Use cfpm to Reduce Attack Surface and Footprint
Install only what you need, nothing you don't
The ColdFusion Package Manager (cfpm) was introduced in ColdFusion 2021 and significantly enhanced in ColdFusion 2025 for modular installation and management of features. Install only what your application needs to minimize security risk and resource usage.
What is cfpm?
cfpm is a command-line tool for managing ColdFusion packages that allows you to:
- Install only the specific features your application needs instead of a monolithic installation
- Update individual packages independently of the core platform
- Remove unused features to reduce your application's attack surface
- Activate and manage your ColdFusion licenses from the command line
Common Commands
List Packages
# List all installed packages
cfpm list
# List all available packages
cfpm listall
# List packages with updates available
cfpm list --updates
Install Packages
# Install single package
cfpm install orm --acceptEULA
# Install multiple packages
cfpm install orm,pdfg,redis --acceptEULA
# Install specific version
cfpm install orm:2.0.1 --acceptEULA
Update Packages
# Update all packages including core
cfpm update ALL
# Update specific package
cfpm update orm
Remove Packages
# Uninstall unused package
cfpm uninstall soap
# Uninstall multiple packages
cfpm uninstall soap,flex
Common Packages
Here are the key packages you may need to install depending on your application requirements:
- orm: Hibernate ORM support
- pdfg: PDF generation and manipulation
- redis: Redis cache and session storage
- solr: Apache Solr search integration
- soap: SOAP web services
- mongo: MongoDB NoSQL support
- debugger: Remote debugging tools
Security Best Practices
- Minimal Installation: Only install the packages your application actually requires
- Regular Updates: Run cfpm update ALL after applying core ColdFusion updates
- Remove Unused: Promptly uninstall packages that are no longer needed by your application
- Audit Dependencies: Review your installed packages quarterly to ensure they're still necessary
- Document Requirements: Maintain documentation of which packages each application depends on
Update Policy
After every ColdFusion core update, you should check for and apply package updates using this process:
- Apply the ColdFusion core update or hotfix
- Run cfpm list --updates to check for available package updates
- Run cfpm update ALL to apply all available package updates
- Restart the ColdFusion service to load the updated packages
- Thoroughly validate your application functionality to ensure everything works correctly
Container and CI/CD Integration
You can integrate cfpm into your Dockerfiles and deployment scripts to automate package management:
# Dockerfile example
FROM adobecoldfusion/coldfusion2025:latest
# Install required packages
RUN cfpm install orm,redis,pdfg --acceptEULA \
&& cfpm uninstall soap,flex \
&& cfpm update ALL
# Application code
COPY ./app /app
cfpm Checklist
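The "Audit Dependencies" and "Document Requirements" practices above can be scripted into a deployment pipeline. The following POSIX shell audit is an added example, not part of cfpm or the original page: it compares the installed package set with an application's documented allowlist and prints the cfpm commands needed to reconcile them, without running them. It assumes the allowlist is a text file with one package name per line, that `cfpm list` prints one installed package per line with the name as the first field (verify against your own instance), and uses constructed sample lists in place of real output.

```shell
#!/bin/sh
# Audit installed cfpm packages against an application's allowlist.
# Added example; assumptions: allowlist = one package name per line,
# "cfpm list" = one package per line, name in the first field.

# Names in list $1 that are absent from list $2 (both newline-separated).
# The "==" marker separates the two lists on awk's stdin; blank lines are ignored.
_names_not_in() {
  { printf '%s\n' "$2"; echo "=="; printf '%s\n' "$1"; } | awk '
    $1 == "==" { body = 1; next }
    !body && $1 != "" { seen[$1] = 1; next }
    body && $1 != "" && !($1 in seen) { print $1 }'
}

# Installed packages the application does not need: candidates for "cfpm uninstall".
extra_packages()   { _names_not_in "$1" "$2"; }
# Allowlisted packages that are not installed: candidates for "cfpm install".
missing_packages() { _names_not_in "$2" "$1"; }

# Convert a newline-separated list to the comma-separated form cfpm accepts (soap,flex).
to_cfpm_arg() { printf '%s\n' "$1" | awk '$1 != "" { printf "%s%s", (n++ ? "," : ""), $1 }'; }

# Print the remediation commands so the diff is reviewed before anything is removed.
# $1 = installed package list, $2 = allowlist.
audit_packages() {
  extra=$(extra_packages "$1" "$2")
  missing=$(missing_packages "$1" "$2")
  [ -n "$extra" ]   && echo "cfpm uninstall $(to_cfpm_arg "$extra")"
  [ -n "$missing" ] && echo "cfpm install $(to_cfpm_arg "$missing") --acceptEULA"
  [ -z "$extra" ] && [ -z "$missing" ] && echo "package set matches allowlist"
  return 0
}

# Constructed sample data standing in for "cfpm list" output and an allowlist file.
SAMPLE_INSTALLED="orm
pdfg
soap
flex
debugger"
SAMPLE_REQUIRED="orm
pdfg
redis"

# Real use: audit_packages "$(cfpm list | awk '{ print $1 }')" "$(cat packages.allow)"
audit_packages "$SAMPLE_INSTALLED" "$SAMPLE_REQUIRED"
```

Run it as a CI step after the Dockerfile build and fail the pipeline if it prints anything other than "package set matches allowlist", so an image never ships with packages that are not on the application's documented list.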
- Only required packages installed
- Unused packages removed
- All packages updated to latest
- Package list documented
- Update policy defined
- cfpm integrated into deployment scripts
Gotchas
- Restart required: Package updates may require a ColdFusion restart before they take effect
- Package dependencies: Some packages have dependencies on other packages
- Incomplete removal: Removing a package doesn't clean up all of its files; manual cleanup may be needed
- Internet access required: cfpm requires internet access for updates; configure a proxy if your server has no direct access
- Version compatibility: Package versions are tied to ColdFusion core version
Need Help?
Convective can help plan and implement modular ColdFusion deployments with cfpm.