Drupal is a registered trademark of Dries Buytaert
cms 2.1.3 Update released for Drupal core (2.1.3)! drupal 10.5.11 Update released for Drupal core (10.5.11)! drupal 11.3.11 Update released for Drupal core (11.3.11)! drupal 11.2.13 Update released for Drupal core (11.2.13)! drupal 10.6.10 Update released for Drupal core (10.6.10)! cms 2.1.2 Update released for Drupal core (2.1.2)! drupal 11.1.10 Update released for Drupal core (11.1.10)! drupal 10.5.10 Update released for Drupal core (10.5.10)! drupal 10.4.10 Update released for Drupal core (10.4.10)! drupal 11.2.12 Update released for Drupal core (11.2.12)! drupal 11.3.10 Update released for Drupal core (11.3.10)! drupal 10.6.9 Update released for Drupal core (10.6.9)! drupal 10.6.8 Update released for Drupal core (10.6.8)! drupal 11.3.9 Update released for Drupal core (11.3.9)! drupal 11.3.8 Update released for Drupal core (11.3.8)! drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)!
← All modules

cwv

8 sites Security covered
View on drupal.org

Real-user Core Web Vitals for Drupal.

Captures LCP, CLS, INP, FCP, and TTFB from real visitor browsers using the standard web-vitals JS. Stores them in two tables: cwv_beacons for real-user data, cwv_probes for cron-driven synthetic observations. Renders correlation panels at /admin/reports/cwv that join each metric to backend signals.

What you can answer out of the box:

  • Does Drupal's page cache hit rate predict LCP on this route?
  • Are slow INP outliers concentrated on logged-in pages?
  • Did the count of "poor" beacons shift after the deploy on Tuesday?
  • Which routes have the worst p75 TTFB?

No third-party service. No JS calls to external endpoints. Data stays in your database.

Privacy and hardening. Capture is off after install. Sampling defaults to 0.1. Per-IP flood protection and a configurable table-size guard defend the endpoint. Three URL-storage policies (hash, path-only, full) cover the GDPR / CCPA exposure the site can tolerate. Outlier filtering is on by default for new installs and drops obvious non-RUM noise (backgrounded-tab artefacts, broken-page beacons) before storage. SECURITY.md and PERFORMANCE.md in the repo cover the full posture and sizing tables.

Built as a substrate. A frozen, security-advisory-covered collector contract with four shapes (synchronous, async-decoration, probe, panel-contribution) lets sibling modules add their own context fields and report panels via a single tagged service. Built-in collectors ship the Drupal cache state, render-tree size, backend cache hit/miss, database query count, OPcache and APCu runtime health, edge-cache state across the major CDN vendors, and upstream / CDN request-ID correlation.

Roadmap in ROADMAP.md. Contract design in docs/collector-contract.md.

Activity

Total releases
23
First release
Apr 2026
Latest release
3 weeks ago
Release cadence
1 day
Stability
43% stable

Release Timeline

Releases

Version Type Release date
1.5.0-beta1 Pre-release May 19, 2026
1.4.4 Stable May 19, 2026
1.4.3 Stable May 19, 2026
1.4.2 Stable May 11, 2026
1.4.1 Stable May 11, 2026
1.4.0 Stable May 11, 2026
1.3.0 Stable May 11, 2026
1.2.0 Stable May 11, 2026
1.1.0 Stable May 11, 2026
1.1.0-alpha3 Pre-release May 11, 2026
1.0.1 Stable May 10, 2026
1.0.0 Stable May 10, 2026
1.0.0-beta1 Pre-release Apr 30, 2026
1.0.0-alpha10 Pre-release Apr 30, 2026
1.0.0-alpha9 Pre-release Apr 29, 2026
1.0.0-alpha8 Pre-release Apr 29, 2026
1.0.0-alpha7 Pre-release Apr 29, 2026
1.0.0-alpha6 Pre-release Apr 28, 2026
1.0.0-alpha5 Pre-release Apr 27, 2026
1.0.0-alpha4 Pre-release Apr 27, 2026
1.0.0-alpha3 Pre-release Apr 27, 2026
1.0.0-alpha2 Pre-release Apr 26, 2026
1.0.0-alpha1 Pre-release Apr 26, 2026