ImageX: The ECA Module: Setting Up Automated Actions For Various Scenarios on Your Drupal Website
Authored by Nadiia Nykolaichuk.
Your Drupal website is an advanced, powerful, and intelligent system capable of performing remarkable tasks. One of them is triggering automatic actions in response to certain events, which opens a treasure trove of options to meet your needs.
Security public service announcements: 3rd Party Libraries and Supply Chains - PSA-2024-06-26
Following on from previous PSAs on 3rd Party code in the Drupal ecosystem:
- PSA-2011-002 - External libraries and plugins
- Various 3rd Party Vulnerabilities - PSA-2019-09-04 | Drupal.org
It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of 3rd party libraries.
Supply chains are increasingly complex, and managing the associated risks is challenging. Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or scanner services. Other relevant tools include CSP and SRI.
Concerns around polyfill.io
The most recent case that has affected some contributed Drupal projects relates to the polyfill.io service.
Recently, a new organization acquired and updated the polyfill.io service. The new service appears to be serving malicious content from the polyfill.io endpoints under specific circumstances.
- https://thehackernews.com/2024/06/over-110000-websites-affected-by.html
- https://sansec.io/research/polyfill-supply-chain-attack
- https://github.com/polyfillpolyfill/polyfill-service/issues/2873
In response to these concerns, several trusted providers of JavaScript libraries are now also serving replacements for the polyfill.io service. Website owners should update their site to incorporate a newer, more reliable source for the polyfill.io files.
- https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
- https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-yo...
On the other hand, the polyfills may no longer be necessary in many cases, and it may be possible to remove them from sites rather than rely on a new source.
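An added example (not part of the PSA or of any Drupal project): a Python audit of rendered page markup that flags scripts loaded from polyfill.io and cross-origin scripts that lack an SRI `integrity` attribute. The sample markup, the example.org/example.net hosts, and all function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the PSA; extend with any other source you no longer trust.
FLAGGED_HOSTS = {"polyfill.io"}


def sri_hash(content: bytes) -> str:
    """Value for the integrity attribute of a script with fixed bytes."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class ScriptAudit(HTMLParser):
    """Records external <script src> tags that need attention."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, src) tuples

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src = attr.get("src")
        if tag != "script" or not src:
            return  # not a script, or an inline script
        # urlparse also handles protocol-relative URLs (//host/path).
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.site_host:
            return  # relative or same-origin
        if any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS):
            self.findings.append(("flagged-host", src))
        elif not attr.get("integrity"):
            self.findings.append(("missing-sri", src))


def audit(html, site_host):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample markup; hosts and paths are made up for illustration.
PINNED = sri_hash(b"console.log('pinned');")
SAMPLE = f"""
<script src="/core/misc/drupal.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/pinned.js" integrity="{PINNED}"></script>
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "www.example.org"))
```

SRI only works when the referenced file's bytes are fixed, so pin a specific version of a library (or self-host it) before generating its hash with `sri_hash`.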
Multiple Drupal projects utilize this service in various ways, several of which require code changes and new releases to switch to alternative providers. As this relates to 3rd party libraries, the Drupal Security Team will not be issuing Security Advisories for these projects and work has been done in the public issue queues (note this may not be a complete list of all affected projects).
There have been significant changes in the way that 3rd party code is utilized in the Drupal ecosystem since PSA-2011-002 linked to above, but the remit of the Drupal Security Team remains limited to code hosted on drupal.org’s systems.
Reported By:
Coordinated By:
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Cathy Theys of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team
- Michael Hess of the Drupal Security Team
The Drop Times: Embracing the AI Revolution: A Drupal Developer's Perspective
Dries Buytaert: Drupal upgrades: tools and workflow
When a new major version of Drupal is released, custom code often requires updates to align with API changes, including the removal of deprecated APIs.
Because I keep forgetting certain aspects of this workflow, I decided to document it for future reference.
Tools overview
| Tool | Interface | Functionality | Target Audience |
| --- | --- | --- | --- |
| Upgrade Status module | UI in Drupal | Identifies deprecated code, hosting environment compatibility, and more | Site administrators and developers |
| Drupal Check | Command-line | Identifies deprecated code | Developers, especially during coding and continuous integration (CI) |

Upgrade Status module
The Upgrade Status module assesses a Drupal site's readiness for major version upgrades by checking for deprecated code and other compatibility issues.
Install the Upgrade Status module like you would install any other Drupal module:
[code bash]$ ddev composer require --dev drupal/upgrade_status[/code]
Here, ddev is the tool I prefer for managing my local development environment. composer is a dependency manager for PHP, commonly used to install Drupal modules. The --dev option specifies that the module should be installed as a development requirement, meaning it is necessary for development environments but not installed on production environments.
Enable the Upgrade Status module:
[code bash]$ ddev drush pm-enable upgrade_status[/code]
drush stands for "Drupal shell" and is a command-line utility for managing Drupal sites. The command pm:enable (where pm stands for "package manager") is used to enable a module in Drupal.
After enabling the module, you can access its features by navigating to the Admin > Reports > Upgrade status page at /admin/reports/upgrade-status.
Upgrading PHP and MySQL using DDEV
The Upgrade Status module might recommend updating PHP and MySQL, per Drupal's system requirements.
To update the PHP version of DDEV, use the following command:
[code bash]$ ddev config --php-version 8.3[/code]
To upgrade the MySQL version of DDEV and migrate your database content, use the following command:
[code bash]$ ddev debug migrate-database mariadb:10.11[/code]
After updating these settings, I restart DDEV and run my PHPUnit tests. Although these tests are integrated into my CI/CD workflow, I also run them locally on my development machine using DDEV for immediate feedback.
Drupal Check
Drupal Check is a command-line tool that scans Drupal projects for deprecated code and compatibility issues.
I always run drupal-check before updating my Drupal site's code and third-party dependencies. This helps ensure there are no compatibility issues with the current codebase before upgrading. I also run drupal-check after the update to identify any new issues introduced by the updated code.
Installation:
[code bash]$ ddev composer require --dev mglaman/drupal-check[/code]
Run Drupal Check from the root of your Drupal installation:
[code bash]$ ./vendor/bin/drupal-check --memory-limit 500M docroot/modules/custom[/code]
I usually have to increase the memory limit, hence the --memory-limit 500M.
Using PHPStan directly
In the future, I'd like to evaluate whether using PHPStan directly is simpler. This is a TODO for myself. Drupal Check is essentially a wrapper around PHPStan, offering default configuration such as automatically running at level 2. To achieve the same result with PHPStan, I should be able to simply run:
[code bash]$ php vendor/bin/phpstan analyze -l 2 docroot/modules/custom[/code]
The Drop Times: Drupal DevDays Burgas Is Here: Insights from Organizers and Speakers
Tag1 Consulting: Tag1's Recap of DrupalCon Portland 2024: Gander, Migrations & Human Connections
At the beginning of May, over a thousand people converged on the Oregon Convention Center in Portland, Oregon, for four days packed with announcements, learning opportunities, and comradery with the larger Drupal community. Among the many attendees, twenty-eight members of the Tag1 Team joined sessions, discussions, and led three impactful presentations – including the introduction of Gander as part of the Initiatives Keynote. Now that our team has slept off the jetlag and unpacked their bags, we’re reflecting on DrupalCon Portland and, specifically, Tag1’s highlights.
Initiatives Keynote: Introducing Gander
Tag1’s Strategic Growth and Innovation Manager, Janez Urevc, was invited to speak as part of the Drupal Project Initiatives Keynote on Day 3 of the conference. Gander was a hit! It was standing room only, and attentive attendees took notes and snagged the links to review more information at a later time. “While I presented at many DrupalCons in the past,” Janez said, “this was my first DrupalCon keynote. I spent significantly more time (and it was more stressful) preparing for those 6.5 minutes than for my entire 45-minute talk. But it was all worth it and I really enjoyed doing it at the end.” Janez introduced Gander, the...
Jeremy Tue, 06/25/2024 - 06:57
Specbee: SAML and OAuth2 - What’s the difference and how to implement in Drupal
Talking Drupal: Talking Drupal #456 - DDEV Grows Up
Today we are talking about DDEV, The DDEV Community, and Its Future Sustainability with guests Randy Fay and Andrew Berry. We’ll also cover DDEV Drupal Contrib as our module of the week.
For show notes visit: www.talkingDrupal.com/456
Topics
- What is DDEV
- In March you posted the DDEV Project Plan for 2024, what is the contributor training initiative
- DDEV has grown rapidly over the past few years, what do you attribute that to
- You seem to be the face of DDEV, who else is involved
- How is DDEV funded
- What happens when you retire
- Does the DDEV Foundation have employees
- What is DDEV coded in
- What is your favorite feature of DDEV
- What is next
- How can people get involved
- DDEV Project 2024 Plans
- DDEV Contributor Live Training
- Scheduling and signup
- DDEV Discord
- Nerdsniping XKCD Comic
- Level one learning xz utils
Andrew Berry - deviantintegral
Hosts
Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi
Randy Fay - rfay
MOTW Correspondent
Martin Anderson-Clutz - mandclu.com mandclu
- Brief description:
- Have you ever wanted a local DDEV environment optimized for working on a Drupal contrib project? There’s a DDEV add-on for that.
- Module name/project name:
- Brief history
- How old: created in Apr 2023 by Moshe Weitzman, a Drupal core maintainer, and according to his resume the first American to contribute to Drupal
- Versions available: 1.0.0-rc8
- Maintainership
- Actively maintained
- Test coverage
- Documentation - Lengthy README
- Number of open issues: 2 open issues, 1 of which is a bug
- Module features and usage
- The add-on adds two ddev commands to help during setup:
- ddev poser creates a temporary composer.contrib.json, adding drupal/core-recommended as a dev dependency. It also runs composer install and yarn install so that all dependencies are available
- The additional ddev symlink-project command adds symlinks from your project files to an expected path within the custom modules directory of the installed version of Drupal
- Once it’s set up, you can easily run tests locally exactly the way they will be run in GitlabCI. It’s also even easier to apply any of the automatic fixes that are available, for example by running ddev phpcbf or ddev eslint with the --fix flag
- You can also commit the generated .ddev directory inside your project, to make it easy for other contributors to use the same tools
- I will note that after running ddev poser I got errors trying to use composer to add any other projects to the local environment, for example to use admin toolbar for manual testing
- That said, this is another great example of how the set of Drupal developer tools is always improving, and also illustrates the power of DDEV’s add-ons
The Drop Times: Momentum for Change
Dear Readers,
Marketing in the open-source community often grapples with a unique set of perceptions and challenges. Traditionally, the open-source ethos values transparency, community collaboration, and accessibility, sometimes viewing commercial activities with scepticism. However, effective marketing is not antithetical to open-source values; it can amplify the reach and impact of projects like Drupal. By embracing strategic marketing, open-source projects can attract a wider audience, ensuring their tools and innovations benefit more users and contributors. This expanded reach helps sustain the project's growth and ensures it remains competitive in a rapidly evolving technological landscape.
The importance of marketing for open-source projects like Drupal cannot be overstated. It is not merely about promoting a product but telling a compelling story that resonates with potential users and contributors. Shawn Perritt, the Brand and Creative Director of Acquia, who is leading the brand refresh, believes that every great idea should live at the intersection of creativity and commerce.
According to Suzanne Dergacheva, the lead of the Promote Drupal team, strategic rebranding and marketing efforts help to refresh Drupal’s image, making it more relatable and appealing. These efforts ensure that Drupal continues to attract diverse contributors who bring fresh perspectives and innovations. The right marketing strategies help articulate Drupal's value proposition, highlighting its robustness, flexibility, and vibrant community, driving adoption and engagement.
The recent Drupal brand refresh, discussed at the Drupal Branding Panel session at DrupalCon Portland 2024, exemplifies how marketing can reinvigorate an open-source project. The rebranding initiative introduces new design elements and a refreshed DrupalCon logo, better capturing the spirit of open source and Drupal’s innovative edge without losing its core values. This strategic rebranding is not just a visual update; it represents a concerted effort to position Drupal as a leading digital experience platform, ensuring its relevance and appeal in the market.
With that, let's move on to the important stories of last week.
Last week, Suzanne Dergacheva, co-founder and strategist at Evolving Web, also the lead of the Promote Drupal Initiative and a member of the Drupal Branding Panel, spoke with The DropTimes. In this interview, Suzanne discusses the ongoing Drupal rebranding efforts. She shares insights into the key factors that prompted the rebranding, the collaborative contributions from the community, and the challenges faced in a competitive landscape. Suzanne also highlights how the new branding strategy aligns with Drupal’s commitment to the open web and the significance of community feedback in shaping the final decisions. This conversation provides a comprehensive overview of the exciting changes underway for Drupal, complementing our earlier interview with Shawn Perritt, about the brand refresh.
Another highlight from last week is that Kazima Abbas, sub-editor of The DropTimes, had the chance to connect with Christina Lockhart, Digital Marketing Manager with the Drupal Association. The interview explores her role in promoting Drupal through digital marketing, her efforts to empower women in the tech community, and her initiatives to support women within the Drupal ecosystem. Christina also shares her insights on ensuring equal access to leadership roles and the potential impact of emerging trends like AI on Drupal's future.
The 20th DrupalJam was celebrated in Utrecht, the Netherlands, with over 330 participants in attendance. This year's event was especially festive, highlighted by a personal keynote from Dries Buytaert. The day featured a variety of engaging presentations, insightful workshops, and stimulating discussions and panels. Esmeralda Braad-Tijhoff shared the key highlights.
The Drupal AI Meetup debuted last week, marking the beginning of a series of quarterly meetups dedicated to exploring the intersection of Drupal and artificial intelligence. This new initiative aims to bring together enthusiasts and experts to delve into the dynamic fusion of these fields, writes Nico Grienauer, the event organiser.
Drupal 10.3 is available now! Drupal has announced the release of Drupal 10.3, the third and final feature release for Drupal 10. This update introduces several new features, including an experimental Navigation user interface, stable Workspaces functionality, and Single-Directory Components support, among others.
A significant development has emerged in the Drupal ecosystem with the announcement of a new AI Initiative module. Reported by Jamie Abrahams from FreelyGive and Marcus Johansson from OSK Berlin, this module aims to consolidate the best features of various AI modules into a comprehensive set of foundational tools for all AI applications in Drupal.
Last week, Drupal introduced a new community Frontend Bundler Initiative to address the lack of a standard method for installing JavaScript dependencies in Drupal. The initiative aims to create a unified approach to managing these dependencies, drawing on discussions and collaborations with key contributors like Lee Rowlands and Théodore Biadala. Additionally, Jürgen Haas announced the release of ECA 2.0.0 for Drupal 10.3 and 11, featuring significant improvements such as dynamic event subscriptions, 74 new plugins, and a comprehensive code clean-up.
Aten Group is hosting a webinar titled "Migrate with Might: Tips and Tricks for Drupal's Migration Tools" on June 26, 2024, at 2 PM EDT. Joel Steidl, VP of Engineering at Aten, will lead the session. The webinar aims to explore Drupal's versatile migration system, which is instrumental in data integration tasks. The DropTimes has released a complete list of Drupal events for this week. Find the guide here.
In interesting news, Lauri Timmanee has joined DrupalCamp Spain 2024 as the featured speaker. The event has also extended its deadline for papers until June 30, 2024, and has opened the call for training proposals. Also, submissions for the 2024 Splash Awards Deutschland und Österreich, honouring outstanding Drupal projects in Germany and Austria, are now open until July 31.
PHPCamp 2024, held on June 8th, was a resounding success. The event stood out with its relaxed atmosphere, where knowledge-sharing, impromptu demos and collaborative problem-solving took centre stage.
amazee.io has partnered with ANNAI Inc. to bring its open-source Platform-as-a-Service (PaaS) to Japan. The company aims to empower local businesses with scalable, flexible application delivery and hosting solutions.
We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now.
To get timely updates, follow us on LinkedIn, Twitter and Facebook. Also, join us on Drupal Slack at #thedroptimes.
Thank you,
Sincerely
Alka Elizabeth
Sub-editor, The DropTimes.