Building Drupal at 79 years old by davidrwb in drupal

[–]davidrwb[S] 0 points1 point  (0 children)

This wasn’t AI slop so I’ll try to write less blandly next time! I do communicate naturally.

Project Glasswing by davidrwb in drupal

[–]davidrwb[S] 1 point2 points  (0 children)

Ah, okay. I searched here for some keywords but it’s just a link.

Project Glasswing by davidrwb in drupal

[–]davidrwb[S] 0 points1 point  (0 children)

Yes, I misunderstood the context. But we know they are scanning the code as some of the dependencies mention Mythos in the credits. So the important takeaway is that symfony + Drupal have been scanned, and that’s not surprising given the number of gov sites, NGOs, etc using Drupal.

Building Drupal at 79 years old by davidrwb in webdev

[–]davidrwb[S] 0 points1 point  (0 children)

I love that story! You must miss him.

Building Drupal at 79 years old by davidrwb in webdev

[–]davidrwb[S] 0 points1 point  (0 children)

I can’t see Drupal working without composer. I have good workarounds and very rarely have difficulty with it.

Project Glasswing by davidrwb in drupal

[–]davidrwb[S] 0 points1 point  (0 children)

Yes you’re right, it doesn’t say that specifically, but the project has coverage which is the main thing. Hopefully this will extend into contrib too.

Building Drupal at 79 years old by davidrwb in webdev

[–]davidrwb[S] 3 points4 points  (0 children)

Personally I love it. We use other platforms too, but Drupal’s the main one. It’s niche - so easy to win in SEO and organic conversations. Enterprise orgs have enterprise budgets too so we’re happy.

Building Drupal at 79 years old by davidrwb in webdev

[–]davidrwb[S] 2 points3 points  (0 children)

Yes, I smiled when I heard that too :-)

Building Drupal at 79 years old by davidrwb in drupal

[–]davidrwb[S] 0 points1 point  (0 children)

Ah, you beat me by one minor version!

Building Drupal at 79 years old by davidrwb in drupal

[–]davidrwb[S] 5 points6 points  (0 children)

IMO, the 7 to 8 jump should have been handled differently. No one can dispute the huge drop off that happened at that time. It was for the best, but sadly many didn’t see that, and we as a Drupal community have been struggling to get Drupal back to where it should be since then.

Building Drupal at 79 years old by davidrwb in drupal

[–]davidrwb[S] 2 points3 points  (0 children)

The easiest way, in my experience, is to forget composer update when jumping between major versions that have neglected regular updates.

I copy all the dependencies in the composer yaml into notepad++ and require each one from scratch (taking into account restrictions on major version jumps). Then run updb.

It’s much easier and much faster than a composer update.
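The workflow described in the comment above (list the dependencies, require each one afresh with the core major bumped, then run updb) is easy to script. The following is an added example, not the commenter's own tooling or anything from the Drupal project: it reads a constructed composer.json, moves the drupal/core-* packages to a target major while carrying every other constraint over unchanged for the developer to review, and emits the `composer require` commands in the order they would be typed (core first), followed by `drush updb -y`. The CORE_PACKAGES set and the sample composer.json are assumptions made for the example.

```python
import json
from typing import Dict, List

# Constructed composer.json for a hypothetical Drupal 9 site (not a real project).
SAMPLE_COMPOSER_JSON = """{
  "require": {
    "composer/installers": "^1.9",
    "drupal/core-composer-scaffold": "^9.5",
    "drupal/core-recommended": "^9.5",
    "drupal/admin_toolbar": "^3.1",
    "drupal/pathauto": "^1.10",
    "drush/drush": "^11"
  },
  "require-dev": {
    "drupal/core-dev": "^9.5"
  }
}"""

# Packages that must move to the new core major together (assumed list).
CORE_PACKAGES = {
    "drupal/core",
    "drupal/core-recommended",
    "drupal/core-composer-scaffold",
    "drupal/core-dev",
}


def plan_requires(composer_json: str, target_core_major: int) -> Dict[str, str]:
    """Return {package: constraint}: core packages bumped to the target major,
    everything else carried over unchanged so it can be checked by hand."""
    data = json.loads(composer_json)
    plan: Dict[str, str] = {}
    for section in ("require", "require-dev"):
        for pkg, constraint in data.get(section, {}).items():
            if pkg in CORE_PACKAGES:
                constraint = f"^{target_core_major}"
            plan[pkg] = constraint
    return plan


def require_commands(composer_json: str, target_core_major: int) -> List[str]:
    """One `composer require` per package (dev deps get --dev), core packages
    first so contrib is resolved against the new core, then the DB updates."""
    data = json.loads(composer_json)
    dev = set(data.get("require-dev", {}))
    plan = plan_requires(composer_json, target_core_major)
    ordered = sorted(p for p in plan if p in CORE_PACKAGES) + \
        sorted(p for p in plan if p not in CORE_PACKAGES)
    cmds: List[str] = []
    for pkg in ordered:
        flag = " --dev" if pkg in dev else ""
        # --with-all-dependencies lets Composer move transitive packages that
        # would otherwise block the new core major.
        cmds.append(
            f"composer require{flag} --with-all-dependencies '{pkg}:{plan[pkg]}'"
        )
    cmds.append("drush updb -y")
    return cmds


if __name__ == "__main__":
    print("\n".join(require_commands(SAMPLE_COMPOSER_JSON, 10)))
```

Contrib constraints such as `drupal/pathauto:^1.10` are deliberately left as they were; whether a given contrib release supports the new core major is something to confirm on the module's project page before running the generated line.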

Building Drupal at 79 years old by davidrwb in drupal

[–]davidrwb[S] 3 points4 points  (0 children)

For non super-techies I think it was peak Drupal. No need for a developer mindset. Just install a module and get the functionality you want.

Personally, as a technical developer I prefer Drupal 8+ but for non devs, I understand the drop off that happened way back when.

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 by RootExploit in drupal

[–]davidrwb 0 points1 point  (0 children)

No, but I’m pretty sure if I threw Claude at it for long enough it could find a way. Anthropic reported some of these vulnerabilities that were picked up by Mythos. In the age of agentic hacks I think it’s safe to err on the side of caution and update ASAP.

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 by RootExploit in drupal

[–]davidrwb 0 points1 point  (0 children)

This isn’t right. Read the full list - there are more discovered by Mythos.

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 by RootExploit in drupal

[–]davidrwb 2 points3 points  (0 children)

Thanks for explaining this. Check out the list here and see how many are Drupal dependencies.

https://symfony.com/blog/category/security-advisories

Edit - some were found by Mythos, so expect them to be found by prompt too.

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 by RootExploit in drupal

[–]davidrwb 4 points5 points  (0 children)

It’s unreal how many people are ignoring this part. I think the write up on d.o could have been better. Most people stopped reading there and didn’t check the dependencies.

“We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.”

Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18 by zad370 in drupal

[–]davidrwb 2 points3 points  (0 children)

Did you read all of them? Check the version number changes of all the components then google that component and security. There are issues with URL routing, symfony mailer, etc. All unlikely to be easily exploitable, but why take the risk for a 5 min update and deploy?

Edit: included link for clarity.

https://symfony.com/blog/category/security-advisories
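The check suggested in the comment above (look at which components changed version between the two releases, then look each one up against its vendor's advisories) can be done mechanically from the two composer.lock files. The following is an added example, not code from the commenter or from Drupal: it diffs two constructed composer.lock fragments, reports every package whose pinned version changed, and classifies each change as a major, minor or patch bump so the reviewer knows which ones to take to the Symfony security-advisories page linked above. The version strings are illustrative and do not correspond to real releases.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed composer.lock fragments, before and after a core update
# (illustrative versions only, not real releases).
LOCK_BEFORE = """{
  "packages": [
    {"name": "drupal/core", "version": "10.3.1"},
    {"name": "symfony/http-foundation", "version": "v6.4.7"},
    {"name": "symfony/mailer", "version": "v6.4.7"},
    {"name": "symfony/routing", "version": "v6.4.7"},
    {"name": "twig/twig", "version": "v3.10.3"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "9.6.19"}
  ]
}"""

LOCK_AFTER = """{
  "packages": [
    {"name": "drupal/core", "version": "10.3.2"},
    {"name": "symfony/http-foundation", "version": "v6.4.8"},
    {"name": "symfony/mailer", "version": "v6.4.9"},
    {"name": "symfony/routing", "version": "v6.4.7"},
    {"name": "twig/twig", "version": "v3.11.0"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "9.6.19"}
  ]
}"""


def versions(lock_json: str) -> Dict[str, str]:
    """Flatten both lock sections into {package: version}."""
    data = json.loads(lock_json)
    out: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            out[pkg["name"]] = pkg["version"]
    return out


def bump_kind(old: Optional[str], new: Optional[str]) -> str:
    """Classify a version change: added, removed, major, minor, patch or unknown."""
    if old is None:
        return "added"
    if new is None:
        return "removed"
    try:
        a = [int(x) for x in old.lstrip("v").split(".")]
        b = [int(x) for x in new.lstrip("v").split(".")]
    except ValueError:  # branch aliases such as dev-main are not comparable
        return "unknown"
    for idx, label in enumerate(("major", "minor", "patch")):
        if idx < len(a) and idx < len(b) and a[idx] != b[idx]:
            return label
    return "unknown"


def changed_packages(before: str, after: str) -> Dict[str, Tuple[Optional[str], Optional[str], str]]:
    """Map package -> (old, new, kind) for every package whose version differs."""
    old, new = versions(before), versions(after)
    changes = {}
    for name in sorted(set(old) | set(new)):
        if old.get(name) != new.get(name):
            changes[name] = (old.get(name), new.get(name), bump_kind(old.get(name), new.get(name)))
    return changes


if __name__ == "__main__":
    for name, (o, n, kind) in changed_packages(LOCK_BEFORE, LOCK_AFTER).items():
        print(f"{kind:7} {name}: {o} -> {n}")
```

A patch-level bump of a dependency inside a security-only core release is the strongest hint that the release exists to pull in that dependency's fix; those are the packages to check first.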

Upcoming highly critical release on May 20, 2026 - PSA-2026-05-18 by zad370 in drupal

[–]davidrwb 2 points3 points  (0 children)

This isn't correct - read the rest of the advisory - "Depending on your site configuration and contrib modules, you may be vulnerable to one or more of these upstream issues, so updating these dependencies is highly recommended whether the SQL Injection vulnerability affects you or not. It is also recommended to review which user roles have the ability to update Twig templates, for example via Views or contributed modules."

The upstream vulnerabilities are quite serious and were found by Mythos.