- Please use dependency injection in place of static calls to different services like database. - You should use a constant or configuration for the BASE_URL of the external URL (https://my.sendinblue.com). This should not be hardcoded at multiple places in code. - sendinblue_page_attachments(): why do you add you admin library to every page? You should only add it on the render array of admin pages? - SendinblueManager: do not call mail() directly, use Drupal's configured mail system instead. This is currently a blocker because developers expect that on a dev site no emails go out if they have configured a dev mail system. If you are using mail() directly then you are bypassing that assumption and a developer might send unintended mails from their dev site. - SignupAccessControlHandler: a default of allowing access at the end of the checkAccess() method is not a good idea. A default to deny access to avoid any access bypass problems is more secure. - class Signup: the doc blocks seems copied from an example module? Please replace all wrong example docs with real docs about your entity. - ConfigurationSendinblueForm::validateForm(): Du not change configuration in a validation method, that should be done in the submit method. - ConfigurationSendinblueForm::validateForm(): do not flush caches in a validation method, should also be done on submit only. drupal_flush_all_caches() s expensive, can you only flush the menu related caches? - class RegisteringUserForm: doc block talks about SMTP, but it looks like the class is dealing with user registrations? Please update all your class doc comments. - I double checked that the D7 permission related vulnerability is fixed on the 7.x-1.x branch, so we should be good there. - I fix all Drupal and DrupalPractice PHPCS