Coming Soon: Tag1’s First Public Drupal 7 Core Release from D7ES
November 7, 2025
Keeping Drupal 7 Secure Beyond End of Life
Even as Drupal 7 reached end-of-life support January 2025, thousands of organizations continue to rely on it for mission-critical websites. Tag1’s Drupal 7 Extended Support (D7ES), program helps those teams maintain security and stability.
This month marks an important milestone: our first Drupal 7 core security release will be made available to the public, through the D7ES Announcements Page
This release is more than a patch, it represents Tag1’s continued commitment to the Drupal community and the open-source values that built it.
What’s in This Release
This update, already available to D7ES customers, introduces two key changes:
-
A security fix for a vulnerability in JavaScript prototypes that can pollute all objects in an application
-
PHP 8.4 compatibility updates, ensuring Drupal 7 sites continue running securely on modern infrastructure
“This was our first official Drupal 7 core release under D7ES, a significant milestone that included both a critical security vulnerability fix and coordinated PHP 8.4 compatibility updates. This is important to me because releasing them together, the community only needs to regression test once.”
Lucas Hedding — D7ES Security Lead, Tag1 Consulting
Why This Release Matters
Many organizations depend on Drupal 7 for active production environments. Without extended support, those sites are exposed to:
-
Publicly known exploits (since vulnerabilities are disclosed on Drupal.org after fixes)
-
Compliance failures tied to outdated PHP versions
-
Dependency vulnerabilities from libraries like jQuery BBQ or CKEditor 4 (now end-of-life)
Tag1’s D7ES program bridges that gap by offering:
- Immediate access to verified, production-tested security patches
- Ongoing support for Drupal 7 core and key contrib modules
- Proactive compatibility updates for modern PHP versions
- One-on-one support for complex enterprise environments
Why Tag1 Publishes Its Patches
While D7ES customers receive all security updates first, Tag1 believes in balancing business continuity with open-source stewardship. That’s why we publish D7ES patches publicly one month after customer release, a commitment that reflects our belief in transparency and community responsibility.
“Even though it might be stronger business to keep them private, we think transparency and open collaboration make Drupal stronger overall”
Luke Pekrul — Project Manager, Tag1 Consulting
Why This Release Matters
Tag1 is the only D7ES provider sharing its patches publicly, helping ensure the entire Drupal 7 ecosystem remains more secure, even for those outside our customer base.
Stay Informed
You can follow future advisories and announcements here:
About Tag1’s D7ES Program
Tag1 Consulting is one of the official providers of Drupal 7 Extended Support (D7ES), a select group authorized by the Drupal Association to offer long-term support beyond end of life.
We help organizations:
- Keep Drupal 7 sites secure and compliant
- Maintain PHP and infrastructure compatibility
- Transition safely to modern Drupal or other platforms
If your organization still runs Drupal 7, you don’t have to choose between risk and rebuild. Tag1 D7ES keeps your site secure while you plan what’s next.