Drupal Security Advisories Now Integrated with OSV Database
Drupal's official security advisories are now published to OSV.dev, marking a significant milestone in expanding the visibility and integration of vulnerability data across modern package ecosystems.
Since 2005, Drupal users have relied on mailing lists, RSS feeds, and in-system notifications to stay informed about critical security updates. Tools such as the Update module and Composer's audit command have provided site-specific insights, but each has limitations in scope and accessibility. With the rise of multi-package project dependencies and increasingly automated workflows, there has been growing demand for a more unified and ecosystem-agnostic vulnerability tracking approach.
OSV.dev, an open source vulnerability database maintained by Google and community collaborators, offers a standardized format that supports a wide range of package managers and ecosystems. With Drupal advisories published to this platform, site maintainers can now use tools like OSV-Scanner to generate comprehensive reports that span both PHP and non-PHP components, such as npm packages. This approach reduces noise, minimizes manual tracking, and enables faster awareness of critical issues, regardless of the underlying technology stack.
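To make the "standardized format" concrete, here is an added example (not code from Drupal, OSV.dev or OSV-Scanner) that reads an OSV-format advisory record and matches it against the packages listed in a composer.lock file, the same range evaluation a scanner performs. The advisory record and the lock-file excerpt are constructed for illustration; the advisory id is a placeholder, and the ecosystem name "Packagist" and the package name "drupal/core" are assumptions about how Composer packages are keyed. Version comparison is simplified to numeric dotted versions, whereas OSV's real matching is ecosystem-specific.

```python
"""Match installed Composer packages against OSV-format advisories.

Added example, not Drupal's or OSV's own code. The OSV schema fields used
here (id, affected[].package, affected[].ranges[].events) are real; the
advisory content below is constructed and its id is a placeholder.
"""
import json
import re

# Constructed OSV-format advisory. "Packagist" and "drupal/core" are
# assumptions about how Composer packages are identified in OSV records.
SAMPLE_ADVISORY_JSON = r'''
{
  "id": "EXAMPLE-SA-0000",
  "summary": "Placeholder advisory used to illustrate the OSV schema",
  "affected": [
    {
      "package": {"ecosystem": "Packagist", "name": "drupal/core"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "10.0.0"}, {"fixed": "10.2.5"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "11.0.0"}, {"fixed": "11.0.3"}]}
      ]
    }
  ]
}
'''

# Constructed slice of the "packages" array of a composer.lock file.
SAMPLE_COMPOSER_LOCK_JSON = r'''
{"packages": [
  {"name": "drupal/core", "version": "10.2.3"},
  {"name": "symfony/console", "version": "6.4.2"}
]}
'''


def parse_version(v: str) -> tuple:
    """Simplified: numeric dotted versions only ("10.2.3" -> (10, 2, 3)).
    OSV's real comparison is ecosystem-specific; Drupal 7-style
    "7.x-1.0" strings are not handled by this toy comparator."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_in_events(version: str, events: list) -> bool:
    """Walk one OSV range's ordered event list and report whether
    `version` lies inside it. "introduced" opens a window ("0" means
    every version), "fixed" closes it, "last_affected" closes it after
    the named version."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            intro = ev["introduced"]
            if intro == "0" or parse_version(intro) <= v:
                affected = True
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= v:
                affected = False
        elif "last_affected" in ev:
            if parse_version(ev["last_affected"]) < v:
                affected = False
    return affected


def find_vulnerable(lock: dict, advisories: list) -> list:
    """Return (package, version, advisory id) for every installed package
    that falls inside at least one affected range of an advisory."""
    installed = {p["name"]: p["version"] for p in lock["packages"]}
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            name = aff["package"]["name"]
            if name not in installed:
                continue
            ver = installed[name]
            for rng in aff.get("ranges", []):
                # Ranges are independent: any matching range is a hit.
                if rng["type"] in ("SEMVER", "ECOSYSTEM") and \
                        version_in_events(ver, rng["events"]):
                    hits.append((name, ver, adv["id"]))
                    break
    return hits


def scan_sample() -> list:
    """Run the matcher over the constructed lock file and advisory."""
    return find_vulnerable(json.loads(SAMPLE_COMPOSER_LOCK_JSON),
                           [json.loads(SAMPLE_ADVISORY_JSON)])


if __name__ == "__main__":
    for name, ver, adv_id in scan_sample():
        print(f"{name} {ver} is affected by {adv_id}")
```

The point to notice is that an OSV record carries machine-readable affected ranges rather than a free-text "upgrade to X" sentence, which is what lets one scanner evaluate Drupal, npm and other ecosystems with the same logic; the version comparator is the one part that must be ecosystem-aware in a real tool.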
The initiative was developed through joint efforts involving contributors from Google, Ackama, the Drupal Association, and the Drupal Security Team. Key individuals including Gold, Gareth Jones, Greg Knaddison, Dave Long, Peter Wolanin, and Neil Drumm played active roles in automation and maintenance planning. This work builds on foundational infrastructure shaped over many years, including contributions by Derek Wright to the Update module and API systems on Drupal.org that now power OSV integration.
Publishing to OSV.dev is expected to streamline security operations across Drupal’s diverse user base and lower the barrier for adopting automated vulnerability scanning. It also opens opportunities for tighter integration between Drupal and external projects that already leverage OSV data. The move reflects a broader shift toward transparency, collaboration, and shared tooling in the open source security landscape, offering site builders and maintainers a more robust way to ensure their projects remain secure and up to date.
