- Issue created by @davidwise
- 🇮🇹Italy apaderno Brescia, 🇮🇹
This issue queue is for changes that should be done in documentation pages.
What is described here is not related to https://www.drupal.org/node/3469565, as the title suggests. It is rather a support request about getting a list of modules to which to subscribe to get email updates, which can be answered in Drupal slack or in the forums.
- 🇺🇸United States davidwise
Ciao Alberto,
Thank you for your reply. I am not a developer myself, but I work in a security role overseeing multiple Drupal websites—currently tracking 311 contributed modules.
I have subscribed to emails, but keeping track of module versions, deprecated projects, and security coverage is challenging. Mostly the emails have "Bug report", "Feature request", "Support request", etc. Specifically, I am interested in:
- Identifying obsolete/deprecated modules.
- Monitoring the latest versions and update timelines.
- Knowing which modules are not covered by the Drupal security advisory policy—those flagged as “Use at your own risk!”
Since web scraping isn’t allowed on the drupal.org website, I manually maintain a Microsoft List for tracking, but it quickly becomes outdated. My columns include things like the module name, latest versions (D7, D9, D10), release dates, security coverage, project type, and notes.
A process improvement suggestion that could add value to the Drupal community:
Would Drupal.org consider offering a custom module tracking dashboard? This would allow subscribed users to view all their selected contributed modules in one place, with filters for security status, deprecated projects, or unsupported versions (e.g., D7 modules not available in D10/11).
A centralized Drupal Module Status Dashboard would significantly enhance security tracking and maintenance for customers managing multiple sites.
Thanks again, Alberto! I’d love to hear your thoughts and if you have any suggestions on where I can post this request.
- 🇺🇸United States cmlara
This sounds like it could go into Drupal.org Customization as a new feature for the website or at least perhaps some additions to the Update Status module in Drupal Core.
Re-opening and transferring queue for a proper review.
I can not run a script to scrape the data of the Drupal.org website.
Why not? (This data is available via various APIs) (I'm not saying making everyone do this is the best method, however I'm sure this would be asked so should at least have an answer for the D.O. developers ready).
- 🇺🇸United States drumm NY, US
I recommend using composer audit, which will include advisories from Drupal.org, and elsewhere for your non-Drupal dependencies.
- 🇺🇸United States davidwise
Thanks avpaderno, cmlara, and Drumm -
I am not a developer or a sys admin, but in a security role between management and the development team. We basically use an in-house private Platform as a Service (PaaS). (So I can not run commands on PHP, I don't have access to the LAMP stack, etc.) My main role is with security compliance, documentation, processes, etc.
I have built a Microsoft SharePoint List of the modules manually getting the modules from the configuration files I got from our code management solution. (I uploaded a screenshot of what I built for tracking.) This took hours of work and is quickly outdated as modules are updated (both on our websites, and on the Drupal.org side.) I have subscribed to all the 300+ project emails but the emails don't easily provide the data that I am looking for. (Feature Request and bug tracking, etc.)
I did try to see if I could scrape the data of the 300+ modules via the project pages using Microsoft PowerShell (since it is included on all Windows systems and I do not have administrator rights to my Government computer). But the websites will give an error about using methods such as this to try and scrape the data. I was not aware of any APIs or composer audit.
The API could be the preferred solution since I could possibly create a csv file of the data needed and then use it (maybe with Microsoft Power Automate) to update the SharePoint List.
My goals are to track/know:
1. The modules we use in our organization and what system those modules are used on.
2. The latest information on the module such as the latest supported version, latest update date.
3. What Drupal versions are supported on the module.
4. If module is obsolete and/or if the module is deprecated.
5. If the project is not covered by the Drupal security advisory policy.
I think it would be great if the Drupal Security dashboard would allow me to have a table 2-5. If there was a way to put my own notes in, (or my own tags) I could mark #1 - so I could tell what sites have the modules.
If you can provide me details on how to use the API to get the data, I might be able to script a solution to save the data to Microsoft Excel.
- 🇺🇸United States drumm NY, US
The API Composer uses for security advisories is described at https://packagist.org/apidoc#list-security-advisories if you need to implement it outside of using Composer. Drupal.org packages are installed via packages.drupal.org, so the API endpoint is for example https://packages.drupal.org/8/security-advisories/?packages[]=drupal/core
The APIs used by Composer also have additional metadata, for example https://packages.drupal.org/files/packages/8/p2/drupal/token.json.
Update status used by Drupal is backed by API requests like https://updates.drupal.org/release-history/token/current
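As an added example (not code from anyone in this thread), the PowerShell below turns the body of a release-history response like the one linked above into one CSV row per module, covering latest tagged release, release date, core compatibility, project status and security coverage. The element names (short_name, project_status, supported_branches, releases/release, security with a covered attribute, core_compatibility) are an assumption about the feed layout, and both sample documents are constructed.

```powershell
# Added example. Element names are assumed from the update-status feed layout.
function ConvertTo-ModuleStatus {
    param([Parameter(Mandatory)][string]$XmlText)
    $project = ([xml]$XmlText).project
    if (-not $project) { throw 'No <project> element: unknown project or error reply.' }

    # Keep published, tagged releases only; -dev snapshots are rebuilt
    # constantly and would otherwise always look like the newest release.
    $latest = $project.releases.release |
        Where-Object { $_.status -eq 'published' -and $_.version -notlike '*-dev' } |
        Sort-Object { [long]$_.date } -Descending |
        Select-Object -First 1
    $released = $null
    if ($latest) {   # <date> is a Unix timestamp
        $released = ([datetime]'1970-01-01').AddSeconds([long]$latest.date).ToString('yyyy-MM-dd')
    }

    [pscustomobject]@{
        Module            = $project.short_name
        ProjectStatus     = $project.project_status
        SupportedBranches = $project.supported_branches
        LatestVersion     = $latest.version
        Released          = $released
        CoreCompatibility = $latest.core_compatibility
        SecurityCovered   = ($latest.security.covered -eq '1')
    }
}

# Constructed sample documents, not real feed output.
$samples = @(
@'
<project><short_name>example_module</short_name>
  <project_status>published</project_status>
  <supported_branches>2.0.</supported_branches>
  <releases>
    <release><version>2.0.x-dev</version><status>published</status><date>1735689600</date></release>
    <release><version>2.0.3</version><status>published</status><date>1727740800</date>
      <security covered="1">Covered</security>
      <core_compatibility>^10 || ^11</core_compatibility></release>
  </releases>
</project>
'@,
@'
<project><short_name>abandoned_module</short_name>
  <project_status>unsupported</project_status></project>
'@
)

$samples | ForEach-Object { ConvertTo-ModuleStatus $_ } | ConvertTo-Csv -NoTypeInformation
```

A project with no releases still yields a row, with empty release columns and SecurityCovered set to False, so unsupported modules stay visible in the sheet instead of silently dropping out.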