Drupal World

Changing the Third Party Library Inclusion

In order to get Open Social covered by Drupal’s security advisory policy, we worked hard to achieve coding — continue reading
Posted by Ronald te Brake
October 9, 2017

In order to get Open Social covered by Drupal’s security advisory policy, we worked hard to achieve coding standards in our distribution. One of the biggest issues to solve was the correct way of including our front-end javascript libraries. Drupal dictates we shouldn’t include any third party libraries in our codebase.

In general 3rd party libraries and content are forbidden, so do not commit any. Instead, document for your users how to find and install the library/content themselves.”


Unfortunately, we had quite a few third-party scripts as part of our theme’s components. This means we had to remove all the third-party scripts from our codebase and include them in another way. There are various options to do so, but we wanted to minimize the number of tools and steps for developers to get the distribution up and running. According to a blog post by Acquia’s Lightning distribution, Composer felt like the best approach to solve our problem.

As stated in the blog post, the concept is to use the power of Composer to install packages by making use of the Asset Packagist repository. This allows for the installation of Bower and NPM packages as native Composer packages. All our 3rd party libraries can be installed via this repository since they are all listed in this repository.

How does this work?

For a library to be included and installed we list the repository in our composer file and specify the release version (range) we want to use.

… “Require”: { "bower-asset/waves": "0.7.5" }

Also we need to add Asset Packagist to our repositories to utilise it

"repositories": [
"type": "composer",
"url": "https://asset-packagist.org"


When we run it now, the composer update will download and install this library for us.

Steps to Update to Release 1.5

The inclusion of the third party libraries has been added to the installation profile. However, to make use of this new feature you need to add the Asset Packagist repository as well as the location where you’ll install the libraries to your project’s composer.json file.

The following lines need to be added (You can see the full commit here).

Manual steps to take update to release 1.6

  1. The first addition is the asset packagist repository, where the assets will be downloaded from.
  2. The second addition is the supported installer types. We support both Bower and NPM packages. At the moment we do not use NPM, but the option to use it is there.
  3. The third addition instructs composer where to place these new libraries. As you can see, they will be placed in the HTML/libraries folder.

It is critical that you add these lines to your composer file that requires the Open Social install profile and then run a composer update.

The last step that we took is to relocate the scripts to a different folder. It used to be in the socialbase theme but, since these are third party libraries, it makes much more sense to put them in a libraries folder at the root of the website. In the theme we point to the (javascript) file that is in the libraries folder.

Relocate the scripts to a different folder.

We hope that with these step you can update to the latest release without any issues. In the future, we try to prevent you from having to make these kinds of changes. Unfortunately, there is no other way at the moment to comply with the Drupal Security advisory, If you have any questions please create an issue on drupal.org or type support request. We will be happy to assist you.

In this article we discuss

Related articles