drupal

Nonprofit Drupal posts: September Drupal for Nonprofits Chat

Join us THURSDAY, September 18 at 1pm ET / 10am PT, for our regularly scheduled call to chat about all things Drupal and nonprofits. (Convert to your local time zone.)

We don't have anything specific on the agenda this month, so we'll have plenty of time to discuss anything that's on our minds at the intersection of Drupal and nonprofits. Got something specific you want to talk about? Feel free to share ahead of time in our collaborative Google document!

All nonprofit Drupal devs and users, regardless of experience level, are always welcome on this call.

This free call is sponsored by NTEN.org and open to everyone.

Information on joining the meeting can be found in our collaborative Google document.

Tag1 Consulting: Beyond Code Generation: How AI Enhanced Our Load Testing Workflow and Documentation

At Tag1, we believe in proving AI within our own work before recommending it to clients. This post is part of our AI Applied series, where team members share real stories of how they're using Artificial Intelligence and the insights and lessons they learn along the way.

Jeremy Wed, 09/17/2025 - 07:00

Security public service announcements: Third-Party Libraries and Supply Chains - PSA-2025-09-17

Date: 2025-September-17

Description:

Supply-chain attack via maintainer account takeover

NPM packages have been targeted in maintainer account takeover attacks. Attackers have deployed an automatic credential scanning tool. The scanning tool tries to find secret keys that may have been published to public systems like build automation and continuous integration (CI) systems and sends such credentials back to the attacker. From there, the vulnerable NPM packages are downloaded, modified to insert a trojan-like script bundle, and then republished. These maliciously modified packages can then be used to exploit any application that has installed these packages.

Coverage and advice on remediation:

While this attack has targeted NPM packages, the same strategy could be used to exploit other packages as well.

Managing supply-chain security

Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or scanner services. Other relevant tools include CSP and SRI.

It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries and any non-Drupal components of the stack. In rare cases, the Drupal Security Team will post an informational public service announcement (PSA) such as this one, but the remit of the Drupal Security Team remains limited to code hosted on Drupal.org’s systems. Previous PSAs on third-party code in the Drupal ecosystem include:

Impact to the Drupal project itself

Drupal's infrastructure maintainers, the Drupal Security Team, and Drupal core maintainers have received tips about this situation from several sources. Individuals in those groups have evaluated their exposure and we believe the Drupal project itself is not affected by this issue. If you have information about concerns that Drupal is affected please reach out to us.

This post is likely to be updated as the situation evolves and more information is available.


ComputerMinds.co.uk: Fixing Sass @import deprecation warnings

Using Sass >= 1.80 and wanting to shush those @import deprecation notices with minimal effort?

There was a nice clear notice, with a decent explainer.

But you want a quick 1-2-3, so keep reading 🙃

It should take you minutes, not hours.

Do the upgrade

They made a lovely cli tool to help us out -> https://sass-lang.com/documentation/cli/migrator/

It should help us do exactly what we need to do, and it's got nice documentation if you need further options or details.

Install the tool

As per their instructions, there are lots of ways to install.

Our skittish Drupallers currently recommend doing something like this:

# Hop into your ddev container, if using
ddev ssh
# Install carefully
npm install -g sass-migrator --ignore-scripts

Run the tool

We need to run the module migration, which handles the @import statement changes (and a couple of other necessary bits - read the docs if you're concerned)

For each top level .scss file, we're going to run a command like this:

sass-migrator module ./path/to/style.scss -dv

We're using the -d flag (--migrate-deps), which will help ensure that child stylesheets get upgraded too.

We're also using the -v flag (--verbose) to make sure we get decent output if something goes wonky.

So a real-world example for a Drupal theme looked like this: 

sass-migrator module ./webroot/themes/custom/cmx/sass/base/base.scss -dv

And I used PHPStorm to make the various duplications for the different top-level scss files across my theme's directories, and pasted a big pile of commands all at the same time.

You could probably make a nice script to find them all and run magically 🤔

Things that don't work

Susy

You'll get errors for susy/susy, which the tool can't upgrade (and it shouldn't be!).

  1. Comment out the @import 'susy/susy'; line
  2. Run the migrations
  3. Go back and reinstate, changing @import to @use

⚠️ Important: you can't make the @use change before you run the migration, as the tool will assume the file has already been upgraded!

Check your changes

Can’t stress this enough. Make sure you’re getting what you expect and that it all looks good!

Compile

Run your compile action (gulp, watch, sass or whatever) and check that it runs happily. Hopefully all is good and there aren’t any deprecation logs anymore.

If there are some, go back and run the migration on those affected files.

Git diff your compiled css

The changes should be few and trivial, though that depends on your project!

Take a look!

Check out your website locally or on staging, make sure it’s tickety boo.

Nextide Blog: Maestro Template Builder v2.0

We've updated our Maestro Template Builder in our Maestro 4.2 release!  


Our new Template Builder is now based on diagram-js, the same JavaScript library that powers BPMN.iO. With this update, Template Builder now supports:

  • Panning the canvas
  • Zooming in and out
  • Task palette bar where you can drag and drop tasks on to your canvas
  • Alignment guides automatically appear allowing you to properly align tasks horizontally and vertically
  • Task shapes to show start and end as round and IF as a diamond
  • Modal editing window enlarged.

You can watch a quick video on how it looks and works here.

 

Drupal Association blog: A New Era of Digital Accessibility: The EAA and its Implications for Drupal

The following is a guest post from Drupal Accessibility Working Group maintainer Mike Gifford.

The digital world is becoming increasingly regulated, and for good reason. New legislation like the European Accessibility Act (EAA) is setting a clear standard for digital inclusion, ensuring that everyone, regardless of ability, has equal access to digital products and services. For the Drupal community, this isn’t a challenge, but an opportunity to showcase what we do best — building an open, accessible web for all.

In Europe, the push for digital accessibility has been a long-term effort, beginning with the Web Accessibility Directive (WAD) in 2016. The WAD set the stage by requiring public sector websites and mobile apps to be accessible. Building on this foundation, the EAA extends these requirements to a much broader range of private sector products and services, including e-commerce, banking, and e-books, and these requirements are in effect now.

The core of both directives is their alignment with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA, a set of internationally recognized standards developed by the World Wide Web Consortium (W3C). To provide a clear legal framework, the EU relies on the harmonized technical standard EN 301 549, which incorporates WCAG but also extends its scope to include hardware and other ICT products. For any organization operating within the EU, understanding this legislative landscape is no longer just a "nice to have" – it's now a legal imperative.

Drupal's Longstanding Commitment to Core Accessibility

Drupal has a deep, longstanding commitment to accessibility, viewing it as a core value. From the very beginning, the platform has been built to be accessible, with key features and functionality available out-of-the-box. The community's proactive approach ensures that new releases, like Drupal 10 and 11, adhere to the latest accessibility standards. This means that a standard Drupal install provides a powerful and inclusive foundation for any web project.

The foundation of web accessibility is built on four core principles, often abbreviated as POUR: Perceivable, Operable, Understandable, and Robust. Let's explore how Drupal's core features directly contribute to each of these principles.

1. Perceivable: Ensuring All Users Can Access Information

A website is perceivable when its content can be consumed by users regardless of their sensory abilities. Drupal helps meet this principle in several key ways:

  • Semantic HTML5: Drupal's architecture is built on clean, semantic HTML5. It uses proper tags like <nav>, <header>, <main>, and <footer> to define the structure of the page, which is essential for screen readers to navigate and interpret content.
  • Image Handling: Drupal's media system makes adding and managing descriptive alternative text (alt text) for images a fundamental and required part of the content creation process. By default, content authors are prompted to add this critical information, ensuring that users with visual impairments can understand the purpose and content of an image.
  • Visual Contrast: The core front-end theme, Olivero, and the administrative theme, Claro, are meticulously designed to meet WCAG 2.1 AA color contrast requirements. This ensures that text is readable against its background, a crucial element for users with low vision or color blindness.

2. Operable: Enabling All Users to Interact

A website must be operable for users who can't use a mouse, relying instead on a keyboard or other assistive devices. Drupal's core is designed for full keyboard operability.

  • Keyboard Navigation: All interactive elements, from dropdown menus to form fields, are fully accessible via keyboard. Clear, visible focus states make it easy for keyboard-only users to see exactly where they are on the page.
  • Skip Navigation: Drupal’s core themes include a "skip to main content" link that is a required feature for WCAG. This link allows keyboard users to bypass repetitive navigation links at the top of a page and jump directly to the main content, saving time and effort.
  • Developer helpers: JavaScript helpers are provided in Drupal core, allowing developers to easily add accessibility features, like ARIA live regions or tabbing constraints, to their sites, modules and themes.

3. Understandable: Creating Clear and Predictable Interfaces

For a website to be understandable, both its content and its user interface must be clear and predictable.

  • Logical Structure: Drupal’s use of semantic HTML also creates a logical heading structure (H1, H2, H3, etc.). This hierarchy is vital for screen reader users and helps all users quickly grasp the organization of the content.
  • Inline Form Errors: The core Inline Form Errors module, while not enabled by default, is a powerful tool for this. It provides immediate, context-sensitive feedback on form errors right next to the field, rather than a generic message at the top of the page. This is far more helpful and less confusing for all users.
  • Clear Labels: Drupal’s Form API ensures that form fields have correctly associated, descriptive labels, making them understandable for screen reader users.

4. Robust: Functioning Across Technologies

A robust website can be reliably interpreted by a wide range of user agents, including older browsers and assistive technologies. Drupal achieves this by adhering to web standards and providing full support for WAI-ARIA (Accessible Rich Internet Applications), a set of attributes that add semantic information to elements to make dynamic content and custom widgets more accessible. This allows for rich, interactive experiences that still work for users who rely on assistive technologies.

The Role of AI in a More Accessible Future

The Drupal community is actively exploring how artificial intelligence can help streamline and automate accessibility tasks. This isn't about outsourcing responsibility, but rather empowering content authors and site administrators with smarter tools that make it easier to create and maintain an accessible web.

One of the most promising areas is the use of AI to generate high-quality alt text. While human review remains essential for context, AI-powered modules can significantly reduce the manual effort required for this critical task, particularly for sites with large image libraries.

  • AI Image Alt Text: Modules like this one leverage machine learning vision models to automatically generate descriptive alt text for images. They provide a human-in-the-loop workflow, allowing content creators to review and edit the suggested text before publishing. This not only improves efficiency but also helps maintain consistency across large libraries of images.
  • Limitations and Human Responsibility: It's important to understand that AI is a tool, not a solution. AI might describe an image as "A person standing on a stage," but a human content author can provide the context: "Drupal founder Dries Buytaert giving a keynote at DrupalCon." The human provides the meaning, which is the ultimate goal of accessibility.

Community-Driven Best Practices and Contributed Tools

Beyond core and AI, the Drupal ecosystem offers a wealth of resources and contributed modules that further enhance accessibility. This collaborative environment is key to keeping Drupal at the forefront of digital inclusion.

Some Accessibility-Focused Modules

  • Alt Text Validation: Scans and validates image alt text site-wide and on save, with customizable rules that can warn or prevent saving.
  • Block ARIA Landmark Roles: Adds ARIA landmark role assignment to block configuration forms.
  • Editoria11y Accessibility Checker: An automatic, inline checker that helps authors create accessible content by marking issues, offering fixes, and tracking progress.
  • Node Link Report: Scans and reports on link status (broken, redirected, good) and accessibility errors (indiscernible text, missing alt/aria-labels).

Also see this list from Smart Bees or this article on OpenSource.com.

The Power of a Community Initiative

The Drupal community's accessibility team works tirelessly to ensure core code is accessible. They have established a "needs accessibility review" process in the issue queue, inviting specialists to review patches and new features before they are committed to core. This rigorous process is a testament to the community's commitment to making accessibility a fundamental part of Drupal's DNA. They also hold regular Accessibility Office Hours to help new and experienced contributors alike.

The Role of the Site Builder and Content Author

Ultimately, technology is only part of the solution. A fully accessible website requires a commitment from the humans building and managing it.

  • Start with an Accessible Foundation: Use Drupal's core and themes like Olivero to ensure your site is built on a solid, compliant base.
  • Empower Content Authors: Train content creators on the importance of semantic headings, clear links, and providing meaningful alt text. Tools like Editoria11y can be invaluable in this process.
  • Test, Test, Test: Don't rely solely on automated tools. Manual testing using a keyboard, and testing with a screen reader, are essential to catch issues that automation can miss. Better still, involve real users with disabilities in your testing process. We have documented our recommended process.

Wikipedia & Country References

Rather than duplicating efforts to look at the country details of the EAA, we’ve tried to consolidate some of the findings into the Wikipedia page on the legislation. This way, the legislation can continue to be updated by the community. Like accessibility, we expect that there will be updates needed about how the EAA is being implemented in each member state.

Conclusion: A Continuous Journey

The new wave of digital accessibility regulations, including the EAA and updated ADA rules, are not a burden. They are a catalyst for building a more inclusive and user-friendly web for everyone. Drupal, with its strong core features, a powerful ecosystem of modules, and a dedicated community, is perfectly positioned to help organizations meet these new standards and go beyond mere compliance. By combining solid technology with a human-centric approach, we can work towards a digital world where accessibility isn't an afterthought but an integral and effortless part of the creation process.

Note: For state and local governments in the USA, new regulations under the Americans with Disabilities Act (ADA) have established WCAG 2.1 Level AA as the technical standard for web and mobile app accessibility. Many of the steps discussed here will also benefit your sites. You can find more information on these specific requirements on ADA.gov.

Some recent articles about Drupal & legislation

Here’s a curated list of articles and resources that explicitly connect Drupal with the latest accessibility legislation/standards and the technical solutions to meet them:

Legislation & standards → what they mean to Drupal

  • “Making sense of the European Accessibility Act, EN 301 549 and WCAG” (June 26, 2025) — Acquia
  • “The European Accessibility Act: What is it and do I need to worry about it?” (May 14, 2025) — Zoocha
  • “European Accessibility Act: What you need to know” (June 26, 2025) — Electric Citizen
  • “The European Accessibility Act: What it means for your website in 2025” (24 June 2025) — Annertech

Timbers Dev: September Round-Up - Exciting New Modules to Watch



September brought a fresh wave of contrib modules, and a few immediately caught our attention. Some are practical tools that could save administrators hours of work, others bring design polish or inspiration, and a couple are just plain fun. As always, we love seeing how the Drupal ecosystem keeps evolving - here’s our take on the ones worth a look this month.

Drupal AI Initiative: AI at BADCamp 2025: Hands-On, Community-Driven, and Happening Now


BADCamp has always been a community-first event where ideas, experimentation, and practical knowledge-sharing thrive. This year, it’s also where Drupal’s AI conversation gets very real.

From a focused, three-hour AI Summit to a range of practical sessions across the camp, AI is showing up in force at BADCamp 2025. Whether you're a site builder, developer, themer, or content strategist, there's something here for you.

The AI Summit: Community and Possibility

Friday morning, October 25, BADCamp is hosting a special three-hour AI Summit. This unconference-style session will give the Drupal community a space to explore how we’re using AI in the real world and where we want to take it next.

It’s not a keynote. It’s not a showcase. It’s a collaborative working session where the participants set the agenda. The goal is to move the conversation forward by grounding it in actual experience. What’s working, what isn’t, and what’s needed.

Details here: AI Summit at BADCamp

Drupal AI Initiative in the Spotlight

The Drupal AI Strategic Initiative will also be well represented. I'll be leading a hands-on session that shows how anyone can integrate private AI tools into their Drupal site without writing code:

Kristen Pol will provide a look at the bigger picture, including how the initiative is positioning Drupal for the future:

AI Topics Across the Camp

BADCamp isn’t just featuring AI. It’s threading it through the whole program. Here are some of the other sessions digging into what AI can do in and around Drupal:

AI is no longer on the sidelines. The Drupal community is actively shaping how open source, ethical, and privacy-respecting AI tools can work in real content workflows.

If you're curious about where Drupal and AI meet, BADCamp is the place to see it all in motion. This isn’t about someday. It’s about what you can do right now.

badcamp.org


Dripyard Premium Drupal Themes: Talking Drupal Ep. 520: Dripyard

We’re excited to share that Dripyard was featured on Talking Drupal, Episode 520!

Andy and I joined the hosts to talk about why we launched Dripyard, what makes our themes different, and how Drupal’s modern tooling like Single Directory Components and Drupal CMS (Canvas + Recipes) have made this the perfect time to bring high-quality themes to the ecosystem.

Some highlights from the episode: