14 Jul 2026

feedDrupal.org aggregator

Matt Glaman: phpstan-drupal 2.1.0: stricter defaults

phpstan-drupal 2.1.0 is out. The theme of this release: rules and behaviors that proved themselves as opt-ins are now the defaults. If you run `composer update` and see new errors, that is the release working as intended - everything below includes the configuration to opt back out.

Nine rules are now enabled by default

These rules shipped as opt-ins over the 2.0 cycle. They have had time to bake, and they catch real bugs, so they no longer require configuration:

14 Jul 2026 5:00pm GMT

Nonprofit Drupal posts: July 2026 Drupal for Nonprofits Chat

Join us THURSDAY, July 16 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone.

Information on joining the meeting can be found in our collaborative Google document.

14 Jul 2026 3:49pm GMT

The Drop Times: Bert Boerland Makes Drupal Sustainability the Focus of Board Candidacy

Boerland links his board candidacy to a question now facing Drupal: how the project can expand institutional support without narrowing the path for contributors, local communities, and site owners.

14 Jul 2026 2:14pm GMT

Specbee: How Drupal support & maintenance services can keep your site secure, fast, and future-ready

Got your Drupal website up and running but haven't figured how to maintain it? Read to find out how you can optimize your site and make it future-ready.

14 Jul 2026 11:09am GMT

The Drop Times: Canonical Report Flags Open Source Supply Chain Gaps

Drupal site security rarely stops at core and module updates. Canonical's survey shows why package provenance, Linux maintenance, and patch ownership remain part of delivery risk.

14 Jul 2026 9:33am GMT

13 Jul 2026

feedDrupal.org aggregator

Talking Drupal: Talking Drupal #560 - Content Sync

Today we are talking about Content, syndication, and Synchronization between Drupal Sites with guest Thiemo Müller. We'll also cover Drupal core 11.4 as our module of the week.

For show notes visit: https://www.talkingDrupal.com/560

Topics

Resources

Guests

Thiemo Müller - content-sync.io thiemo

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Ashraf Abed - drupito.com ashrafabed

MOTW Correspondent

Martin Anderson-Clutz - mandclu.com mandclu

13 Jul 2026 6:00pm GMT

Droptica: Drupal Paragraphs tutorial, part 2: variants, responsive design, spacing, and admin UX

Drupal Paragraphs: Varianten, Abstände & Admin-UX | Droptica

This is the second and final part of a two-part guide to building a component-based corporate website with Drupal Paragraphs. Turn the bare components from part 1 into a flexible, production-grade library with color variants, responsive layouts, spacing controls, conditional fields, and admin UX.

Add style variants with CSS custom properties and Paragraphs behavior plugins, build mobile-first responsive layouts, give editors margin and padding controls, and polish the admin experience with Gin, conditional fields, and smart defaults.

13 Jul 2026 4:25pm GMT

The Drop Times: Drupal Governance, Security, and Automation Updates

Recent Drupal news fits inside a wider question Dries Buytaert raised in his blog post, License-only versus Stewarded Open Source: what turns code that is merely available into infrastructure people can depend on? The distinction is useful because this week's updates are not only about individual announcements. They show the work that sits behind dependable open source: governance, maintenance, security response, shared knowledge, and long-term care.

The 2026 Drupal Association at-large board election brings that work into the governance layer. One community-elected seat on the association's board is now moving through its election cycle, giving individual members a direct role in how Drupal's institutional support is represented. In a project where technical decisions and community structures constantly shape each other, governance is not a background process. It is part of how shared infrastructure is kept accountable.

The same distinction between availability and dependability appears in the ten contributed-project security advisories published on 8 July 2026. Four were rated Critical. Three direct site owners to uninstall unsupported projects, while the fourth addresses SQL injection in Location Selector. Unsupported projects may still exist in repositories and production sites, but that does not make them safe to keep using.

For site teams, the response is practical rather than abstract. Affected modules need to be identified, fixed releases need to be applied where available, and unsupported projects without advisory-listed fixes need to be removed. This is the maintenance layer of open source that rarely attracts attention until something breaks.

ECA crossing 20,000 reported Drupal site installations shows the same issue from the maintainer side. The Event-Condition-Action module allows site builders to model workflows through events, conditions, and actions instead of relying on custom glue code. Adoption at that scale is not just a usage milestone; it changes the weight of future commits, API decisions, and compatibility promises.

In a written response to The DropTimes, project co-founder Jürgen Haas said the milestone changes how he thinks about maintenance responsibility. That is the cost of relevance in practical form. Once a module becomes part of thousands of working sites, its maintainers are no longer only improving a tool. They are helping support a piece of shared infrastructure.

The week's event deadlines extend the same theme into community programming. Pacific Northwest Drupal Summit 2026 is accepting proposals ahead of its October event in Vancouver, British Columbia, while DrupalCamp Italy 2026 has extended its Call for Papers to 31 July 2026 for its one-day camp in Bologna. Event programmes are another support structure for the ecosystem because they turn project work, lessons, failures, and experiments into knowledge others can use.

Taken together, these updates make a selected but coherent brief. They are not the whole week in Drupal, and they are not a ranking of every important story. They are a thread through the work that keeps open source dependable after the code is released: electing representatives, closing security gaps, maintaining widely used modules, and making room for contributors to share what they are learning.

Readers can follow The DropTimes on LinkedIn, Twitter, Bluesky, and Facebook, or join the publication's Drupal Slack channel at #thedroptimes.

(Allen Jason, junior sub-editor at The DropTimes, writes and curates this week's Editor's Pick.)

13 Jul 2026 4:11pm GMT

Droptica: Drupal Paragraphs tutorial, part 1: planning architecture and base types

Drupal Paragraphs tutorial : planifier la bibliothèque | Droptica

This is part 1 of a two-part guide to building a component-based corporate website with Drupal Paragraphs. By the end of the series you'll have a library of 10-12 universal paragraph types with style variants, responsive layouts, and editor-friendly spacing controls.

Plan a reusable component library, set up the Paragraphs module, and build Hero, Text + Image, and Feature Grid paragraph types with Twig templates and CSS.

13 Jul 2026 7:56am GMT

DrupalCon News & Updates: AI in Drupal: from experimentation to real impact

At DrupalCon Rotterdam 2026, AI takes its place at the heart of how modern Drupal platforms are built, integrated, and scaled. The Development, AI & Agentic Architecture track puts that front and centre-focusing on complex architectures, automation, and intelligent systems in real-world environments.

This is not about hype. It's about what's already changing.

AI is moving from experimentation to everyday use-powering intelligent search, automating workflows, enabling personalization, and supporting content creation. It's reshaping how digital teams operate and how platforms deliver value.

But with that power comes responsibility.
In the Drupal ecosystem, AI is being approached with a clear focus on privacy, transparency, accountability, security, resilience, and human control. This is where the conversation gets real-and where Drupal stands out.

From possibility to practice

At DrupalCon, the key question isn't just what AI can do. It's how to use it effectively in complex, production-ready environments.
Teams are actively exploring:

  • How to integrate AI without introducing unnecessary complexity
  • How to protect data while maintaining performance and scalability
  • How to ensure systems remain transparent, governed, and maintainable over time

These are not theoretical challenges-they're critical decisions shaping the next generation of digital platforms.

Why Drupal leads this conversation

Drupal provides a unique foundation for making AI practical.

Here, AI is not explored in isolation, It's applied within structured content models, complex workflows, deep integrations, and strong governance frameworks-all backed by open-source principles.

For attendees, this makes AI more than a trend. It becomes a tangible, actionable part of modern Drupal delivery.

Be part of what's next

DrupalCon Rotterdam 2026 is where AI moves from idea to implementation.

If you want to understand how intelligent systems are being applied in real Drupal projects-and how to use them responsibly and effectively-this is where the conversation happens.

- Article by Daniela Moreira.


🎟️ Join Us at DrupalCon Rotterdam 2026

Continue the conversation at DrupalCon Rotterdam 2026, where the Development, AI & Agentic Architecture track explores the technologies, strategies, and decisions shaping open digital ecosystems.

👉 Register for DrupalCon Rotterdam 2026

13 Jul 2026 7:52am GMT

DDEV Blog: DDEV Xdebug Quickstart with PhpStorm (Video)

Xdebug logo and DDEV logo

Step debugging is one of the first things every developer should master in any language or environment, and it's my opinion that it's just as fundamental as version control. With DDEV, getting Xdebug working with PhpStorm takes less than five minutes and no php.ini fiddling. This screencast shows the whole thing on a TYPO3 project, start to finish.

Watch the Video

What You'll See

The Steps

  1. Install the DDEV Integration plugin from the PhpStorm marketplace (not required, but it handles most of the setup for you)
  2. Set a breakpoint
  3. Tell PhpStorm to listen for PHP debug connections
  4. ddev xdebug on
  5. Visit the page - PhpStorm stops at your breakpoint automatically

That's it. No manual php.ini changes, no fussing with host.docker.internal, no separate Xdebug install.

Works the Same Everywhere

This screencast uses PhpStorm, but the same setup works identically with VS Code, on Linux, and on Windows with WSL2. If you're setting up a new machine, see:

More on Xdebug and DDEV

Xdebug is created and maintained by Derick Rethans. He's been maintaining it for 20+ years. Send money to the Xdebug project!. The DDEV Foundation supports it as an upstream project, you can too.

Learn More

If you have questions, reach out in any of the support channels.

Follow our blog, Bluesky, LinkedIn, Mastodon, and join us on Discord. Sign up for the monthly newsletter.


This article was edited and refined with assistance from Claude Code.

13 Jul 2026 12:00am GMT

10 Jul 2026

feedDrupal.org aggregator

The Drop Times: Mike Gifford: Accessibility Must Move Upstream in Public-Sector Open Source

Accessibility failures often surface after budgets, architecture, and delivery plans are already fixed. Mike Gifford argues that public agencies can reduce that pattern by contributing fixes upstream.

10 Jul 2026 2:22pm GMT

Acquia.com - Drupal Blog: Vibe Coding Drupal: AI as a Reasoning Partner

Discover how to leverage AI as a reasoning partner in Drupal development, moving beyond coding to high-level architecture and system design.

10 Jul 2026 1:49pm GMT

The Drop Times: Giving Content Editors the Display Controls They Deserve with ERVMS for Drupal

Editors often rely on developers for simple display variations. ERVMS moves those decisions into the editorial workflow without changing Drupal's existing display architecture.

10 Jul 2026 11:31am GMT

Golems GABB: Drupal Anti-Spam: NoBotIQ vs CAPTCHA, Honeypot, CleanTalk, and Other Solutions

Drupal Anti-Spam: NoBotIQ vs CAPTCHA, Honeypot, CleanTalk, and Other Solutions Drupal Anti-Spam: NoBotIQ vs CAPTCHA, Honeypot, CleanTalk, and Other Solutions admin

Hi friends! It's been a while since our last article, and you might have been wondering when we'd be back with something new. Thanks for your patience-we're excited to return with a fresh topic that many Drupal site owners, marketers, and developers deal with on a regular basis: spam. Drupal websites can be secure, flexible, and high-performing. But there is one issue that keeps bothering site owners, marketers, and developers again and again. It is spam.

Spam is no longer only about strange messages in a contact form. Today, it can mean fake registrations, low-quality leads, disposable emails, bot-driven submissions, and AI-generated junk content. All of this creates extra moderation work, pollutes your CRM, and wastes your team's time.

That is exactly why Drupal anti-spam protection matters much more now than it did a few years ago.

10 Jul 2026 11:18am GMT

09 Jul 2026

feedDrupal.org aggregator

Dries Buytaert: License-only versus Stewarded Open Source

Near the end of most Open Source licenses, usually in capital letters, sits a clause that disclaims almost everything: no warranty, no liability, use at your own risk.

For an organization that depends on that code, the clause is harsh. If the code fails and takes your data or revenue with it, the license owes you nothing. No fix, no refund, and no one to explain what went wrong.

That is the license doing its job. It makes the code available and protects the people who share it. Without that protection, sharing code could become a gift that backfires: a generous act turned into unlimited legal risk.

But the license can only answer the legal questions: who may use the code, on what terms, and what risk the authors are willing to accept. It cannot tell you what kind of Open Source project you are working with.

Some Open Source is "License-only Open Source": code released under an Open Source license, without active stewardship or any promise of ongoing care. There is no guarantee of updates, fixes, security response, or long-term support.

Other Open Source is "Stewarded Open Source": code cared for as shared infrastructure. Maintainers review contributions, fix bugs, respond to security issues, manage releases, provide long-term support, and much more. Organizations fund maintainers, support core development, donate infrastructure, and absorb costs end users never see.

Both types of projects are Open Source, but they are not the same. A weekend hobby project and business-critical software can ship under the exact same license. Legally, they look identical. Practically, they are worlds apart.

The difference is stewardship. The license makes code available; stewardship makes it dependable. And the more people or organizations depend on a project, the more stewardship it often requires.

Responsibility is the tax on relevance.

Distinguishing license-only from stewarded Open Source gives us the vocabulary to describe two very different realities that the words "Open Source" alone do not capture.

For example, the distinction becomes useful when we talk about contribution. If a company depends on Open Source, should it give back?

For license-only Open Source, the answer can be simple: no one is required to contribute, and that is the point. The code was shared freely, without a promise of care or an expectation of return.

Stewarded Open Source is different. The license may still require nothing, but the work does not happen for free. Someone is paying to keep your code usable, secure, and available. When you depend on that work, the question is not only what the license allows, but who helps carry the responsibilities beyond what the license requires.

The license says use at your own risk. Stewardship is what happens when people decide you should not have to.

09 Jul 2026 9:26pm GMT