STY Drupal Module Feeds

This is an incremental release of ctools, designed to support Drupal 9 and 10, dropping some legacy Drupal 8 services.

Note, some ctools dependent modules may need to be updated to work with 4.x, which will require sites to remain on 8.x-3.8 until those modules are updated to support Drupal 10 and ctools 4.

Otherwise, this release is relatively similar to 8.x-3.8. If you're using a supported version of Drupal, you're encouraged to update to this version of ctools.

All changes since 8.x-3.7:

• Issue #3293702 by japerry: Bulk documentation phpcs fixes
• Issue #2992362 by thalles, Daniel Korte, sagannotcarl, baikho, osman, japerry, stevekeiretsu: Wizards should be using PrivateTempStore not SharedTempStore, otherwise all users end up sharing the same cached form values
• Issue #3118178 by Kate.Yemelyanenka, andregp, prabha1997, alanmoreira, swatichouhan012, andrey.troeglazov: use dependency injection for renderer in FormWizardBase
• Issue #3272682 by japerry, n4r3n, Berdir: Make module compatible with Drupal 10
• Issue #2866323 by andrewbelcher: Fatal error on empty entity reference relationship
• Issue #2691875 by acbramley, Chris Matthews: FormWizardBase::actions doesn't add actions type so buttons aren't moved by prepareDialogButtons
• Issue #2982425 by manuel.adan: Support computed fields
• Issue #3134416 by AndrewsizZ: Replace assert*() involving equality comparison operators with assert(Not)(Equals|Same)
• Issue #3113234 by thalles: Fix subclassing and stop overriding constructors in ctools_views\Plugin\Display\Block
• Issue #3259348 by joelpittet: Remove Drupal 8 compatibility in info.yml
• Issue #3261579 by beatrizrodrigues, paulocs, joelpittet: Update readme file link about installation
• Issue #3259348 by joelpittet: update composer.json for Drupal 9 || 10 support
• Issue #3192405 by Pooja Ganjage, thalles, joelpittet: Declaring ::setUp without a void return typehint
• Issue #3259348 by paulocs, joelpittet, beatrizrodrigues, lhridley: Remove Drupal 8 compatibility in info.yml
• Partial revert #3178203-2
• Revert "Issue #3192405 by Pooja Ganjage, thalles, joelpittet: Declaring ::setUp without a void return typehint"
• This reverts commit 3f2620818732c473d060af7a3be9b60debc81bae.
• Issue #2857279 by Berdir, manuel.adan, malcomio: Duplicate node type visibility condition in block settings
• Issue #3101650 by andregp, Suresh Prabhu Parkala, thalles, guilhermevp, adalbertov, joelpittet: Standards on Form/RequiredContextDelete.php
• Issue #2799283 by drunken monkey, paulocs, pifagor, rhovland: If only sort is exposed, the exposed form is not display
• Issue #3168866 by kekkis, codebymikey: Ctools blocks derivatives should only be removed from the Layout Builder, not the Block UI
• Issue #3192405 by Pooja Ganjage, thalles, joelpittet: Declaring ::setUp without a void return typehint
• Issue #3212600 by guilhermevp, marcusvsouza: drupalPostForm is deprecated, use $this->submitForm() instead
• Issue #3255751 by Manthan.Chauhan: PHP syntax error in ctools_help()
• Issue #3064664 by thalles, raman.b, Chris Matthews, mrinalini9, andrey.troeglazov, librekid: Clean-up code in AjaxFormTrait
• Issue #3191270 by thalles, joelpittet, guilhermevp: Declare $modules property protected
• Issue #3220480 by mstrelan, acbramley: [PHP8] TypeError : uasort(): Argument #1 ($array) must be of type array, null given
• Issue #3213728 by paulocs, guilhermevp: Fix tests in dev branch

Release type: Bug fixesNew features

This is an incremental bug and feature release for ctools on Drupal 8.9 and 9.

Note, this is the last feature release for ctools in the 3.x branch. All new features should be tested against 4.x. The 3.x branch is now in only critical bug and security mode.

All changes since 8.x-3.7:

• Issue #3293702 by japerry: Bulk documentation phpcs fixes
• Issue #2992362 by thalles, Daniel Korte, sagannotcarl, baikho, osman, japerry, stevekeiretsu: Wizards should be using PrivateTempStore not SharedTempStore, otherwise all users end up sharing the same cached form values
• Issue #3118178 by Kate.Yemelyanenka, andregp, prabha1997, alanmoreira, swatichouhan012, andrey.troeglazov: use dependency injection for renderer in FormWizardBase
• Issue #2866323 by andrewbelcher: Fatal error on empty entity reference relationship
• Issue #2691875 by acbramley, Chris Matthews: FormWizardBase::actions doesn't add actions type so buttons aren't moved by prepareDialogButtons
• Issue #2982425 by manuel.adan: Support computed fields
• Issue #3134416 by AndrewsizZ: Replace assert*() involving equality comparison operators with assert(Not)(Equals|Same)
• Issue #3113234 by thalles: Fix subclassing and stop overriding constructors in ctools_views\Plugin\Display\Block
• Issue #3261579 by beatrizrodrigues, paulocs, joelpittet: Update readme file link about installation
• Issue #2857279 by Berdir, manuel.adan, malcomio: Duplicate node type visibility condition in block settings
• Issue #3101650 by andregp, Suresh Prabhu Parkala, thalles, guilhermevp, adalbertov, joelpittet: Standards on Form/RequiredContextDelete.php
• Issue #2799283 by drunken monkey, paulocs, pifagor, rhovland: If only sort is exposed, the exposed form is not display
• Issue #3168866 by kekkis, codebymikey: Ctools blocks derivatives should only be removed from the Layout Builder, not the Block UI
• Issue #3192405 by Pooja Ganjage, thalles, joelpittet: Declaring ::setUp without a void return typehint
• Issue #3212600 by guilhermevp, marcusvsouza: drupalPostForm is deprecated, use $this->submitForm() instead
• Issue #3255751 by Manthan.Chauhan: PHP syntax error in ctools_help()
• Issue #3064664 by thalles, raman.b, Chris Matthews, mrinalini9, andrey.troeglazov, librekid: Clean-up code in AjaxFormTrait
• Issue #3191270 by thalles, joelpittet, guilhermevp: Declare $modules property protected
• Issue #3220480 by mstrelan, acbramley: [PHP8] TypeError : uasort(): Argument #1 ($array) must be of type array, null given
• Issue #3213728 by paulocs, guilhermevp: Fix tests in dev branch

Release type: Bug fixesNew features

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

• CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
• 
  Change in port should be considered a change in origin

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• Drupal core now requires guzzlehttp/guzzle 6.5.8 or higher (up from 6.5.7).

  The latest guzzle versions also require guzzlehttp/psr7 1.9 or higher (up from 1.8.5), so that package is updated as well.

  Since the above change to guzzlehttp/psr7 requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.

  Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

All changes since 9.3.16

• Issue #3291780 by longwave, xjm: guzzlehttp/guzzle 6.5.8 requires guzzlehttp/psr7 ^1.9
• Issue #3285193 by Lendude, xjm: Temporarily skip random test failures that hide real test failures, part 4
• Merge 9.3.16, resolve merge conflicts, and update lockfile and dev versions.
• Issue #3247683 by Wim Leers, lauriii, bnjmnm, Reinmar: Disable CKEditor 5's automatic link decorators (in Drupal filters should be used instead)
• Issue #3273983 by Wim Leers, ifrik, lauriii: Do not assume that plugin supporting also supports in SourceEditingRedundantTags and upgrade path
• Issue #3283795 by alexpott, bircher: ComposerHooksTest is broken on latest DrupalCI PHP container

Release type: Bug fixes

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

• CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
• 
  Change in port should be considered a change in origin

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

Drupal 9.4.x will receive security coverage until June 2023.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.4.0 release notes before upgrading to this release.

Important update information

• Drupal core now requires guzzlehttp/guzzle 6.5.8 or higher (up from 6.5.7), or 7.4.5 or higher (up from 7.4.4).

  The latest guzzle versions also require guzzlehttp/psr7 1.9 or higher (up from 1.8.5), so that package is updated as well.

  Since the above change to guzzlehttp/psr7 requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.

  Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

All changes since 9.4.0

• Issue #3291780 by longwave, xjm: guzzlehttp/guzzle 6.5.8 requires guzzlehttp/psr7 ^1.9
• Issue #1645328 by Liam Morland, darvanen, shravan sonkar, andregp, mandar.harkare, jhedstrom, sun: Add test to ensure fieldset allows any non-empty-string #title
• Issue #3145738 by andrewmacpherson, quietone, Mile23, mmjvb: Incorrect composer update instructions for Drupal core metapackages
• Issue #3283235 by TR: Fix a comment typo in FileFieldWidgetTest
• Issue #3283794 by mondrake, longwave: Fix 'should return {type} but return statement is missing' PHPStan L0 errors in test code
• Issue #3164699 by jungle, ravi.shankar, andregp, kishor_kolekar, sulfikar_s, ankithashetty, paulocs, Abhijith S, WagnerMelo, quietone: Fix or ignore 15 words used in Help Topics
• Issue #3291265 by Spokje: \Drupal\Testsorum\Functional\ForumNodeAccessTest doesn't use tracker module
• Issue #3280033 by hmendes, rajandro, dpi, Ayesh: PHP 8.2 compatibility: ${} string interpolation deprecated
• Issue #3283498 by Mile23, alexpott: Scaffold ReplaceOp::copyScaffold() throws an error for empty files
• Issue #3257600 by tstoeckler, rpayanm: SettingsTrayBlockFormTest needlessly overrides getTestThemes
• Issue #2747273 by quietone, mayurjadhav, talhaparacha: Example given on FormBuilder::submitForm API Page is not working
• Issue #2430379 by quietone, znerol, larowlan: Add explicit test for session based language negotiation
• Issue #3268244 by Spokje, xjm, Wim Leers: [random test failure] Un-skip and fix QuickEditIntegrationTest::testArticleNode()

Release type: Bug fixes

Issue queue placeholder branch 101.x development, for issues deferred from 9.5.x and 10.0.x.

This branch does not yet contain the actual 10.1.x codebase and is not intended for use for anything other than the Drupal core issue queue version selector.

Release type: Bug fixesNew features

This is a minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backward compatibility and experimental module policies.

Minor releases may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022.

9.2.x and 8.9.x will no longer receive security support, so sites on a Drupal 8 or 9 version earlier than 9.2.x should upgrade to a supported release as soon as possible.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.4 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Changes to site-owner-managed files

• The root .htaccess file now has a section for PHP 8 settings. This brings .htaccess files into alignment with Drupal’s supported PHP version.

  If you have a custom .htaccess file and its PHP settings are working, you can keep using your existing .htaccess file unchanged. If you are upgrading from PHP 7 to PHP 8, adopt the new .htaccess file and adopt the custom settings that you need from your existing .htaccess file PHP 7 section to the new PHP 8 section.

• The theme used when update.php is run and there is no maintenance_theme selected in settings.php has changed:

  1. If Claro is installed, it will be used as the maintenance theme.
  2. If Seven is installed and Claro is not, Seven will be used as the maintenance theme.
  3. If neither Claro nor Seven are installed, the default theme is used.

  Review the change record on the maintenance theme changes for more information.

Platform requirements changes Minimum supported PHP version increased to PHP 7.4; PHP 8.1 recommended

• Drupal 9.4's minimum PHP requirement has been increased from PHP 7.3 to 7.4. Sites on PHP 7.3 may still be installed and updated (with a warning), but their security coverage is not guaranteed unless they update to at least PHP 7.4. For more information, see the PHP requirements handbook page.

  PHP 8.1 is now the recommended PHP version to use with Drupal 9.4 and above.

Database JSON support warning

• Drupal core will begin warning in the status report if a database connection doesn't support JSON, in preparation for this becoming an installation requirement in Drupal 10. The most common MySQL/MariaDB/Percona databases used with Drupal already had this requirement for Drupal 9.0, so this new warning is likely to appear only for SQLite and PostgreSQL users.

The drupal/core-recommended package now allows patch-level updates

The drupal/core-recommended metapackage now allows patch-level updates for dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package. Site owners should test patch-level updates before deploying them. Instructions for managing dependency updates with the updated drupal/core-recommended metapackage.

Note that egulias/email-validator has a wider constraint due to the name of its most recent supported version, so site owners may wish to add a specific constraint to avoid updates to version 3.3 or higher in the future.

The CKEditor 5 experimental module is nearly (but not quite) stable

CKEditor 4 will be end-of-life in 2023. The CKEditor 5 experimental module will replace CKEditor 4 in Drupal 10. CKEditor 5 differs significantly from CKEditor 4, so we strongly recommend sites and modules begin testing with it now in preparation for Drupal 10's release later this year. Only a few issues remain until the new module can be marked stable, including a critical data loss bug for custom tags when using Full HTML text format, support for inserting externally hosted images, support for Styles Combo (which blocks some contributed projects), and a number of accessibility issues. Most of these are blocked on upstream improvements, and we're working closely with the CKEditor team!

Testing CKEditor 5

Back up your site data and configuration before beginning testing.

1. The automatic content upgrade path: Under Configuration > Content Authoring > Text formats and editors, configure a text format and change its "text editor" setting from "CKEditor" to "CKEditor 5". (This will happen automatically when upgrading to Drupal 10.)

   You will get the equivalent CKEditor 5 configuration created automatically: toolbar, plugin settings, and so on. Messages will appear upon switching that explain what happened and why. Verify that the messages and generated configuration are correct.

2. The editing experience: Verify that the default CKEditor 5 configuration works as you need and expect. For example, the linking experience should be improved, uploading images is much faster, and so on.

3. Your existing content: When you edit existing content with CKEditor 5 and you save it, verify that the resulting markup looks as you expect, and that no data is lost.

Upgrading contributed modules to CKEditor 5

The module can be also used for making modules extending CKEditor 4 to become compatible with CKEditor 5.

• Meta issue of contrib modules being ported: #3207845: [META] Port some initial CKEditor 4 plugin integration modules to CKEditor 5
• Examples of complex CKEditor 4 modules updating to CKEditor 5 compatibility:
  • #3232190: Drupal 10 & CKEditor 5 readiness
  • #3232052: Drupal 10 & CKEditor 5 readiness

Deprecated modules

The following core modules are deprecated in Drupal 9.4 and will be moved to contributed projects in Drupal 10:

• Color
• Aggregator
• HAL
• The Entity Reference and SimpleTest stubs

Sites will receive warning messages when deprecated modules are in use. Review the deprecated module documentation on the steps to take if your site uses any of these modules.

API changes

• Module uninstall validators are now run during configuration import validation. Validators should implement interface \Drupal\Core\Extension\ConfigImportModuleUninstallValidatorInterface to differentiate between a config import validation and a regular module uninstall. (Note: This is a new change since 9.4.0-rc2.)

• ImageStyleStorageInterface now extends ConfigEntityStorageInterface. If you are directly implementing ImageStyleStorageInterface you will need to ensure you also implement methods from ConfigEntityStorageInterface.

• The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

• ​​The JavaScript API for Contextual module has been marked internal (except for the drupalContextualLinkAdded event, which is still public API), and various parts of this will be refactored and/or removed in Drupal 10. Contributed modules should interact with contextual module only via the PHP API.

• The Modernizr.touchevents browser feature detection check has been deprecated. In addition, Modernizr is no longer responsible within Drupal for detecting touch devices and adding the touchevents/no-touchevents classes to the HTML element based on the detection result. The specific functionality of adding classes based on touch device detection is now provided via a core library: core/drupal.touchevents-test. The detection method used is identical to Modernizr's.

  Themes relying on the selector do not need to change, but code calling Modernizr directly should be updated.

Changes to the Standard and Umami Demo profiles

• The Standard profile now uses Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

Backend dependency updates

The following dependencies have been changed or updated since 9.3.

• Sites are able to install Guzzle 7 due to a widening of Drupal core's composer constraints. This allows for more complete PHP 8.1 support. Contributed modules should continue to provide Guzzle 6 support since both the drupal/core-recommended package and tarballs continue to provide Guzzle 6.

  • Site owners who are using drupal/core-recommended and wish to use Guzzle 7 will need to change their site to depend on drupal/core directly. Note that your Composer dependencies will no longer be locked to specific patch or minor release versions after this change, so you will need to take care to avoid accidentally updating dependencies before your site is ready.

    Test thoroughly before deploying an update to Guzzle 7, as some contributed and custom projects may be incompatible with it.

  • Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

• Drupal 10 will switch its PSR-17 implementation from laminas/laminas-diactoros to Guzzle. It should not be necessary to make any changes unless you are directly referencing Diactoros classes. If your project does depend directly on any Diactoros code (uncommon), you should make sure it is declared as a dependency in your composer.json or change the code to use Guzzle.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

  Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

Backend development dependencies

• Coder has been updated to 8.3.15. This version will automatically set up Drupal coding standards sniffs in PHP_CodeSniffer thanks to a new dependency on dealerdirect/phpcodesniffer-composer-installer.

Frontend dependency updates Frontend production dependencies

• The Backbone and Underscore core JavaScript dependencies are deprecated and will no longer be provided as public core libraries in Drupal 10. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

  Both these deprecated dependencies have also received patch-level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

• Drupal 10 will drop support for Internet Explorer 11. This includes removing all polyfills in Drupal 10. If you plan to continue supporting Internet Explorer 11 even when used with Drupal 10, your project will have to depend on any required polyfills directly. If you plan to support Internet Explorer 11 only until the end-of-life of Drupal 9, you don’t have to do anything until Drupal 9 is end-of-life.

  For a full list of polyfills being removed, reference the draft Drupal 10 change records for removing Internet Explorer 11 polyfills and removing Drupal's custom <details> fieldset collapse script.

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades to be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• Shepherd.js has been updated from 8.3.1 to 9.1.0. According to its release note, there should be no breaking changes that affect our usage.

• SortableJS has been updated from 1.14.0 to 1.15.0. According to its release note, there should be no breaking changes that affect our usage.

• tabbable has been updated from 5.2.1 to 5.3.2. According to its release note, there should be no breaking changes that affect our usage.

• Popper.js has been updated from 2.11.2 to 2.11.5.

Frontend development dependencies

• Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core's Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core's JavaScript development dependencies with npm or yarn.

• The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

• Eslint has been updated from 7.32.0 to 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

• Stylelint has been updated from 13.13.1 to 14.8.2, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

• All of Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Changed coding standards

• JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core’s ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

• #3285724: [regression] Drupal 9.4 breaks BC of \Drupal\Driver\* overriding core drivers during installation and parsing connection URLs
• #3287251: Error updating from 9.3.16 to 9.4.0 with Autoupdates: Class 'Drupal\sqlite\Driver\Database\sqlite\Truncate' not found
• #3290924: [regression] With Drupal 9.4, can no longer call Database::getConnection() from within settings.php due to driver classes not yet in autoloader
• #3290936: Argument #1 ($database) must be of type Drupal\Core\Database\Driver\mysql\Connection, Drupal\mysql\Driver\Database\mysql\Connection given
• #3290992: EntityViewDisplay::load in hook_field_info_max_weight can cause endless loop

Search the issue queue for known issues.

All changes since Drupal 9.4.0-rc2

• Issue #3285696 by sardara, alexpott, longwave: Legacy random session ID generation is incompatible with symfony/http-foundation v4.4.42
• Issue #3198340 by alexpott, xjm, cilefen, Mile23, mmjvb, catch, longwave, mfb, Mixologic, effulgentsia, larowlan, Warped, quietone, greg.1.anderson: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available
• Issue #3285572 by alexpott, longwave: Update dependencies to latest patch releases for 9.4.x / 9.5.x
• Issue #3265429 by neclimdul, eleonel: Fix array keys in MailManagerTest
• Issue #3277025 by Spokje, longwave: For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code
• Issue #2430133 by JeroenT, znerol, mgifford: BlockLanguageTest tests non-existing pages
• Issue #3265492 by dww, Spokje, Amber Himes Matz, quietone: Fix inaccuracies in quickedit help topic (after the split from settings_tray)
• Issue #3277148 by rpayanm, andregp, joachim, Farnoosh, Athrylith, Jingting: ResourceResponse should document that the route it is used with must define the _format requirement
• Issue #2392815 by alexpott, pooja saraah, bircher, cilefen, pratik_specbee, catch, fago: Module uninstall validators are not used to validate a config import
• Issue #3283619 by eleonel: Fix a comment typo in common.inc
• Issue #3283599 by eleonel: Fix a typo in Help message on ckeditor5.module
• Issue #3281443 by _shY: Update Taxonomy tests to not use Bartik and Seven
• Issue #3281451 by tinto: Update Ajax FunctionalJavascript test to not use Bartik and Seven
• Issue #3269215 by slucero, dpi: EntityTypeInterface::getKey() is typehinted as possibly returning bool, but never returns true
• Issue #3284970 by alexpott: Reduce complexity in \Drupal\Core\Site\Settings::initialize
• Issue #3280398 by alexpott, mherchel, quietone: Theme's post updates within update.php refer to themes as "module"
• Issue #3285193 by Lendude, xjm: Temporarily skip random test failures that hide real test failures, part 4

Release type: Bug fixesNew features

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important update information from 9.4.0-rc1

• Drupal 9.4 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6), or 7.4.4 or higher (up from 7.4.3).

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

All changes since 9.4.0-rc1

• SA-CORE-2022-011 by GHaddon, JeroenT, yivanov, Heine, longwave, DamienMcKenna, mlhess, cilefen, xjm, benjifisher
• Issue #3281438 by tinto, deviantintegral, catch: Update CKEditorTest to not use Bartik and Seven
• Issue #3284502 by effulgentsia, alexpott: [regression] Drupal 9.4 breaks BC via incorrect autoloading of \Drupal\Driver\* overrides of core db drivers

Release type: Security updateBug fixes

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released. Update to Drupal 9.3.x soon to continue receiving security coverage.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• Drupal 9.2 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6).

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
• Sites on 9.2.x or earlier should update immediately to Drupal 9.2.21 instead of this release (but update to 9.3 or higher soon).
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• Drupal 9.3 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6).

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022.

Important changes since Drupal 9.4.0-beta1

• The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

All changes since 9.4.0-beta1

• Issue #3223264 by andy-blum, mherchel, Kristen Pol: Olivero: Messages can be malformed when JS creates messages and PHP messages already exist
• Issue #3247683 by Wim Leers, lauriii, bnjmnm, Reinmar: Disable CKEditor 5's automatic link decorators (in Drupal filters should be used instead)
• Issue #3273983 by Wim Leers, ifrik, lauriii: Do not assume that plugin supporting also supports in SourceEditingRedundantTags and upgrade path
• Issue #3284270 by alexpott, bircher: Reset \Drupal\Core\Config\ConfigImporter::$errors in ::validate() method
• Issue #3283795 by alexpott, bircher: ComposerHooksTest is broken on latest DrupalCI PHP container
• Issue #3274648 by nod_, Wim Leers: HTMLRestrictions::merge() and ::toGeneralHtmlSupportConfig() fail on allowed attribute values that can be interpreted as integers
• Issue #3276217 by lauriii, Wim Leers: [drupalMedia] add tests to confirm GHS attributes are retained in linked media
• Issue #3280985 by mherchel, andy-blum: Olivero's code block styling is slightly broken at various viewport widths

Release type: Bug fixesNew features

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

This alpha includes many changes that are also included in Drupal 9.4.0-beta1.

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not complete in 10.0.0-alpha4:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. The Backbone and Underscore core JavaScript dependencies are no longer provided as public core libraries. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0. Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

3. Various core modules and themes will be moved to contributed projects.

4. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 on December 14, 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, the Drupal 10.0.0-alpha3 release notes, and the Drupal 10.0.0-alpha4 release notes for additional changes from 9.4.x.

• The JavaScript ES6 build process is removed given that all browsers supported by Drupal Core are now ES6 compatible. This means that once the build tooling is removed from Drupal 10, core developers are no longer required to run the commands when they make changes to core JavaScript. This also means that babel/core and all related dependencies will no longer be included as core development dependencies.

• The minimum supported PHP version is now set dynamically based on the documented end-of-life date for each PHP version. After a PHP version is no longer supported, there will be warnings about the unsupported PHP version, but this won't prevent running, updating, or installing Drupal. In order to provide sites with the most complete information on which PHP versions are supported and recommended for their current installation, \Drupal::MINIMUM_SUPPORTED_PHP is deprecated and replaced by \Drupal\Core\PhpRequirements::minimumSupportedPhp(). Review the handbook documentation on unsupported PHP versions for more information.

• The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

• The range validator for entities now yields a more accurate 'value not in range' message, with its violation error code also more accurately being Range::NOT_IN_RANGE_ERROR.

• Code that extends Symfony's Serializer component has been updated with stricter typehints and an additional argument for compatibility with Symfony 6.1 and future releases. For more information, review the change record: Context argument added in code that extends from Symfony's Serializer component.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha4:

• asm89/stack-cors has been updated from version 1.3.0 to 2.0.5.

  Enabling CORS now preserves cacheability whenever possible.

  Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

• The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility.

• The CKEditor 5 module now uses version 34.1.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

• Additionally:

  • Shepherd.js is updated to 9.1.0.
  • SortableJS is updated to 1.15.0.
  • tabbable is updated to 5.3.2.

  For all three of these updates, according to the projects' release notes, there should be no breaking changes that affect our usage.

Known issues

Search the issue queue for known issues.

All changes since 10.0.0-alpha4

• Revert "Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions"
• Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions
• Issue #3223264 by andy-blum, mherchel, Kristen Pol: Olivero: Messages can be malformed when JS creates messages and PHP messages already exist
• Revert "Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions"
• Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions
• Issue #3261245 by andypost, andregp, paulocs, longwave, catch, daffie, quietone: Remove deprecated views module functions
• Issue #3247683 by Wim Leers, lauriii, bnjmnm, Reinmar: Disable CKEditor 5's automatic link decorators (in Drupal filters should be used instead)
• Issue #3273983 by Wim Leers, ifrik, lauriii: Do not assume that plugin supporting also supports in SourceEditingRedundantTags and upgrade path
• Issue #3284270 by alexpott, bircher: Reset \Drupal\Core\Config\ConfigImporter::$errors in ::validate() method
• Issue #3283795 by alexpott, bircher: ComposerHooksTest is broken on latest DrupalCI PHP container
• Issue #3274648 by nod_, Wim Leers: HTMLRestrictions::merge() and ::toGeneralHtmlSupportConfig() fail on allowed attribute values that can be interpreted as integers
• Issue #3276217 by lauriii, Wim Leers: [drupalMedia] add tests to confirm GHS attributes are retained in linked media
• Issue #3227431 by mherchel, kostyashupenko, andy-blum, Kristen Pol, andrewmacpherson, cindytwilliams, alexpott, mgifford, dww, shaal, rkoller: Tabledrag icon doesn't adapt to forced-colors mode
• Issue #3280985 by mherchel, andy-blum: Olivero's code block styling is slightly broken at various viewport widths
• Issue #3257274 by andy-blum, mherchel, mglaman, xjm, alexpott, mgifford, shaal, benjifisher, tim.plunkett, AaronMcHale, Antoniya, worldlinemine, tmaiochi, rkoller, andregp, ckrina: Implement color changing theme settings for Olivero
• Issue #3274651 by Wim Leers, nod_, alexpott: Impossible to enable
  
  or
  
  with GHS: switch to List's successor, DocumentList
• Issue #3279192 by daffie, ravi.shankar, geek-merlin, alexpott: Change the method Drupal\Core\DrupalKernel::handle() to make it work for the Swoole module
• Issue #3261447 by xjm, lauriii, ravi.shankar, Wim Leers, alexpott, tedbow, daffie: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules
• Issue #3281578 by Wim Leers, quietone, xjm, catch: Increase Composer dependency constraints to latest minors for forward-compatibility
• Revert "Issue #3261447 by xjm, lauriii, ravi.shankar, Wim Leers, alexpott, tedbow, daffie: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules"
• Issue #3265140 by Spokje, bnjmnm, lauriii, mstrelan, dww, Wim Leers, xjm, murilohp, daffie: Move QuickEditImageController from image to quickedit
• Issue #3277438 by Wim Leers, bnjmnm, lauriii, xjm, nod_, Reinmar: Update to CKEditor 5 v34.1.0
• Issue #3261447 by xjm, lauriii, ravi.shankar, Wim Leers, alexpott, tedbow, daffie: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules
• Issue #3282395 by alexpott, mallezie: Latest versions of PHPStan and mglaman/phpstan-drupal cannot find PhpUnitVersionDependentTestCompatibilityTrait
• Issue #3282342 by xjm: Forward-port Guzzle updates, because the private testrunner doesn't like me today
• Issue #3281863 by alexpott, Wim Leers, nod_, hestenet, xjm, huzooka, Mixologic: Nightwatch tests failing >50% of test runs on PHP 7.3 in 9.4.x and 9.5.x, as well as PHP 8.1 on 10.0.x
• Issue #3279703 by VIGHNESH SADAGOPAL, Binoli Lalani, Stockfoot, Maninders, Ruturaj Chaubey, mherchel, Libbna, ckrina, longwave: Change "Welcome to " to "Welcome!" on the initial install screen
• Issue #3246755 by mherchel, yogeshmpawar, Libbna, cindytwilliams, zenimagine: Olivero main/user account menu layout struggles with long menus
• Issue #3279693 by mherchel, andy-blum: Olivero: Hyperlinks with "button" or "button--primary" do not have proper styling when nested in a "text-content" container
• Issue #2513524 by andregp, JeroenT, Bill Choy, TR, tstoeckler, dawehner, Wim Leers, xjm: ExtensionDiscovery is unable to find modules that have a comment at the end of the type property in a .info.yml file
• Issue #3260007 by mondrake, yogeshmpawar, daffie, andypost: Decouple Connection from the wrapped PDO connection to allow alternative clients
• Issue #3274080 by mherchel, andy-blum, lauriii: Olivero's mobile menu experience doesn't properly adapt to forced colors
• Issue #3270842 by javi-er, sharayurajput, ckrina, WagnerMelo, saschaeggi: Define Red color scale for Claro
• Issue #3245553 by quietone, danflanagan8: Fix migration of localized D6 menu links
• Issue #2580723 by AdamPS, Berdir, andypost, darvanen, larowlan, alexpott, effulgentsia, catch, dawehner: Fix token system confusion, with new function Token::replacePlain()
• Issue #3270936 by Spokje, quietone, andypost, lauriii: Deprecate Color module
• Issue #3281755 by mondrake: PHPStan baseline broken again in head (hopefully for the last time?)
• Issue #3261266 by mondrake, longwave, daffie: Remove deprecated code from the testing framework (base classes, listeners, etc)
• Issue #3269149 by longwave, catch, alexpott: Remove deprecated settings
• Issue #3058409 by guilhermevp, joachim, ravi.shankar, quietone, init90, andregp: TermStorage::loadTree() doesn't document what the return array is keyed by
• Issue #3280882 by mondrake, mallezie: KernelTestBase::tearDown() cleanup prevents good typehinting practices
• Issue #3262874 by Spokje, longwave, ankithashetty, catch, andypost: Update Coder to 8.3.15
• Issue #3269140 by longwave: Remove deprecated config.storage.staging service
• Issue #3232714 by paulocs, vsujeetkumar, mondrake, longwave, quietone, larowlan: Replace, in tests, mocks that do not configure doubles with their actual objects
• Issue #3268746 by quietone, xjm: Fix missing newlines for 'Drupal.Commenting.DocComment.ShortSingleLine'
• Issue #3272956 by xjm, Wim Leers, tedbow, dww: Hardcode security coverage EOL dates for Drupal 9.4 and 9.5 (as was done for 8.8 and 8.9)
• Issue #3280602 by larowlan, DanielVeza, Wim Leers, mstrelan: Exceptions for CKEditor 5 plugin definitions containing wildcard tags when PHP is built with libxml 2.9.14
• Issue #3259355 by mallezie, mondrake, catch, longwave, mglaman, alexpott, xjm, daffie, Mixologic: Always do a full phpstan analysis on DrupalCI
• Issue #3250582 by huzooka, Matroskeen, danflanagan8, ravi.shankar, quietone, erik.erskine: ResponsiveImageStyles source plugin must extend DrupalSqlBase
• Issue #3276565 by dww, larowlan: Add larowlan as maintainer of contextual.module
• Issue #3260920 by tstoeckler: Contact's MessageEntityTest wrongly uses 'edit' access operation on entities instead of 'update'
• Issue #332796 by voleger, dww, Steve Dondley, ykhadilkar, Dave Reid, ankithashetty, Anybody, benjifisher, mstrelan, David_Rothstein, phenaproxima, Bojhan: Add permissions to the update.module to hide warnings
• Issue #3112283 by ravi.shankar, mpdonadio, andregp, daffie, jhedstrom, alexpott, andypost, pifagor, vladbo, JeroenT, voleger, cliddell: Replace REQUEST_TIME in non-OO and non-module code
• Issue #2580263 by Berdir, nils.destoop, catch, Cottser, larowlan: Find a way to not run contextual_preprocess() on every template
• Issue #3280614 by Spokje: (Not so) Random test failures QuickEditFileTest
• Issue #3276196 by mondrake, catch, Spokje: The "Symfony\Component\Validator\Constraints\Range::$minMessage" property is considered final
• Issue #3278916 by mallezie, mondrake: Update phpstan/phpstan to latest version
• Issue #3277552 by Hebl, Asha Nair, rootwork, Charles Belov: Seven is missing focus in "Available buttons" and "Active toolbar" within CKEditor toolbar configuration Primary tab
• Issue #3279502 by webflo: Fix invalid @property annotations
• Issue #3218562 by bradjones1, yogeshmpawar, Lendude, catch: Fix typo in/rename SearchSimplifyTest
• Issue #3272581 by danflanagan8: Image tests should not rely on Classy
• Issue #3272336 by danflanagan8: File tests should not rely on Classy
• Issue #3272543 by danflanagan8, larowlan: History tests should not rely on Classy
• Issue #3276652 by andregp, eojthebrave, markie, catch, danflanagan8: AssertMenuActiveTrailTrait should not rely on classy/bartik
• Issue #3279103 by bradjones1: Test cleanup: Remove dead code from JsonApiFunctionalTest
• Issue #3272558 by danflanagan8: Content Translation tests should not rely on Classy
• Issue #3275530 by danflanagan8: Language Tests should not rely on Classy
• Issue #3278314 by acbramley: InlineBlockUsageInterface::getUsage can return FALSE but isn't documented
• Issue #3270081 by franck_lorancy, quietone, Cottser: Fix indentation in doc block \Drupal\Core\Render\RendererInterface::render
• Issue #3276839 by Spokje, mondrake: Remove leftover dumpHeaders property
• Issue #3272354 by danflanagan8: Filter tests should not rely on Classy
• Issue #3277557 by galactus86, mherchel, rootwork: Olivero: Progress indicator percentage label does not have proper spacing
• Issue #3278032 by andregp, bkline@rksystems.com: Remove dead code from ContentTranslationController
• Issue #3269153 by andregp, longwave, catch: Remove BC layers from the extension system
• Issue #2314443 by olli, Lendude, immaculatexavier, dawehner: Changing view name does not update page title in views ui
• Issue #2917239 by Lendude, dww, iStryker: Form is built when not using fields
• Issue #3276218 by lauriii: Follow-up to #3268318: Enable link manual decorator unrestricted test case
• Issue #3277311 by nod_, Wim Leers, catch, larowlan: Deprecate and mark internal contextual JS API
• Issue #3252100 by amateescu, catch, Tim Bozeman: Set revision_default when publishing
• Issue #3280359 by bnjmnm: Make jQuery.form internal
• Issue #3279840 by Spokje, mallezie, alexpott: Update mglaman/phpstan-drupal
• Issue #3279840 by Spokje, mallezie, alexpott: Fix \Drupal\Tests\quickedit\FunctionalJavascript\SettingsTrayIntegrationTest::createBlockContent()
• Issue #3259593 by hooroomoo, Dom., Wim Leers, lauriii: Alignment being available as separate buttons AND in dropdown is confusing
• Issue #3277744 by Taran2L, catch, nod_: Actually remove deprecated jquery_ui libraries from core
• Issue #3279850 by alexpott, dww, lauriii: Theme post updates are not recognised when the theme is used in the installer
• Issue #3101922 by bnjmnm, nod_, lauriii: Find replacement for Modernizr touchevent test and deprecate
• Issue #3278786 by lauriii, nod_: Update production JavaScript dependencies to latest minors
• Issue #3253286 by lauriii, ckrina, bnjmnm, xjm: Remove unnecessary template overrides and associated code from starterkit theme
• Issue #3206226 by Wim Leers, mglaman, lauriii, alexpott: Make updating changes from starterkit themes to generated themes easier
• Issue #3278052 by Spokje, mondrake: Fix added core/phpstan-baseline.neon error suppresion for core/modules/dblog/tests/src/Functional/DbLogResourceTest.php
• Issue #3278782 by mondrake: PHPStan baseline is out of sync
• Issue #3269657 by hooroomoo, Wim Leers: [drupalMedia] The CKEditor 4 → 5 upgrade path for the media_embed filter should not forcefully allow the `data-view-mode` attribute on ``
• Issue #3278246 by lauriii, alexpott, nod_, justafish: Deprecate core/scripts/js/babel-es6-build.js for removal from 10.0.x
• Issue #3279788 by alexpott: PHP 7.3 testing on Drupal 9.4.x and 9.5.x is broken due to \Drupal\Tests\RequirementsPageTrait::assertRequirementSummaries() assuming Seven is the update.php theme
• Issue #3279640 by alexpott, Spokje, mherchel, lauriii, catch: Standard install profile uses Olivero for update.php
• Issue #3251709 by cindytwilliams, andregp, ankithashetty, ckrina, saschaeggi: Define Blue scale for Claro
• Issue #3253955 by benjifisher, kristiaanvandeneynde, AaronMcHale: Let modules opt in to the bundle-specific permissions form
• Issue #3275237 by hooroomoo, lauriii, Wim Leers, nod_: Don't convert, instead use response.entity_type in DrupalImageUploadEditing
• Issue #3278394 by Wim Leers, bnjmnm: HTMLRestrictions' diff operation bug: diff(, ) should return an empty result
• Back to dev.

Release type: Bug fixesNew features

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• CKEditor 5 has been updated from 34.0.1 to 34.1.0, which fixes several bugs affecting Drupal core.

Known issues

Search the issue queue for known issues.

All changes since 9.3.13

• Issue #3274648 by nod_, Wim Leers: HTMLRestrictions::merge() and ::toGeneralHtmlSupportConfig() fail on allowed attribute values that can be interpreted as integers
• Issue #3276217 by lauriii, Wim Leers: [drupalMedia] add tests to confirm GHS attributes are retained in linked media
• Issue #3280985 by mherchel, andy-blum: Olivero's code block styling is slightly broken at various viewport widths
• Issue #3274651 by Wim Leers, nod_, alexpott: Impossible to enable <ol type> or <ul type> with GHS: switch to List's successor, DocumentList
• Issue #3277438 by Wim Leers, bnjmnm, lauriii, xjm, nod_, Reinmar: Update to CKEditor 5 v34.1.0
• SA-CORE-2022-010 by mayela, mxr576, xjm, cilefen, greggles, benjifisher, alexpott
• Issue #2513524 by andregp, JeroenT, Bill Choy, TR, tstoeckler, dawehner, Wim Leers, xjm: ExtensionDiscovery is unable to find modules that have a comment at the end of the type property in a .info.yml file
• Issue #3275237 by hooroomoo, lauriii, Wim Leers, nod_: Don't convert, instead use response.entity_type in DrupalImageUploadEditing
• Issue #3058409 by guilhermevp, joachim, ravi.shankar, quietone, init90, andregp: TermStorage::loadTree() doesn't document what the return array is keyed by
• Issue #3232714 by paulocs, vsujeetkumar, mondrake, longwave, quietone, larowlan: Replace, in tests, mocks that do not configure doubles with their actual objects
• Issue #3268746 by quietone, xjm: Fix missing newlines for 'Drupal.Commenting.DocComment.ShortSingleLine'
• Issue #3280602 by larowlan, DanielVeza, Wim Leers, mstrelan: Exceptions for CKEditor 5 plugin definitions containing wildcard tags when PHP is built with libxml 2.9.14
• Issue #3259593 by hooroomoo, Dom., Wim Leers, bnjmnm, lauriii: Alignment being available as separate buttons AND in dropdown is confusing
• Issue #3250582 by huzooka, Matroskeen, danflanagan8, ravi.shankar, quietone, erik.erskine: ResponsiveImageStyles source plugin must extend DrupalSqlBase
• Issue #3260920 by tstoeckler: Contact's MessageEntityTest wrongly uses 'edit' access operation on entities instead of 'update'
• Issue #3278394 by Wim Leers, bnjmnm: HTMLRestrictions' diff operation bug: diff(<tag attr="A B">, <tag attr>) should return an empty result
• Issue #2580263 by Berdir, nils.destoop, catch, Cottser, larowlan: Find a way to not run contextual_preprocess() on every template
• Issue #3280614 by Spokje: (Not so) Random test failures QuickEditFileTest
• Issue #3272336 by danflanagan8: File tests should not rely on Classy
• Issue #3279502 by webflo: Fix invalid @property annotations
• Issue #3218562 by bradjones1, yogeshmpawar, Lendude, catch: Fix typo in/rename SearchSimplifyTest
• Issue #3272543 by danflanagan8, larowlan: History tests should not rely on Classy
• Issue #3279103 by bradjones1: Test cleanup: Remove dead code from JsonApiFunctionalTest
• Issue #3278314 by acbramley: InlineBlockUsageInterface::getUsage can return FALSE but isn't documented
• Issue #3270081 by franck_lorancy, quietone, Cottser: Fix indentation in doc block \Drupal\Core\Render\RendererInterface::render
• Issue #2314443 by olli, Lendude, immaculatexavier, dawehner: Changing view name does not update page title in views ui
• Issue #2917239 by Lendude, dww, iStryker: Form is built when not using fields
• Issue #3276218 by lauriii: Follow-up to #3268318: Enable link manual decorator unrestricted test case
• Issue #2636086 by Matroskeen, Spokje, jian he, ravi.shankar, quietone, larowlan, Lendude, dawehner, Sweetchuck: Add extra test coverage for operators of views date filters
• Issue #3252100 by amateescu, catch, Tim Bozeman: Set revision_default when publishing
• Issue #3269657 by hooroomoo, Wim Leers: [drupalMedia] The CKEditor 4 → 5 upgrade path for the media_embed filter should not forcefully allow the data-view-mode attribute on <drupal-media>

Release type: Bug fixes

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

A change has been made to the .htaccess file that Drupal generates to prevent PHP execution in files directories. See the Change Record for more details of how to ensure your site's .htaccess files are up-to-date.

This release includes improved support for PHP 8.1 (and other recent PHP releases), but there may still be problems not revealed by Drupal core's test suite, especially on sites with contrib (and custom) modules. Please test, and report any problems in the appropriate issue queue.

This release also includes some major performance improvements for PostgreSQL. Special thanks to poker10 for providing several backports that make a significant difference.

As always, many thanks to everyone that contributed to this release of Drupal 7.

Major changes in 7.90:

• Editing a comment in D7 no longer changes the creation date
• D7 adds a "X-Content-Type-Options: nosniff" header to cached page responses
• D7's Field API now supports entity ids that are strings (the entity system already did)
• D7 no longer accepts trailing dots in entity_ids which may affect some URLs
• CSRF token added to admin/reports/status/run-cron in Drupal 7
• Added PHP 8 support to .htaccess files in Drupal 7

All changes:

• #3283311 by poker10, hubaishan, daffie, andypost, alexpott, jhmnieuwenhuis, lamigo, xekon, x0r1x, puddyglum, qdelance: D7 backport support for Postgresql 12
• #2819535 by mcdruid, Kingdutch, SumeetJaggi, cafuego, liannario, David_Rothstein, Diego_Mow, Fabianx: x-content-type-options nosniff ignored for anonymous cached pages
• #2828455 by poker10, klausi: User mail token PHP notices for anonymous
• #3212398 by jake_milburn: [D7] Field API assumes serial/integer entity IDs, but the entity system does not
• #3270543 by mcdruid, poker10: PHP 8.1 preg_split(): Passing null to parameter #2 ($subject) of type string is deprecated in _locale_parse_js_file()
• #3270881 by poker10, mfb: PHP 8.1 strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated in text_summary()
• #1973278 by mcdruid, drasgardian, alesr, AaronBauman: Error in image_styles when an effect has no definition
• #2830428 by telecjose, mcdruid, ansebul, Rajender Rajan, Fabianx: Fix behaviour of entity_load when passed ids with a trailing dot
• #3265842 by poker10: Backport DatabaseSchema_pgsql::findTables() improvements
• #2370593 by poker10, daffie, joseph.olstad, nathanweeks, Sivaji_Ganesh_Jojodae, bzrudi71, webchick, mcdruid, Fabianx: Database::tableExists optimization for PostgreSQL
• #1374090 by droplet, mcdruid, Pancho, G.I.Joe, marthinal, brenda003, lmeurs, asirjacques, jfhovinne, dcam, pfrenssen, opdavies, andypost, webchick, lokapujya, diqidoq, le72, drumm, ofauravi, TD44, mgifford, mpv, David_Rothstein, rob.barnett, izmeez, xanderol, matt_c, Fabianx, cachee, rodrigoaguilera, wryz, stefan.r, tvn: Editing a comment still changes creation date
• #2823488 by poker10, mradcliffe, mcdruid: Backport DatabaseSchema_pgsql::queryTableInformation() improvements
• #2431283 by willzyx, salvis, David_Rothstein, thalles, Berdir, Fabianx, tstoeckler, alexpott, Dave Reid, mcdruid: Cron CSRF vulnerability
• #3281663 by mcdruid: D7 backport: Fix htaccess files for PHP 8
• #3266018 by poker10: Backport Make core aware of Nginx and PHP-FPM to D7
• #3281772 by mcdruid: Hide the "Only For Testing" package by default on the modules admin page
• #3182785 by mcdruid, mar4ehk0, elsteff1385, John Franklin: PHP 7.4 notice in /modules/system/system.admin.inc when a module has an invalid configure path
• #2112325 by mfb, lazysoundsystem: Warning: gzinflate(): data error in drupal_serve_page_from_cache()
• #2790857 by poker10, dalin, richardcanoe, mcdruid, yogeshmpawar, Rishi Kulshreshtha: Log completely unusable when an entry has corrupt serialized data
• #3270546 by mcdruid, poker10, mfb: PHP 8.1 str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in filter_xss()
• #3265837 by poker10, mcdruid, Fabianx: Backport DatabaseSchema_pgsql::fieldExists() improvements
• #3166668 by akhilavnair, arx-e, poker10, mcdruid, igorbarato, Fabianx: PHP 7.4 and empty entity_keys for taxonomy term result in notices

Release type: Bug fixesNew features

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important changes since Drupal 9.4.0-alpha1

• The minimum supported PHP version is now set dynamically based on the documented end-of-life date for each PHP version. After a PHP version is no longer supported, there will be warnings about the unsupported PHP version, but this won't prevent running, updating, or installing Drupal. In order to provide sites with the most complete information on which PHP versions are supported and recommended for their current installation, \Drupal::MINIMUM_SUPPORTED_PHP is deprecated and replaced by \Drupal\Core\PhpRequirements::minimumSupportedPhp(). Review the handbook documentation on unsupported PHP versions for more information.

• The theme used when update.php is run and there is no maintenance_theme selected in settings.php has changed. If Claro is installed it will be used, if not Seven is used if it is installed. If neither Claro and Seven are installed, the default theme is used. Review the change record on the maintenance theme changes for more information.

• The Modernizr.touchevents test has been deprecated. In addition, Modernizr is no longer responsible within Drupal for detecting touch devices and adding the touchevents/no-touchevents classes to the HTML element based on the detection result. The specific functionality of adding classes based on touch device detection is now provided via a core library: core/drupal.touchevents-test. The detection method used is identical to Modernizr's.

  Themes relying on the selector do not need to change, but code calling Modernizr directly should be updated.

• ​​The JavaScript API for Contextual module has been marked internal, and various parts of this will be refactored and/or removed in Drupal 10. Contributed modules should interact with contextual module only via the PHP API.

• Color module is deprecated. Review deprecation documentation for more information.

Backend dependencies

• Sites are able to install Guzzle 7 due to a widening of Drupal core's composer constraints. This allows for more complete PHP 8.1 support. Contributed modules should continue to provide Guzzle 6 support since both the drupal/core-recommended package and core tarballs continue to provide Guzzle 6.

  Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. In the latest snapshot channel of Composer, it is possible to use:

  composer update --with=guzzlehttp/guzzle:^6 -W

  You can update to the snapshot channel by re-running composer self-update after updating to the current stable release (2.3.5). You can roll back to a stable version at any time by using composer self-update --rollback.

  In current stable releases of Composer, a workaround is to temporarily add a top-level requirement on the exact version of Guzzle you which to install, e.g.:

  composer require guzzlehttp/guzzle:6.5.6 composer update

  ...and then remove the specific guzzle requirement from the top-level composer.json for your project.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

  Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

• The following packages have received minor-level updates since alpha1:

  • egulias/email-validator, from 3.1.2 to 3.2.
  • laminas/laminas-diactoros, from 2.10.0 to 2.11.0.
  • twig/twig, from 2.14.13 to 2.15.1.

• The composer/xdebug-handler dependency has received a major version update that removes support for PHP versions not supported for Drupal 10.

Frontend dependencies

• CKEditor 5 has been updated from 34.0.0 to 34.1.0, which fixes several bugs affecting Drupal core.

Additionally:

• Shepherd.js is updated to 9.1.0.
• SortableJS is updated to 1.15.0.
• tabbable is updated to 5.3.2.

For all three of these updates, according to the projects' release notes, there should be no breaking changes that affect our usage.

Development dependencies

• Coder has been updated to 8.3.15. This version will automatically set up Drupal coding standards sniffs in PHP_CodeSniffer thanks to a new dependency on dealerdirect/phpcodesniffer-composer-installer.

All changes since 9.4.0-alpha1

• Issue #3274651 by Wim Leers, nod_, alexpott: Impossible to enable <ol type> or <ul type> with GHS: switch to List's successor, DocumentList
• Issue #3283093 by alexpott, daffie: Update PHP dependencies for minor and patch versions
• Issue #3261447 by xjm, lauriii, ravi.shankar, pingwin4eg, Wim Leers, alexpott, daffie, tedbow: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules
• Issue #3281578 by Wim Leers, quietone, xjm, catch: Increase Composer dependency constraints to latest minors for forward-compatibility
• Issue #3265140 by Spokje, bnjmnm, lauriii, mstrelan, dww, Wim Leers, xjm, murilohp, daffie: Move QuickEditImageController from image to quickedit
• Issue #3277438 by Wim Leers, bnjmnm, lauriii, xjm, nod_, Reinmar: Update to CKEditor 5 v34.1.0
• Issue #3282342 follow-up: Forward-port Guzzle updates, because the private testrunner doesn't like me today
• Issue #3282395 by alexpott, mallezie: Latest versions of PHPStan and mglaman/phpstan-drupal cannot find PhpUnitVersionDependentTestCompatibilityTrait
• Issue #3282342 by xjm: Forward-port Guzzle updates, because the private testrunner doesn't like me today
• Issue #3281863 by alexpott, Wim Leers, nod_, hestenet, xjm, huzooka, Mixologic: Nightwatch tests failing >50% of test runs on PHP 7.3 in 9.4.x and 9.5.x, as well as PHP 8.1 on 10.0.x
• Issue #3282050 by Spokje: Failing HEAD on PHP 7.3 on ComposerIntegrationTest::testComposerLockHash
• Issue #3279703 by VIGHNESH SADAGOPAL, Binoli Lalani, Stockfoot, Maninders, Ruturaj Chaubey, mherchel, Libbna, ckrina, longwave: Change "Welcome to " to "Welcome!" on the initial install screen
• Issue #3246755 by mherchel, yogeshmpawar, Libbna, cindytwilliams, zenimagine: Olivero main/user account menu layout struggles with long menus
• Issue #3279693 by mherchel, andy-blum: Olivero: Hyperlinks with "button" or "button--primary" do not have proper styling when nested in a "text-content" container
• Issue #2513524 by andregp, JeroenT, Bill Choy, TR, tstoeckler, dawehner, Wim Leers, xjm: ExtensionDiscovery is unable to find modules that have a comment at the end of the type property in a .info.yml file
• Issue #3274080 by mherchel, andy-blum, lauriii: Olivero's mobile menu experience doesn't properly adapt to forced colors
• Issue #3270842 by javi-er, sharayurajput, ckrina, WagnerMelo, saschaeggi: Define Red color scale for Claro
• Issue #3245553 by quietone, danflanagan8: Fix migration of localized D6 menu links
• Issue #2580723 by AdamPS, Berdir, andypost, darvanen, larowlan, alexpott, effulgentsia, catch, dawehner: Fix token system confusion, with new function Token::replacePlain()
• Issue #3270936 by Spokje, quietone, andypost, lauriii: Deprecate Color module
• Issue #3058409 by guilhermevp, joachim, ravi.shankar, quietone, init90, andregp: TermStorage::loadTree() doesn't document what the return array is keyed by
• Issue #3225966 by claudiu.cristea, xjm, Mixologic, neclimdul, alexpott, longwave, Berdir, effulgentsia: Consider loosening our constraint to allow sites to install Guzzle 6 or 7, or otherwise handle PHP 8.1 deprecations for Guzzle 6
• Issue #3280882 by mondrake, mallezie: KernelTestBase::tearDown() cleanup prevents good typehinting practices
• Issue #3262874 by Spokje, longwave, ankithashetty, catch, andypost: Update Coder to 8.3.15
• Issue #3232714 by paulocs, vsujeetkumar, mondrake, longwave, quietone, larowlan: Replace, in tests, mocks that do not configure doubles with their actual objects
• Issue #3268746 by quietone, xjm: Fix missing newlines for 'Drupal.Commenting.DocComment.ShortSingleLine'
• Issue #3272956 by xjm, Wim Leers, tedbow, dww: Hardcode security coverage EOL dates for Drupal 9.4 and 9.5 (as was done for 8.8 and 8.9)
• Issue #3280602 by larowlan, DanielVeza, Wim Leers, mstrelan: Exceptions for CKEditor 5 plugin definitions containing wildcard tags when PHP is built with libxml 2.9.14
• Issue #3250582 by huzooka, Matroskeen, danflanagan8, ravi.shankar, quietone, erik.erskine: ResponsiveImageStyles source plugin must extend DrupalSqlBase
• Issue #3276565 by dww, larowlan: Add larowlan as maintainer of contextual.module
• Issue #3260920 by tstoeckler: Contact's MessageEntityTest wrongly uses 'edit' access operation on entities instead of 'update'
• Issue #332796 by voleger, dww, Steve Dondley, ykhadilkar, Dave Reid, ankithashetty, Anybody, benjifisher, mstrelan, David_Rothstein, phenaproxima, Bojhan: Add permissions to the update.module to hide warnings
• Issue #3112283 by ravi.shankar, mpdonadio, andregp, daffie, jhedstrom, alexpott, andypost, pifagor, vladbo, JeroenT, voleger, cliddell: Replace REQUEST_TIME in non-OO and non-module code
• Issue #2580263 by Berdir, nils.destoop, catch, Cottser, larowlan: Find a way to not run contextual_preprocess() on every template
• Issue #3280614 by Spokje: (Not so) Random test failures QuickEditFileTest
• Issue #3277552 by Hebl, Asha Nair, rootwork, Charles Belov: Seven is missing focus in "Available buttons" and "Active toolbar" within CKEditor toolbar configuration Primary tab
• Issue #3279502 by webflo: Fix invalid @property annotations
• Issue #3218562 by bradjones1, yogeshmpawar, Lendude, catch: Fix typo in/rename SearchSimplifyTest
• Issue #3272581 by danflanagan8: Image tests should not rely on Classy
• Issue #3272336 by danflanagan8: File tests should not rely on Classy
• Issue #3272543 by danflanagan8, larowlan: History tests should not rely on Classy
• Issue #3276652 by andregp, eojthebrave, markie, catch, danflanagan8: AssertMenuActiveTrailTrait should not rely on classy/bartik
• Issue #3279103 by bradjones1: Test cleanup: Remove dead code from JsonApiFunctionalTest
• Issue #3272558 by danflanagan8: Content Translation tests should not rely on Classy
• Issue #3275530 by danflanagan8: Language Tests should not rely on Classy
• Issue #3278314 by acbramley: InlineBlockUsageInterface::getUsage can return FALSE but isn't documented
• Issue #3270081 by franck_lorancy, quietone, Cottser: Fix indentation in doc block \Drupal\Core\Render\RendererInterface::render
• Issue #3276839 by Spokje, mondrake: Remove leftover dumpHeaders property
• Issue #3272354 by danflanagan8: Filter tests should not rely on Classy
• Issue #3277557 by galactus86, mherchel, rootwork: Olivero: Progress indicator percentage label does not have proper spacing
• Issue #3278032 by andregp, bkline@rksystems.com: Remove dead code from ContentTranslationController
• Issue #2314443 by olli, Lendude, immaculatexavier, dawehner: Changing view name does not update page title in views ui
• Issue #2917239 by Lendude, dww, iStryker: Form is built when not using fields
• Issue #3276218 by lauriii: Follow-up to #3268318: Enable link manual decorator unrestricted test case
• Issue #3277311 by nod_, Wim Leers, catch, larowlan: Deprecate and mark internal contextual JS API
• Issue #3252100 by amateescu, catch, Tim Bozeman: Set revision_default when publishing
• Issue #3280359 by bnjmnm: Make jQuery.form internal
• Issue #3279840 by Spokje, mallezie, alexpott: Fix \Drupal\Tests\quickedit\FunctionalJavascript\SettingsTrayIntegrationTest::createBlockContent()
• Issue #3259593 by hooroomoo, Dom., Wim Leers, lauriii: Alignment being available as separate buttons AND in dropdown is confusing
• Issue #3101922 by bnjmnm, nod_, lauriii: Find replacement for Modernizr touchevent test and deprecate
• Issue #3278786 by lauriii, nod_: Update production JavaScript dependencies to latest minors
• Issue #3279850 by alexpott, dww, lauriii: Theme post updates are not recognised when the theme is used in the installer
• Issue #3253286 by lauriii, ckrina, bnjmnm, xjm: Remove unnecessary template overrides and associated code from starterkit theme
• Issue #3206226 by Wim Leers, mglaman, lauriii, alexpott: Make updating changes from starterkit themes to generated themes easier
• Issue #3269657 by hooroomoo, Wim Leers: [drupalMedia] The CKEditor 4 → 5 upgrade path for the media_embed filter should not forcefully allow the `data-view-mode` attribute on ``
• Issue #3278246 by lauriii, alexpott, nod_, justafish: Deprecate core/scripts/js/babel-es6-build.js for removal from 10.0.x
• Issue #3279788 by alexpott: PHP 7.3 testing on Drupal 9.4.x and 9.5.x is broken due to \Drupal\Tests\RequirementsPageTrait::assertRequirementSummaries() assuming Seven is the update.php theme
• Issue #3251709 by cindytwilliams, andregp, ankithashetty, ckrina, saschaeggi: Define Blue scale for Claro
• Issue #3279640 by alexpott, Spokje, mherchel, lauriii, catch: Standard install profile uses Olivero for update.php
• Issue #3253955 by benjifisher, kristiaanvandeneynde, AaronMcHale: Let modules opt in to the bundle-specific permissions form
• Revert "Revert "Issue #3254866 by benjifisher, alexpott: Update the deprecation notices related to "Manage Permissions" pages""
• Revert "Revert "Issue #2934995 by benjifisher, larowlan, paulocs, AaronMcHale, vikashsoni, danflanagan8, Berdir, SKAUGHT, alexpott: Add a "Manage permissions" tab for each bundle that has associated permissions""
• Issue #3275237 by hooroomoo, lauriii, Wim Leers, nod_: Don't convert, instead use response.entity_type in DrupalImageUploadEditing
• Issue #3278394 by Wim Leers, bnjmnm: HTMLRestrictions' diff operation bug: diff(, ) should return an empty result

Release type: Bug fixesNew features

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
• Sites on 9.2.x or earlier should update immediately to Drupal 9.2.20 instead of this release.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Important update information

Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Known issues

Search the issue queue for known issues.

Release type: Bug fixes

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• Drupal core's yarn dependency constraints for production dependencies have been changed to only allow patch-level updates. This allows yarn upgrades to be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies. The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

Known issues

Search the issue queue for known issues.

Changes since 9.3.12

• Issue #3278163 by xjm, nod_, lauriii: yarn upgrade for latest security vulnerabilities
• Issue #3266912 by nod_, Wim Leers, lauriii, xjm, mmjvb: Review version constraints for production yarn dependencies
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Revert "Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second"
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #3270709 by Shashwat Purav, Chi, apaderno: Remove reference to contextual_pre_render_placeholder() function
• Issue #3277309 by phjou, mradcliffe, benjifisher, markie: Update links to Drupal documentation pages in Umami
• Issue #2995367 by quietone, xjm, Lendude: Fix update module test fixture names for 8.2.0-rc2 sample data
• Issue #3277274 by richardrobinson, saki007ster, ApocalypticJake, bnjmnm, sjothivelu@valleywater.org, mcolebank, joshmiller, markie, mradcliffe, pilot3, W01F: Dialog css references nonexistient --color-whitesmoke css variable
• Issue #3277743 by xjm, RainbowArray: Update contributor name and username in MAINTAINERS.txt
• Issue #3228691 by Wim Leers, lauriii, nod_: Restrict allowed additional attributes to prevent self XSS
• Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled
• Issue #3261599 by hooroomoo, Wim Leers, lauriii: Use CKEditor 5's native <ol start> support (and also support <ol reversed>)
• Issue #3277405 by Wim Leers, nod_: Update @ckeditor/ckeditor5-list to v34.0.1
• Issue #3231334 by Wim Leers, bnjmnm: Global attributes (<* lang> and <* dir="ltr rtl">): validation + support (fix data loss)
• Issue #3229078 by scott_euser, Wim Leers, hooroomoo, brentg, yogeshmpawar, catch: Unit tests for all @CKEditor5Plugin plugin classes
• Issue #3248425 by nod_, yogeshmpawar, Wim Leers, lauriii, bnjmnm, marcvangend: Ensure that all classes and functions in Drupal-specific CKEditor 5 plugins are documented
• Issue #3269085 by alexpott, larowlan, danflanagan8, Matroskeen: [random test failure] Random test fail in EntityAutocompleteTest
• Issue #3276627 by Wim Leers, hooroomoo: CKEditor5::shouldHaveVisiblePluginSettingsForm() does not correctly handle configurable CKE5 plugin that has a filter condition
• Issue #3276670 by hooroomoo, Wim Leers: Some configurations of allowed view modes cause CKE to fail to initialize
• Issue #2717921 by gaurav.kapoor, drnikki, subhashuyadav, pratik_specbee, hmendes, jhodgdon, joachim, effulgentsia, shashikant_chauhan, Wim Leers, larowlan: undocumented #has_garbage_value property of render elements
• Issue #3245720 by hooroomoo, nod_, Wim Leers, lauriii, yash.rode: [drupalMedia] Support choosing a view mode for
• Issue #3261943 by bnjmnm, lauriii, Wim Leers, andreasderijcke, ifrik: Confusing behavior after pressing "Apply changes to allowed tags" with invalid value
• Issue #3230230 by bnjmnm, johnwebdev, Wim Leers, lauriii, Anna_CKSource, Reinmar: Enable table captions; override CKE5's default downcast to generate <table><caption></table> instead of <figure><table><figcaption></figure>
• Issue #3272035 by mherchel, andy-blum: Add "linktext" and "canvastext" to cspell dictionary.
• Issue #3273056 by kmonahan, mherchel, Johnny Santos, rkoller, ckrina: Active and hover state of skip to main content has a too low color contrast
• Issue #3130305 by mherchel, cindytwilliams, bnjmnm, saschaeggi, andrewmacpherson: Ensure all of Claro's background images are visible in forced colors mode
• Issue #3269341 by mherchel, KurtTrowbridge: Claro element not rendering properly in forced colors
• Back to dev.
• Merged 9.3.12.
• Issue #3269091 by gambry, yogeshmpawar, jonathanshaw, joachim, alexpott: Undocumented behaviour for Schema::findTables() when an underscore is used
• Issue #3273325 by Dom., Wim Leers, andregp, ifrik: CKE5 and contrib: better "next action" description on upgrade path messages
• Issue #3274278 by Wim Leers, jcnventura, yogeshmpawar, andregp, bnjmnm: Migrate "codetag" contrib CKEditor 4 plugin to built-in equivalent in core's CKEditor 5

Release type: Bug fixes

This is an alpha release for the next minor (feature) release of Drupal 9. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.4 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Important changes for this release

• Drupal 9.4's minimum PHP requirement has been increased from PHP 7.3 to 7.4. Sites on PHP 7.3 may still be installed and updated (with a warning), but their security coverage is not guaranteed unless they update to at least PHP 7.4. For more information, see the PHP requirements handbook page.

  PHP 8.1 is now the recommended PHP version to use with Drupal 9.4 and above.

• The root .htaccess file now has a section for PHP 8 settings. This brings .htaccess files into alignment with Drupal’s supported PHP version.

  If you have a custom .htaccess file and its PHP settings are working, you can keep using your existing .htaccess file unchanged. If you are upgrading from PHP 7 to PHP 8, you should copy the custom settings that you need from the PHP 7 section to the PHP 8 section.

• Drupal core will begin warning in the status report if a database connection doesn't support JSON, in preparation for this becoming an installation requirement in Drupal 10.

API changes

• Select query extenders are now managed through backend-overridable services. When extending a query, consuming code need to switch from hardcoding the extension class to calling the extender service with the type of extension required. Contrib and custom database drivers overriding the extenders need to implement their own service. See https://www.drupal.org/node/3218001

• ImageStyleStorageInterface now extends ConfigEntityStorageInterface. If you are directly implementing ImageStyleStorageInterface you will need to ensure you also implement methods from ConfigEntityStorageInterface. Refer to the storage interface change record for more information.

• Code that extends Symfony's Serializer component has been updated with stricter typehints and an additional argument for compatibility with Symfony 6.1 and future releases. For more information, review the change record: Context argument added in code that extends from Symfony's Serializer component.

Changes to the Standard and Umami Demo profiles

• The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

PHP Dependency updates

The following dependencies have been changed or updated since 9.3.

• Drupal 10 will switch its PSR-17 implementation from laminas/laminas-diactoros to Guzzle. It should not be necessary to make any changes unless you are directly referencing Diactoros classes. If your project does depend directly on any Diactoros code (uncommon), you should make sure it is declared as a dependency in your composer.json or change the code to use Guzzle.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

JavaScript Dependency updates Production dependencies

• The Backbone and Underscore core JavaScript dependencies are deprecated and will no longer be provided as public core libraries in Drupal 10. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• The CKEditor 5 module now uses version 34.0.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

• The CKEditor 5 ckeditor5.list library has been updated to 34.0.1.

• Shepherd.js is updated to 9.0.0. According to its release note, there should be no breaking changes that affect our usage.

• Popper.js has been updated from 2.11.2 to 2.11.5.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

Development dependencies

• Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core’s Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core’s JavaScript development dependencies with npm or yarn.

• The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

• Eslint is updated to 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

• Stylelint has been updated to version 14, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

• All of Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Changed coding standards

• JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core’s ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

Search the issue queue for known issues.

All changes since Drupal 9.3

Core commit log on GitLab.

Release type: Bug fixesNew features

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Additionally, Drupal core's JavaScript development dependencies have been updated to the latest minor and patch releases to address security issues.

Finally, the pinned versions of the composer/composer development dependency have been updated to address a security issue.

This alpha includes many changes that are also included in Drupal 9.4.0-alpha1.

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not available in 10.0.0-alpha4:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. Various core modules and themes will be moved to contributed projects.

3. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 in 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, and the Drupal 10.0.0-alpha3 release notes for additional changes from 9.4.x.

Changes to the Standard and Umami Demo profiles

• The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

Deprecated API removals

• The public Backbone and Underscore core libraries have been removed, and the JavaScript dependencies are deprecated and for internal use only. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha3:

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• asm89/stack-cors has been updated from version 1.3.0 to 2.0.5. Enabling CORS now preserves cacheability whenever possible.

  Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

• Popper.js has been updated from 2.11.2 to 2.11.5.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

• The Nightwatch testing library has been updated to version 2.1.3. Reference the Nightwatch developer guide for a list of high level changes in the 2.0.0 release.

• Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

Known issues

Search the issue queue for known issues.

All changes since10.0.0-alpha3

• Issue #3278162 by longwave, xjm, mallezie, Spokje: Update Composer dependencies to the latest minor and patch versions
• Issue #3278163 by xjm, nod_, lauriii: yarn upgrade for latest security vulnerabilities
• Issue #3278732 by Spokje, lauriii: Remove Claro block configuration from Umami
• Issue #3278696 by Spokje: Rename Oliveros block.block.book_navigation.yml and block.block.primary_admin_actions.yml confirm standard
• Issue #3278215 by Spokje, lauriii, eojthebrave, Berdir: (Not so) Random test failures SettingsTrayIntegrationTest
• Issue #3278565 by lauriii, Spokje: Remove Claro block configuration from Standard
• Issue #3266912 by nod_, Wim Leers, lauriii, xjm, mmjvb: Review version constraints for production yarn dependencies
• Issue #3269143 by longwave, catch: Remove deprecated theme key stylesheets-remove
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #3265617 by nod_, longwave: Update Nightwatch to 2.x
• Revert "Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second"
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #2958358 by Mile23, alexpott: Remove Drupal\Component\Utility's dependency on Drupal\Component\Render
• Issue #3276195 by mondrake, catch: Symfony\Component\Serializer\Normalizer\NormalizerInterface::supportsEncoding/supportsDecoding will require a new "array $context" argument in the next major version
• Issue #3272516 by Wim Leers, yogeshmpawar, bnjmnm, catch: Deprecate FilterInterface::getHTMLRestrictions()' forbidden_tags functionality
• Issue #3270709 by Shashwat Purav, Chi, apaderno: Remove reference to contextual_pre_render_placeholder() function
• Issue #3226016 by Gauravmahlawat, Libbna: Olivero: use multi-class array for adding multiple classes in form--search-block-form.html.twig template
• Issue #3195193 by andregp, paulocs, andypost, quietone, catch: Remove Shepherd shim code from Tour
• Issue #3269152 by yogeshmpawar, longwave, catch: Remove element_settings BC layer in ajax.js
• Issue #3277809 by baddysonja, mherchel: Use Drupal.displace()'s new CSS variables to place Olivero's fixed header
• Issue #3277309 by phjou, mradcliffe, benjifisher, markie: Update links to Drupal documentation pages in Umami
• Issue #2995367 by quietone, xjm, Lendude: Fix update module test fixture names for 8.2.0-rc2 sample data
• Issue #3277274 by richardrobinson, saki007ster, ApocalypticJake, bnjmnm, sjothivelu@valleywater.org, mcolebank, joshmiller, markie, mradcliffe, pilot3, W01F: Dialog css references nonexistient --color-whitesmoke css variable
• Issue #2168711 by yogeshmpawar, droplet, mariancalinro, bnjmnm, peterpoe, lauriii, Kgaut, nod_, benjifisher: Modernizr.touchevents use can lead to scenarios that break contextual links
• Issue #3206217 by mglaman, lauriii, alexpott: Allow starterkit themes to control how the theme is generated
• Issue #3268078 by Spokje, TR: DBLogResource is no longer being tested
• Issue #3219959 by marcoscano, Gábor Hojtsy, eojthebrave, Spokje, mherchel, geekygnr, catch, m4olivei, tstoeckler, lauriii, larowlan, Meenakshi_j, webchick, Berdir, ckrina, xjm, Amber Himes Matz, bnjmnm: Update standard profile so Olivero is the default theme
• Revert "Revert "Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled""
• Revert "Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled"
• Issue #3277743 by xjm, RainbowArray: Update contributor name and username in MAINTAINERS.txt
• Issue #3228691 by Wim Leers, lauriii, nod_: Restrict allowed additional attributes to prevent self XSS
• Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled
• Issue #3266216 by mherchel, rkoller: The section-titles in the preview section on views edit pages have a too low contrast
• Issue #3277405 by Wim Leers, nod_: Update @ckeditor/ckeditor5-list to v34.0.1
• Issue #3261599 by hooroomoo, Wim Leers, bnjmnm: Use CKEditor 5's native <ol start> support (and also support <ol reversed>)
• Issue #3276618 by catch, mherchel, eojthebrave, Gábor Hojtsy: Olivero sets inconsistent classes for active trail between menu and book
• Issue #3276620 by catch, Spokje: Change NoJavaScriptAnonymousTest to use stark theme
• Issue #3229078 by scott_euser, Wim Leers, hooroomoo, brentg, yogeshmpawar, catch: Unit tests for all @CKEditor5Plugin plugin classes
• Issue #3248425 by nod_, yogeshmpawar, Wim Leers, lauriii, bnjmnm, marcvangend: Ensure that all classes and functions in Drupal-specific CKEditor 5 plugins are documented
• Issue #3269085 by alexpott, larowlan, danflanagan8, Matroskeen: [random test failure] Random test fail in EntityAutocompleteTest
• Issue #3276627 by Wim Leers, hooroomoo: CKEditor5::shouldHaveVisiblePluginSettingsForm() does not correctly handle configurable CKE5 plugin that has a filter condition
• Issue #3276670 by hooroomoo, Wim Leers: Some configurations of allowed view modes cause CKE to fail to initialize
• Issue #3087701 by markdorison, shaal, Ruchi Joshi, benjifisher, markconroy, webchick, effulgentsia, johnwebdev, xjm, DyanneNova: Enable Claro as the admin theme in Umami
• Issue #3277057 by Gábor Hojtsy, tedbow, lauriii, ckrina, saschaeggi, bnjmnm: Make Claro the default admin theme in Standard profile
• Issue #3277053 by Gábor Hojtsy, ckrina, saschaeggi, lauriii, bnjmnm: Mark Claro as Stable
• Issue #3081489 by kostyashupenko, mherchel, justafish, andy-blum, yogeshmpawar, lauriii, bnjmnm, huzooka, webchick: Remove duplicate code from veritcal-tabs.js in Claro
• Issue #2717921 by gaurav.kapoor, drnikki, subhashuyadav, pratik_specbee, hmendes, jhodgdon, joachim, effulgentsia, shashikant_chauhan, Wim Leers, larowlan: undocumented #has_garbage_value property of render elements
• Issue #3231334 by Wim Leers, bnjmnm: Global attributes (<* lang> and <* dir="ltr rtl">): validation + support (fix data loss)
• Issue #3020418 by antoineh, ckrina, bnjmnm, fhaeberle, saschaeggi, andregp, ravi.shankar, priyanka.sahni, rkoller, huzooka, balsama, cindytwilliams, modulist, lauriii, antonellasevero: Update Placeholder styles so that contrast ratio passes guidelines
• Issue #3266739 by beatrizrodrigues, joachim: FunctionalTestSetupTrait::prepareEnvironment() is protected when its docs say it should be private
• Issue #3272737 by danflanagan8: Workspaces tests should not rely on Classy
• Issue #3272734 by danflanagan8: Statistics tests should not rely on Classy
• Issue #3269154 by longwave: Remove BC layers from the theme system
• Issue #3271507 by danflanagan8, nod_: Block tests should not rely on Classy
• Issue #3275464 by HEBL, danflanagan8: Remove obsolete test method FrontPageTest::testAdminFrontPage
• Issue #3230230 by bnjmnm, johnwebdev, Wim Leers, lauriii, Anna_CKSource, Reinmar: Enable table captions; override CKE5's default downcast to generate <table><caption></table> instead of <figure><table><figcaption></figure>
• Issue #3261943 by bnjmnm, lauriii, Wim Leers, andreasderijcke, ifrik: Confusing behavior after pressing "Apply changes to allowed tags" with invalid value
• Issue #3273056 by kmonahan, mherchel, Johnny Santos, rkoller, ckrina: Active and hover state of skip to main content has a too low color contrast
• Issue #3271666 by mherchel, cindytwilliams: Olivero pager's next/prev icons don't properly adapt in forced colors
• Issue #3276615 by catch, mherchel: Remove olivero_form_comment_form_alter() comment button label override
• Issue #3256768 by mherchel, nod_, andregp, andy-blum: Drupal.displace() should set CSS Variables indicating displacement values
• Issue #3275216 by akoepke, larowlan: Fix UpdateSettingsForm dependency injection
• Issue #3275114 by Wim Leers, lauriii, bnjmmn: Add subsystem maintainers for CKEditor 5
• Issue #2236983 by quietone, DenEwout: Not at all clear how/when Database::addConnectionInfo should be called
• Issue #3272537 by danflanagan8: Help and Help Topics tests should not rely on Classy
• SA-CORE-2022-009 by kristiaanvandeneynde, larowlan, acbramley, xjm, longwave, catch, jibran, benjifisher
• SA-CORE-2022-008 by mxr576, xjm, effulgentsia, mxr576, larowlan
• Issue #3271305 by m4olivei, mherchel, rafuel92, yogeshmpawar, andy-blum, cindytwilliams: Claro's radio buttons and checkboxes are unusable in high-contrast / forced colors mode
• Issue #3270941 by quietone, ravi.shankar, yogeshmpawar, murilohp, bbrala, andypost: Remove Color module from the Standard profile
• Issue #3256549 by cilefen, murilohp, longwave, catch, Spokje: Remove core/drupal.date asset library
• Issue #3269091 by gambry, yogeshmpawar, jonathanshaw, joachim, alexpott: Undocumented behaviour for Schema::findTables() when an underscore is used
• Issue #3265664 by nod_, longwave, lauriii: Update jsdom to latest major release
• Issue #3225706 by joachim, Gauravmahlawat: rewrite ComposerProjectTemplatesTest::testMinimumStabilityStrictness() so failures say which package fails
• Issue #3270395 by murilohp, nod_, mradcliffe, xjm, Wim Leers: Remove use of underscore from editor.admin.js and filter.filter_html.admin.js
• Issue #3273325 by Dom., Wim Leers, andregp, ifrik: CKE5 and contrib: better "next action" description on upgrade path messages
• Issue #3274278 by Wim Leers, jcnventura, yogeshmpawar, andregp, bnjmnm: Migrate "codetag" contrib CKEditor 4 plugin to built-in equivalent in core's CKEditor 5
• Issue #3233491 by hooroomoo, xjm, lauriii, nod_, justafish, droplet, effulgentsia: Create process for reviewing changes in 3rd party JavaScript dependencies
• Issue #3248295 by danflanagan8, xjm, dww, mglaman: Taxonomy tests should not rely on Classy
• Issue #3274066 by danflanagan8: Node tests should not rely on Classy
• Issue #3274096 by danflanagan8, cliddell: Link Tests should not rely on Classy
• Issue #3274265 by Johnny Santos, danflanagan8: Locale Tests should not rely on Classy
• Issue #3013802 by andregp, yogeshmpawar, gaurav.kapoor, nikitas, Charlie ChX Negyesi, SourabhBhalerao, alexpott, joachim: Improve error message on unrouted URLs
• Issue #3245720 by hooroomoo, nod_, Wim Leers, lauriii, yash.rode: [drupalMedia] Support choosing a view mode for
• Issue #3275180 by xjm, larowlan: Update composer/composer dev dependency version
• Back to dev.

Release type: Bug fixesNew features