Use cfpm to Reduce Attack Surface and Footprint
ColdFusion 2025 introduces the ColdFusion Package Manager (cfpm) for modular installation and management of features. Install only what your application needs to minimize security risk and resource usage.
What is cfpm?
cfpm is a command-line tool for managing ColdFusion packages that allows you to:
- Install only the specific features your application needs instead of a monolithic installation
- Update individual packages independently of the core platform
- Remove unused features to reduce your application's attack surface
- Activate and manage your ColdFusion licenses from the command line
Common Commands
List Packages
# List all installed packages
cfpm list
# List available packages
cfpm search
# List packages with updates available
cfpm list --updates
Install Packages
# Install single package
cfpm install orm --acceptEULA
# Install multiple packages
cfpm install orm,pdfg,redis --acceptEULA
# Install specific version
cfpm install orm@2.0.1 --acceptEULA
Update Packages
# Update ColdFusion core
cfpm update --core
# Update all packages
cfpm update-all
# Update specific package
cfpm update orm
Remove Packages
# Remove unused package
cfpm remove soap
# Remove multiple packages
cfpm remove soap,flex
Common Packages
Here are the key packages you may need to install depending on your application requirements:
- orm: Hibernate ORM support
- pdfg: PDF generation and manipulation
- redis: Redis cache and session storage
- solr: Apache Solr search integration
- soap: SOAP web services
- mongo: MongoDB NoSQL support
- debugger: Remote debugging tools
Security Best Practices
- Minimal Installation: Only install the packages your application actually requires
- Regular Updates: Run cfpm update-all after applying core ColdFusion updates
- Remove Unused: Promptly uninstall packages that are no longer needed by your application
- Audit Dependencies: Review your installed packages quarterly to ensure they're still necessary
- Document Requirements: Maintain documentation of which packages each application depends on
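The audit and documentation practices above can be combined into one repeatable check. The script below is an added example, not code from the original page or from cfpm itself: it compares a per-application package manifest with the list of packages installed on the server and prints the cfpm remove / cfpm install commands needed to bring the server in line. It assumes both inputs are plain files with one package name per line; the installed list is something you extract from cfpm list output yourself, since that output format is not shown here.

```shell
#!/bin/sh
set -eu

# normalize FILE: one package name per line, '#' comments and blank lines
# dropped, sorted and deduplicated so comm(1) can compare the two lists.
normalize() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -v '^$' | sort -u
}

# join_csv: newline-separated names on stdin -> the comma-separated form
# that cfpm install / cfpm remove accept (e.g. "soap,flex").
join_csv() {
  paste -sd, -
}

# cfpm_plan MANIFEST INSTALLED
# Prints the commands that reconcile INSTALLED with MANIFEST: a cfpm remove
# for anything installed but not required (attack-surface reduction) and a
# cfpm install for anything required but absent. Prints nothing if they match.
cfpm_plan() {
  req=$(mktemp) inst=$(mktemp)
  normalize "$1" > "$req"
  normalize "$2" > "$inst"
  extra=$(comm -13 "$req" "$inst" | join_csv)    # only in INSTALLED
  missing=$(comm -23 "$req" "$inst" | join_csv)  # only in MANIFEST
  rm -f "$req" "$inst"
  [ -n "$extra" ]   && echo "cfpm remove $extra"
  [ -n "$missing" ] && echo "cfpm install $missing --acceptEULA"
  return 0
}

# demo: constructed sample data (not real server output). The manifest needs
# orm, pdfg and redis; the server has orm, pdfg and an unneeded soap package.
demo() {
  m=$(mktemp) i=$(mktemp)
  printf '%s\n' '# packages app-x needs' orm pdfg redis > "$m"
  printf '%s\n' orm pdfg soap > "$i"
  cfpm_plan "$m" "$i"
  rm -f "$m" "$i"
}

demo
```

Review the printed plan before running it; a package that looks unused may still be a dependency of another installed package (see Gotchas).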
Update Policy
After every ColdFusion core update, you should check for and apply package updates using this process:
- Apply the ColdFusion core update or hotfix
- Run cfpm list --updates to check for available package updates
- Run cfpm update-all to apply all available package updates
- Restart the ColdFusion service to load the updated packages
- Thoroughly validate your application functionality to ensure everything works correctly
Important: Package updates may be required after core hotfixes. Always check after applying updates.
Container and CI/CD Integration
You can integrate cfpm into your Dockerfiles and deployment scripts to automate package management:
# Dockerfile example
FROM adobe/coldfusion:2025
# Install required packages
RUN cfpm install orm,redis,pdfg --acceptEULA \
    && cfpm remove soap,flex \
    && cfpm update-all
# Application code
COPY ./app /app
cfpm Checklist
- Only required packages installed
- Unused packages removed
- All packages updated to latest
- Package list documented
- Update policy defined
- cfpm integrated into deployment scripts
Gotchas
- Package updates may require ColdFusion restart
- Some packages have dependencies on other packages
- Removing a package doesn't clean up all of its files; manual cleanup may be needed
- cfpm requires internet access for updates; configure a proxy if needed
- Package versions are tied to ColdFusion core version
Need Help?
Convective can help plan and implement modular ColdFusion deployments with cfpm. Find out more.