Manual:External libraries/en

This page documents how to add new external libraries to MediaWiki core. We use composer to manage dependencies.


 * 1) Find your external library. It should be available on packagist, and have a tagged release that you wish to use.
 * 2) File a bug for requesting a security review of the library. Please add the MediaWiki-Vendor project to the task.
 * 3) Once the security review is approved, submit a patch to the mediawiki/vendor repository, adding the library.
 * 4) Upload your mediawiki/core patchset which uses the library and include a link to your mediawiki/vendor commit in the comments. (This step can be done earlier, but can't be merged until the security review is complete.)
 * You will also need to update core's composer.json file in your patch.
 * 1) Go through the normal code review process. Once your code is ready for merging, the mediawiki/vendor patch should be merged, and then the mediawiki/core patch, so unit tests will be able to use the library.

For WMF-deployed extensions, the process is similar. You will need to create a composer.json file for your extension listing your dependencies. In your extension's entry point (or via a callback in extension.json), add code to load the composer autoloader if it has been created:

The extension distributor automatically packages composer dependencies, so tarball users won't have to do it manually. You'll then need to add the library to the mediawiki/vendor repository after the security review is complete.