Project: Drupal coreDate: 2026-May-20Security risk: Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: SQL injectionAffected versions: >= 8.9.0 < 10.4.10 || >= 10.5.0 < 10.5.10 || >= 10.6.0 < 10.6.9 || >= 11.0.0 < 11.1.10 || >= 11.2.0 < 11.2.12 || >= 11.3.0 < 11.3.10CVE IDs: CVE-2026-9082Description: 

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.

This vulnerability can be exploited by anonymous users.

This vulnerability only affects sites using PostgreSQL. However, the dependency updates in this release apply to all sites.

Upstream security advisories

The Drupal releases for supported branches (11.3, 11.2, 10.6, and 10.5) in this advisory also include security updates for Symfony and Twig. Those projects have released important Security Advisories that were coordinated with this Drupal release, and Drupal is affected by some of the vulnerabilities.

Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules.

Solution: 

Install the latest version.

The following releases will be available as soon as automated release packaging is complete. You may receive a 404 in the interim. The updates may also be available on Packagist sooner.

Drupal 11

• If you use Drupal 11.3.x, update to Drupal 11.3.10.
• If you use Drupal 11.2.x, update to Drupal 11.2.12.
• If you use Drupal 11.1.x or 11.0.x, update to Drupal 11.1.10.

Drupal 10

• If you use Drupal 10.6.x, update to Drupal 10.6.9.
• If you use Drupal 10.5.x, update to Drupal 10.5.10.
• If you use Drupal 10.4.x or earlier, update to Drupal 10.4.10.

Drupal 9 and 8

• If you use any version of Drupal 9, try manually applying the Drupal 9.5 patch for this issue.
• If you use Drupal 8.9, try manually applying the Drupal 8.9 patch for this issue.

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.) Due to this issue's severity, the unsupported releases and patches for unsupported versions are provided as a best effort. Those unsupported versions will still have other, previously disclosed security vulnerabilities.

Reported By: 

• Michael Maturi (michaelmaturi)

Fixed By: 

• Björn Brala (bbrala)
• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Coordinated By: 

• Anna Kalata (akalata) of the Drupal Security Team
• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Heine Deelstra (heine) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Pierre Rudloff (prudloff) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• Cathy Theys (yesct) of the Drupal Security Team

Recently, I contributed an AI-powered Schema.org JSON-LD module to Drupal that uses AI automators to generate Schema.org JSON-LD, building a knowledge graph that improves SEO/AEO by making it easier for machines to understand your website. The module was built with AI in 4 days, whereas the Schema.org Blueprints module with a similar goal took 4 years. I have been so shocked by how efficiently AI can code and build software that I realized, "AI ate my work, and I need to be okay with that." I wrote about how I am adjusting to this new "AI" normal.

A slightly different reckoning is unfolding for our websites because AI is consuming our content, thereby reducing traffic. Providing Schema.org JSON-LD is one way to feed the machines. AIs are becoming the front page of most websites. To adapt to this new "AI" normal, where an AI is the gatekeeper to your website, we need to evolve our approach to building and managing our websites.

Adaptation

Personally, "adaptation" feels like the right word to describe the challenge and change we, developers, site builders, managers, and owners, are facing right now. Adaptation is forced upon us by external constraints or opportunities, depending on your point of view, to evolve our approach to building and sharing information. There is a much larger discussion about the impact of AI on who we are, what we are building, and how we build. For now, I want to focus on what Drupal-built websites need to consider to adapt and keep up with the rapidly evolving digital landscape, which is largely out of our control.

Out of our control

How AIs are consuming our websites is out of our control. If you look back at how websites continually bent and tweaked to get a bump in page ranking, implementing now-defunct things like AMP (Accelerated Mobile Pages) because Google told us to,...Read More

The Drupal Security Team has released SA-CORE-2026-004, confirming that the highly critical issue previewed in yesterday’s advance advisory is an anonymous SQL injection vulnerability affecting Drupal sites running PostgreSQL databases. The flaw, tracked as CVE-2026-9082, exists in Drupal core’s database abstraction API and can lead to information disclosure, privilege escalation, and potentially remote code execution. The coordinated release also includes upstream Symfony and Twig security fixes, prompting update recommendations for all supported Drupal installations regardless of database configuration.

Last week at Drupal South, Pamela Barone delivered a keynote on Drupal CMS. Her talk is one of the clearest articulations I've seen of what Drupal CMS is, why it exists, and where it's headed. That shouldn't come as a surprise because Pam is the Product Lead for Drupal CMS.

Pam quoted a familiar Drupal saying: Drupal makes hard things possible, but it also makes easy things hard.. The room laughed because it's true.

Her keynote makes the case that Drupal CMS is making Drupal easier across the board: visual page editing, a gentler on ramp for new developers, and project economics that finally work for smaller budgets. Larger organizations such as universities, governments, and Fortune 2000 companies want those same advantages, which is why Drupal CMS matters at every scale.

Pam also explains how Drupal CMS sits on top of Drupal Core, why it is not a Drupal distribution, how it gives digital agencies leverage, what site templates unlock, and how Drupal Canvas reshapes the page building experience.

If you watch one Drupal video this week, make it Pam's!

Now that some drupal.org projects are having their issue queues moved to Gitlab , this is probably a good time to start getting used to the new interface and all the new functionality. This quicktip covers two important bits that I think most Drupal contributors will want to take note of. Enable notifications If you're an active contributor, then you probably depend on the email notifications that have been sent out by drupal.org when an issue that you're involved in or following has an update. If you're expecting this to just work with Gitlab, you should probably be aware that by default , Gitlab notifications will be configured to be sent to a "no-reply.drupal.org" email address for your Drupal user account - in other words, you won't be getting any notifications. You can easily change this by visiting https://git.drupalcode.org/-/profile/notifications and changing your Global notification email : This page also has (much) more granular notification settings, but for most users

Your Website Will Be Attacked. Here's How We Make Sure You Survive It. John Locke Tue, 05/19/2026 - 09:00 The question used to be whether your website would face a serious security threat. That question has been answered. The question now is whether you'll be ready when it happens — and whether you can recover cleanly when something gets through. Sustainable/Open Business

• Read more about Your Website Will Be Attacked. Here's How We Make Sure You Survive It.
• Add new comment

We are proud to share that the Drupal Association has been awarded a grant from the Alpha-Omega Project, a project of The Linux Foundation, which seeks to help open source projects identify and mitigate security vulnerabilities.

As AI-generated commits and AI-driven security threats become the norm, open-source ecosystems must evolve rapidly. This funding directly strengthens the already mature Drupal Security Team, ensuring our core ecosystem is hardened against the modern, AI-age vulnerabilities.

The funding provided by Alpha-Omega will enable the Drupal Security Team to build the program we need to stay ahead in this fast moving environment. Drupal’s already excellent security position will be even better going forward.

~ Tim Doyle, CEO at Drupal Association.

Security has been a defining pillar of the Drupal ecosystem. This collaboration with the Alpha-Omega Project underscores our ongoing commitment to open-source resilience, solidifying Drupal's position as the gold standard for secure enterprise content management.

Drupal is, and will continue to be, one of the most secure CMS platforms in the world.

Python has become central to AI systems, automation workflows and data processing, increasing demand for reliable integrations between Drupal and external developer ecosystems. In this contributed article, Drupal architect Vincenzo Gambino discusses the Python ports of Drupal API Client and Drupal JSON:API Params, explaining how cross-language tooling can help Drupal integrate more effectively with AI applications, headless architectures and modern development workflows.

Is your Drupal website silently accumulating security, performance, or scalability risks? Check out the essential Drupal maintenance best practices enterprises use to keep Drupal 11 websites secure and efficient.

The Rules Have Changed: Security in the Age of AI-Assisted Attacks John Locke Mon, 05/18/2026 - 19:00 Security is getting dramatically harder and more expensive. AI is simultaneously driving an explosion in vulnerability discovery and weaponizing the exploits that follow. The question for every organization with anything online is no longer whether to invest in resilience — it's whether that investment is already in place before the next incident arrives. Dev Corner

• Read more about The Rules Have Changed: Security in the Age of AI-Assisted Attacks
• Add new comment

We're thrilled and thankful to announce that Upsun has completed the transfer of the DDEV trademarks to the DDEV Foundation.

The DDEV Foundation now owns the DDEV name outright, and DDEV's name and identity belong to its community.

A Long Story With a Happy Ending

When we were on the verge of losing the right to use the name "DDEV" several years ago, Platform.sh (now Upsun) stepped in to acquire and hold the trademark on the project's behalf. That act of generosity kept the project alive under its own name. Since then, as documented in our December 2025 post, Upsun had been in the process of transferring that trademark to the DDEV Foundation as the foundation matured into a stable home for the project.

That transfer is now complete.

What This Means

The DDEV Foundation is the independent, community-governed home for the DDEV project. With the trademark in the foundation's hands, DDEV's governance and identity are fully decoupled from any corporate sponsor.

This is exactly the kind of long-term resilience that open-source projects need to thrive across decades, not just years.

You can learn more about the foundation's structure, board, finances, and mission at ddev.com/foundation.

Thank You, Upsun

Upsun/Platform.sh has done so much for this project over the years:

• Rescued the DDEV trademark when it was at risk
• Sponsored DDEV at a lead level for several years, funding core development
• Held and maintained the trademark until the foundation was ready to receive it
• Completed this transfer now, with no strings attached
• Continued sponsoring DDEV at $1,000/month level!

This is a real contribution to the open-source ecosystem, and we're grateful for it.

The Foundation Still Needs Your Support

Trademark ownership is a milestone, but it doesn't pay for development. The DDEV Foundation funds the developers who maintain the project you rely on every day — and we still have a funding gap.

We're excited that we've made it to 78% of our monthly sponsorship goal. Here's how you can help to get us over the top:

• GitHub Sponsors — Fast and flexible, any amount, personal or organizational
• Support contracts — Priority support while funding the project
• Custom invoicing — We work with your procurement process
• One-time contributions — Always welcome

Contact us to talk through what works for your organization, or join the conversation in Discord.

DDEV serves about 20,000 developers every week. Your sponsorship keeps it maintained, secure, and growing.

Claude Code assisted with editing for this post.

Join us THURSDAY, May 21 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document at https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone.

Information on joining the meeting can be found in our collaborative Google document.

Build a custom AI agent in Drupal Canvas to score news article engagement and suggest readability improvements.

Date: 2026-May-18Description: 

There will be a Drupal core security release for all supported branches on May 20, 2026, between 17:00 and 21:00 UTC. (To see this in your local timezone, refer to the Drupal Core Calendar.) The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days.

The risk is currently rated as:
Highly critical 20 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon.

Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.

We recommend updating to the latest supported patch (bugfix) release for your site's version of Drupal before May 20, so that you can address any other upgrade issues before the security window. (Recommendations for specific Drupal versions follow.)

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected from known attack vectors, but should upgrade in the near future in case additional attack vectors are discovered.

Affected versions Supported core versions

Security releases will be provided for all the currently supported branches of Drupal core, which are:

• 11.3.x
• 11.2.x
• 10.6.x
• 10.5.x

Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window.

End-of-life minor core versions (Drupal 10 and 11)

While the Drupal Security Team does not normally provide security releases for unsupported releases, given the severity of the issue, we are providing 11.1.x and 10.4.x releases that include the fix for sites which have not yet had a chance to update. Therefore, in advance of the window:

• Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9.
• Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9.

These sites should apply the security update as soon as it is released on May 20, then plan to update to Drupal 11.3 or 10.6 in the near future. (Two other recent security advisories, SA-CORE-2026-001 and SA-CORE-2026-002, will not be addressed for 11.1 or 10.4.)

End-of-life major core versions (Drupal 8 and 9)

These major versions are fully end-of-life, so no releases will be created for these branches. However, given the potential severity of this issue, we will provide patch files for Drupal 8.9 and 9.5.

These patches must be applied manually. They are not guaranteed to work correctly, and might introduce other bugs or regressions. However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release.

For the best chance of the patches being applied successfully:

• Sites on any version of Drupal 9 should update to Drupal 9.5.11.
• Sites on any version of Drupal 8 should update to Drupal 8.9.20\.

We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.

Drupal 7 is not affected.

Disclosure policy

Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, on Bluesky, Mastodon, X (formerly Twitter), and LinkedIn, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on Drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Security release announcements will appear on the Drupal.org security advisory page which also has RSS feeds.

Coordinated By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• catch (catch) of the Drupal Security Team
• cilefen (cilefen) of the Drupal Security Team
• Damien McKenna (damienmckenna) of the Drupal Security Team
• Neil Drumm (drumm) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Tim Hestenes Lehnen (hestenet)
• Lee Rowlands (larowlan) of the Drupal Security Team
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team

Today we are talking about The Open Web, What it means, and Why it's important with guest Alex Moreno. We'll also cover AI Schema.org JSON-LD as our module of the week.

For show notes visit: https://www.talkingDrupal.com/553

Topics

• Defining the Open Web
• Drupal in a Bubble
• Marketing and PR Challenges
• AI Bias Against Drupal
• Why AI Won't Recommend Drupal
• Is Drupal AI Native
• Marketing Against Giants
• Local Evangelism Push
• Funding Outreach Trips
• Drupal CMS PR Gap
• Templates Lower Barriers
• Need a Drupal Onramp
• Speaking Beyond Drupal
• Web Summit Lessons
• Sell Problems Not Drupal
• Rethinking DrupalCon
• Camps and New Audiences
• Marketplace Ecosystem Idea
• Wrap Up and Contacts

Resources

• Drupalcamp Grenoble 2026 - Bursting the bubble
• Drupal Iberia keynote
• Schema dot org
• Drupal is Great! Its Perception Might Not be
• TD Cafe - Caching

Guests

Alex Moreno - alexmoreno

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Bernardo Martinez - bernardm28

MOTW Correspondent

Jacob Rockowitz - jrockowitz.com jrockowitz

• Brief description:
  • The AI Schema.org JSON-LD module provides a straightforward way to send a prompt — including a webpage's content and data, along with instructions and requirements — to an AI provider and receive a response containing valid Schema.org JSON-LD for saving and embedding in a webpage. It's a "glue module" that combines AI Automators, Field Widget Actions, and JSON Field to create an AI-powered Schema.org JSON-LD field for content entities.
• Module name/project name:
  • AI Schema.org JSON-LD
• Brief history
  • How old: Created in April 2026 by jrockowitz (Jacob Rockowitz) of The Big Blue House
  • Versions available: 1.0.0-alpha1 (requires Drupal ^11.3); 1.0.x-dev branch also available
• Maintainership
  • Actively maintained Yes — updated as recently as April 30, 2026
  • Security coverage No — not currently covered by Drupal's security advisory policy; use at your own risk
  • Test coverage The module notes that all contributed code must include test coverage, though it is early alpha
  • Documentation Yes — the project page includes setup instructions, implementation guidance, philosophy, and a 2-minute demo video on YouTube
  • Number of open issues: 0 open issues, 0 of which are bugs against the current branch
• Usage stats:
  • 1 site currently reporting use of this module
• Module features and usage
  • Adds a native JSON "Schema.org JSON-LD" field to content entities (nodes, media, taxonomy terms)
  • Field is populated via an AI automator triggered by a Field Widget Action, keeping a human in the review loop before saving
  • Stores Schema.org JSON-LD as native JSON data, creating a fully queryable knowledge graph for the site
  • Works with complex nested content structures (paragraphs, components) by having AI parse and generate the structured data
  • Includes an optional sub-module for logging prompts and AI responses for human and AI review and iterative improvement
  • Configurable per entity type/bundle via UI, Drush, or Drupal recipe
  • Philosophy: "Use AI to build a tool that helps AI understand your website while always keeping a human in the loop"
  • Built using AI coding agents (Claude and Codex), with community contributions encouraged — especially around crafting and sharing optimal prompts

Among last week’s more closely watched Drupal business developments was a new initiative from Acquia that directs 2% of eligible partner-driven transactions to the Drupal Association. The contribution is built into Acquia’s updated partner programme and funded by the company itself, meaning partner incentives and customer pricing remain unchanged.

What drew attention across the community was not simply the contribution percentage, but the way the programme has been structured. Drupal funding conversations have often returned to the same pressure points around sponsorship cycles, institutional support, and long-term maintenance responsibilities. Acquia’s framing moves that discussion toward routine commercial activity rather than a separate community-facing commitment.

Both James Sims and Dries Buytaert described the initiative in terms of continuity and alignment rather than philanthropy. Their comments pointed to the same underlying argument: if commercial Drupal activity continues to scale, support structures around the project may also need models that scale more predictably alongside it.

Whether similar approaches emerge elsewhere remains uncertain. For years, much of Drupal’s organisational support has depended on periodic sponsorships and voluntary reinvestment. Acquia’s model, in contrast, ties funding directly to ongoing commercial activity, introducing a level of predictability that community funding discussions have often lacked.

With that said, here’s what else The Drop Times covered across the Drupal community last week.

DISCOVER DRUPAL

• Nick Opris Develops Daily Digest for Drupal AI Initiative Activity
• Apex AI 2.0 Expands Drupal AI Integration With Multi-Provider Orchestration
• Drupal AI Context CCC Beta 2 Expands Governed AI Workflow Capabilities
• UI Suite Monthly #35 Highlights Translation Support, Core APIs, and AI-Assisted Display Building
• Display Builder for Drupal Adds Component-Driven Entity Display Management

ORGANIZATION NEWS

• Acquia Launches Fair Trade Initiative Linking Partner Revenue to Drupal Association Funding

OBITUARY

• Drupal Community Mourns the Loss of Alanna Burke

BLOG

• Dominique De Cooman Proposes Athena Milestone for Drupal AI Initiative

EVENT

• Drupal Community Invited to Participate in The DropTimes Townhall Discussions
• DrupalSouth Announces 2026 Splash Awards Winners
• Centarro Webinar to Examine Drupal Commerce Performance Bottlenecks
• LocalGov Drupal Camp 2026 to Focus on AI Governance, Open Standards and Council Collaboration
• Montréal Drupal Meetup to Feature AI Governance and Drupal 11 Integration Demo
• Acquia Engage London 2026 Set for 18–19 May

Additional developments from across the Drupal ecosystem were published during the week. Readers can follow The Drop Times on LinkedIn, Twitter, Bluesky, and Facebook for ongoing updates. The publication is also active on Drupal Slack in the #thedroptimes channel.

Kazima Abbas
Sub-editor
The Drop Times

Enterprise Drupal projects increasingly intersect with automation systems, cloud infrastructure, decoupled frontend development, and AI-assisted workflows as Drupal 11 adoption continues across larger platforms. Ongoing community discussions and architectural shifts around modern PHP, API-driven systems, and platform engineering also continue to expand the technical scope of Drupal development work.

The Architecture That Changed the Game: Modeler API Jürgen Haas Mon 18 May 2026 - 12:10

The Modeler API completes the architectural separation between model owners (systems like ECA and Migrate) and modelers (visual UIs like BPMN.iO and Workflow Modeler). Module maintainers can now offer visual configuration without building custom UIs. The API automatically provides routing, permissions, save orchestration, import/export, testing, and Drush commands. This is infrastructure that compounds: 4 model owners × 3 modelers = 12 working combinations with zero glue code. Each new model owner makes every modeler more valuable, and vice versa. Designed at DrupalCon Atlanta in early 2025 and developed in the following months, the Modeler API positions Drupal ahead of competitors with architecture for visual configuration of any complex system.

TL;DR This 30-minute video shows DDEV from zero to everything on a completely blank new MacBook Neo (exactly the same on any macOS device.)

Using Windows or Linux? See DDEV on Windows in 10 Minutes, DDEV on WSL2 from Scratch, or DDEV on Linux in 10 Minutes.

DDEV is a local development environment based on Docker containers that gets you up and working on your project fast. When you’re ready for additional configuration and customization, you won’t be starting from scratch and can lean on the expertise of the DDEV community.

In this screencast we walk through installing Homebrew, setting up OrbStack as a Docker provider, installing DDEV, and getting started with a basic project — all on a brand-new MacBook Neo with only 8GB of RAM. We use a Composer-managed Drupal 11 project as an example, and also cover setting up Xdebug with both PhpStorm and VS Code. The presentation slides are also available.

After watching this tutorial, you’ll be able to run websites on your computer with minimal configuration and have multiple sites with different configurations available locally, all because Docker does the heavy lifting while DDEV does the simplifying. Whether you’re a solo engineer or a member of a team, DDEV will help you be more efficient.

This screencast references the regular DDEV documentation:

• DDEV Installation
• Using the CLI
• Drupal 11 Quickstart
• Step Debugging with Xdebug
• Support: DDEV Discord, Drupal Slack #ddev channel: See Support docs
• DDEV Project Repository and issue queue

Here’s the video table of contents (opens in YouTube):

• What is DDEV (1:00)
• Install Homebrew (3:01)
• Install Docker provider (OrbStack) (5:07)
• Install DDEV (7:54)
• Create a trivial "junk" project (9:03)
• Create a Drupal 11 project (11:42)
• Learn a few DDEV commands (15:35)
• Xdebug with PhpStorm (18:51)
• Xdebug with VS Code (24:40)
• DDEV Resources (30:40)

I saw two thoughtful posts in my LinkedIn feed over the last week that I wanted to reshare here before the LinkedIn feed buried them. Both were spot on, honest, and deserve a longer shelf life.

The first was from Hynek Naceradsky:

I'm pissed.

Not at Drupal. At the people confidently hating on it without ever having understood what it actually does.

"Drupal is outdated." "Drupal is too complex." "Nobody uses Drupal anymore."

Tell that to the EU institutions, governments, universities, and enterprises quietly running mission-critical platforms on it.

Here is what actually gets me though: the Drupal community lets this narrative win.

I am guilty of this too.

We literally have thousands of contributed modules, maintained for free, by people who owe you absolutely nothing. The security team responds faster than most paid vendors. The community has been showing up for 20+ years.

And yet we're somehow losing the PR war to frameworks that can't handle a proper content workflow without three paid plugins and a prayer.

Drupal people: talk louder. Write the posts. Go to the meetups. Tell the stories, fight for Drupal.

Because the Drupal community is honestly the best thing in Open Source, and both it and Drupal deserve way better than silence.

The second was from Thomas Scola, writing from a Drupal AI event in New York (lightly trimmed):

I overheard a couple people say, "Drupal? Is that still around?"

Hell yes it is.

And not only is it still around, I'd argue pretty heavily that Drupal is uniquely positioned for what comes next with the agentic web.

API-first before API-first was cool and trendy. Structured content that actually makes sense. Mature permissions, workflows, governance, integrations.

A lot of platforms are now scrambling to figure out how AI fits into what they already built.

Drupal doesn't have to force it. The architecture has been there.

But honestly, the tech is only part of it. The community is what always gets me. The people, passion and innovation. [...]

What comes next? Who knows.

But if I'm betting on a community to adapt, build, and help define that future, I'm putting my money on this one, and on what we've all built together.

For a platform people love to ask if it's "still around", it feels more relevant than ever.

I could not agree more with both posts. Drupal is one of the strongest Open Source platforms out there right now, but too few people realize it. The Drupal community has been modernizing the platform faster than its reputation evolves.

If the loudest narrative about Drupal is that it is outdated, people will keep repeating it, even when it is wrong. AI systems will too, because they absorb the same narratives, blog posts, forum threads, and social chatter the rest of the industry does.

The danger is not just that Drupal is misunderstood today. It is that the gap between what Drupal actually is and how people perceive it may be growing, not shrinking.

The narratives we reinforce today become part of how AI describes Drupal tomorrow. Drupal's silence today becomes tomorrow's AI consensus.

So if you're in the Drupal community, take Hynek's advice and help set the record straight. Not for AI, but for people. Write about the great work happening in Drupal: share the case studies, the technical breakthroughs, the AI innovation, and the hard problems being solved every day.

I know many people in Open Source dislike marketing or self-promotion. I do too, sometimes. But if we don't document what is great about Drupal, others will define Drupal for us.

Every accurate case study, technical blog post, demo, or success story helps future developers, evaluators, and AI systems understand what Drupal actually is.

Drupal does not need hype. It needs a better public record.