
Use cfpm to Reduce Attack Surface and Footprint

ColdFusion 2025 introduces the ColdFusion Package Manager (cfpm) for modular installation and management of features. Install only what your application needs to minimize security risk and resource usage.

What is cfpm?

cfpm is a command-line tool for managing ColdFusion packages that allows you to:

  • Install only the specific features your application needs instead of a monolithic installation
  • Update individual packages independently of the core platform
  • Remove unused features to reduce your application's attack surface
  • Activate and manage your ColdFusion licenses from the command line

Common Commands

List Packages

# List all installed packages
cfpm list

# List available packages
cfpm search

# List packages with updates available
cfpm list --updates

Install Packages

# Install single package
cfpm install orm --acceptEULA

# Install multiple packages
cfpm install orm,pdfg,redis --acceptEULA

# Install specific version
cfpm install orm@2.0.1 --acceptEULA

Update Packages

# Update ColdFusion core
cfpm update --core

# Update all packages
cfpm update-all

# Update specific package
cfpm update orm

Remove Packages

# Remove unused package
cfpm remove soap

# Remove multiple packages
cfpm remove soap,flex

Common Packages

Here are the key packages you may need to install depending on your application requirements:

  • orm: Hibernate ORM support
  • pdfg: PDF generation and manipulation
  • redis: Redis cache and session storage
  • solr: Apache Solr search integration
  • soap: SOAP web services
  • mongo: MongoDB NoSQL support
  • debugger: Remote debugging tools

Security Best Practices

  • Minimal Installation: Only install the packages your application actually requires
  • Regular Updates: Run cfpm update-all after applying core ColdFusion updates
  • Remove Unused: Promptly uninstall packages that are no longer needed by your application
  • Audit Dependencies: Review your installed packages quarterly to ensure they're still necessary
  • Document Requirements: Maintain documentation of which packages each application depends on
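
The Audit Dependencies and Document Requirements items above can be enforced mechanically. The following shell script is an added example, not part of the original page or of cfpm: it compares a documented allowlist with a list of installed package names and reports drift. The function names, file layout and the input format (one name per line or comma-separated, optionally name@version) are assumptions, since the page does not show what cfpm list prints.

```shell
#!/bin/sh
# Added example (not part of cfpm): fail a build when the installed
# package set drifts from the documented allowlist.

# Reads stdin; emits one lowercase package name per line, sorted, unique.
# Accepts comma- or newline-separated names, "# comments", "name@version".
normalize() {
    sed -e 's/#.*//' | tr ',' '\n' | tr -d ' \t\r' \
        | sed -e 's/@.*//' -e '/^$/d' | tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# audit_packages ALLOWLIST_FILE INSTALLED_FILE
# Prints "unexpected: <pkg>" for installed packages missing from the
# allowlist and "missing: <pkg>" for allowlisted packages not installed.
# Returns 0 when the sets match, 1 on drift, 2 on unreadable input.
audit_packages() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo "usage: audit_packages ALLOWLIST_FILE INSTALLED_FILE" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    normalize < "$1" > "$tmp/allow"
    normalize < "$2" > "$tmp/have"
    # comm needs both inputs sorted in the same collation (C, see above).
    {
        LC_ALL=C comm -13 "$tmp/allow" "$tmp/have" | sed 's/^/unexpected: /'
        LC_ALL=C comm -23 "$tmp/allow" "$tmp/have" | sed 's/^/missing: /'
    } > "$tmp/report"
    cat "$tmp/report"
    if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample data, not real cfpm output.
demo() {
    d=$(mktemp -d) || return 2
    printf '# storefront app\norm\nredis\npdfg\n' > "$d/allow.txt"
    printf 'orm@2.0.1\nredis\nsoap\ndebugger\n' > "$d/installed.txt"
    audit_packages "$d/allow.txt" "$d/installed.txt"; status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "package drift detected" >&2
```

In a pipeline, write the package names reported by cfpm list to the second file and stop the deployment on a non-zero exit status. An unexpected debugger or soap entry on a production image is the kind of drift this catches.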

Update Policy

After every ColdFusion core update, you should check for and apply package updates using this process:

  1. Apply the ColdFusion core update or hotfix
  2. Run cfpm list --updates to check for available package updates
  3. Run cfpm update-all to apply all available package updates
  4. Restart the ColdFusion service to load the updated packages
  5. Thoroughly validate your application functionality to ensure everything works correctly

Important: Package updates may be required after core hotfixes. Always check for package updates after applying a core update or hotfix.

Container and CI/CD Integration

You can integrate cfpm into your Dockerfiles and deployment scripts to automate package management:

# Dockerfile example
FROM adobe/coldfusion:2025

# Install required packages
RUN cfpm install orm,redis,pdfg --acceptEULA \
    && cfpm remove soap,flex \
    && cfpm update-all

# Application code
COPY ./app /app

cfpm Checklist

  • Only required packages installed
  • Unused packages removed
  • All packages updated to latest
  • Package list documented
  • Update policy defined
  • cfpm integrated into deployment scripts

Gotchas

  • Package updates may require a ColdFusion restart
  • Some packages have dependencies on other packages
  • Removing a package doesn't clean up all files; manual cleanup may be needed
  • cfpm requires internet access for updates; configure a proxy if needed
  • Package versions are tied to the ColdFusion core version

Need Help?

Convective can help plan and implement modular ColdFusion deployments with cfpm.