Manual:External libraries

This page documents how to add new external libraries to MediaWiki core.

We use [https://getcomposer.org/ composer] to manage dependencies.

 * 1) Find your external library. It should be available on packagist, and have a tagged release that you wish to use.
 * 2) File a bug requesting a security review of the library. Please add the [https://phabricator.wikimedia.org/project/view/818/ MediaWiki-Vendor] project to the task.
 * 3) Once the security review is approved, submit a patch to the mediawiki/vendor repository, adding the library.
 ** Your patch should use fixed version numbers (e.g. 1.0.0) so we always use a specific version of the library instead of depending upon the upstream maintainer to properly follow the semantic versioning rules, as many don't.
 * 4) Upload your mediawiki/core patchset which uses the library and include a link to your mediawiki/vendor commit in the comments. (This step can be done earlier, but can't be merged until the security review is complete.)
 ** You will also need to update core's composer.json file in your patch (using a fixed version number).
 * 5) Go through the normal code review process. Once your code is ready for merging, the mediawiki/vendor patch should be merged, and then the mediawiki/core patch, so unit tests will be able to use the library.
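
As an added example (not MediaWiki's own tooling), the following Python check flags any composer.json requirement that is not a fixed version, which is the rule the steps above set for both mediawiki/vendor and core's composer.json. The sample composer.json and its package names are constructed, and the regular expression is this example's assumed definition of a fixed version.

```python
import json
import re

# Constructed sample composer.json (not MediaWiki's real file).
SAMPLE_COMPOSER_JSON = """
{
    "require": {
        "php": ">=8.1",
        "ext-json": "*",
        "example/pinned-lib": "1.0.0",
        "example/caret-lib": "^2.3",
        "example/tilde-lib": "~1.4.2",
        "example/wildcard-lib": "1.2.*",
        "example/branch-lib": "dev-main"
    },
    "require-dev": {
        "example/test-tool": "3.1.4",
        "example/range-lib": ">=1.0 <2.0"
    }
}
"""

# Assumed policy for this example: only a bare MAJOR.MINOR.PATCH (optionally a
# fourth segment or a pre-release suffix such as -beta1) counts as fixed.
FIXED_VERSION = re.compile(r"^v?\d+\.\d+\.\d+(\.\d+)?(-[A-Za-z]+\.?\d*)?$")


def unpinned_requirements(composer_json_text):
    """Return sorted (section, package, constraint) tuples that are not fixed."""
    data = json.loads(composer_json_text)
    findings = []
    for section in ("require", "require-dev"):
        for package, constraint in data.get(section, {}).items():
            # Platform requirements (php, ext-*, lib-*) have no vendor prefix
            # and are not vendored libraries, so the pinning rule skips them.
            if "/" not in package:
                continue
            if not FIXED_VERSION.match(constraint.strip()):
                findings.append((section, package, constraint))
    return sorted(findings)


if __name__ == "__main__":
    for section, package, constraint in unpinned_requirements(SAMPLE_COMPOSER_JSON):
        print(f"{section}: {package} uses non-fixed constraint {constraint!r}")
```

A check like this can run in code review or CI so that a range constraint is caught before the patch is merged.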

For Wikimedia-deployed extensions, the process is similar. You will need to create a composer.json file for your extension listing your dependencies. In your extension.json file, set  (documentation) so those dependencies are loaded.

The [[Special:ExtensionDistributor|extension distributor]] automatically packages composer dependencies, so tarball users won't have to do it manually.

You'll then need to add the library to the mediawiki/vendor repository after the security review is complete.