Drupal Planet

Today, Drupal is truly one of the top and most powerful CMS. The introduction of AI and the new features to Drupal reveal its capabilities and incredible prospects for business owners. All these advancements also significantly change the approach to web development and website optimization on the already popular Drupal platform. That is why today, we will discuss the topic of the AI ​​framework in Drupal together.

Over the past few years of working on large-scale Drupal projects for government and higher education, I have noticed how successful these new platforms are when developers include three key features in shaping the tech stack.

Rather than diving into the technical details, I want to share my thoughts on why these are essential tools for end-users and editors who manage content daily.

As a Delivery Manager, I’ve experienced the importance of having clear and accessible documentation in a project. Storybook is an open-source feature that allows teams to build and showcase components in isolation, making it easier to document and test for stakeholders. From my perspective, it is an excellent tool for stakeholders for the following reasons: 

• Component Library - It works like an always-up-to-date document. Each component is documented separately, and its behaviour and variations are well explained. This makes it easier for content editors to browse and understand the behaviours of different components.
• Trial before use (Experimenting) - Developers and stakeholders can interact with each component in isolation, allowing content editors to select the right component to fit the content, which is ideal for the end-user experience. Storybook also enables content editors to test how components display on various screen sizes, facilitating the testing process of multiple devices. 

Layout Builder is a game-changer for content editors. It works like building blocks. Editors drag and drop component blocks in the design system to fit with the content on a page. This feature allows editors to create and customise page layouts in the website without being locked to just a few pre-built templates. From my experience, it is a useful tool for organisations and users because it is: 

• Flexible - It gives content editors and admins more control over how content looks without needing a developer, so content management is faster. Users also benefit as content is better structured, which leads to more engagement and a better experience.
• Future proof - It supports scalability by allowing new components and features to be added over time. It ensures the website stays fresh without requiring a full redesign. In large organisations like universities and government departments, where content is constantly evolving, this level of control is unique and necessary.

Check out the work we’ve done for Cancer Australia using Layout Builder, Storybook and OpenSearch.

Search is a critical feature for any large-scale website. It helps organisations give users the best experience by ensuring they can quickly find the right information. So, what is the difference between an out-of-the-box search and OpenSearch? Think of an out-of-the-box search as looking for a book in a bookstore. You might easily find it if you have the title and author, so simple queries will lead you to the source. However, trying to find the best cycling route in a new town is an entirely different task. You’re not just after a title ‘keyword’ but a few additional parameters or ‘filters’ like distance, elevation and terrain. That type of customisation is exactly what OpenSearch offers. It understands the website’s content structure and the users’ queries, and returns the best content match. It's a powerful tool from a stakeholder perspective, because it:

• Organises information - Organisations can customise search results based on their needs. For example, they can rank articles higher than factsheets to prioritise the most critical content to appear first.
• Understands how people search - No two users search for information in the same way. Some use keywords, while others use complete sentences. OpenSearch supports these various behaviours by providing functionality such as autocomplete, synonyms, and spell check. This will ensure users find what they are looking for, even if they use misspelled words or incomplete sentences. 

While these are only a few key tools for elevating the user experience, I hope this blog has helped you understand more about some of the tools we use and why I consider them to be the backbone of all new projects. If you have any questions or would like a demonstration of how we can use them in your new website, please feel free to reach out! 

In our previous share out, we focused on why contributors might engage in a Marketplace and the kinds of value they’re looking for. Since then, we’ve turned our attention to something even more foundational—trust.

If we want the Marketplace to succeed, contributors, agencies, and end users must believe:

• Templates are high-quality and secure
• Contributors are treated fairly and transparently
• There are clear, enforceable standards for what gets listed

That’s the work we’re deep in now.

Across our first two surveys, last week’s Slack prompt, and the Hopes & Fears Jam conducted at the Quarterly Drupal Certified Partner Webinar, three critical trust signals have emerged:

Templates must meet defined standards for code quality, security, accessibility, and UX. Contributors want to know what “good” looks like before they invest time; end users want confidence before they adopt.

If the Marketplace becomes a dumping ground for mediocre or insecure templates, it will actually hurt Drupal.”
"Templates should be clearly rated on accessibility, code quality, and what modules they’re pre-styled for.”

The Week #5 prompt in #drupal-cms-marketplace dives directly into this question:
“What accessibility, security, or coding standards should be required for free and/or paid site template listings—and how should they be verified?”

We’d love to hear your thoughts!

Policy alone doesn’t build trust—clear enforcement and transparency do. People want to know someone is actively ensuring fairness and protecting the ecosystem.

Governance modeled after the Security Team would give me confidence someone’s watching the store.”
"What’s the dispute process if I think something’s plagiarized or violates guidelines?”

The Marketplace Working Group met last week to begin shaping a draft governance model grounded in your feedback. While still early, this work is focusing on:

• Who might set and enforce Marketplace rules
• How listings might be reviewed and approved
• How disputes and appeals may be handled

• What may be required to maintain a listing over time

The Marketplace must offer both recognition and a fair value exchange. Contributors want clear attribution, visibility for upstream maintainers, and thoughtful revenue models that strengthen—rather than undermine—Drupal’s open-source values.

I don’t mind people making money—but I want to know how it flows back to the people maintaining the ecosystem.”

The Marketplace Working Group’s emergent governance framework is designed to create a Marketplace that is socially, technically, and financially responsible—and deeply aligned with Drupal’s open-source mission.

The scope of the framework includes:

• Submission and Review Guidelines: Clear public standards for what qualifies as a free, certified, and/or paid template—including accessibility, security, and code quality.
• Monetization and Revenue Sharing Models: Exploring how paid listings can fairly compensate contributors while also supporting module maintainers, the DA, and the ecosystem as a whole.
• Security and Quality Assurance: Establishing review processes to certify templates and flag those that are outdated or poorly maintained—ensuring users can clearly see the trust signals they need.
• Dispute Resolution and Appeals: Drafting a lightweight, transparent approach to handling conflicts fairly and consistently.
• Transparency and Community Feedback: Creating a clear process for proposing and reviewing policy changes with full community input.

This work is just beginning, and ongoing feedback will help shape what comes next.

Your input is critical to shaping a Marketplace that reflects Drupal’s values and strengthens our ecosystem. Here’s how to get involved this week:

• Take Survey #3: Marketplace Governance and Community Values.
  Help us understand your expectations for fairness, openness, and revenue models.
• Join the Slack Discussion – Share your views on Slack in #drupal-cms-marketplace: 
  “What accessibility, security, or coding standards should be required for free and/or paid site template listings—and how should they be verified?”
• Participate in the Ecosystem Roundtable – Participate in the Drupal Certified Partner and Agency Roundtable to share your perspective directly:  15 May 2025 | 15:30 UTC Register now.

Welcome to the first episode of Talking Drupal Cafe.

Join Martin and Jake as they delve into an insightful conversation exploring the challenges and responsibilities associated with being a module maintainer. Discussing project types, the significance of sandbox modules, the impact of Drupal CMS, and the role of AI tools, they highlight issues around burnout, sustainability, and community support. Discover how the Drupal community can better support maintainers and the importance of continued contributions. This episode also touches on upcoming conferences and the significance of face-to-face interactions in the Drupal community.

Martin is a highly respected figure in the Drupal community, known for his extensive contributions as a developer, speaker, and advocate for open-source innovation. Based in London, Ontario, Canada, Martin began his career as a graphic designer before transitioning into web development. His journey with Drupal started in late 2005 when he was seeking a robust multilingual CMS solution, leading him to embrace Drupal's capabilities. (mandclu.com)

Martin holds the distinction of being the world's first Triple Drupal Grand Master, certified across Drupal 7, 8, and 9 as a Developer, Front-End Specialist, and Back-End Specialist. (TheDropTimes) He also possesses certifications in various Acquia products and is UX certified by the Nielsen Norman Group. (mandclu.com)

Currently serving as a Senior Solutions Engineer at Acquia, Martin has been instrumental in advancing Drupal's ecosystem. He has developed and maintains several contributed modules, including Smart Date and Search Overrides, and has been actively involved in the Drupal Recipes initiative, particularly focusing on event management solutions. (mandclu.com) His current work on the Event Platform aims to streamline the creation and management of event-based websites within Drupal. (TheDropTimes)

Beyond development, Martin is a prominent speaker and educator, having presented at numerous Drupal events such as DrupalCon Barcelona and EvolveDrupal. He is also a co-host of the "Talking Drupal" podcast, where he leads the "Module of the Week" segment, sharing insights on various Drupal modules. (mandclu.com) Martin's dedication to the Drupal community is evident through his continuous efforts to mentor, innovate, and promote best practices within the open-source landscape.(TheDropTimes)

Jacob is a prominent figure in the Drupal community, best known for developing and maintaining the Webform module—one of the most widely used and feature-rich form-building tools in the Drupal ecosystem. His work has significantly enhanced Drupal's capabilities in form creation, data collection, and user interaction.

Rockowitz began his Drupal journey while working as a consultant for Memorial Sloan Kettering Cancer Center (MSK), where he spent over 18 years. Facing the need for robust form functionality during MSK's early adoption of Drupal 8, he created YAML Form, which later evolved into the Webform module for Drupal 8 . This module has since become integral to many Drupal sites, offering extensive features for form management.(design4drupal.org)

Beyond Webform, Jacob has contributed to other projects like the Schema.org Blueprints module, aiming to improve structured content modeling in Drupal. He is also an advocate for open-source sustainability, often discussing the importance of community involvement and the challenges of maintaining large-scale open-source projects .(talkingdrupal.com, jrockowitz.com)

As an active member of the Drupal community, Rockowitz frequently speaks at events such as DrupalCon and New England Drupal Camp, sharing his insights on module development and community engagement . He maintains a personal blog at jrockowitz.com, where he writes about his experiences and thoughts on Drupal development.(Drupal)

For show notes visit: https://www.talkingDrupal.com/502

• Introduction to Project Maintenance
• Types of Projects and Their Significance
• Sandbox Modules and Work Projects
• Passion Projects and Inherited Projects
• Challenges in Managing Multiple Modules
• The Role of Recipes in Project Management
• AI and Automation in Project Maintenance
• The Future of Project Maintenance and Contributions
• Evolving Drupal and Community Contributions
• Enterprise Features and the Trash Module
• Marketplace and Site Templates
• AI and the Future of Web Development
• Contribution Credits and Bounties
• Guiding Users and Module Selection
• Drupal Adjacent Solutions
• Sustainability of Contribution
• The Importance of Community Engagement

Martin Anderson-Clutz - mandclu.com mandclu Jacob Rockowitz - jrockowitz.com jrockowitz

In my recent work on the Drupal Event Platform, one of the most ambitious changes has been changing the architecture to support multiple events. That means that an annual Drupal camp can retain the content of previous years while collecting session submissions for an upcoming event. It also means that the platform can support multiple events per year if needed, similar to events.drupal.org.

• Drupal

• Read more about Smart Menu Links: Drupal navigation with the power of Views
• Add new comment

If you've ever tried to make your site more accessible and felt overwhelmed—you're not alone. But if you're using or considering Drupal, I want to tell you: you're already ahead. Accessibility isn’t a bolt-on in Drupal. It’s baked in. From semantic HTML5 output to keyboard navigation and ARIA support, Drupal core is built to comply with WCAG 2.1 AA standards. It also ships with accessible-by-default themes like Olivero (for front-end users) and Claro (for administrators), both of which have been tested with real-world assistive technologies.

What really helps, though, are the contributed modules. Let me highlight a few I think are essential if you care about accessibility at a technical level. First, there’s Editoria11y—this is a game-changer for content teams. It sits quietly in the background while you're editing and alerts you in real time about things like missing alt text, contrast issues, or incorrect heading levels. You fix problems before they go live. If you're more technical, Accessibility Scanner is worth a look; it integrates with Deque's Axe tools to run site-wide scans. And developers can use the Accessibility Tools module to simulate different impairments, helping them design for real-world needs.

Drupal also supports the All in One Accessibility module, which offers a customizable accessibility widget—think screen reader support, text resizing, keyboard navigation toggles, and more, all in one place. It's especially helpful for public sector sites and high-traffic platforms with legal compliance goals. These tools aren’t about ticking boxes—they’re about making sure everyone can use your site, no matter their ability. As Kat Shaw, an accessibility expert in the Drupal community, puts it in an interview with The Drop Times: “Accessibility doesn’t block innovation—it enables it.” I couldn't agree more.

• I Made Accessibility Fixes—and Never Looked Back: Kat Shaw

• From Foot in the Door to Full-Time: The Human Impact of Palantir’s Drupal Fellowship Program
• Drupal Marketplace Initiative Outlines Value and Contributor Incentives
• DesignHammer Leads Relaunch of Triangle Drupal Users Group (TriDug) for Summer 2025

• Dotsquares Migrates 17 Samuel, Son & Co. Sites to Drupal 10 with Unified Architecture
• Talking Drupal 500: An Audio Time Capsule of Where Drupal Stands

• Stanford WebCamp 2025 Begins Today with Tools, Talks and Open Source Collaboration
• EvolveDrupal Summit Boston 2025 Opens Call for Speakers Ahead of June 6 Event
• Drupal GovCon 2025 Opens Call for Speakers Ahead of August Event in Maryland
• PHP Study Group Tokyo to Hold 176th Session on May 28
• Drupal Bulgaria Meetup Scheduled for May 22 in Sofia
• BADCamp 2025 Scheduled for September 25–26 in Oakland
• Keynote “The Web in 2035” Announced for DrupalCon Vienna 2025
• DrupalCon Vienna 2025 Opens Inclusion Fund and Scholarship Applications
• Registration Open for DrupalCon Vienna 2025, Taking Place October 14–17

We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now.

To get timely updates, follow us on LinkedIn, Twitter and Facebook. You can also join us on Drupal Slack at #thedroptimes.

Thank you, 

Sincerely,
Kazima Abbas
Sub-editor, The DropTimes.

Call me a radical, but I don't think a handful of billionaires controlling the majority of a country's wealth is a good thing. I don't think the ultra-wealthy need more benefits at the expense of everyone else.

In March 2025 the Drupal Security Team released https://www.drupal.org/sa-contrib-2025-021 (assigned CVE-2025-3169) which addressed a Remote Code Execution vulnerability in the Artificial Intelligence (AI) contributed module, which is included in Drupal CMS.

I discovered this vulnerability, and I think it's an interesting one that warrants a closer look.

The problem boils down to insufficient validation of unsafe input; specifically there are a few places where the module constructs commands that it passes to the shell and these needed more validation.

There are a couple of different ways that this vulnerability can be exploited; let's look at two interesting vectors.

The vulnerable code is in the AI Automators (sub)module. One of the workflows this provides involves using an LLM to analyse video. An example of how this might be used is explained in this video by Marcus Johansson - one of the AI module maintainers:

https://workflows-of-ai.com/workflow/automatic-video-editor (although some module names have changed, the functionality is mostly the same).

That workflow involves setting up a content type with a couple of file fields - one for an input video, and the other for the output video. There also needs to be a text field for a prompt for the LLM.

The idea is that a user might upload a video file and prompt the LLM to edit out certain parts; for example "cut out the adverts".

Behind the scenes, the module uses ffmpeg to do the video processing - to do so it generates shell commands including the path to the uploaded input file, and in some cases timestamps which are provided by the LLM.

An example of the vulnerable code:

There's certainly some unsafe input here, and it's not being suitably escaped for use in a shell command.

The timestamps used to edit video come from the output of the LLM, and it turns out that it's not hard to get the LLM to collude in achieving a Command Injection attack.

I tested using ChatGPT (4o-mini to be exact) - other providers and models are supported - and was able to exploit the vulnerability by including something like this in my prompt:

That prompt led the LLM to respond to one of the internal requests made by the module for a JSON string with start and end times for a section of video with the following:

The module then uses those start and end times to generate the following command line:

...which is passed to PHP's exec() without any escaping or sanitisation.

The result is successful Command Injection; using a webserver to return a suitable payload to the injected curl command, I got a reverse shell.

That was certainly interesting and fun, but there was at least one other way to achieve Command Injection here.

Drupal does not - by default - sanitise the filename given to an uploaded file, although it is capable of doing so.

It was possible to exploit the vulnerable calls to shell_exec / exec in the module using just a malicious filename for the input video.

In some cases browsers add escaping / encoding which might get in the way of supplying a Command Injection payload via an uploaded file, but an attacker could use a tool like BurpSuite to send the appropriate HTTP request without "help" from the browser.

Here's an example of part of a HTTP payload in burp:

In my tests with a vanilla install of Drupal CMS I ended up with an entry in the file_managed table like this:

...and that was enough to achieve Command Injection before there was any interaction with the LLM.

The command that was sent to exec in this case was:

Although it only becomes a problem if code processes it in an unsafe way, I don't think Drupal should allow this filename in the first place; I filed https://www.drupal.org/project/drupal/issues/3516706 to work on that.

So is that the end of the story?

Well, nearly... but there was also another closely related issue: https://www.drupal.org/sa-contrib-2025-022 (assigned CVE-2025-31693).

This is a "Gadget Chain" (aka POP chain) so it's not directly exploitable in isolation. However, were a bad actor to find a PHP Object Injection (aka unsafe deserialization) vulnerability in a Drupal application with (a vulnerable release of) the AI module installed, this could be exploited to achieve Arbitrary File Deletion, and possibly even Remote Code Execution.

The code in question was:

The problem here is that in a PHP Object Injection scenario, the attacker can control the value of the $tmpDir property.

A straightforward attack here might set that property to the path of a file the attacker wants to delete; perhaps a .htaccess file protecting a directory, or settings.php if the attacker wants to watch the world burn cause disruption.

However this code is not just deleting the file (e.g. with unlink() which is typically the case with File Deletion gadget chains), it's passing the value to a shell command without sanitisation. We've just seen what an attacker can do with that.

There is a call to file_exists() so whatever value the attacker supplies has to pass that check.

However, we've also just seen that Drupal will - by default - allow filenames that can be dangerous when handled in an unsafe manner.

So if the attacker can upload a file with a Command Injection payload embedded in the filename, they could use that to escalate the exploitation of this Gadget Chain to full Remote Code Execution.

In this case, no workflow has to be set up with the vulnerable automation; so long as the submodule is enabled the class should be autoloaded, and that's sufficient for the exploit to be viable (but - to emphasise again - this is only a problem if there's an insecure deserialisation vulnerability in the application in the first place).

There is - in fact - another Gadget Chain present in Drupal's dependencies that could be used to achieve this exploit even if the attacker cannot upload files.

The good news is that if the AI module is up-to-date (release 1.0.5 or newer) none of these vulnerabilities are present.

The fixes mostly involved using PHP's escapeshellarg (and related functions) to ensure that unsafe input is sanitised before being passed to the underlying shell.

I'd like to thank Marcus in particular for his help investigating and remediating the issues; his response to being contacted by the Drupal Security Team was exemplary.

OWASP cautions that:

Data from all potentially untrusted sources should be subject to input validation, including not only Internet-facing web clients but also backend feeds over extranets, from suppliers, partners, vendors or regulators, each of which may be compromised on their own and start sending malformed data.

Inputs coming from an LLM certainly should be considered "untrusted" in general, and this was quite an interesting illustration of that in the context of web application security.

These are the links and resources from my presentation at https://webcamp.stanford.edu/session/managing-drupal-like-salesforce. I'll link to the recording as soon as it's available.

The difference in the amount our dev team has been able to contribute before vs. after completing the customized
version of the training Mike Annello did for the University of Denver.

https://mediaspace.du.edu/media/D10%20Contribution%20Animation/1_x8yhqfz4

Join us as we celebrate our 500th episode with Drupal founder Dries Buytaert! Reflecting on 13 years of our podcast and Drupal's 24-year journey, Dries shares his motivations, strategies, and insights into the future of Drupal. From community contributions and AI strategy to the impact of Drupal on organizations worldwide, this episode is packed with exciting updates and heartfelt reflections.

For show notes visit: https://www.talkingDrupal.com/501

• Reflecting on Milestones
• The Urgency Behind Starshot
• Cobwebs

Dries Buytaert - dri.es dries

Nic Laflin - nLighteneddevelopment.com nicxvan Stephen Cross- @stephencross

Drupal, as a system that focuses on flexibility and a modern approach to content publishing, is rapidly adopting AI solutions. It offers tools for integrating with artificial intelligence models (including OpenAI), which allows automating many processes: from content generation to translation and language analysis. In this article, I’ll introduce the operation of AI modules for Drupal, demonstrating their use with examples from a practical demo. 

A high-level comparison of some of the most-widely used Bootstrap framework-focused base themes, including feedback from some of their maintainers.

With more than 150 Bootstrap compatible Drupal 10 contributed themes on Drupal.org, selecting the best Bootstrap-powered base theme for you, your development team, and your project can sometimes come down to a superficial popularity contest. The lack of a clear comparison between the most widely-used and/or most well-known options is frustrating.

Rather than attempting the futile task of comparing all 150+ themes, based on my experience and conversations, I have selected the six (of what I consider to be) leading Bootstrap 5 compatible base themes for this task.

As someone who is not a dedicated front-end or theme developer, but is somewhat comfortable with the Bootstrap framework, I've used several of the options included in this comparison. This very site uses the Bootstrap base theme, our DrupalEasy Academy curriculum site and the Drupal Career Online theming lessons uses Bootstrap Barrio, and our Single Directory Component workshop utilizes Radix.

Despite my experience with several of the Bootstrap 5-powered base themes, I still didn't have a clear understanding of which one I should use or recommend based on different projects and teams. Gaining clarity in this area is the goal of this blog post.

In addition to my own experiences and research, I also contacted the most active maintainer(s) of each base theme and asked each to provide some feedback about their projects.

The base themes I decided to compare in this blog post were based on previous experiences, usage numbers on drupal.org and comments on a social media post about this topic that I posted in early April, 2025.

*Note: It is not lost on me the potential confusion between the three base themes with "Bootstrap" in their name! 

*Commits on current release branch in 2025

From the data above, it is clear to see that Bootstrap has (by far) the most usage, half have had a release in the last six months (November 2024 - April 2025,) with the other half having no commits on the listed branch in 2025 yet.

One of the first things I do when evaluating a base theme is to take a look at how they handle CSS compiling. Generally, this falls into one of three categories:

• no built-in support (meaning the base theme is primarily designed for CSS, not Sass)
• Sass files provided along with CSS compilation tools (usually in the form of a package.json file)
• Sass files provided, but un-opinionated about compiling CSS (meaning it is up the developer)

Note: a developer or team's front-end tool chain can take many different forms, so this section is mostly geared towards folks not comfortable setting up their own toolchain.

For our contenders, here's what I found:

• Artisan: recommended subtheme includes Sass files and package.json featuring Laravel Mix.
• Bootstrap: provides both a CSS-only subtheme and a Sass-based subtheme that includes a package.json featuring Gulp.
• Bootstrap 5: recommended subtheme includes Sass files and a package.json file.
• Bootstrap Barrio: provides both a CSS-only subtheme and a Sass-based subtheme that includes a package.json featuring Gulp.
• Radix: recommended subtheme includes Sass files and package.json featuring Laravel Mix and BiomeJS
• UI Suite Bootstrap: recommended subtheme includes Sass files

With the Drupal community's love affair with single directory components (SDCs) not looking to wane anytime soon, it is becoming more-and-more common for base themes to include a useful set of components that can be utilized.

Ideally, (IMHO) SDCs should be entirely self-contained, not relying on libraries or Sass source files that don't reside in the SDC. Unfortunately, this is not always possible, but it is something that I definitely consider when doing my evaluation. Here's how our contenders incorporate SDCs:

• Artisan: includes components both in base theme and recommended subtheme
• Bootstrap: includes components in base theme
• Bootstrap 5: no components included
• Bootstrap Barrio: includes components in base theme
• Radix: includes components in base theme
• UI Suite Bootstrap: includes components in base theme

I honestly didn't consider this aspect until one of the base theme maintainers I interviewed mentioned it. Some base themes expose a lot of configuration options through Drupal's Appearance admin UI settings pages and some do not. Different theme developers might have different preferences - often those newer to theme development (or those for whom it is not a full-time job) prefer more configuration options exposed in the Drupal admin UI.

• Artisan: Many configuration options including colors, fonts and column widths. Many configurations utilize CSS variables.
• Bootstrap: Some configuration options including Color module and Bootswatch integration.
• Bootstrap 5: Few configuration options.
• Bootstrap Barrio: Many configuration options including Bootstrap grid classes.
• Radix: Very few configuration options.
• UI Suite Bootstrap: Very few configuration options.

For base themes, I find that a little bit of documentation goes a long way. I don't expect base theme contributors to document every single possible use case, but I do hope that enough documentation exists for a developer to understand the theme's pros and cons and provide enough step-by-step instructions to demonstrate (with examples) best practices when building out a subtheme.

• Artisan: Limited to project page and project README file.
• Bootstrap: Drupal.org doc pages
• Bootstrap 5: Limited to project page and project README file.
• Bootstrap Barrio: Many links from project page, but not all are up-to-date
• Radix: Dedicated documentation site
• UI Suite Bootstrap: Limited to project page and project README file.

About half-way through my research for this blog post, I realized that without direct experience with all of them (which I do not have,) it would be best if I gave each project's maintainers a chance to provide some feedback.

I contacted the most active maintainer(s) for each project (based on number of commits over the past six months) and asked them the same three questions:

1. What are the advantages of (your base theme) over other modern Drupal Bootstrap-based base themes?
2. What are the disadvantages?
3. Is your base theme designed for a particular level of front-end developer (beginner, intermediate, advanced?)

I considered asking an additional question about how well positioned each base theme is for integration with Experience Builder, but I decided against it as we're still at least 5 months away from its initial release and didn't think it was an entirely fair question.

I received responses from maintainers of Bootstrap, Bootstrap Barrio, Radix, and UI Suite Bootstrap, and have included summaries of each of their responses here.

Unfortunately, the maintainer didn't respond to my message.

Alberto Siles (hatuhay on drupal.org) is one of the maintainers of both Bootstrap and Bootstrap Barrio. He mentioned that he took over maintenance of Bootstrap after it was abandoned - originally only to provide updates to it, "but now it depends on the community if they embrace the new code or not." He will continue to maintain both base themes (wow!) and improvements to each will depend on feedback (and help) he receives in each issue queue.

About Bootstrap Barrio's advantages, he wrote, "Long term stability, proven code, but mostly, the theme is designed in a way that makes it easy to upgrade in both Bootstrap and Drupal major versions seamlessly. Now, the code is constantly updated for both Drupal and Bootstrap enhancements, this is also a modern theme in every aspect."

He also mentioned that Bootstrap Barrio is designed for developers of all skill levels, as it is the "subtheme that discriminates. The basic subtheme will let you work with predefined color pallets, Google fonts and other backend configuration and some css, while the Sass version will setup, in minutes, a custom compiled version of Bootstrap."

Vladimir Roudakov (vladimiraus on drupal.org) replied, "Janna (jannakha on drupal.org) and I created the Bootstrap 4 and consequently Bootstrap 5 themes as simple, non-prescriptive, and very flexible Bootstrap themes. At the time, 2020-2021, there were no lightweight Bootstrap-based themes, and the original Bootstrap theme was heavily outdated."

He also mentioned that this base theme is geared towards intermediate-level developers and requires "minor tweaking for Sass setup."

Sohail Lajevardi (doxigo on drupal.org) said that some of Radix's advantages include being one of the first Drupal base themes to include SDCs, the use of modern front-end tools (including Laravel Mix and BiomeJS), its own command-line utility, very good documentation (including YouTube videos), and an effort to minimize Drupal-isms.

Interestingly, he also mentioned that, "I always considered Radix to be a theme and not a configuration vehicle, so we do everything where it needs to be, in the theme. No configuration mix up." I found this an especially interesting contrast to several of the other contenders, notably Bootstrap Barrio and Artisan, both of which utilize a good number of configuration options in Drupal's Appearance settings.

He did mention a disadvantage being "Not easy to understand all the tools and bells of the theme for a newcomer." But he did reiterate Radix's documentation being a solution for this - especially for those new to it. 

This base theme is a bit of an outlier, as it is very closely tied to the UI Suite project. I don't have a good handle on how likely it would be for a team to decide to use this base theme if they aren't UI Suite module users as well.

Florent Torregrosa (grimreaper on drupal.org) stressed that this project is a "production ready, design-system-oriented-first theme." He went on to say that together with UI Suite, the base theme provides "tools to allow site builders to configure how they want the design system artifacts (components, styles, Icons, CSS variables, etc.) to fit their business needs. And so we have nothing hardcoded for specific content types or other content entities, bundles, or fields."

Michael Fanini (g4mbini on drupal.org) added that it "packages in one place all Bootstrap specification & designs artifacts (components, style utilities, icons, forms, …) with modern tools from core (SDC, Icon API)" and together with other UI Suite modules provides a no/low-code method for Site-builders to connect Drupal fields to Bootstrap components.

In fact, as I've learned more and more about the UI Suite eco-system of projects, the more it is evident that one of its primary goals is to make it as "design-system-oriented" as possible, as well as prioritize no/low code field-to-component mapping. Much of this means that rather than the Drupal developers providing the Drupal-y templates to the non-Drupal-y front-end developers, it is the front-end developers who provide the components to the Drupal developers to wire to Drupal entities, bundles, and fields. The UI Suite ecosystem maintainers refer to this concept as "inverting the workflow."

As for disadvantages, he notes that its current dependencies on other UI Suite ecosystem modules is less-than-ideal, but as each of the dependencies are at different stages of being added to Drupal core, this is likely a short-term issue. 

Ugh - I figured I'd have to write this section, even though I knew it would not be possible to have a single "I recommend using base theme X" statement. Instead, here's my one-line opinion for each:

• Artisan: With so many configuration options, this might be the best option for beginners or lower-budget sites. It is, however, not used by very many sites (yet?) and the documentation could be better.
• Bootstrap: Nothing compelling over any of the other contenders.
• Bootstrap 5: Less prescriptive than Bootstrap Barrio - could be a solid choice for more intermediate-level theme developers.
• Bootstrap Barrio: A comfortable and solid choice for me, despite a few annoyances (probably due to the fact that I currently use this project the most.) But, moving forward, I'd like to see this base theme leading the way into a no-Sass future. (One that utilizes PostCSS instead, perhaps?)
• Radix: I'm a sucker for good documentation and do appreciate the opinionated nature of Radix minimizing the configuration options. I like the fact that it is SDC-forward and will definitely consider using this for my next custom theme project.
• UI Suite Bootstrap: A very compelling option for those projects that are design-system first. The close ties to the UI Suite of modules could complicate things though. Finally, it's installation requires a few more manual steps than the other contenders. 

AI was used in the authoring of this blog post for the social media share image.

Working with content in a CMS on a daily basis can be time-consuming and challenging, from correcting typos to scheduling publications to testing the layout on different devices. Fortunately, Drupal offers ready-made modules that make content editors' lives much easier. Below you'll find 12 suggestions for free tools you can enable with a single click to make your content management system more efficient and convenient. This article is based on my video on the same topic, which you can see on our Nowoczesny Drupal channel. 

The default autocomplete widget for taxonomy terms in Drupal works, but it has limitations that affect user experience.

Users need to know what terms exist before they can search for them, and there’s no easy way to reorder selected terms.

Autocomplete Deluxe solves these problems by providing an enhanced widget with better usability.

This tutorial explains how to install and configure the Autocomplete Deluxe module to improve the tagging experience on Drupal sites.