of the third party libraries has been added to the installation profile. However to make use of this new feature you need to add the Asset Packagist repository as well as the location where to install the libraries to your project’s composer.json file.


The following lines need to be added (you can see the full commit here).


Manual steps to take to update to release 1.6


  1. The first addition is the asset packagist repository, where the assets will be downloaded from.

  2. The second addition lists the supported installer types. We support both Bower and NPM packages. At the moment we do not use NPM, but the option to use it is there.

  3. The third addition instructs Composer where to place these new libraries. As you can see, they will be placed in the html/libraries folder.


It is critical that you add these lines to your composer file that requires the Open Social install profile and then run composer update.
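One way to confirm the three additions are in place before running composer update, as an added example that is not part of the original post or Open Social's own code. It assumes the Asset Packagist URL https://asset-packagist.org and the `installer-types` / `installer-paths` keys under `extra` as used by composer/installers and its extender plugin; `check_composer`, the sample file and the package `npm-asset/example-lib` are constructed for illustration.

```python
import json
import re

# Constructed sample project composer.json (not Open Social's actual file).
SAMPLE = """{
  "repositories": [{"type": "composer", "url": "https://asset-packagist.org"}],
  "require": {"bower-asset/waves": "0.7.5", "npm-asset/example-lib": "^1.2"},
  "extra": {
    "installer-types": ["bower-asset", "npm-asset"],
    "installer-paths": {
      "html/libraries/{$name}": ["type:bower-asset", "type:npm-asset"]
    }
  }
}"""

ASSET_TYPES = ("bower-asset", "npm-asset")
EXACT = re.compile(r"v?\d+(\.\d+)*")  # e.g. 0.7.5; anything else is a range


def check_composer(text, libraries_dir="html/libraries/"):
    """Return (missing, ranged): absent additions and range-constrained assets."""
    cfg = json.loads(text)
    missing, extra = [], cfg.get("extra", {})

    # 1. Asset Packagist listed as a composer repository, fetched over HTTPS.
    repos = cfg.get("repositories", [])
    repos = list(repos.values()) if isinstance(repos, dict) else repos
    if not any(isinstance(r, dict) and r.get("type") == "composer"
               and str(r.get("url", "")).rstrip("/") == "https://asset-packagist.org"
               for r in repos):
        missing.append("repository")

    for t in ASSET_TYPES:
        # 2. The installer type is enabled.
        if t not in extra.get("installer-types", []):
            missing.append(f"installer-types:{t}")
        # 3. Packages of that type are routed into the libraries folder.
        if not any(p.startswith(libraries_dir) and f"type:{t}" in matchers
                   for p, matchers in extra.get("installer-paths", {}).items()):
            missing.append(f"installer-paths:{t}")

    # Assets required by range can change version on the next `composer update`.
    ranged = sorted(name for name, ver in cfg.get("require", {}).items()
                    if name.split("/")[0] in ASSET_TYPES and not EXACT.fullmatch(ver))
    return missing, ranged


if __name__ == "__main__":
    print(check_composer(SAMPLE))
```

An empty `missing` list means all three additions were found; `ranged` names the front-end assets whose installed version is decided at update time rather than fixed in composer.json.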


The last step that we took was to relocate the scripts to a different folder. They used to be in the socialbase theme, but as these are third-party libraries it makes much more sense to put them in a libraries folder at the root of the website. In the theme we point to the JavaScript file that is in this libraries folder.


Relocate the scripts to a different folder.


We hope that with these steps you can update to the latest release without any issues. In the future we will try to prevent you from having to make these kinds of changes. Unfortunately there is no other way at the moment to comply with the Drupal Security advisory, but to take this road. If you have any questions please create an issue on of type support request. We will be happy to assist you.
