Feed aggregator

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

• Drupal 9.4 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6), or 7.4.4 or higher (up from 7.4.3).

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

• SA-CORE-2022-011 by GHaddon, JeroenT, yivanov, Heine, longwave, DamienMcKenna, mlhess, cilefen, xjm, benjifisher
• Issue #3281438 by tinto, deviantintegral, catch: Update CKEditorTest to not use Bartik and Seven
• Issue #3284502 by effulgentsia, alexpott: [regression] Drupal 9.4 breaks BC via incorrect autoloading of \Drupal\Driver\* overrides of core db drivers

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

No other fixes are included.

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released. Update to Drupal 9.3.x soon to continue receiving security coverage.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

• Drupal 9.2 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6).

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

No other fixes are included.

• Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
• Sites on 9.2.x or earlier should update immediately to Drupal 9.2.21 instead of this release (but update to 9.3 or higher soon).
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

• Drupal 9.3 core now requires guzzlehttp/guzzle 6.5.7 or higher (up from 6.5.6).

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022.

• The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

• Issue #3223264 by andy-blum, mherchel, Kristen Pol: Olivero: Messages can be malformed when JS creates messages and PHP messages already exist
• Issue #3247683 by Wim Leers, lauriii, bnjmnm, Reinmar: Disable CKEditor 5's automatic link decorators (in Drupal filters should be used instead)
• Issue #3273983 by Wim Leers, ifrik, lauriii: Do not assume that plugin supporting also supports in SourceEditingRedundantTags and upgrade path
• Issue #3284270 by alexpott, bircher: Reset \Drupal\Core\Config\ConfigImporter::$errors in ::validate() method
• Issue #3283795 by alexpott, bircher: ComposerHooksTest is broken on latest DrupalCI PHP container
• Issue #3274648 by nod_, Wim Leers: HTMLRestrictions::merge() and ::toGeneralHtmlSupportConfig() fail on allowed attribute values that can be interpreted as integers
• Issue #3276217 by lauriii, Wim Leers: [drupalMedia] add tests to confirm GHS attributes are retained in linked media
• Issue #3280985 by mherchel, andy-blum: Olivero's code block styling is slightly broken at various viewport widths

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

This alpha includes many changes that are also included in Drupal 9.4.0-beta1.

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not complete in 10.0.0-alpha4:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. The Backbone and Underscore core JavaScript dependencies are no longer provided as public core libraries. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0. Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

3. Various core modules and themes will be moved to contributed projects.

4. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 on December 14, 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, the Drupal 10.0.0-alpha3 release notes, and the Drupal 10.0.0-alpha4 release notes for additional changes from 9.4.x.

• The JavaScript ES6 build process is removed given that all browsers supported by Drupal Core are now ES6 compatible. This means that once the build tooling is removed from Drupal 10, core developers are no longer required to run the commands when they make changes to core JavaScript. This also means that babel/core and all related dependencies will no longer be included as core development dependencies.

• The minimum supported PHP version is now set dynamically based on the documented end-of-life date for each PHP version. After a PHP version is no longer supported, there will be warnings about the unsupported PHP version, but this won't prevent running, updating, or installing Drupal. In order to provide sites with the most complete information on which PHP versions are supported and recommended for their current installation, \Drupal::MINIMUM_SUPPORTED_PHP is deprecated and replaced by \Drupal\Core\PhpRequirements::minimumSupportedPhp(). Review the handbook documentation on unsupported PHP versions for more information.

• The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

• The range validator for entities now yields a more accurate 'value not in range' message, with its violation error code also more accurately being Range::NOT_IN_RANGE_ERROR.

• Code that extends Symfony's Serializer component has been updated with stricter typehints and an additional argument for compatibility with Symfony 6.1 and future releases. For more information, review the change record: Context argument added in code that extends from Symfony's Serializer component.

The following dependencies have been changed or updated since 10.0.0-alpha4:

• asm89/stack-cors has been updated from version 1.3.0 to 2.0.5.

  Enabling CORS now preserves cacheability whenever possible.

  Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

• The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility.

• The CKEditor 5 module now uses version 34.1.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

• Additionally:

  • Shepherd.js is updated to 9.1.0.
  • SortableJS is updated to 1.15.0.
  • tabbable is updated to 5.3.2.

  For all three of these updates, according to the projects' release notes, there should be no breaking changes that affect our usage.

Search the issue queue for known issues.

• Revert "Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions"
• Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions
• Issue #3223264 by andy-blum, mherchel, Kristen Pol: Olivero: Messages can be malformed when JS creates messages and PHP messages already exist
• Revert "Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions"
• Issue #3282315 by mondrake, mallezie, alexpott: Update phpstan/phpstan and mglaman/phpstan-drupal to latest versions
• Issue #3261245 by andypost, andregp, paulocs, longwave, catch, daffie, quietone: Remove deprecated views module functions
• Issue #3247683 by Wim Leers, lauriii, bnjmnm, Reinmar: Disable CKEditor 5's automatic link decorators (in Drupal filters should be used instead)
• Issue #3273983 by Wim Leers, ifrik, lauriii: Do not assume that plugin supporting also supports in SourceEditingRedundantTags and upgrade path
• Issue #3284270 by alexpott, bircher: Reset \Drupal\Core\Config\ConfigImporter::$errors in ::validate() method
• Issue #3283795 by alexpott, bircher: ComposerHooksTest is broken on latest DrupalCI PHP container
• Issue #3274648 by nod_, Wim Leers: HTMLRestrictions::merge() and ::toGeneralHtmlSupportConfig() fail on allowed attribute values that can be interpreted as integers
• Issue #3276217 by lauriii, Wim Leers: [drupalMedia] add tests to confirm GHS attributes are retained in linked media
• Issue #3227431 by mherchel, kostyashupenko, andy-blum, Kristen Pol, andrewmacpherson, cindytwilliams, alexpott, mgifford, dww, shaal, rkoller: Tabledrag icon doesn't adapt to forced-colors mode
• Issue #3280985 by mherchel, andy-blum: Olivero's code block styling is slightly broken at various viewport widths
• Issue #3257274 by andy-blum, mherchel, mglaman, xjm, alexpott, mgifford, shaal, benjifisher, tim.plunkett, AaronMcHale, Antoniya, worldlinemine, tmaiochi, rkoller, andregp, ckrina: Implement color changing theme settings for Olivero
• Issue #3274651 by Wim Leers, nod_, alexpott: Impossible to enable
  
  or
  
  with GHS: switch to List's successor, DocumentList
• Issue #3279192 by daffie, ravi.shankar, geek-merlin, alexpott: Change the method Drupal\Core\DrupalKernel::handle() to make it work for the Swoole module
• Issue #3261447 by xjm, lauriii, ravi.shankar, Wim Leers, alexpott, tedbow, daffie: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules
• Issue #3281578 by Wim Leers, quietone, xjm, catch: Increase Composer dependency constraints to latest minors for forward-compatibility
• Revert "Issue #3261447 by xjm, lauriii, ravi.shankar, Wim Leers, alexpott, tedbow, daffie: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules"
• Issue #3265140 by Spokje, bnjmnm, lauriii, mstrelan, dww, Wim Leers, xjm, murilohp, daffie: Move QuickEditImageController from image to quickedit
• Issue #3277438 by Wim Leers, bnjmnm, lauriii, xjm, nod_, Reinmar: Update to CKEditor 5 v34.1.0
• Issue #3261447 by xjm, lauriii, ravi.shankar, Wim Leers, alexpott, tedbow, daffie: Add an API for dynamically setting recommended and supported PHP versions based on known and predicted PHP release schedules
• Issue #3282395 by alexpott, mallezie: Latest versions of PHPStan and mglaman/phpstan-drupal cannot find PhpUnitVersionDependentTestCompatibilityTrait
• Issue #3282342 by xjm: Forward-port Guzzle updates, because the private testrunner doesn't like me today
• Issue #3281863 by alexpott, Wim Leers, nod_, hestenet, xjm, huzooka, Mixologic: Nightwatch tests failing >50% of test runs on PHP 7.3 in 9.4.x and 9.5.x, as well as PHP 8.1 on 10.0.x
• Issue #3279703 by VIGHNESH SADAGOPAL, Binoli Lalani, Stockfoot, Maninders, Ruturaj Chaubey, mherchel, Libbna, ckrina, longwave: Change "Welcome to " to "Welcome!" on the initial install screen
• Issue #3246755 by mherchel, yogeshmpawar, Libbna, cindytwilliams, zenimagine: Olivero main/user account menu layout struggles with long menus
• Issue #3279693 by mherchel, andy-blum: Olivero: Hyperlinks with "button" or "button--primary" do not have proper styling when nested in a "text-content" container
• Issue #2513524 by andregp, JeroenT, Bill Choy, TR, tstoeckler, dawehner, Wim Leers, xjm: ExtensionDiscovery is unable to find modules that have a comment at the end of the type property in a .info.yml file
• Issue #3260007 by mondrake, yogeshmpawar, daffie, andypost: Decouple Connection from the wrapped PDO connection to allow alternative clients
• Issue #3274080 by mherchel, andy-blum, lauriii: Olivero's mobile menu experience doesn't properly adapt to forced colors
• Issue #3270842 by javi-er, sharayurajput, ckrina, WagnerMelo, saschaeggi: Define Red color scale for Claro
• Issue #3245553 by quietone, danflanagan8: Fix migration of localized D6 menu links
• Issue #2580723 by AdamPS, Berdir, andypost, darvanen, larowlan, alexpott, effulgentsia, catch, dawehner: Fix token system confusion, with new function Token::replacePlain()
• Issue #3270936 by Spokje, quietone, andypost, lauriii: Deprecate Color module
• Issue #3281755 by mondrake: PHPStan baseline broken again in head (hopefully for the last time?)
• Issue #3261266 by mondrake, longwave, daffie: Remove deprecated code from the testing framework (base classes, listeners, etc)
• Issue #3269149 by longwave, catch, alexpott: Remove deprecated settings
• Issue #3058409 by guilhermevp, joachim, ravi.shankar, quietone, init90, andregp: TermStorage::loadTree() doesn't document what the return array is keyed by
• Issue #3280882 by mondrake, mallezie: KernelTestBase::tearDown() cleanup prevents good typehinting practices
• Issue #3262874 by Spokje, longwave, ankithashetty, catch, andypost: Update Coder to 8.3.15
• Issue #3269140 by longwave: Remove deprecated config.storage.staging service
• Issue #3232714 by paulocs, vsujeetkumar, mondrake, longwave, quietone, larowlan: Replace, in tests, mocks that do not configure doubles with their actual objects
• Issue #3268746 by quietone, xjm: Fix missing newlines for 'Drupal.Commenting.DocComment.ShortSingleLine'
• Issue #3272956 by xjm, Wim Leers, tedbow, dww: Hardcode security coverage EOL dates for Drupal 9.4 and 9.5 (as was done for 8.8 and 8.9)
• Issue #3280602 by larowlan, DanielVeza, Wim Leers, mstrelan: Exceptions for CKEditor 5 plugin definitions containing wildcard tags when PHP is built with libxml 2.9.14
• Issue #3259355 by mallezie, mondrake, catch, longwave, mglaman, alexpott, xjm, daffie, Mixologic: Always do a full phpstan analysis on DrupalCI
• Issue #3250582 by huzooka, Matroskeen, danflanagan8, ravi.shankar, quietone, erik.erskine: ResponsiveImageStyles source plugin must extend DrupalSqlBase
• Issue #3276565 by dww, larowlan: Add larowlan as maintainer of contextual.module
• Issue #3260920 by tstoeckler: Contact's MessageEntityTest wrongly uses 'edit' access operation on entities instead of 'update'
• Issue #332796 by voleger, dww, Steve Dondley, ykhadilkar, Dave Reid, ankithashetty, Anybody, benjifisher, mstrelan, David_Rothstein, phenaproxima, Bojhan: Add permissions to the update.module to hide warnings
• Issue #3112283 by ravi.shankar, mpdonadio, andregp, daffie, jhedstrom, alexpott, andypost, pifagor, vladbo, JeroenT, voleger, cliddell: Replace REQUEST_TIME in non-OO and non-module code
• Issue #2580263 by Berdir, nils.destoop, catch, Cottser, larowlan: Find a way to not run contextual_preprocess() on every template
• Issue #3280614 by Spokje: (Not so) Random test failures QuickEditFileTest
• Issue #3276196 by mondrake, catch, Spokje: The "Symfony\Component\Validator\Constraints\Range::$minMessage" property is considered final
• Issue #3278916 by mallezie, mondrake: Update phpstan/phpstan to latest version
• Issue #3277552 by Hebl, Asha Nair, rootwork, Charles Belov: Seven is missing focus in "Available buttons" and "Active toolbar" within CKEditor toolbar configuration Primary tab
• Issue #3279502 by webflo: Fix invalid @property annotations
• Issue #3218562 by bradjones1, yogeshmpawar, Lendude, catch: Fix typo in/rename SearchSimplifyTest
• Issue #3272581 by danflanagan8: Image tests should not rely on Classy
• Issue #3272336 by danflanagan8: File tests should not rely on Classy
• Issue #3272543 by danflanagan8, larowlan: History tests should not rely on Classy
• Issue #3276652 by andregp, eojthebrave, markie, catch, danflanagan8: AssertMenuActiveTrailTrait should not rely on classy/bartik
• Issue #3279103 by bradjones1: Test cleanup: Remove dead code from JsonApiFunctionalTest
• Issue #3272558 by danflanagan8: Content Translation tests should not rely on Classy
• Issue #3275530 by danflanagan8: Language Tests should not rely on Classy
• Issue #3278314 by acbramley: InlineBlockUsageInterface::getUsage can return FALSE but isn't documented
• Issue #3270081 by franck_lorancy, quietone, Cottser: Fix indentation in doc block \Drupal\Core\Render\RendererInterface::render
• Issue #3276839 by Spokje, mondrake: Remove leftover dumpHeaders property
• Issue #3272354 by danflanagan8: Filter tests should not rely on Classy
• Issue #3277557 by galactus86, mherchel, rootwork: Olivero: Progress indicator percentage label does not have proper spacing
• Issue #3278032 by andregp, bkline@rksystems.com: Remove dead code from ContentTranslationController
• Issue #3269153 by andregp, longwave, catch: Remove BC layers from the extension system
• Issue #2314443 by olli, Lendude, immaculatexavier, dawehner: Changing view name does not update page title in views ui
• Issue #2917239 by Lendude, dww, iStryker: Form is built when not using fields
• Issue #3276218 by lauriii: Follow-up to #3268318: Enable link manual decorator unrestricted test case
• Issue #3277311 by nod_, Wim Leers, catch, larowlan: Deprecate and mark internal contextual JS API
• Issue #3252100 by amateescu, catch, Tim Bozeman: Set revision_default when publishing
• Issue #3280359 by bnjmnm: Make jQuery.form internal
• Issue #3279840 by Spokje, mallezie, alexpott: Update mglaman/phpstan-drupal
• Issue #3279840 by Spokje, mallezie, alexpott: Fix \Drupal\Tests\quickedit\FunctionalJavascript\SettingsTrayIntegrationTest::createBlockContent()
• Issue #3259593 by hooroomoo, Dom., Wim Leers, lauriii: Alignment being available as separate buttons AND in dropdown is confusing
• Issue #3277744 by Taran2L, catch, nod_: Actually remove deprecated jquery_ui libraries from core
• Issue #3279850 by alexpott, dww, lauriii: Theme post updates are not recognised when the theme is used in the installer
• Issue #3101922 by bnjmnm, nod_, lauriii: Find replacement for Modernizr touchevent test and deprecate
• Issue #3278786 by lauriii, nod_: Update production JavaScript dependencies to latest minors
• Issue #3253286 by lauriii, ckrina, bnjmnm, xjm: Remove unnecessary template overrides and associated code from starterkit theme
• Issue #3206226 by Wim Leers, mglaman, lauriii, alexpott: Make updating changes from starterkit themes to generated themes easier
• Issue #3278052 by Spokje, mondrake: Fix added core/phpstan-baseline.neon error suppresion for core/modules/dblog/tests/src/Functional/DbLogResourceTest.php
• Issue #3278782 by mondrake: PHPStan baseline is out of sync
• Issue #3269657 by hooroomoo, Wim Leers: [drupalMedia] The CKEditor 4 → 5 upgrade path for the media_embed filter should not forcefully allow the `data-view-mode` attribute on ``
• Issue #3278246 by lauriii, alexpott, nod_, justafish: Deprecate core/scripts/js/babel-es6-build.js for removal from 10.0.x
• Issue #3279788 by alexpott: PHP 7.3 testing on Drupal 9.4.x and 9.5.x is broken due to \Drupal\Tests\RequirementsPageTrait::assertRequirementSummaries() assuming Seven is the update.php theme
• Issue #3279640 by alexpott, Spokje, mherchel, lauriii, catch: Standard install profile uses Olivero for update.php
• Issue #3251709 by cindytwilliams, andregp, ankithashetty, ckrina, saschaeggi: Define Blue scale for Claro
• Issue #3253955 by benjifisher, kristiaanvandeneynde, AaronMcHale: Let modules opt in to the bundle-specific permissions form
• Issue #3275237 by hooroomoo, lauriii, Wim Leers, nod_: Don't convert, instead use response.entity_type in DrupalImageUploadEditing
• Issue #3278394 by Wim Leers, bnjmnm: HTMLRestrictions' diff operation bug: diff(, ) should return an empty result
• Back to dev.