What's new for developers? (February 2026)

· 6 min read
Victor Jimenez
Software Engineer & AI Agent Builder

February 2026 feels like the month where the industry admitted two things at once: security assumptions were wrong, and "AI everywhere" still does not mean "useful everywhere." The signal is in practical changes, not launch videos.

Google API Keys Weren't Secrets. But then Gemini Changed the Rules.

The old rule ("browser keys are fine if restricted") broke when key scopes and product boundaries blurred. If a key pattern that was safe for Maps can now expose Gemini-powered billable and sensitive operations, your key governance model is outdated overnight.

Quoting Benedict Evans

The "capability gap" framing is polite language for weak day-to-day product fit. This matters because model demos are no longer the bottleneck; habit-forming product design is.

tldraw issue: Move tests to closed source repo

Open tests can become replication blueprints for commercial competitors. Harsh, but real: if tests encode product behavior comprehensively, they are strategic IP, not just QA assets.

Responsive Favicons (SA-CONTRIB-2026-019)

Persistent XSS from admin-entered text reminds us that "admin input" is still untrusted input. Internal users are still attack paths.

SAML SSO - Service Provider (SA-CONTRIB-2026-018)

Critical reflected XSS in an auth-adjacent module is high-risk by default. Identity plumbing is the worst place to gamble on sanitization shortcuts.

Drupal Canvas (SA-CONTRIB-2026-017)

SSRF plus information disclosure is a classic combo for lateral movement. Any module that fetches remote resources needs strict outbound controls.

Islandora (SA-CONTRIB-2026-016)

Arbitrary file upload plus XSS is the kind of chain that turns "content management" into "incident response." DAM integrations need hard file validation and execution boundaries.

CAPTCHA (SA-CONTRIB-2026-015)

Access bypass via weak token invalidation means anti-bot controls can become theater. Security controls fail quietly when token lifecycle logic is sloppy.

Anti-Spam by CleanTalk (SA-CONTRIB-2026-014)

Reflected XSS with complex conditions is still exploitable in real-world mixed environments. "Uncommon" is not the same as "ignorable."

Tagify (SA-CONTRIB-2026-013)

Impact: XSS risk is highest anywhere Tagify values can be attacker-controlled and then rendered back into admin or editorial interfaces.

Patch strategy: update to the fixed contrib release immediately, backport the escaping/sanitization change only if upgrade is blocked, and clear caches to ensure updated assets are served.

Regression checks: confirm tags with payloads like <img src=x onerror=alert(1)> render as inert text, verify add/edit/autocomplete flows still work, and rerun smoke tests on forms that use Tagify widgets.
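The regression check above can be scripted. This is an added example, not code from the Tagify module or its fix: `renderTagUnescaped` and `renderTagFixed` are hypothetical stand-ins for the widget output before and after the escaping change, and `auditMarkup` is the check you would point at markup captured from your own forms.

```javascript
// Added example; all function names here are hypothetical, not the module's API.
const PROBES = [
  '<img src=x onerror=alert(1)>', // payload quoted in the section above
  'R&D "beta"',                   // constructed: legitimate tag with special characters
  'plain-tag',                    // constructed: ordinary tag
];

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Stand-in for the vulnerable rendering: the tag value is interpolated as-is.
function renderTagUnescaped(value) {
  return `<span class="tag" title="${value}">${value}</span>`;
}

// Stand-in for the fixed rendering: the value is encoded before interpolation.
function renderTagFixed(value) {
  const v = escapeHtml(value);
  return `<span class="tag" title="${v}">${v}</span>`;
}

// Audit rendered markup for one submitted tag value. It reports any element
// other than the expected wrapper, and a value that is not entity-encoded.
function auditMarkup(html, value, allowed = ['span']) {
  const problems = [];
  const opened = [...html.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  const extra = [...new Set(opened.filter((name) => !allowed.includes(name)))];
  if (extra.length) problems.push(`unexpected element: ${extra.join(', ')}`);
  if (!html.includes(`>${escapeHtml(value)}</`)) {
    problems.push('value not entity-encoded in text context');
  }
  return problems;
}

// Run every probe through a renderer and return only the failing ones.
function runRegression(render) {
  return PROBES
    .map((value) => ({ value, problems: auditMarkup(render(value), value) }))
    .filter((result) => result.problems.length > 0);
}
```

The `R&D "beta"` probe covers the other half of the check: a legitimate tag must come back encoded exactly once, so the add/edit flow keeps working after the fix.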

Theme Negotiation by Rules (SA-CONTRIB-2026-012)

CSRF on configuration-related behavior is dangerous because it changes presentation logic that can influence trust and workflow. Theme-level logic is not "just cosmetic."

Material Icons (SA-CONTRIB-2026-011)

Route permission mistakes remain one of the most boring and most common Drupal security failures. Boring failures are still expensive.

Claude Code Remote Control

Remote-control sessions from web/mobile clients are useful, but early reliability friction shows the usual enterprise rollout gap: feature exists, entitlement path is messy.

I vibe coded my dream macOS presentation app

Great case study in "build exactly what you need tonight." Also a reminder that one-off internal tools are becoming the new superpower for small teams.

#206 – Jonathan Desrosiers on WordPress sustainability and releases

Tying releases to community events sounds nice until time zones, holidays, and contributor availability collide. Governance logistics are product strategy, not admin overhead.

Open WebUI + Docker Model Runner

Zero-config local model wiring lowers self-hosting friction significantly. The real win is not "open source AI" branding, it is operational simplicity for teams.

mark.ie: "Let's work on WebMCP for Drupal"

WebMCP interest shows where things are heading: protocolized agent-tool interaction inside CMS workflows. Early, but worth tracking.

mark.ie: Drupal Workspaces Revisited

Workspaces are powerful but still cognitively expensive. Better guidance and defaults matter more than adding another feature flag.

What's New in WebGPU (Chrome 146)

Compatibility mode on OpenGL ES 3.1 and transient attachments improve practical portability and memory behavior. This is infrastructure progress, not headline hype.

PHP 8.4 latest patch release

Patch-level updates still matter because ecosystems quietly depend on them for stability and security. "No new feature" does not mean "no urgency."

Quoting Kellan Elliott-McCrea

Coding was never the full job; agency was. This framing matters now because AI changes implementation speed, not the need for judgment and responsibility.

Linear walkthroughs (Agentic Engineering Patterns)

Structured codebase walkthroughs are becoming a core onboarding pattern. If an agent can explain architecture quickly, team ramp-up gets cheaper.

Tag1 Insights: What I Learned Using AI for Drupal Development

The useful part is not "AI replaced dev work," it is where AI reduced grind in specific module tasks. Pragmatic adoption beats ideology.

What I Learned Using AI for Drupal Development (duplicate coverage)

Same lesson reinforced: applied AI wins come from bounded, testable tasks, not from asking for magic.

How we rebuilt Next.js with AI in one week

The interesting part is not the speed claim; it is measurable outcomes (build time, bundle size, deployment path). Benchmarkable claims are the only claims that matter.

How to turn off AI features in Firefox

User-choice controls for AI are now a competitive feature. Consent and configurability are product differentiators, not legal afterthoughts.

Iframed Editor Changes in WordPress 7.0

Switching to checking only inserted blocks for iframe eligibility is a practical compatibility improvement. Fewer global assumptions, fewer accidental regressions.

go-size-analyzer

Treemap-driven Go binary analysis is exactly the kind of tooling that improves engineering decisions fast. Visibility into size costs should be standard in CI.

Multi-agent workflows often fail. Here’s how to engineer ones that don’t.

Most failures are architecture failures, not model failures. Reliability comes from orchestration patterns, constraints, and clear handoffs.

Node.js 25.7.0 (Current)

Current line keeps moving fast, which is useful for experimentation but still risky for conservative production stacks.

Node.js 24.14.0 (LTS)

LTS updates remain the sane default for teams that value predictability over novelty. Stability is a feature.

From the Captain’s Chair: Kristiyan Velkov

Community leadership content is useful when it shows operational practice, not just personal branding. Docker’s ecosystem strength is still education-driven.

First run the tests (Agentic Engineering Patterns)

With coding agents, tests are no longer optional guardrails. They are the contract that keeps fast iteration from becoming fast damage.

Specbee: Drupal agency vs general web agency

Stack specialization still matters because platform-specific failure modes are expensive. "Any web agency can do it" is often procurement optimism.

Joachim's blog: Release more code: the technical stuff

Releasing custom code as contrib is less about heroics and more about packaging discipline, abstraction, and maintenance readiness. Open source starts with cleanup work.

Conclusion: the main takeaway.

The pattern this month is simple: security assumptions are shifting, governance and tooling decisions are getting more strategic, and AI value appears where teams apply structure, tests, and clear constraints. Hype is loud; operational rigor is winning.