Magento 2.0.18 is the final 2.0.x release. After March 2018, Magento 2.0.x will no longer receive security patches, quality fixes, or documentation updates.
To maintain your site's performance, security, and PCI compliance, upgrade to the latest version of Magento.


We use Composer to manage dependencies and upgrades in Magento Commerce Cloud and provide context about the included packages, what the packages do, and how they fit together. We highly recommend experience with Composer.

Composer is a dependency manager for PHP. Composer manages the dependencies you require on a project by project basis. This means that Composer will pull in all the required libraries, dependencies and manage them all in one place. For Magento Commerce Cloud, we use composer.json and composer.lock to manage your modules list, packages, dependencies, and so on for determining upgrades, patches, hotfixes, and more. Magento extension and module developers use composer.json to also manage their product installations and upgrades. For details, see Your project’s Composer files.

The following sections detail the specifics of Magento Commerce Cloud composer packages, how they work, and what they do within the code base.

For information on what files should and shouldn’t be in source control, see Project structure. We provide a .gitignore file to aid.

Your project’s Composer files

Your project root directory contains composer.json and composer.lock.

You edit composer.json to specify dependencies for your Magento Commerce Cloud project. For example, when you install an extension or module, you update composer.json to add the extension to the list. You can either edit it manually or the Component Manager can do it for you.

The file composer.lock stores a set of exact version dependencies that satisfy all of the version constraints of every requirement for every package in the dependency tree of the project.

The following commands determine what’s in composer.lock:

  • composer update, which you must run every time you add or remove dependencies in composer.json. composer update updates composer.lock.
  • composer install reads composer.lock, not composer.json, to download dependencies. You must keep an up-to-date copy of composer.lock in your Cloud Git repository.

The workflow is as follows:

  1. Make a change to composer.json. For example, edit this file when installing an extension or module.
  2. Run composer update.
  3. Add composer.lock to or update it in your Cloud Git repository.
  4. Push the changes to the Cloud environment, which causes Cloud to build and deploy the environment.

During the build phase, the Cloud environment runs composer install on a fresh clone of your Git branch to retrieve the latest dependencies.

Magento composer commands

We use the following commands for Magento:

  • composer install: Use this command if you know extension and base code is updated. This command uses composer.lock, not composer.json. The command reads the lock file and checks the versions installed and listed in the file. If new lines are included or the file has a later version, the code is installed. After initial install, using the command only installs new code if you add new extensions or versions to composer.lock.
  • composer update: Use this command when you need to perform complete updates of all extensions and base code. This command uses composer.json, not composer.lock.

Magento Commerce (Cloud) packages

The following sections discuss the Composer packages used by Magento Commerce:


magento/magento-cloud-metapackage should be the only package in the require section of your composer.json. This is a metapackage and does not contain any code.

The metapackage depends on the appropriate versions of magento/magento-cloud-configuration and magento/product-enterprise-edition. At any given version, this package requires the same version of magento/product-enterprise-edition. Therefore, to use Magento Commerce version 2.1.4, for example, composer.json must specify a requirement for magento/magento-cloud-metapackage version 2.1.4.

This package depends on a floating version of magento/magento-cloud-configuration (abbreviated MCC). It depends on the major and minor version of MCC that correspond to the specified Magento Commerce version, and floats on the patch version so that compatible updates to this packages can be automatically pulled by running composer update.

magento/magento-cloud-configuration (MCC)

This package contains the following scripts and magento commands that automatically perform building and deployment of the codebase on the cloud environment:

  • pre-deploy.php
  • bin/magento magento-cloud:deploy
  • bin/magento magento-cloud:build

magento/magento-cloud-configuration also contains patch files that are specific to Cloud.

There is a many-to-one relationship between the MCC version and Magento versions.

For Magento Commerce, versions are specified as 2.<x>.<y>.

MCC versions are specified as: <100 + x>.<y>.*. For example, Magento Commerce 2.1.4 is associated with MCC 101.4.0. Subsequently, a new version of MCC could be released that corresponds to the same Magento Commerce version, and it would be 101.4.1.

We release updated MCC code to add a new patch or to improve the build and deploy hooks.

To check for patches, you can check the vendor/magento/magento-cloud-configuration/patches folder.


This metapackage requires Magento application components, including modules, frameworks, themes, and so on.

Base packages and file marshalling

Magento contains two base packages, magento/magento2-base and magento/magento2-ee-base. These packages contain interstitial files that cannot be classified as extensions, themes, frameworks, or language packages; for example, sample server configuration files, PHP entry points, and so on.

These files are location-dependent, and cannot reside in the vendor directory. They are distributed as part of the base packages, and they rely on hooks located in the magento/magento-composer-installer package, which marshals them to the appropriate locations.

One way in which Magento Commerce deploys differently than other Magento installations is that it does not marshal base packages on the Cloud environment. This could change in a future Cloud release, but for now, on the Cloud environment specifically, the marshalling functionality of magento/magento-composer-installer is disabled.

Therefore, when upgrading to a new Cloud version or adding, removing, or changing any packages that rely on file marshalling, you must:

  1. Run composer update locally.

    The new version of the base packages are marshalled out into the Cloud project root directory, which means files are added, removed, and changed.

    File marshalling works on your local system but not on the Cloud server.

  2. Add and commit these updated files to your Cloud Git repository.
  3. Push the changes to your Cloud integration environment.

For more information, see:

This makes sure that base files are placed in the correct location and are under source control. If you notice any problems after deploying an updated version of Magento, one of the first things to check should be whether all of the base package files were added to source control.