What's Going on with EditTogether? demet Wed, 02/19/2025 - 15:13

A February 2025 update on Palantir’s module for real-time, secure collaborative editing in Drupal
 

In 2023, Palantir’s team started building EditTogether — a field-level content collaboration framework for Drupal 10 and 11 which uses the Yjs shared editing framework to facilitate real-time field-level collaboration using peer-to-peer WebRTC connections.

EditTogether enables users to change content collaboratively on node edit forms in real time, and do so securely. To ensure data privacy, content does not go into a third-party cloud. Instead the module leverages STUN/TURN, signaling server microservices, and Javascript so your data does not need to leave the browser for you to edit it together. EditTogether is in use and usable today.

During this private beta phase, we have been developing, demoing, and listening to users. This has helped us identify the minimum viable features needed for initial backend and front-end use (the project's MVP release). We spoke to a dozen publishing departments and agencies over the Fall of 2024, gaining insight on features to ship with MVP, and features that have enough interest to attend to after an initial community release. People are looking to suggest and approve edits, mention a user, track changes, do external pre-publishing review, and view changelogs.

Members of Palantir’s team will present demos at Florida DrupalCamp and DrupalCon Atlanta – come see it for yourself! We’re also available to offer private demos upon request.

Only one end-user-facing feature is blocking us from MVP release: the ability to draft content collaboratively on any field (currently, seven fields are enabled). Additionally, before public launch we will need to address various end-user UX and accessibility requirements, allow for mitigation of conflicting edits in edge-case scenarios, and enable back-end tooling sovereignty by making it possible to use EditTogether with the microservices of your choosing.

The current and launch state feature workflow of EditTogether

EditTogether workflow roadmap. PDF version available.

While demoing, we heard functional questions about what EditTogether does natively versus what other modules support. You can read our FAQ if you want deeper technical answers, but here are answers to some frequent questions folks have asked:

• When will it be released publicly? 
  EditTogether will be released as a fully open source module only once it’s at a viable MVP that enables self-managed use. We had initially targeted a Q4 2024/Q1 2025 release, but the pace has slowed and our work continues on it as we are able. While the initial development work on EditTogether was sponsored by one of our clients, since last summer it has been self-funded by Palantir. 
• How can I help? 
  We’re seeking organizations that want to use EditTogether as part of the Early Access program (we’ll install and configure so you can use the module as it is) and/or are able to sponsor feature development.  Such early support is also an important indicator that there is sufficient commercial interest to sustain the ongoing development and module maintenance necessary to justify Palantir’s continued investment in EditTogether. We are not looking for development assistance at this time.
• Can I edit in a private draft before opening it up to my colleagues to view, comment, and collaborate on? 
  Yes, you can set the visibility status of your draft content using Content Moderation and Workbench Approver. Naturally, some teams may prefer people to draft in a different tool altogether, then copy into EditTogether once they are ready to collaborate.
• Can I use Paragraphs, Layout Builder, or Experience Builder to lay out and comment on placement as well as content? 
  Currently, EditTogether works with Paragraphs, but we expect to see that capability expand after community release since EditTogether is built to be plugin extensible.
• What about my stakeholders (who avoid Drupal) who need to review and want to suggest edits to content? 
  Today, EditTogether works with Workflows, Workbench Approver and Content Moderation for users within the logged-in workflow. We have heard an interest in creating views for users to review, comment, and suggest changes outside of the editor experience, which are features we expect to see developed after community release.
• How does EditTogether align with Drupal CMS? 
  EditTogether’s architecture is designed to integrate natively with other Drupal subsystems and modules. We are actively monitoring innovations in the larger Drupal ecosystem - especially with content moderation, workspaces, and Experience Builder (XB) for Drupal CMS. The rapidly evolving and emergent nature of these developments has also influenced our decision to slow down our timeline to allow time for the broader Drupal decisions to shake out so that we release a module compatible with the future of Drupal.  
   

Attending conferences is essential for refueling and recharging your business —  and DrupalCon Atlanta 2025 is the perfect opportunity to do just that. Taking place 24-27 March, this event is a must for agency and business owners looking to gain fresh insights, connect with industry peers, and explore potential partnerships. 

DrupalCon gathers nearly 1,500 participants from the global Drupal community — people who use Drupal or build digital experiences with it. Whether you already have a Drupal-powered website or are searching for a robust enterprise-level open-source CMS, DrupalCon Atlanta will offer valuable perspectives. You’ll hear from Drupal leaders about the latest advancements and how they can enhance your online impact.

But DrupalCon isn’t just about technology — it’s also about strategy, leadership, and growth. Beyond Drupal-focused sessions, you’ll find insights on topics like building strong teams and navigating business challenges. Let’s dive into some key sessions — both Drupal and beyond — that might be of specific interest to you as an agency or business owner.

Top sessions for agency and business owners at DrupalCon Atlanta 2025

“What the WordPress Conflict Means for Open Source Businesses” — by George DeMet

Open-source software is a smart choice for businesses because it’s free to use, highly customizable, and backed by a vibrant community that drives continuous innovation. It offers freedom, flexibility, and the ability to tailor solutions to specific needs — without being locked into a single software vendor.

A recent dispute between WordPress founder Matt Mullenweg and WP Engine sparked important discussions in all open-source communities. WordPress and Drupal are both well-known open-source CMSs, so it’s no surprise that the Drupal community has been following the debate closely. Beyond the immediate conflict, this debate raised deeper questions about the social and philosophical responsibilities of open-source software.

What does this mean for agencies and businesses that rely on open-source platforms and tools? Join this DrupalCon 2025 session by George DeMet (gdemet) to explore this topic. Through the lens of social contract theory, George will examine the obligations of maintainers, contributors, and companies.

This session will explore how communities like Drupal have addressed challenges like this, the lessons learned, and practical strategies for fostering a sustainable and cooperative future — one where both businesses and developers can thrive in open source.

“AI with Drupal - Using LLM technology is easy, but how do you actually build useful applications?” — by Christoph Breidert

AI tools like ChatGPT are easy to use, and integrating them with Drupal websites has long since become a streamlined practice. But what about taking AI further — building custom applications that would fit your specific business goals?

These apps can be built based on Large Language Models (LLMs). Welcome to the session by Christoph Breidert (breidert) to discover how LLMs work, the public models available, how to use them effectively, what potential challenges you may encounter, and when customization is needed.

This DrupalCon Atlanta 2025 session will be focused on two robust techniques that improve the accuracy and relevance of AI apps:

• In-context learning. This allows AI models like GPT to adapt to the current context it’s given during a conversation with no need for any formal retraining.
• RAG (Retrieval Augmented Generation). This combines the power of retrieving relevant information from external sources with the AI’s ability to generate content.

For maximum usefulness and interactivity, the session will feature an exciting demo and a lively brainstorming process on various AI use cases. The session description assures that attendees of all experience levels can follow along.

“The Neurodivergency SuperPower - How Diverse Teams Function Better” — by Matthew Saunders

Embracing diversity — including neurodiversity — is key to building successful teams. This approach has benefits you might not have thought of. Find out how neurodivergent team members can enhance collaboration and spark innovation in the session by Matthew Saunders (matthewS).

Neurodivergent individuals, such as those with ADHD, autism, dyslexia, and other cognitive differences, bring fresh perspectives and unique problem-solving abilities that can strengthen your team. From heightened attention to detail to creative thinking, these individuals contribute valuable skills that drive productivity and foster a more inclusive, empathetic team culture. 

Matthew will share personal insights and research to help you understand how to support and empower neurodiverse team members. You’ll learn practical strategies for creating neuro-inclusive work environments that enable every team member to thrive and contribute their best. Embracing cognitive diversity not only improves team dynamics but also leads to better outcomes and long-term success.

“Using Your Superpowers to Lead in a Male-Dominated Industry” — by Shanice Ortiz, Theresa Jacobs, Elia Milán, and Adam Erickson

Despite progress, women leaders still face challenges in male-dominated industries. Here comes a great chance to gain insights and inspiration to challenge traditional gender norms and embrace the strengths that make you a great leader. You can do it by attending this DrupalCon Atlanta session. 

Shanice Ortiz (shaortiz728), Theresa Jacobs (tgjacobs), Elia Milán (elia.milan), and Adam Erickson (americkson) will speak about their journeys to leadership and explore challenges and opportunities in this realm. They will discuss their experiences navigating gender expectations, overcoming imposter syndrome, and breaking stereotypes.

Through personal stories, they will share insights on developing an authentic leadership style and fostering high-performing, inclusive teams. You’ll leave with renewed confidence in your ability to lead with purpose and empower your team. This DrupalCon Atlanta 2025 session isn’t just for women in leadership — it could also be valuable for men who want to better understand these barriers and contribute to a more inclusive, collaborative, and thriving workplace.

“Scaling quality mental health support in low income settings with two UN agencies” — by Elaman Imashov

Here’s a success story showcasing how Drupal powers a truly impactful social initiative. EQUIP (Ensuring Quality in Psychological Support), a World Health Organization & UNICEF project, is addressing a critical issue through a digital platform built as a Drupal-based Progressive Web App (PWA).

Mental health support is essential worldwide, yet many communities lack access to proper training and assessments. The mission of EQUIP is to deliver them in low and middle-income settings with low connectivity. By March 2024, this digital platform had been used in 794 training programs in 36 countries, delivering 10,000+ competency assessments.

Elaman Imashov (elaman) will take you through the journey of EQUIP’s development. This session will be a full case study. It will cover key aspects such as the project’s background, the reasons for choosing a Drupal PWA, the technical stack, the process of feature prioritization, the project’s impact via a wide range of delivery organizations, and much more.

This could inspire you to launch a meaningful social project supported by the power of Drupal or take your existing nonprofit website to the next level.

“IXP-Fellowship: Using Contribution Credits to encourage organizations to hire new Drupal talent” — by Michael Anello, Carlos Ospina, and Ana Laura Coto Tristan

If you're a Drupal development agency, you might want to know about a fantastic opportunity to hire the next generation of enthusiastic Drupal talent. By bringing fresh developers onto your team, you not only contribute to Drupal’s growth but also earn valuable drupal.org credits. Credits represent a solid reputation and recognition for your organization. This can lead to increased trust from clients, improved collaborations, and more growth opportunities.

If you want to know more about it, join the session by Michael Anello (ultimike), Carlos Ospina (Camoa), and Ana Laura Coto Tristan. They will uncover a Drupal community initiative called IXP-Fellowship. It encourages organizations to hire and mentor new talent by using Drupal’s contribution credit system. This helps aspiring Drupal developers land their first paid roles, bridging the gap between learning and real-world experience.

The speakers will walk you through the program’s goals, and the progress made so far, and tell you more details about how your Drupal agency or organization can benefit from getting involved.

Driesnote by Dries Buytaert

The Driesnote at DrupalCon Atlanta is more than just a keynote — it’s a roadmap for the future of Drupal. Dries Buytaert, Drupal’s founder, will unveil the latest insights on Drupal’s evolution, major releases, and groundbreaking innovations.

What else are the best Drupal minds crafting right now to make your digital experiences even better? What’s next for Drupal in an AI-driven world? When to expect the new version of Drupal? Driesnote is often the place for news that the wide audience has never heard before. 

It’s a great chance to stay ahead of the curve. Discover how these developments can shape your services, influence client expectations, and strengthen your competitive edge. Walk away with fresh perspectives and a clearer vision of how Drupal can help your business thrive.

Summits for various industries (and a special discount for nonprofits)

DrupalCon Atlanta 2025 offers a wonderful opportunity for agency and business owners to dive deeper into specific industries through its summits. These specialized sessions are tailored for sectors such as Healthcare, Higher Education, Government, Nonprofit, and Community, providing targeted insights, networking, and collaboration. They provide actionable insights, helping you better understand how Drupal can support and elevate your industry-specific goals.

While summits are available for an additional $250, the Community Summit is free to all attendees, making it a great option for those who want to connect with the Drupal community and share insights.

For those in nonprofit organizations and local governments, there’s a special perk. In addition to a huge discount for the main conference ticket, they have the option to attend the Nonprofit Summit for free — a $250 value. See more details about all ticket prices and eligibility guidelines and never miss a chance to get tickets for yourself and your team.

Final thoughts

Reading about these sessions can never match the experience of being at this extraordinary event in person. Immerse yourself in the vibrant energy of DrupalCon Atlanta 2025, where the brightest and most passionate Drupal enthusiasts share their expertise and ignite inspiration. Scale up your strategies, expand your horizons, and build lasting connections. We can’t wait to see you there on 24-27 March!

Project: Drupal coreDate: 2025-February-19Security risk: Critical 17 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Proof/TD:AllVulnerability: Cross site scriptingAffected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3Description: 

Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability (XSS).

Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue.

This issue is being protected by Drupal Steward. Sites that use Drupal Steward are already protected, but are still encouraged to upgrade in the near future.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.13
• If you use Drupal 10.4.x, update to Drupal 10.4.3
• If you use Drupal 11.0.x, update to Drupal 11.0.12
• If you use Drupal 11.1.x, update to Drupal 11.1.3

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• Arne (arkepp)
• bdanin
• Douglas Groene (dgroene)
• Dragos Dumitrescu (dragos-dumi)
• Flo Kosiol (flokosiol)
• Gerardo Cadau (juanramonperez)
• Justin Christoffersen (larsdesigns)
• nuwans
• Sven Decabooter (svendecabooter)
• Will Gunn (wgunn_e)

Fixed By: 

• catch (catch) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security

Team

Project: Drupal coreDate: 2025-February-19Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3Description: 

Bulk operations allow authorized users to modify several nodes at once from the Content page (/admin/content). A site builder can also add bulk operations to other pages using Views.

A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have permission to modify on individual nodes.

This vulnerability is mitigated by the fact that an attacker must have permission to access /admin/content or other, custom views and to edit nodes.

In particular, the bulk operations

• Make content sticky
• Make content unsticky
• Promote content to front page
• Publish content
• Remove content from front page
• Unpublish content

now require the "Administer content" permission.

Solution: 

Install the latest version:

• If you are using Drupal 10.3, update to Drupal 10.3.13.
• If you are using Drupal 10.4, update to Drupal 10.4.3.
• If you are using Drupal 11.0, update to Drupal 11.0.12.
• If you are using Drupal 11.1, update to Drupal 11.1.3.

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• jeff cardwell

Fixed By: 

• Benji Fisher (benjifisher) of the Drupal Security Team
• jeff cardwell
• Mingsong (mingsong) Provisional Member of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team

Project: Drupal coreDate: 2025-February-19Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Gadget ChainAffected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 < 11.0.12 || >= 11.1.0 < 11.1.3Description: 

Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable.

This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.

Solution: 

Install the latest version:

• If you use Drupal 10.3.x, update to Drupal 10.3.13
• If you use Drupal 10.4.x, update to Drupal 10.4.3
• If you use Drupal 11.0.x, update to Drupal 11.0.12
• If you use Drupal 11.1.x, update to Drupal 11.1.3

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

Reported By: 

• anzuukino
• shin24

Fixed By: 

• ghost of drupal past
• Dave Long (longwave) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• nicxvan
• shin24

Giorgi Jibladze announces the Beta release of the Google Gemini Provider module for Drupal. This update enhances AI-powered search, CKEditor support, and Drupal Recipes integration. It also improves compatibility with Drupal CMS and introduces automated testing via GitLab CI. The Drupal community is encouraged to test and provide feedback.

Florida DrupalCamp 2025 will be held from February 21 to 23 at Florida Technical College in Orlando. It will feature expert-led workshops and diverse sessions on Drupal development, design, and project management. The Drop Times interviewed speakers Christian Burk, Steve Wirt, Aubrey Sambor, and Josh Fabean to preview their insights and key takeaways. With hands-on training and networking opportunities, the event promises to be a must-attend for Drupal professionals and enthusiasts alike.

Florida DrupalCamp 2025 will take place from February 21 to 23 at Florida Technical College in Orlando. The event will bring together the Drupal community for a weekend of learning and networking. It will start with expert-led training workshops and be followed by a variety of sessions on development, theming, usability, and more. Organizers and speakers will express their enthusiasm as attendees prepare for an interactive and insightful experience.

In the previous article, we learned how to migrate paragraphs and create custom process plugins. Good exercise for the brain. Today, we will do some exercises for the body. Get ready for a strength training session — Drupal style — where we will learn about creating custom source plugins, extending existing ones, and writing media migrations from scratch.

mauricio Tue, 02/18/2025 - 06:00

Join us THURSDAY, February 20 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits.  Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google doc: https://nten.org/drupal/notes!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone. 

• Join the call: https://us02web.zoom.us/j/81817469653

  • Meeting ID: 818 1746 9653
    Passcode: 551681

  • One tap mobile:
    +16699006833,,81817469653# US (San Jose)
    +13462487799,,81817469653# US (Houston)

  • Dial by your location:
    +1 669 900 6833 US (San Jose)
    +1 346 248 7799 US (Houston)
    +1 253 215 8782 US (Tacoma)
    +1 929 205 6099 US (New York)
    +1 301 715 8592 US (Washington DC)
    +1 312 626 6799 US (Chicago)

  • Find your local number: https://us02web.zoom.us/u/kpV1o65N

• Follow along on Google Docs: https://nten.org/drupal/notes

View notes of previous months' calls.