Drupal

drupal 9.3.17

Tue, 06/21/2022 - 16:59

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information
  • Drupal core now requires guzzlehttp/guzzle 6.5.8 or higher (up from 6.5.7).

    The latest guzzle versions also require guzzlehttp/psr7 1.9 or higher (up from 1.8.5), so that package is updated as well.

    Since the above change to guzzlehttp/psr7 requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.

    Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

All changes since 9.3.16 Release type: Bug fixes

drupal 9.4.1

Tue, 06/21/2022 - 16:56

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.

Drupal 9.4.x will receive security coverage until June 2023.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.4.0 release notes before upgrading to this release.

Important update information
  • Drupal core now requires guzzlehttp/guzzle 6.5.8 or higher (up from 6.5.7), or 7.4.5 or higher (up from 7.4.4).

    The latest guzzle versions also require guzzlehttp/psr7 1.9 or higher (up from 1.8.5), so that package is updated as well.

    Since the above change to guzzlehttp/psr7 requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.

    Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

All changes since 9.4.0 Release type: Bug fixes

drupal 10.1.x-dev

Mon, 06/20/2022 - 11:01

Issue queue placeholder branch 101.x development, for issues deferred from 9.5.x and 10.0.x.

This branch does not yet contain the actual 10.1.x codebase and is not intended for use for anything other than the Drupal core issue queue version selector.

Release type: Bug fixesNew features

drupal 9.4.0

Wed, 06/15/2022 - 12:35

This is a minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backward compatibility and experimental module policies.

Minor releases may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022.

9.2.x and 8.9.x will no longer receive security support, so sites on a Drupal 8 or 9 version earlier than 9.2.x should upgrade to a supported release as soon as possible.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.4 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Changes to site-owner-managed files
  • The root .htaccess file now has a section for PHP 8 settings. This brings .htaccess files into alignment with Drupal’s supported PHP version.

    If you have a custom .htaccess file and its PHP settings are working, you can keep using your existing .htaccess file unchanged. If you are upgrading from PHP 7 to PHP 8, adopt the new .htaccess file and adopt the custom settings that you need from your existing .htaccess file PHP 7 section to the new PHP 8 section.

  • The theme used when update.php is run and there is no maintenance_theme selected in settings.php has changed:

    1. If Claro is installed, it will be used as the maintenance theme.
    2. If Seven is installed and Claro is not, Seven will be used as the maintenance theme.
    3. If neither Claro nor Seven are installed, the default theme is used.

    Review the change record on the maintenance theme changes for more information.

Platform requirements changes Minimum supported PHP version increased to PHP 7.4; PHP 8.1 recommended
  • Drupal 9.4's minimum PHP requirement has been increased from PHP 7.3 to 7.4. Sites on PHP 7.3 may still be installed and updated (with a warning), but their security coverage is not guaranteed unless they update to at least PHP 7.4. For more information, see the PHP requirements handbook page.

    PHP 8.1 is now the recommended PHP version to use with Drupal 9.4 and above.

Database JSON support warning
  • Drupal core will begin warning in the status report if a database connection doesn't support JSON, in preparation for this becoming an installation requirement in Drupal 10. The most common MySQL/MariaDB/Percona databases used with Drupal already had this requirement for Drupal 9.0, so this new warning is likely to appear only for SQLite and PostgreSQL users.

The drupal/core-recommended package now allows patch-level updates

The drupal/core-recommended metapackage now allows patch-level updates for dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package. Site owners should test patch-level updates before deploying them. Instructions for managing dependency updates with the updated drupal/core-recommended metapackage.

Note that egulias/email-validator has a wider constraint due to the name of its most recent supported version, so site owners may wish to add a specific constraint to avoid updates to version 3.3 or higher in the future.

The CKEditor 5 experimental module is nearly (but not quite) stable

CKEditor 4 will be end-of-life in 2023. The CKEditor 5 experimental module will replace CKEditor 4 in Drupal 10. CKEditor 5 differs significantly from CKEditor 4, so we strongly recommend sites and modules begin testing with it now in preparation for Drupal 10's release later this year. Only a few issues remain until the new module can be marked stable, including a critical data loss bug for custom tags when using Full HTML text format, support for inserting externally hosted images, support for Styles Combo (which blocks some contributed projects), and a number of accessibility issues. Most of these are blocked on upstream improvements, and we're working closely with the CKEditor team!

Testing CKEditor 5

Back up your site data and configuration before beginning testing.

  1. The automatic content upgrade path: Under Configuration > Content Authoring > Text formats and editors, configure a text format and change its "text editor" setting from "CKEditor" to "CKEditor 5". (This will happen automatically when upgrading to Drupal 10.)

    You will get the equivalent CKEditor 5 configuration created automatically: toolbar, plugin settings, and so on. Messages will appear upon switching that explain what happened and why. Verify that the messages and generated configuration are correct.

  2. The editing experience: Verify that the default CKEditor 5 configuration works as you need and expect. For example, the linking experience should be improved, uploading images is much faster, and so on.

  3. Your existing content: When you edit existing content with CKEditor 5 and you save it, verify that the resulting markup looks as you expect, and that no data is lost.

Upgrading contributed modules to CKEditor 5

The module can be also used for making modules extending CKEditor 4 to become compatible with CKEditor 5.

Deprecated modules

The following core modules are deprecated in Drupal 9.4 and will be moved to contributed projects in Drupal 10:

  • Color
  • Aggregator
  • HAL
  • The Entity Reference and SimpleTest stubs

Sites will receive warning messages when deprecated modules are in use. Review the deprecated module documentation on the steps to take if your site uses any of these modules.

API changes Changes to the Standard and Umami Demo profiles
  • The Standard profile now uses Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

    This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

  • Standard profile will no longer enable the Color module when installed.

Backend dependency updates

The following dependencies have been changed or updated since 9.3.

  • Sites are able to install Guzzle 7 due to a widening of Drupal core's composer constraints. This allows for more complete PHP 8.1 support. Contributed modules should continue to provide Guzzle 6 support since both the drupal/core-recommended package and tarballs continue to provide Guzzle 6.

    • Site owners who are using drupal/core-recommended and wish to use Guzzle 7 will need to change their site to depend on drupal/core directly. Note that your Composer dependencies will no longer be locked to specific patch or minor release versions after this change, so you will need to take care to avoid accidentally updating dependencies before your site is ready.

      Test thoroughly before deploying an update to Guzzle 7, as some contributed and custom projects may be incompatible with it.

    • Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

  • Drupal 10 will switch its PSR-17 implementation from laminas/laminas-diactoros to Guzzle. It should not be necessary to make any changes unless you are directly referencing Diactoros classes. If your project does depend directly on any Diactoros code (uncommon), you should make sure it is declared as a dependency in your composer.json or change the code to use Guzzle.

  • Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

    Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

Backend development dependencies
  • Coder has been updated to 8.3.15. This version will automatically set up Drupal coding standards sniffs in PHP_CodeSniffer thanks to a new dependency on dealerdirect/phpcodesniffer-composer-installer.

Frontend dependency updates Frontend production dependencies
  • The Backbone and Underscore core JavaScript dependencies are deprecated and will no longer be provided as public core libraries in Drupal 10. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

    Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

    Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

    Both these deprecated dependencies have also received patch-level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

  • Drupal 10 will drop support for Internet Explorer 11. This includes removing all polyfills in Drupal 10. If you plan to continue supporting Internet Explorer 11 even when used with Drupal 10, your project will have to depend on any required polyfills directly. If you plan to support Internet Explorer 11 only until the end-of-life of Drupal 9, you don’t have to do anything until Drupal 9 is end-of-life.

    For a full list of polyfills being removed, reference the draft Drupal 10 change records for removing Internet Explorer 11 polyfills and removing Drupal's custom <details> fieldset collapse script.

  • The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades to be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

    The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

  • Shepherd.js has been updated from 8.3.1 to 9.1.0. According to its release note, there should be no breaking changes that affect our usage.

  • SortableJS has been updated from 1.14.0 to 1.15.0. According to its release note, there should be no breaking changes that affect our usage.

  • tabbable has been updated from 5.2.1 to 5.3.2. According to its release note, there should be no breaking changes that affect our usage.

  • Popper.js has been updated from 2.11.2 to 2.11.5.

Frontend development dependencies
  • Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core's Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core's JavaScript development dependencies with npm or yarn.

  • The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

  • Eslint has been updated from 7.32.0 to 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

  • Stylelint has been updated from 13.13.1 to 14.8.2, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

  • The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

  • All of Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Changed coding standards
  • JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core’s ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

Search the issue queue for known issues.

All changes since Drupal 9.4.0-rc2 Release type: Bug fixesNew features

drupal 9.4.0-rc2

Fri, 06/10/2022 - 15:21

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important update information from 9.4.0-rc1
  • Drupal 9.4 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6), or 7.4.4 or higher (up from 7.4.3).

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

All changes since 9.4.0-rc1 Release type: Security updateBug fixes

drupal 9.2.21

Fri, 06/10/2022 - 15:13

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released. Update to Drupal 9.3.x soon to continue receiving security coverage.
  • Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
  • Versions of Drupal 8 are end-of-life and do not receive security coverage.
Important update information
  • Drupal 9.2 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6).

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security update

drupal 9.3.16

Fri, 06/10/2022 - 15:13

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
  • Sites on 9.2.x or earlier should update immediately to Drupal 9.2.21 instead of this release (but update to 9.3 or higher soon).
  • Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
  • Versions of Drupal 8 are end-of-life and do not receive security coverage.
Important update information
  • Drupal 9.3 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6).

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

drupal 9.4.0-rc1

Wed, 06/08/2022 - 21:56

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022.

Important changes since Drupal 9.4.0-beta1
  • The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

All changes since 9.4.0-beta1 Release type: Bug fixesNew features

drupal 10.0.0-alpha5

Wed, 06/08/2022 - 17:08

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

This alpha includes many changes that are also included in Drupal 9.4.0-beta1.

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not complete in 10.0.0-alpha4:

  1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

  2. The Backbone and Underscore core JavaScript dependencies are no longer provided as public core libraries. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0. Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.
  3. Various core modules and themes will be moved to contributed projects.

  4. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 on December 14, 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

  1. Deprecated code will be removed, including entire deprecated modules.
  2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, the Drupal 10.0.0-alpha3 release notes, and the Drupal 10.0.0-alpha4 release notes for additional changes from 9.4.x.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha4:

  • asm89/stack-cors has been updated from version 1.3.0 to 2.0.5.

    Enabling CORS now preserves cacheability whenever possible.

    Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

  • The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

  • Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility.

  • The CKEditor 5 module now uses version 34.1.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

  • Additionally:

    For all three of these updates, according to the projects' release notes, there should be no breaking changes that affect our usage.

Known issues

Search the issue queue for known issues.

All changes since 10.0.0-alpha4 Release type: Bug fixesNew features

drupal 9.3.15

Wed, 06/01/2022 - 11:49

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information
  • CKEditor 5 has been updated from 34.0.1 to 34.1.0, which fixes several bugs affecting Drupal core.

Known issues

Search the issue queue for known issues.

All changes since 9.3.13 Release type: Bug fixes

drupal 7.90

Wed, 06/01/2022 - 05:47

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

A change has been made to the .htaccess file that Drupal generates to prevent PHP execution in files directories. See the Change Record for more details of how to ensure your site's .htaccess files are up-to-date.

This release includes improved support for PHP 8.1 (and other recent PHP releases), but there may still be problems not revealed by Drupal core's test suite, especially on sites with contrib (and custom) modules. Please test, and report any problems in the appropriate issue queue.

This release also includes some major performance improvements for PostgreSQL. Special thanks to poker10 for providing several backports that make a significant difference.

As always, many thanks to everyone that contributed to this release of Drupal 7.

Major changes in 7.90: All changes: Release type: Bug fixesNew features

drupal 9.4.0-beta1

Mon, 05/30/2022 - 15:07

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important changes since Drupal 9.4.0-alpha1 Backend dependencies
  • Sites are able to install Guzzle 7 due to a widening of Drupal core's composer constraints. This allows for more complete PHP 8.1 support. Contributed modules should continue to provide Guzzle 6 support since both the drupal/core-recommended package and core tarballs continue to provide Guzzle 6.

    Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. In the latest snapshot channel of Composer, it is possible to use:

    composer update --with=guzzlehttp/guzzle:^6 -W

    You can update to the snapshot channel by re-running composer self-update after updating to the current stable release (2.3.5). You can roll back to a stable version at any time by using composer self-update --rollback.

    In current stable releases of Composer, a workaround is to temporarily add a top-level requirement on the exact version of Guzzle you which to install, e.g.:

    composer require guzzlehttp/guzzle:6.5.6 composer update

    ...and then remove the specific guzzle requirement from the top-level composer.json for your project.

  • Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

    Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

  • The following packages have received minor-level updates since alpha1:

    • egulias/email-validator, from 3.1.2 to 3.2.
    • laminas/laminas-diactoros, from 2.10.0 to 2.11.0.
    • twig/twig, from 2.14.13 to 2.15.1.
  • The composer/xdebug-handler dependency has received a major version update that removes support for PHP versions not supported for Drupal 10.

Frontend dependencies
  • CKEditor 5 has been updated from 34.0.0 to 34.1.0, which fixes several bugs affecting Drupal core.

Additionally:

For all three of these updates, according to the projects' release notes, there should be no breaking changes that affect our usage.

Development dependencies
  • Coder has been updated to 8.3.15. This version will automatically set up Drupal coding standards sniffs in PHP_CodeSniffer thanks to a new dependency on dealerdirect/phpcodesniffer-composer-installer.

All changes since 9.4.0-alpha1 Release type: Bug fixesNew features

drupal 9.2.20

Wed, 05/25/2022 - 15:07

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
  • Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
  • Versions of Drupal 8 are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security update

drupal 9.3.14

Wed, 05/25/2022 - 15:07

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
  • Sites on 9.2.x or earlier should update immediately to Drupal 9.2.20 instead of this release.
  • Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
  • Versions of Drupal 8 are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security update

drupal 9.2.19

Wed, 05/11/2022 - 17:59

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Important update information

Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Known issues

Search the issue queue for known issues.

Release type: Bug fixes

drupal 9.3.13

Wed, 05/11/2022 - 05:26

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information
  • Drupal core's yarn dependency constraints for production dependencies have been changed to only allow patch-level updates. This allows yarn upgrades to be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies. The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

  • Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

  • The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

Known issues

Search the issue queue for known issues.

Changes since 9.3.12 Release type: Bug fixes

drupal 9.4.0-alpha1

Fri, 05/06/2022 - 16:29

This is an alpha release for the next minor (feature) release of Drupal 9. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.4 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Important changes for this release
  • Drupal 9.4's minimum PHP requirement has been increased from PHP 7.3 to 7.4. Sites on PHP 7.3 may still be installed and updated (with a warning), but their security coverage is not guaranteed unless they update to at least PHP 7.4. For more information, see the PHP requirements handbook page.

    PHP 8.1 is now the recommended PHP version to use with Drupal 9.4 and above.

  • The root .htaccess file now has a section for PHP 8 settings. This brings .htaccess files into alignment with Drupal’s supported PHP version.

    If you have a custom .htaccess file and its PHP settings are working, you can keep using your existing .htaccess file unchanged. If you are upgrading from PHP 7 to PHP 8, you should copy the custom settings that you need from the PHP 7 section to the PHP 8 section.

  • Drupal core will begin warning in the status report if a database connection doesn't support JSON, in preparation for this becoming an installation requirement in Drupal 10.

API changes
  • Select query extenders are now managed through backend-overridable services. When extending a query, consuming code need to switch from hardcoding the extension class to calling the extender service with the type of extension required. Contrib and custom database drivers overriding the extenders need to implement their own service. See https://www.drupal.org/node/3218001

  • ImageStyleStorageInterface now extends ConfigEntityStorageInterface. If you are directly implementing ImageStyleStorageInterface you will need to ensure you also implement methods from ConfigEntityStorageInterface. Refer to the storage interface change record for more information.

  • Code that extends Symfony's Serializer component has been updated with stricter typehints and an additional argument for compatibility with Symfony 6.1 and future releases. For more information, review the change record: Context argument added in code that extends from Symfony's Serializer component.

Changes to the Standard and Umami Demo profiles
  • The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

    This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

  • Standard profile will no longer enable the Color module when installed.

PHP Dependency updates

The following dependencies have been changed or updated since 9.3.

  • Drupal 10 will switch its PSR-17 implementation from laminas/laminas-diactoros to Guzzle. It should not be necessary to make any changes unless you are directly referencing Diactoros classes. If your project does depend directly on any Diactoros code (uncommon), you should make sure it is declared as a dependency in your composer.json or change the code to use Guzzle.

  • Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

JavaScript Dependency updates Production dependencies
  • The Backbone and Underscore core JavaScript dependencies are deprecated and will no longer be provided as public core libraries in Drupal 10. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

    Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

    Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

  • The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

    The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

  • The CKEditor 5 module now uses version 34.0.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

  • The CKEditor 5 ckeditor5.list library has been updated to 34.0.1.

  • Shepherd.js is updated to 9.0.0. According to its release note, there should be no breaking changes that affect our usage.

  • Popper.js has been updated from 2.11.2 to 2.11.5.

  • The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

Development dependencies
  • Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core’s Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core’s JavaScript development dependencies with npm or yarn.

  • The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

  • Eslint is updated to 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

  • Stylelint has been updated to version 14, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

  • The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

  • All of Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Changed coding standards
  • JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core’s ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

Search the issue queue for known issues.

All changes since Drupal 9.3

Core commit log on GitLab.

Release type: Bug fixesNew features

drupal 10.0.0-alpha4

Fri, 05/06/2022 - 16:20

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Additionally, Drupal core's JavaScript development dependencies have been updated to the latest minor and patch releases to address security issues.

Finally, the pinned versions of the composer/composer development dependency have been updated to address a security issue.

This alpha includes many changes that are also included in Drupal 9.4.0-alpha1.

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not available in 10.0.0-alpha4:

  1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

  2. Various core modules and themes will be moved to contributed projects.

  3. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 in 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

  1. Deprecated code will be removed, including entire deprecated modules.
  2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, and the Drupal 10.0.0-alpha3 release notes for additional changes from 9.4.x.

Changes to the Standard and Umami Demo profiles
  • The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

    This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

  • Standard profile will no longer enable the Color module when installed.

Deprecated API removals
  • The public Backbone and Underscore core libraries have been removed, and the JavaScript dependencies are deprecated and for internal use only. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

    Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

    Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha3:

  • The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

    The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

  • asm89/stack-cors has been updated from version 1.3.0 to 2.0.5. Enabling CORS now preserves cacheability whenever possible.

    Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

  • Popper.js has been updated from 2.11.2 to 2.11.5.

  • The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

  • Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

  • The Nightwatch testing library has been updated to version 2.1.3. Reference the Nightwatch developer guide for a list of high level changes in the 2.0.0 release.

  • Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

  • The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

Known issues

Search the issue queue for known issues.

All changes since10.0.0-alpha3 Release type: Bug fixesNew features

drupal 9.5.x-dev

Fri, 04/29/2022 - 15:28

Unsupported development snapshot for the 9.5.x release series.

The 9.5.x branch is now open for new development. 9.5.0 is scheduled for release in December 2022.

Those interested in testing the upcoming 9.4.0 releases of Drupal core should continue to work with the 9.4.x branch until 9.4.0 is released on June 15, 2022.

See the current development schedule for information on current and upcoming releases.

Release type: Bug fixesNew features

drupal 9.3.12

Wed, 04/20/2022 - 10:58

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
  • Sites on 9.2.x or earlier should update immediately to Drupal 9.2.18 instead of this release.
  • Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
  • Versions of Drupal 8 are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security update

Pages