
[Spike: 2 hours] How can we share code between different extensions?
Closed, Resolved (Public)

Description

Can we share dependencies with Composer? Is that a thing? How do other extensions share libraries? Do other extensions share libraries? What have I missed?

Also, how does/would this affect the security review process?

Examples

  • Muhogan ResourceLoader module

Outcomes

The response to these questions and a plan of how to migrate the relevant code is added to T114916.

Event Timeline

phuedx raised the priority of this task from to Medium.
phuedx updated the task description.
phuedx subscribed.
KLans_WMF renamed this task from [Spike] How can we share code between different extensions? to [Spike: 2 hours] How can we share code between different extensions? (Oct 14 2015, 5:14 PM)
KLans_WMF set Security to None.

If we add a library to composer.json in MobileFrontend, what do we need to ensure composer update gets run on deploy? Does it just happen magically or do we need to add a script/make a config change?

There are fundamentally 3 ways that existing extensions share code:

  • Extension B depends on Extension A being installed (either conditionally or as an absolute dependency)
  • Both Extension A and Extension B depend on Extension C which only serves to provide the shared code (either conditionally or as an absolute dependency)
  • Extension A and Extension B both depend on a Composer managed library

For WMF production deployment, Composer managed dependencies need to be included in the mediawiki/vendor git repo which is managed through gerrit and its own composer.json file. This is accomplished by proposing a gerrit patch that adds the new library or bumps the version of an existing library and an associated gerrit patch in mw-core or an extension that depends on the library (code and composer.json changes). When the addition to mediawiki/vendor has been reviewed and merged then the associated change can be merged.

Thanks for the quick reply.
So to clarify, two extensions that share code via Composer must share it via the composer.json in mediawiki/vendor, even if the code is not used by mediawiki/core?

Yes, but this is needed for WMF deployment only.

Generally, an extension wishing to use Composer to manage a dependency should:

  • Provide a composer.json file declaring the dependency
  • Include bootstrap code that looks for and loads ExtensionName/vendor/autoload.php if present

This setup allows a large amount of flexibility for deployment of the extension and its dependency:

  1. The extension tarball creation system will automatically include the dependency in ExtensionName/vendor.
  2. MediaWiki-Vagrant or a manual deploy from git can use Composer to populate ExtensionName/vendor.
  3. composer-merge-plugin can be used from the core MediaWiki deployment to include extensions/*/composer.json dependencies in the $IP/vendor repo.

For the WMF cluster deployments (beta cluster and production) we use a fourth management scheme. The mediawiki/vendor.git repo is used to manually stage, review and deploy libraries into $IP/vendor for release branches. This system requires a bit of double bookkeeping in the maintenance of a second composer.json file for the same dependency, but it allows us to tightly version and review changes deployed to the cluster.

More details can be found at https://www.mediawiki.org/wiki/Manual:External_libraries and https://www.mediawiki.org/wiki/Requests_for_comment/Composer_managed_libraries_for_use_on_WMF_cluster.
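
The double bookkeeping described in the comment above can drift: an extension's composer.json may declare a library that was never staged in mediawiki/vendor, or the staged entry may be a version range rather than a reviewed pin. The following sketch of a check for that is an added example, not part of this thread or of any WMF tooling; the package names and both composer.json contents are constructed, and reading "tightly version" as "exact version pin" is an assumption.

```python
import json
import re

# Constructed sample: an extension's composer.json (package names are hypothetical).
EXTENSION_COMPOSER = json.loads("""
{"require": {"php": ">=5.5.9",
             "example/shared-lib": "^1.2",
             "example/other-lib": "2.0.1",
             "example/new-lib": "~0.3"}}
""")

# Constructed sample: the second composer.json kept in the vendor repo.
VENDOR_COMPOSER = json.loads("""
{"require": {"example/shared-lib": "1.2.4",
             "example/other-lib": "^2.0"}}
""")

# Platform requirements (PHP itself, extensions, system libs) are not vendored.
PLATFORM = re.compile(r"^(php|hhvm|ext-.+|lib-.+|composer-(plugin|runtime)-api)$")
# Assumption: a reviewed pin is a bare version such as 1.2.4, with no range operator.
EXACT = re.compile(r"^v?\d+(\.\d+){0,3}(-[0-9A-Za-z.]+)?$")


def audit(extension, vendor):
    """Return sorted (package, finding) pairs for bookkeeping drift.

    'missing'  : required by the extension but absent from the vendor file
    'unpinned' : present in the vendor file but not as an exact version
    """
    vendor_req = vendor.get("require", {})
    findings = []
    for pkg in extension.get("require", {}):
        if PLATFORM.match(pkg):
            continue
        pinned = vendor_req.get(pkg)
        if pinned is None:
            findings.append((pkg, "missing"))
        elif not EXACT.match(pinned.strip()):
            findings.append((pkg, "unpinned"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, finding in audit(EXTENSION_COMPOSER, VENDOR_COMPOSER):
        print(f"{finding:9} {pkg}")
```

The check does not evaluate whether the pinned version satisfies the extension's constraint; that needs Composer's own constraint resolver.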

Thanks @bd808
@csteipp how does security work for using composer libraries? For example if we were to pull out some code from MobileFrontend, publish it as a composer library and then make MobileFrontend depend on it - how would you want us to work with you?

The snarky answer being that it doesn't :). But we work around that by putting the libraries into mediawiki/vendor (assuming the library is of general use to mediawiki), so people can check that out via git and don't have to be put at risk by Composer's lack of sanity. If the library is only valuable to MobileFrontend, then the correct thing (iirc) is to have a developer compose the extension, then check in any changes from the library into the extension, and go through the normal code review process.

Jdlrobson claimed this task.

I don't have any further questions. @phuedx when you get back let me know if you do.

None here. Thanks for the background/links/pointers @bd808 and @csteipp.