If you build Drupal sites on Vortex - our open-source project template that ships the whole scaffolding a Drupal project needs, from local Docker to CI to hosting - this is a release you'll feel across every project you run. Vortex 1.40.0 is a standardise-and-harden release. It tidies up the tooling you type every day, and it quietly bolts a lot more safety onto the parts of your pipeline you don't think about until something goes wrong.
None of it asks much of you. The security and reporting improvements apply the next time you build, with no configuration. The renames are a quick pass through your config. Here's what actually matters.
Your CI now scans for secrets and insecure workflows - automatically
Two security scanners now run in the CI lint stage on every project: Zizmor, which does static analysis of your GitHub Actions workflows and flags insecure patterns, and Gitleaks, which scans the repository for committed secrets and fails the build if it finds one.
The important word there is "automatically." You don't wire anything up, you don't opt in, and you don't maintain a config. On your next build they're just there, watching two of the most common ways a project quietly leaks credentials or ships a workflow that a supply-chain attack can walk straight through. If you've ever found an API key in your git history six months too late, this is the guardrail you wish you'd had.
Test results show up on the pull request, not buried in a log
PHPUnit and Behat results are now published natively to the GitHub Checks UI. When a test fails, you see it inline on the pull request - the specific test, right there next to the diff - instead of scrolling through raw CI output hunting for the one red line.
It's a small thing to describe and a big thing to live with. Reviewers stop context-switching to the CI tab. Failures become obvious. And the loop between "push" and "oh, that's what broke" gets a lot shorter, which is really what good tooling is for.
Accessibility checks that cover the whole site
The Behat test suite now produces a site-wide accessibility report, and it captures animated screenshots when something fails. Accessibility is one of those things everyone agrees matters and almost nobody tests continuously - usually because it's fiddly to set up. Here it's just part of the suite you already run. You get a report across the site rather than a single page, and when a regression sneaks in, the animated screenshot shows you what the page was actually doing instead of leaving you to reproduce it by hand.
Single Directory Components, ready to go
Vortex now ships Single Directory Component (SDC) tooling out of the box: a sample button component to copy from, drupal/sdc_devel included in require, and a CI check that validates your components and fails when sdc-devel:validate reports problems.
SDCs are the direction Drupal theming is heading, and the annoying part has always been the setup - getting the dev tooling in place and wiring validation into CI before you've written a single component. That's done for you now. New projects start with a working baseline and a real component to learn from.
The database commands finally speak one language
This is the big one, and it's why the release touches so many files. The database tooling has been standardised and hardened. download-db is now fetch-db. There are dedicated import-db and export-db scripts that both the provision flow and Ahoy reuse, so there's one code path instead of three that drifted apart over the years. And a new platform-agnostic task runner sits behind hosting operations.
The practical upside is consistency. The commands read as a set now - fetch, import, export, push - instead of a pile of names that grew organically and never quite matched. Fewer surprises, fewer "wait, was it download or fetch?" moments. There's a migration cost, which we'll get to, but the day-to-day result is tooling that behaves the way you'd guess it behaves. That's worth a lot when you're three coffees deep and just want the database on your machine.
The smaller things worth knowing
A few changes won't headline the release, but they're genuinely useful:
- SSH host-key pinning for deployments. You can now pin the remote host key instead of switching off strict host-key checking, and the GitHub Actions known_hosts is configurable per step. If your deploys have been living with strict checking turned off, this closes a real man-in-the-middle gap.
- A label-driven deployment gate. Deployments can be gated behind a pull-request label - an explicit, auditable switch for when a branch is actually allowed to go out.
- A multi-version installer. The installer can scaffold either the current 1.x line or the upcoming 2.x, and the documentation is now versioned per major line, so you're always reading the docs that match your version.
- A report-only config policy. Config validation moved from config.audit to config.policy for report-only installs.
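For the SSH host-key pinning item above, this added example (generic OpenSSH options, not Vortex's own scripts or variable names) flags settings that disable host-key verification and builds the pinned alternative. The host name, key blob and deploy line are constructed placeholders.

```shell
#!/bin/sh
# Added example using generic OpenSSH options; not taken from Vortex's scripts.

# Print "file:line:text" for every setting in the given files that disables
# host-key verification. Exit status 0 means at least one was found.
ssh_hostkey_audit() {
  # /dev/null as an extra operand makes grep always print the file name.
  grep -nEi 'StrictHostKeyChecking[ =]+(no|off)|UserKnownHostsFile[ =]+/dev/null' "$@" /dev/null
}

# Write the pinned known_hosts entry $1 ("host keytype base64") to file $2 and
# print the ssh options that enforce it. Returns 1 on a malformed entry.
# Only common key types are accepted here.
ssh_pinned_opts() {
  printf '%s\n' "$1" |
    grep -Eq '^[^ ]+ (ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*$' || return 1
  ( umask 077 && printf '%s\n' "$1" > "$2" ) || return 1
  printf '%s\n' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$2"
}

# Constructed placeholder entry: the host name and key blob are not real.
SSH_SAMPLE_ENTRY='deploy.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER0000'

# Constructed deploy line showing the weak pattern the audit should flag.
SSH_SAMPLE_WEAK='ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null deploy@deploy.example.test'

# Demo: flag the weak line, then print the options for the pinned entry.
demo_dir=$(mktemp -d)
printf '%s\n' "$SSH_SAMPLE_WEAK" > "$demo_dir/deploy.sh"
ssh_hostkey_audit "$demo_dir/deploy.sh" || true
ssh_pinned_opts "$SSH_SAMPLE_ENTRY" "$demo_dir/known_hosts"
rm -rf "$demo_dir"
```

With strict checking on and a known_hosts file holding only the pinned entry, ssh refuses a host that presents any other key instead of silently accepting it.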
What you'll need to update
Vortex 1.40.0 has breaking changes, but don't let that word scare you - most of them are find-and-replace renames in your .env file and hosting environment variables. The theme running through all of them is dropping vendor-specific prefixes and unifying names, so the tooling reads as one coherent set.
The ones to know about:
- DRUPAL_ENVIRONMENT is now ENVIRONMENT_TYPE.
- VORTEX_LOCALDEV_URL is now LOCALDEV_URL.
- Every VORTEX_DOWNLOAD_DB_* and VORTEX_DOWNLOAD_DB2_* variable is now VORTEX_FETCH_DB_* / VORTEX_FETCH_DB2_*. The ahoy fetch-db command keeps download-db as an alias, so scripted calls keep working - but the environment variables do need renaming.
- Deploy types are now artifact, webhook, and lagoon. The old container_registry type is gone, and image publishing moved to a dedicated push command.
- upload-db-s3 is now push-db-s3.
- ahoy reset hard is now ahoy reset --hard.
- VORTEX_LAGOON_AMAZEEIO_REGION is removed - the amazee.io trusted-host pattern was simplified and no longer needs it.
- Shipped tooling scripts are now prefixed with vortex-, and the user-facing ones are exposed as vendor/bin/vortex-*.
- PHPMD and the abandoned oomphinc/composer-installers-extender package have both been removed, and the deprecated sid_length / sid_bits_per_character keys are gone from services.yml (Drupal 11 core no longer supports them).
None of these are hard. Set aside ten minutes, grep your .env and hosting config for the old names, swap them, and you're done.
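The grep-and-swap pass described above, as an added example that is not part of Vortex: it covers only the environment-variable renames from the list and matches names as whole identifiers so unrelated variables are left alone. The sample .env, its values and the _EXAMPLE suffixes are constructed.

```shell
#!/bin/sh
# Added example, not Vortex code: apply the 1.40.0 variable renames to a .env file.

# Old names from the list above, matched only as whole identifiers.
VORTEX_OLD_NAMES='(^|[^A-Za-z0-9_])(DRUPAL_ENVIRONMENT|VORTEX_LOCALDEV_URL|VORTEX_LAGOON_AMAZEEIO_REGION|VORTEX_DOWNLOAD_DB2?_[A-Z0-9_]+)([^A-Za-z0-9_]|$)'

# Print "line-number:line" for each line of file $1 that still uses an old name.
# Exit status 0 means stale names remain; 1 means the file is clean.
vortex_env_stale() {
  grep -nE "$VORTEX_OLD_NAMES" "$1"
}

# Print file $1 with the renames applied; the file itself is not modified.
# The assignment of the removed VORTEX_LAGOON_AMAZEEIO_REGION is dropped.
vortex_env_migrate() {
  sed -E \
    -e 's/(^|[^A-Za-z0-9_])DRUPAL_ENVIRONMENT([^A-Za-z0-9_]|$)/\1ENVIRONMENT_TYPE\2/g' \
    -e 's/(^|[^A-Za-z0-9_])VORTEX_LOCALDEV_URL([^A-Za-z0-9_]|$)/\1LOCALDEV_URL\2/g' \
    -e 's/(^|[^A-Za-z0-9_])VORTEX_DOWNLOAD_DB(2?)_/\1VORTEX_FETCH_DB\2_/g' \
    -e '/^(export )?VORTEX_LAGOON_AMAZEEIO_REGION=/d' \
    "$1"
}

# Constructed sample .env; values and the _EXAMPLE suffixes are placeholders.
vortex_env_sample() {
  cat <<'EOF'
DRUPAL_ENVIRONMENT=local
VORTEX_LOCALDEV_URL=example.test
VORTEX_DOWNLOAD_DB_EXAMPLE=1
VORTEX_DOWNLOAD_DB2_EXAMPLE=1
VORTEX_LAGOON_AMAZEEIO_REGION=placeholder
MY_DRUPAL_ENVIRONMENT_NOTE=unrelated-name-stays
EOF
}

# Demo: list stale lines in the sample, then print the migrated file.
demo_env=$(mktemp)
vortex_env_sample > "$demo_env"
vortex_env_stale "$demo_env" || true
vortex_env_migrate "$demo_env"
rm -f "$demo_env"
```

Run vortex_env_stale again on the migrated output: anything it still reports, such as a leftover reference to the removed variable, needs a manual look.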
Get the details
That's the shape of this release: less friction in the commands you type, more safety in the pipeline you rely on. Every one of these lands on your project the next time you update - the security scanners and test reporting apply with no work on your part, and the renames are a quick pass through your config.
The full changelog, with every entry and the exact variable names, is on the 1.40.0 release page. And if you're new to Vortex and want to see what the template actually gives you, vortextemplate.com is the place to start.