Releases for Drupal core

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Important update information

Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Known issues

Search the issue queue for known issues.

Release type: Bug fixes

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• Drupal core's yarn dependency constraints for production dependencies have been changed to only allow patch-level updates. This allows yarn upgrades to be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies. The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

Known issues

Search the issue queue for known issues.

Changes since 9.3.12

• Issue #3278163 by xjm, nod_, lauriii: yarn upgrade for latest security vulnerabilities
• Issue #3266912 by nod_, Wim Leers, lauriii, xjm, mmjvb: Review version constraints for production yarn dependencies
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Revert "Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second"
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #3270709 by Shashwat Purav, Chi, apaderno: Remove reference to contextual_pre_render_placeholder() function
• Issue #3277309 by phjou, mradcliffe, benjifisher, markie: Update links to Drupal documentation pages in Umami
• Issue #2995367 by quietone, xjm, Lendude: Fix update module test fixture names for 8.2.0-rc2 sample data
• Issue #3277274 by richardrobinson, saki007ster, ApocalypticJake, bnjmnm, [email protected], mcolebank, joshmiller, markie, mradcliffe, pilot3, W01F: Dialog css references nonexistient --color-whitesmoke css variable
• Issue #3277743 by xjm, RainbowArray: Update contributor name and username in MAINTAINERS.txt
• Issue #3228691 by Wim Leers, lauriii, nod_: Restrict allowed additional attributes to prevent self XSS
• Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled
• Issue #3261599 by hooroomoo, Wim Leers, lauriii: Use CKEditor 5's native <ol start> support (and also support <ol reversed>)
• Issue #3277405 by Wim Leers, nod_: Update @ckeditor/ckeditor5-list to v34.0.1
• Issue #3231334 by Wim Leers, bnjmnm: Global attributes (<* lang> and <* dir="ltr rtl">): validation + support (fix data loss)
• Issue #3229078 by scott_euser, Wim Leers, hooroomoo, brentg, yogeshmpawar, catch: Unit tests for all @CKEditor5Plugin plugin classes
• Issue #3248425 by nod_, yogeshmpawar, Wim Leers, lauriii, bnjmnm, marcvangend: Ensure that all classes and functions in Drupal-specific CKEditor 5 plugins are documented
• Issue #3269085 by alexpott, larowlan, danflanagan8, Matroskeen: [random test failure] Random test fail in EntityAutocompleteTest
• Issue #3276627 by Wim Leers, hooroomoo: CKEditor5::shouldHaveVisiblePluginSettingsForm() does not correctly handle configurable CKE5 plugin that has a filter condition
• Issue #3276670 by hooroomoo, Wim Leers: Some configurations of allowed view modes cause CKE to fail to initialize
• Issue #2717921 by gaurav.kapoor, drnikki, subhashuyadav, pratik_specbee, hmendes, jhodgdon, joachim, effulgentsia, shashikant_chauhan, Wim Leers, larowlan: undocumented #has_garbage_value property of render elements
• Issue #3245720 by hooroomoo, nod_, Wim Leers, lauriii, yash.rode: [drupalMedia] Support choosing a view mode for
• Issue #3261943 by bnjmnm, lauriii, Wim Leers, andreasderijcke, ifrik: Confusing behavior after pressing "Apply changes to allowed tags" with invalid value
• Issue #3230230 by bnjmnm, johnwebdev, Wim Leers, lauriii, Anna_CKSource, Reinmar: Enable table captions; override CKE5's default downcast to generate <table><caption></table> instead of <figure><table><figcaption></figure>
• Issue #3272035 by mherchel, andy-blum: Add "linktext" and "canvastext" to cspell dictionary.
• Issue #3273056 by kmonahan, mherchel, Johnny Santos, rkoller, ckrina: Active and hover state of skip to main content has a too low color contrast
• Issue #3130305 by mherchel, cindytwilliams, bnjmnm, saschaeggi, andrewmacpherson: Ensure all of Claro's background images are visible in forced colors mode
• Issue #3269341 by mherchel, KurtTrowbridge: Claro element not rendering properly in forced colors
• Back to dev.
• Merged 9.3.12.
• Issue #3269091 by gambry, yogeshmpawar, jonathanshaw, joachim, alexpott: Undocumented behaviour for Schema::findTables() when an underscore is used
• Issue #3273325 by Dom., Wim Leers, andregp, ifrik: CKE5 and contrib: better "next action" description on upgrade path messages
• Issue #3274278 by Wim Leers, jcnventura, yogeshmpawar, andregp, bnjmnm: Migrate "codetag" contrib CKEditor 4 plugin to built-in equivalent in core's CKEditor 5

Release type: Bug fixes

This is an alpha release for the next minor (feature) release of Drupal 9. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on June 15, 2022.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.4 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Important changes for this release

• Drupal 9.4's minimum PHP requirement has been increased from PHP 7.3 to 7.4. Sites on PHP 7.3 may still be installed and updated (with a warning), but their security coverage is not guaranteed unless they update to at least PHP 7.4. For more information, see the PHP requirements handbook page.

  PHP 8.1 is now the recommended PHP version to use with Drupal 9.4 and above.

• The root .htaccess file now has a section for PHP 8 settings. This brings .htaccess files into alignment with Drupal’s supported PHP version.

  If you have a custom .htaccess file and its PHP settings are working, you can keep using your existing .htaccess file unchanged. If you are upgrading from PHP 7 to PHP 8, you should copy the custom settings that you need from the PHP 7 section to the PHP 8 section.

• Drupal core will begin warning in the status report if a database connection doesn't support JSON, in preparation for this becoming an installation requirement in Drupal 10.

API changes

• Select query extenders are now managed through backend-overridable services. When extending a query, consuming code need to switch from hardcoding the extension class to calling the extender service with the type of extension required. Contrib and custom database drivers overriding the extenders need to implement their own service. See https://www.drupal.org/node/3218001

• ImageStyleStorageInterface now extends ConfigEntityStorageInterface. If you are directly implementing ImageStyleStorageInterface you will need to ensure you also implement methods from ConfigEntityStorageInterface. Refer to the storage interface change record for more information.

• Code that extends Symfony's Serializer component has been updated with stricter typehints and an additional argument for compatibility with Symfony 6.1 and future releases. For more information, review the change record: Context argument added in code that extends from Symfony's Serializer component.

Changes to the Standard and Umami Demo profiles

• The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

PHP Dependency updates

The following dependencies have been changed or updated since 9.3.

• Drupal 10 will switch its PSR-17 implementation from laminas/laminas-diactoros to Guzzle. It should not be necessary to make any changes unless you are directly referencing Diactoros classes. If your project does depend directly on any Diactoros code (uncommon), you should make sure it is declared as a dependency in your composer.json or change the code to use Guzzle.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

JavaScript Dependency updates Production dependencies

• The Backbone and Underscore core JavaScript dependencies are deprecated and will no longer be provided as public core libraries in Drupal 10. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• The CKEditor 5 module now uses version 34.0.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

• The CKEditor 5 ckeditor5.list library has been updated to 34.0.1.

• Shepherd.js is updated to 9.0.0. According to its release note, there should be no breaking changes that affect our usage.

• Popper.js has been updated from 2.11.2 to 2.11.5.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

Development dependencies

• Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core’s Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core’s JavaScript development dependencies with npm or yarn.

• The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

• Eslint is updated to 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

• Stylelint has been updated to version 14, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

• All of Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Changed coding standards

• JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core’s ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

Search the issue queue for known issues.

All changes since Drupal 9.3

Core commit log on GitLab.

Release type: Bug fixesNew features

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Additionally, Drupal core's JavaScript development dependencies have been updated to the latest minor and patch releases to address security issues.

Finally, the pinned versions of the composer/composer development dependency have been updated to address a security issue.

This alpha includes many changes that are also included in Drupal 9.4.0-alpha1.

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not available in 10.0.0-alpha4:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. Various core modules and themes will be moved to contributed projects.

3. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 in 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes, the Drupal 10.0.0-alpha2 release notes, and the Drupal 10.0.0-alpha3 release notes for additional changes from 9.4.x.

Changes to the Standard and Umami Demo profiles

• The Standard profile now use Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

Deprecated API removals

• The public Backbone and Underscore core libraries have been removed, and the JavaScript dependencies are deprecated and for internal use only. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha3:

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades can be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• asm89/stack-cors has been updated from version 1.3.0 to 2.0.5. Enabling CORS now preserves cacheability whenever possible.

  Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

• Popper.js has been updated from 2.11.2 to 2.11.5.

• The deprecated Backbone and Underscore dependencies have received patch level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases. The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported for Drupal 10.

• The Nightwatch testing library has been updated to version 2.1.3. Reference the Nightwatch developer guide for a list of high level changes in the 2.0.0 release.

• Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

Known issues

Search the issue queue for known issues.

All changes since10.0.0-alpha3

• Issue #3278162 by longwave, xjm, mallezie, Spokje: Update Composer dependencies to the latest minor and patch versions
• Issue #3278163 by xjm, nod_, lauriii: yarn upgrade for latest security vulnerabilities
• Issue #3278732 by Spokje, lauriii: Remove Claro block configuration from Umami
• Issue #3278696 by Spokje: Rename Oliveros block.block.book_navigation.yml and block.block.primary_admin_actions.yml confirm standard
• Issue #3278215 by Spokje, lauriii, eojthebrave, Berdir: (Not so) Random test failures SettingsTrayIntegrationTest
• Issue #3278565 by lauriii, Spokje: Remove Claro block configuration from Standard
• Issue #3266912 by nod_, Wim Leers, lauriii, xjm, mmjvb: Review version constraints for production yarn dependencies
• Issue #3269143 by longwave, catch: Remove deprecated theme key stylesheets-remove
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #3265617 by nod_, longwave: Update Nightwatch to 2.x
• Revert "Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second"
• Issue #3230541 by cliddell, jday, yogeshmpawar, neclimdul, cmlara, Charlie ChX Negyesi: Queue items only reserved by cron for 1 second
• Issue #2958358 by Mile23, alexpott: Remove Drupal\Component\Utility's dependency on Drupal\Component\Render
• Issue #3276195 by mondrake, catch: Symfony\Component\Serializer\Normalizer\NormalizerInterface::supportsEncoding/supportsDecoding will require a new "array $context" argument in the next major version
• Issue #3272516 by Wim Leers, yogeshmpawar, bnjmnm, catch: Deprecate FilterInterface::getHTMLRestrictions()' forbidden_tags functionality
• Issue #3270709 by Shashwat Purav, Chi, apaderno: Remove reference to contextual_pre_render_placeholder() function
• Issue #3226016 by Gauravmahlawat, Libbna: Olivero: use multi-class array for adding multiple classes in form--search-block-form.html.twig template
• Issue #3195193 by andregp, paulocs, andypost, quietone, catch: Remove Shepherd shim code from Tour
• Issue #3269152 by yogeshmpawar, longwave, catch: Remove element_settings BC layer in ajax.js
• Issue #3277809 by baddysonja, mherchel: Use Drupal.displace()'s new CSS variables to place Olivero's fixed header
• Issue #3277309 by phjou, mradcliffe, benjifisher, markie: Update links to Drupal documentation pages in Umami
• Issue #2995367 by quietone, xjm, Lendude: Fix update module test fixture names for 8.2.0-rc2 sample data
• Issue #3277274 by richardrobinson, saki007ster, ApocalypticJake, bnjmnm, [email protected], mcolebank, joshmiller, markie, mradcliffe, pilot3, W01F: Dialog css references nonexistient --color-whitesmoke css variable
• Issue #2168711 by yogeshmpawar, droplet, mariancalinro, bnjmnm, peterpoe, lauriii, Kgaut, nod_, benjifisher: Modernizr.touchevents use can lead to scenarios that break contextual links
• Issue #3206217 by mglaman, lauriii, alexpott: Allow starterkit themes to control how the theme is generated
• Issue #3268078 by Spokje, TR: DBLogResource is no longer being tested
• Issue #3219959 by marcoscano, Gábor Hojtsy, eojthebrave, Spokje, mherchel, geekygnr, catch, m4olivei, tstoeckler, lauriii, larowlan, Meenakshi_j, webchick, Berdir, ckrina, xjm, Amber Himes Matz, bnjmnm: Update standard profile so Olivero is the default theme
• Revert "Revert "Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled""
• Revert "Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled"
• Issue #3277743 by xjm, RainbowArray: Update contributor name and username in MAINTAINERS.txt
• Issue #3228691 by Wim Leers, lauriii, nod_: Restrict allowed additional attributes to prevent self XSS
• Issue #3276974 by hooroomoo, Wim Leers: [drupalMedia] Media View Modes don't work if alignment not enabled
• Issue #3266216 by mherchel, rkoller: The section-titles in the preview section on views edit pages have a too low contrast
• Issue #3277405 by Wim Leers, nod_: Update @ckeditor/ckeditor5-list to v34.0.1
• Issue #3261599 by hooroomoo, Wim Leers, bnjmnm: Use CKEditor 5's native <ol start> support (and also support <ol reversed>)
• Issue #3276618 by catch, mherchel, eojthebrave, Gábor Hojtsy: Olivero sets inconsistent classes for active trail between menu and book
• Issue #3276620 by catch, Spokje: Change NoJavaScriptAnonymousTest to use stark theme
• Issue #3229078 by scott_euser, Wim Leers, hooroomoo, brentg, yogeshmpawar, catch: Unit tests for all @CKEditor5Plugin plugin classes
• Issue #3248425 by nod_, yogeshmpawar, Wim Leers, lauriii, bnjmnm, marcvangend: Ensure that all classes and functions in Drupal-specific CKEditor 5 plugins are documented
• Issue #3269085 by alexpott, larowlan, danflanagan8, Matroskeen: [random test failure] Random test fail in EntityAutocompleteTest
• Issue #3276627 by Wim Leers, hooroomoo: CKEditor5::shouldHaveVisiblePluginSettingsForm() does not correctly handle configurable CKE5 plugin that has a filter condition
• Issue #3276670 by hooroomoo, Wim Leers: Some configurations of allowed view modes cause CKE to fail to initialize
• Issue #3087701 by markdorison, shaal, Ruchi Joshi, benjifisher, markconroy, webchick, effulgentsia, johnwebdev, xjm, DyanneNova: Enable Claro as the admin theme in Umami
• Issue #3277057 by Gábor Hojtsy, tedbow, lauriii, ckrina, saschaeggi, bnjmnm: Make Claro the default admin theme in Standard profile
• Issue #3277053 by Gábor Hojtsy, ckrina, saschaeggi, lauriii, bnjmnm: Mark Claro as Stable
• Issue #3081489 by kostyashupenko, mherchel, justafish, andy-blum, yogeshmpawar, lauriii, bnjmnm, huzooka, webchick: Remove duplicate code from veritcal-tabs.js in Claro
• Issue #2717921 by gaurav.kapoor, drnikki, subhashuyadav, pratik_specbee, hmendes, jhodgdon, joachim, effulgentsia, shashikant_chauhan, Wim Leers, larowlan: undocumented #has_garbage_value property of render elements
• Issue #3231334 by Wim Leers, bnjmnm: Global attributes (<* lang> and <* dir="ltr rtl">): validation + support (fix data loss)
• Issue #3020418 by antoineh, ckrina, bnjmnm, fhaeberle, saschaeggi, andregp, ravi.shankar, priyanka.sahni, rkoller, huzooka, balsama, cindytwilliams, modulist, lauriii, antonellasevero: Update Placeholder styles so that contrast ratio passes guidelines
• Issue #3266739 by beatrizrodrigues, joachim: FunctionalTestSetupTrait::prepareEnvironment() is protected when its docs say it should be private
• Issue #3272737 by danflanagan8: Workspaces tests should not rely on Classy
• Issue #3272734 by danflanagan8: Statistics tests should not rely on Classy
• Issue #3269154 by longwave: Remove BC layers from the theme system
• Issue #3271507 by danflanagan8, nod_: Block tests should not rely on Classy
• Issue #3275464 by HEBL, danflanagan8: Remove obsolete test method FrontPageTest::testAdminFrontPage
• Issue #3230230 by bnjmnm, johnwebdev, Wim Leers, lauriii, Anna_CKSource, Reinmar: Enable table captions; override CKE5's default downcast to generate <table><caption></table> instead of <figure><table><figcaption></figure>
• Issue #3261943 by bnjmnm, lauriii, Wim Leers, andreasderijcke, ifrik: Confusing behavior after pressing "Apply changes to allowed tags" with invalid value
• Issue #3273056 by kmonahan, mherchel, Johnny Santos, rkoller, ckrina: Active and hover state of skip to main content has a too low color contrast
• Issue #3271666 by mherchel, cindytwilliams: Olivero pager's next/prev icons don't properly adapt in forced colors
• Issue #3276615 by catch, mherchel: Remove olivero_form_comment_form_alter() comment button label override
• Issue #3256768 by mherchel, nod_, andregp, andy-blum: Drupal.displace() should set CSS Variables indicating displacement values
• Issue #3275216 by akoepke, larowlan: Fix UpdateSettingsForm dependency injection
• Issue #3275114 by Wim Leers, lauriii, bnjmmn: Add subsystem maintainers for CKEditor 5
• Issue #2236983 by quietone, DenEwout: Not at all clear how/when Database::addConnectionInfo should be called
• Issue #3272537 by danflanagan8: Help and Help Topics tests should not rely on Classy
• SA-CORE-2022-009 by kristiaanvandeneynde, larowlan, acbramley, xjm, longwave, catch, jibran, benjifisher
• SA-CORE-2022-008 by mxr576, xjm, effulgentsia, mxr576, larowlan
• Issue #3271305 by m4olivei, mherchel, rafuel92, yogeshmpawar, andy-blum, cindytwilliams: Claro's radio buttons and checkboxes are unusable in high-contrast / forced colors mode
• Issue #3270941 by quietone, ravi.shankar, yogeshmpawar, murilohp, bbrala, andypost: Remove Color module from the Standard profile
• Issue #3256549 by cilefen, murilohp, longwave, catch, Spokje: Remove core/drupal.date asset library
• Issue #3269091 by gambry, yogeshmpawar, jonathanshaw, joachim, alexpott: Undocumented behaviour for Schema::findTables() when an underscore is used
• Issue #3265664 by nod_, longwave, lauriii: Update jsdom to latest major release
• Issue #3225706 by joachim, Gauravmahlawat: rewrite ComposerProjectTemplatesTest::testMinimumStabilityStrictness() so failures say which package fails
• Issue #3270395 by murilohp, nod_, mradcliffe, xjm, Wim Leers: Remove use of underscore from editor.admin.js and filter.filter_html.admin.js
• Issue #3273325 by Dom., Wim Leers, andregp, ifrik: CKE5 and contrib: better "next action" description on upgrade path messages
• Issue #3274278 by Wim Leers, jcnventura, yogeshmpawar, andregp, bnjmnm: Migrate "codetag" contrib CKEditor 4 plugin to built-in equivalent in core's CKEditor 5
• Issue #3233491 by hooroomoo, xjm, lauriii, nod_, justafish, droplet, effulgentsia: Create process for reviewing changes in 3rd party JavaScript dependencies
• Issue #3248295 by danflanagan8, xjm, dww, mglaman: Taxonomy tests should not rely on Classy
• Issue #3274066 by danflanagan8: Node tests should not rely on Classy
• Issue #3274096 by danflanagan8, cliddell: Link Tests should not rely on Classy
• Issue #3274265 by Johnny Santos, danflanagan8: Locale Tests should not rely on Classy
• Issue #3013802 by andregp, yogeshmpawar, gaurav.kapoor, nikitas, Charlie ChX Negyesi, SourabhBhalerao, alexpott, joachim: Improve error message on unrouted URLs
• Issue #3245720 by hooroomoo, nod_, Wim Leers, lauriii, yash.rode: [drupalMedia] Support choosing a view mode for
• Issue #3275180 by xjm, larowlan: Update composer/composer dev dependency version
• Back to dev.

Release type: Bug fixesNew features

Unsupported development snapshot for the 9.5.x release series.

The 9.5.x branch is now open for new development. 9.5.0 is scheduled for release in December 2022.

Those interested in testing the upcoming 9.4.0 releases of Drupal core should continue to work with the 9.4.x branch until 9.4.0 is released on June 15, 2022.

See the current development schedule for information on current and upcoming releases.

Release type: Bug fixesNew features

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.3.x will receive security coverage until December 8, 2022 when Drupal 9.5.0 is released.
• Sites on 9.2.x or earlier should update immediately to Drupal 9.2.18 instead of this release.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Important update information

Composer is a development dependency and tool used by Drupal. Today the Composer project released a security advisory.

This Drupal release updates Composer to the latest version as a security hardening. The locked version of the composer/composer package has been updated from 2.1.12 to 2.2.12.

No other changes are included.

It is also recommended that site owners update the version of Composer they use on the command line. To see which version of Composer is in use, run:

composer --version

To update Composer 1:

composer self-update 1.10.26

To update Composer 2.0 through 2.2:

composer self-update 2.2.12

To update Composer 2.3:

composer self-update 2.3.5 Known issues

Search the issue queue for known issues.

Release type: Bug fixesInsecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

Composer is a development dependency and tool used by Drupal. Today the Composer project released a security advisory.

This Drupal release updates Composer to the latest version as a security hardening. The locked version of the composer/composer package has been updated from 2.1.12 to 2.2.12.

No other changes are included. (Note that Drupal 9.3.10 was also released today, so refer to the 9.3.10 release notes for all changes since the last bugfix release.)

It is also recommended that site owners update the version of Composer they use on the command line. To see which version of Composer is in use, run:

composer --version

To update Composer 1:

composer self-update 1.10.26

To update Composer 2.0 through 2.2:

composer self-update 2.2.12

To update Composer 2.3:

composer self-update 2.3.5 Known issues

Search the issue queue for known issues.

Release type: Bug fixesInsecure

9.3.10

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x10 will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• The beta experimental CKEditor 5 module now uses version 34.0.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

• Previously, jQuery UI was an emeritus (unsupported) project. However, it recently began receiving support again. Therefore, Drupal core has replaced its fork of jQuery UI with jQuery UI itself, to make it easier to keep it up to date. Additionally, core's jQuery UI package dependencies have been updated to jQuery UI 1.13.1. The unminified source code is kept in core to allow easy audit during future library updates.

Known issues

Search the issue queue for known issues.

All changes since 9.3.9

• Issue #3248423 by nod_, Wim Leers, lauriii: Decide how CKEditor 5-provided types should be referenced
• Issue #3248448 by hooroomoo, lauriii, Wim Leers: Dialog loading text is unstyled
• Issue #3270765 by Wim Leers, lauriii: Add test coverage for createDropdown in drupalElementStyles
• Issue #3260857 by Wim Leers, lauriii: Expand SourceEditingRedundantTagsConstraintValidator to also check attributes and attribute values
• Issue #3268318 by lauriii, Wim Leers, tim.plunkett: [drupalMedia] with GHS allowed attributes downcast wraps data-caption with
• Issue #3263384 by nod_, Wim Leers, lauriii: Add ckeditor5-code-block package and CodeBlock plugin
• Issue #3222757 by lauriii, Wim Leers, nod_, rachel_norfolk, itmaybejj, mgifford, ckrina, andrewmacpherson, solideogloria, Luke.Leber: [drupalImage] Make image alt text required or strongly encouraged
• Issue #3269868 by lauriii, andregp, ravi.shankar, Wim Leers: [drupalImage] Some Image attributes are lost in edge cases where image upcasts into inline image
• Issue #3274767 by nod_, lauriii: Update to CKEditor 5 v34.0.0
• Issue #3263935 by huzooka, danflanagan8, quietone: system_site migrates default 403, 404 and front page paths as forward slash (/)
• Issue #3265626 by bnjmnm, Wim Leers, nod_, lauriii, alexpott, andregp: Changes to "Manually editable HTML tags" lost if form is submitted without triggering AJAX
• Issue #3273626 by xjm, dww, Spokje: Drupal Media JavaScript test suite causes database locks on SQLite
• Issue #3203604 by Eli-T, snig, justafish, kuldeep_mehra27, Matroskeen, Finn Lewis, shaal, ckrina, dawehner, diarcastro: Add a new recipe to Umami - Borscht with pork ribs
• Issue #3270940 by quietone: Move all non migration Color tests to the module in preparation of removal
• Issue #3173159 by sardara, JeroenT: Block add form ajax callback implementation issues
• Issue #3273527 by joevagyok, Wim Leers: Upgrade path never configures the ckeditor5_heading plugin to allow
  
• Issue #3272797 by bnjmnm, phenaproxima, xjm: [random test failure] Restore LayoutBuilderTest::testConfigurableLayoutSections()
• Issue #3273312 by Wim Leers, Dom., ifrik, mpp, seanB, lauriii: Upgrading from CKEditor 4 for a text format that has FilterInterface::TYPE_MARKUP_LANGUAGE filters enabled
• Issue #3273332 by Wim Leers, DieterHolvoet: Merging cells in tables is possible in UI, but lost upon saving
• Issue #3265929 by jonathanshaw, yogeshmpawar, quietone, xjm: Rewrite examples of form options to be less culturally specific
• Issue #2779999 by shashikant_chauhan, guilhermevp, dww, joachim, xjm: Document checkboxes and radios element can have individual descriptions
• Issue #3112547 by andypost, dww, yogeshmpawar, Lendude, bnjmnm, danflanagan8, mglaman, joachim: Views UI tests should not rely on Classy
• Issue #3272746 by Shashwat Purav, danflanagan8: Layout Discovery tests should not rely on Classy
• Issue #3272731 by Shashwat Purav, danflanagan8: jsonapi tests should not rely on Classy
• Issue #3268307 by lauriii, Wim Leers: $block wildcard resolves into a superset of the actual $block tags
• Issue #3268680 by phenaproxima, xjm, Spokje, ravi.shankar, bnjmmn: [random test failure] Restore and fix LayoutBuilderDisableInteractionsTest::testFormsLinksDisabled()
• Issue #3265723 by nevergone: Duplicate word: directly
• Issue #3230829 by mohit_aghera, marcvangend, Wim Leers, Kristen Pol: editor_form_filter_format_form_alter() does not remove "editor_plugin" from form state when needed
• Issue #3219921 by nironan, kostyashupenko, javi-er, Gauravmahlawat, jens.de.geit, mchameddie, Kristen Pol, timohuisman, andy-blum, ckrina: Claro: display the vertical scrollbar when many results are returned by linkit
• Issue #2873732 by vijaycs85, GaëlG: Array to string conversion in CacheContextsManager::convertTokensToKeys() because of the 'cookies' cache context
• Issue #3115054 by chr.fritsch, vsujeetkumar, Vidushi Mehta, sergiuteaca, janmejaig, ranjith_kumar_k_u, phenaproxima: Media library widget forgets ordering when adding or removing items
• Issue #3268860 by lauriii, Wim Leers: Elements wrapping are not retained
• Merge 9.3.9, resolve merge conflicts, and update lockfile and dev versions.
• Issue #3259443 by marcvangend, bnjmnm, Abhijith S: Plugin settings do not appear when a configurable plugin is added AFTER removing all buttons
• Issue #3270108 by bnjmnm, Wim Leers: Editor does not load when using Edge + WHCM
• Revert "Issue #2636086 by Matroskeen, jian he, Sweetchuck, dawehner, Lendude: Add extra test coverage for operators of views date filters"
• Issue #2636086 by Matroskeen, jian he, Sweetchuck, dawehner, Lendude: Add extra test coverage for operators of views date filters
• Issue #3231328 by Wim Leers, nod_: SmartDefaultSettings should select the CKE5 plugin that minimizes creation of HTML restriction supersets
• Issue #3270110 by bnjmnm, Wim Leers: Toolbar config items missing "press arrow to do {x}" instructions for screenreaders
• Issue #3270112 by bnjmnm, Wim Leers: Excessive aria-live announcing from ckeditor5-admin-help-message live region
• Issue #3260869 by lauriii, Wim Leers, bnjmnm, alexpott, catch: Resolve mismatch between <$block> interpretation by CKEditor 5 and Drupal
• Back to dev.
• Merged 9.3.8.
• Issue #3231337 by lauriii, Wim Leers: [drupalMedia] Remove manual dataDowncast from DrupalMediaEditing
• Issue #3248228 by lauriii, Wim Leers: Unable to change selection after linking inline media when manual decorators have been defined
• Revert "Issue #3269064 by lauriii, xjm, Wim Leers: Update to CKEditor 5 v33.0.0"
• Issue #3268174 by Wim Leers, nod_, catch, lauriii: Bug in CKE 4 → 5 upgrade path "format" does not always map to "heading", it could map to "codeBlock" too, or both, or neither
• Issue #3162228 by longwave, Spokje, freelock, jackson.cooper, phenaproxima, xjm: Composer 2 Fatal error Call to undefined method Composer\DependencyResolver\Operation\UpdateOperation::getJobType() in /home/mysite/public_html/core/lib/Drupal/Core/Composer/Composer.php:170
• Issue #2911473 by Maouna, joachim, adinac, dhirendra.mishra, ravi.shankar, MaskOta, ranjith_kumar_k_u, kuldeep_mehra27, mahtab_alam, fabienly, carolpettirossi, joelpittet, jenlampton, dww: Selected yet disabled individual options from checkboxes element don't persist through save
• Issue #3266443 by quietone: Rename StateFileExists to StateFileExistsTest
• Issue #3269064 by lauriii, xjm, Wim Leers: Update to CKEditor 5 v33.0.0
• Issue #3226716 by beatrizrodrigues, joachim, xjm, lucienchalom: Missing return value documentation for TranslatableInterface::addTranslation()
• Issue #3267124 by longwave, alexpott: Temporarily skip failing tests
• Issue #3252562 by rlhawk, mikelutz, benjifisher, danflanagan8: In Callback Migrate process, document how to use functions that accept no argument as callable
• Issue #3248430 by nod_, Wim Leers, lauriii: Improve Drupal.ckeditor5 documentation
• Issue #3268272 by sayco: TypeError: strpos(): Argument #1 ($haystack) must be of type string, int given in strpos()
• Issue #3268368 by lauriii, xjm, Wim Leers: Robustify and restore \Drupal\Tests\ckeditor5\FunctionalJavascript\MediaLibraryTest::testButton
• Issue #3041900 by ankithashetty, Krzysztof Domański, yogeshmpawar, longwave: The element selector type "CSS, XPath" in JSWebAssert should be lowercase
• Issue #3267705 by xjm, longwave: Fix error message when 'yarn check -s' fails in the commit check script
• Issue #3265652 by nod_, xjm, lauriii, Wim Leers, Gábor Hojtsy: Unfork jQuery UI
• Issue #3264727 by lauriii, Wim Leers, benjifisher, andregp, AaronMcHale, kimberlly_amaral, rkoller, ckrina, worldlinemine, Antoniya, victoria-marina, shaal, tmaiochi: [drupalMedia|drupalImage] Allow removing data-align in the UI, and making an image inline
• Issue #3264775 by lauriii, Wim Leers: [drupalMedia] Toolbar should be visible when element inside is focused
• Issue #3194084 by bnjmnm, Wim Leers, lauriii, hooroomoo, Gábor Hojtsy: Support functionality equivalent to ckeditor_stylesheets
• Issue #3260853 by Wim Leers, bnjmnm: [GHS] Partial wildcard attributes (<foo data-*>, <foo *-bar-*>, <foo *-bar>) and attribute values (<h2 id="jump-*">) not yet supported
• Issue #3260032 by longwave, bnjmnm, Wim Leers, samuel.mortenson: CKEditor 5 adds ie11.user.warnings library to every page, triggering a FOUC even for anonymous users
• Issue #3261600 by lauriii, hooroomoo, Wim Leers: Update to CKEditor5 v32.0.0
• Issue #3268070 by xjm: Temporarily skip even more failing tests
• Issue #3263201 by manuel.adan: Missing argument type on hook_shortcut_default_set declaration
• Issue #3267644 by danflanagan8, mglaman: Custom Block (block_content) tests should not rely on Classy
• Issue #3250397 by alexpott, mondrake, ressa, daffie, xjm: DbLog triggers PHP deprecation on PHP8.1 when running from CLI
• Issue #3267823 by alexpott, Spokje: \Drupal\Tests\quickedit\FunctionalJavascript\QuickEditIntegrationTest::testCustomBlock(). is failing on latest chromedriver
• Issue #3267754 by lauriii: AjaxTest is failing
• Issue #2797141 by Driskell, daffie, andypost, Charlie ChX Negyesi, benjifisher: Remove the methods tableExists() and fieldExists() from Drupal\Core\Database\Driver\mysql\Schema

Release type: Bug fixesInsecure

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005
• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not available in 10.0.0-alpha2:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. Various core modules and themes will be moved to contributed projects.

3. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 in 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes and the Drupal 10.0.0-alpha2 release notes for additional changes from 9.4.x.

Removed core modules

The following modules have been removed from core in 10.0.0-alpha2:

• The Aggregator module has been removed from Drupal 10 and is available as a contributed module. Fewer than 5% of existing Drupal sites use the Aggregator module.

• The HAL module was introduced during the development of Drupal 8, but never received much traction in the decoupled scene due to the vague specification and issues with the implementation. As a result, few sites use HAL in production.Additionally, JSON:API in core offers a superset of features over HAL.

  Therefore, HAL is deprecated in Drupal 9.4 and has been removed from Drupal 10.0. It is instead available as the HAL contributed project instead. If you need the functionality provided by HAL, read more on using the HAL contributed module.

Numerous other modules and themes will be removed prior to 10.0.0-beta1.

Deprecated API removals

Numerous deprecated core APIs have been removed since 10.0.0-alpha2. Many more will be removed between 10.0.0-alpha3 and 10.0.0-beta1.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha2:

• New Drupal 10 site development now requires composer/installers version 2.0 or higher (up from version 1.9), and the default version is now 2.0.1.

• psr/log version 2 is now required. The package has been updated from version 1.1.4 to 2.0.0.

• The symfony/console component has been updated from version 5.4.3 to 6.0.5. Drupal 10 requires version 6.0 or higher. Additionally, Drupal core's development dependency requirement for the composer/composer package has been increased from 2.2.4 to 2.3.0.

• The CKEditor 5 module now uses version 34.0.0 of the CKEditor 5 JavaScript library, which fixes several critical issues.

• The Shepherd.js JavaScript package has been updated to 9.0.0. According to Shepherd.js 9.0.0's release note there should be no breaking changes that affect Drupal core usage.

• Previously jQuery UI was an emeritus (unsupported) project. However, it recently began receiving support again. Therefore, Drupal core has replaced its fork of jQuery UI with jQuery UI itself, to make it easier to keep it up to date. Additionally, core's jQuery UI package dependencies have been updated to jQuery UI 1.13.1. The unminified source code is kept in core to allow easy audit during future library updates.

• Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core's Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core's JavaScript development dependencies with npm or yarn.

• The ESLint JavaScript development dependency has been updated to version 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

• The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

• The temporary direct development dependency on the Acorn JavaScript package that was added in 10.0.0-alpha2 has been removed. (It is still an indirect development dependency for core development.)

Added dependencies

• Drupal core now has a direct dependency on the guzzlehttp/psr7 package (previously an indirect dependency) since it is used for the default implementation of several core services for PSR-17.

• The Mink dev dependencies friends-of-behat/mink and friends-of-behat/mink-browserkit-driver (originally added in Drupal 9.2) have been switched back to their upstream versions at behat/mink and behat/mink-browserkit-driver respectively now that upstream has resolved Symfony 6 compatibility issues.

Removed dependencies

• The Backbone and Underscore core JavaScript dependencies are no longer provided as public core libraries. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0. Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed or custom module itself.

• The Laminas Feed Composer package has been removed as a core dependency.

• The jQuery Joyride third-party JavaScript library has been removed as a core dependency.

Changed coding standards

• JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core's ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

Search the issue queue for known issues.

All changes since10.0.0-alpha2

• Issue #3274938 by xjm, nod_: Remove deprecated public Backbone and Underscore libraries
• Issue #3268318 by lauriii, Wim Leers, tim.plunkett: [drupalMedia] with GHS allowed attributes downcast wraps data-caption with
• Issue #3210435 by javi-er, kostyashupenko, sagarchauhan, mherchel, bnjmnm, Kristen Pol, ckrina, saschaeggi: Consistent Navigation violation with secondary tabs
• Issue #3274767 by nod_, lauriii: Update to CKEditor 5 v34.0.0
• Issue #3269341 by mherchel, KurtTrowbridge: Claro element not rendering properly in forced colors
• Issue #3269417 by mherchel, cindytwilliams: Claro: Breadcrumb divider icon not always visible in forced colors
• Issue #3130305 by mherchel, cindytwilliams, bnjmnm, saschaeggi, andrewmacpherson: Ensure all of Claro's background images are visible in forced colors mode
• Issue #3173180 by heddn, edysmp, chrisfree, andypost, markdorison, anmolgoyal74, kiwimind, rkoller, ranjith_kumar_k_u, nod_, Fabianx, prudloff, quietone: Add UI for 'loading' html attribute to images
• Issue #1948572 by quietone, joachim: Document #region_callback in Field UI
• Issue #3266397 by quietone, murilohp, dww, AaronMcHale, benjifisher, Antoniya, andregp, rkoller, kimberlly_amaral, ckrina: Highlight non-stable modules on the admin/modules/uninstall form
• Issue #3067299 by andypost, iyyappan.govind, quietone, mrinalini9, benjifisher, ravi.shankar, yogeshmpawar, longwave, danflanagan8: Move actions migrations and tests to system module
• Issue #3259188 by alexpott, dww, chr.fritsch: Extend post update system to provide themes a way to install newly-required dependencies
• Issue #3263935 by huzooka, danflanagan8, quietone: system_site migrates default 403, 404 and front page paths as forward slash (/)
• Issue #3265626 by bnjmnm, Wim Leers, nod_, lauriii, alexpott, andregp: Changes to "Manually editable HTML tags" lost if form is submitted without triggering AJAX
• Issue #3258931 by nod_, hooroomoo, xjm, catch, effulgentsia, Wim Leers: Deprecate backbone and tag it internal
• Issue #3203604 by Eli-T, snig, justafish, kuldeep_mehra27, Matroskeen, Finn Lewis, shaal, ckrina, dawehner, diarcastro: Add a new recipe to Umami - Borscht with pork ribs
• Issue #3270940 by quietone: Move all non migration Color tests to the module in preparation of removal
• Issue #2807241 by Stefdewa, jhodgdon, Lendude, droplet, pjbaert, alexpott: Funky code in Views UI to make Add display list doesn't work in non-English languages
• Issue #3173159 by sardara, JeroenT: Block add form ajax callback implementation issues
• Issue #3273527 by joevagyok, Wim Leers: Upgrade path never configures the ckeditor5_heading plugin to allow
  
• Issue #3260928 by mondrake, mallezie, neclimdul, mglaman: Move more PHPStan global ignore patterns to baseline
• Issue #3274016 by Eli-T, longwave, mondrake: Remove \Drupal\Core\Test\AssertMailTrait::verboseEmail() from Drupal 10
• Issue #3270886 by drumm: Remove outdated note in drupalci.yml
• Issue #3272797 by bnjmnm, phenaproxima, xjm: [random test failure] Restore LayoutBuilderTest::testConfigurableLayoutSections()
• Issue #3273312 by Wim Leers, Dom., ifrik, mpp, seanB, lauriii: Upgrading from CKEditor 4 for a text format that has FilterInterface::TYPE_MARKUP_LANGUAGE filters enabled
• Issue #3273332 by Wim Leers, DieterHolvoet: Merging cells in tables is possible in UI, but lost upon saving
• Issue #3273626 by xjm, dww, Spokje: Drupal Media JavaScript test suite causes database locks on SQLite
• Issue #3265929 by jonathanshaw, yogeshmpawar, quietone, xjm: Rewrite examples of form options to be less culturally specific
• Issue #3273072 by svenryen: Typo in Block module's tour
• Issue #3112547 by andypost, dww, yogeshmpawar, Lendude, bnjmnm, danflanagan8, mglaman, joachim: Views UI tests should not rely on Classy
• Issue #3272746 by Shashwat Purav, danflanagan8: Layout Discovery tests should not rely on Classy
• Issue #3272731 by Shashwat Purav, danflanagan8: jsonapi tests should not rely on Classy
• Issue #3272872 by nod_: deprecate underscore and mark it internal
• Issue #3268105 by murilohp, bbrala, catch, TR, Spokje: Bring back RestRegisterUserTest into user module (without HAL)
• Issue #3268443 by danflanagan8, ravi.shankar, dww, longwave: Configuration Manager (config) tests should not rely on Classy
• Issue #3270765 by Wim Leers, lauriii: Add test coverage for createDropdown in drupalElementStyles
• Issue #3067697 by javi-er, Hardik_Patel_12, mherchel, andy-blum, huzooka, yogeshmpawar, Sakthivel M, bnjmnm, DamienMcKenna, Gauravmahlawat, ranjith_kumar_k_u, chetanbharambe, s-jack, Kristen Pol, ckrina: Dropbutton breaks when text is split to multiple lines
• Issue #3272727 by mherchel, nod_: Nightwatch's drupalModuleInstall() doesn't handle test modules or modules w underscores in machine name
• Issue #2636086 by Matroskeen, Spokje, jian he, ravi.shankar, larowlan, Lendude, dawehner, Sweetchuck: Add extra test coverage for operators of views date filters
• Issue #3027653 by clayfreeman, tim.plunkett, Pavel Ruban, raman.b, ankithashetty, cboyden, larowlan, mpotter, phenaproxima: Allow block and layout plugins to determine if they are being previewed
• Issue #3222757 by lauriii, Wim Leers, nod_, rachel_norfolk, mgifford, itmaybejj, Luke.Leber, andrewmacpherson, ckrina, solideogloria: [drupalImage] Make image alt text required or strongly encouraged
• Issue #3267513 by quietone, andregp, danflanagan8: Handle migration tests for removing RDF
• Issue #3264903 by murilohp, Spokje, ravi.shankar, catch, longwave: Switch from friends-of-behat/mink back to behat/mink once it's Symfony 6 compatible
• Issue #3271046 by xjm: Move integration test for CKEditor 4 and Inline Form Errors into CKEditor 4
• Issue #3264120 by catch: Hotfix database dumps for Aggregator module removal and Postgres/SQLite driver changes.
• Issue #3270905 by quietone, bbrala: Move Color help topics to Color module
• Issue #3270897 by quietone, yogeshmpawar, bbrala: Handle migration tests for removing Color
• Issue #3264918 by Spokje, xjm: Update symfony/console to Symfony 6
• Issue #3268307 by lauriii, Wim Leers: $block wildcard resolves into a superset of the actual $block tags
• Issue #3269517 by danflanagan8, dww: Datetime and Datetime Range tests should not rely on Classy
• Issue #3264120 by Spokje, catch, Taran2L, danflanagan8, xjm, quietone, ckrina: Remove aggregator module and our dependency on Laminas Feed
• Issue #3268680 by phenaproxima, xjm, Spokje, ravi.shankar, bnjmmn: [random test failure] Restore and fix LayoutBuilderDisableInteractionsTest::testFormsLinksDisabled()
• Issue #2616814 by dpi, Xano, geek-merlin, Hardik_Patel_12, jofitz, alexpott, Fabianx, catch, joachim, andypost, dawehner, daffie, cweagans, neclimdul: Delegate all hook invocations to ModuleHandler
• Issue #2760659 by lauriii, yogeshmpawar, vmachado, anya_m, alexpott, Fabianx, joelpittet, xjm: Allow the use of callbacks instead of global functions in preprocess function callbacks
• Issue #2845571 by quietone, aerozeppelin, robertwb, Lendude: ViewsJoin ignores operator in configuration
• Issue #3258321 by darvanen, AaronMcHale, dww, mstrelan, lauriii, Gábor Hojtsy, benjifisher, hmendes, rkoller, shaal, worldlinemine: Cancel account button on user form triggers server-side validation
• Issue #3269267 by danflanagan8, dww: dblog tests should not rely on Classy
• Issue #3269502 by danflanagan8, dww: Field and Field UI tests should not rely on Classy
• Issue #3271050 by xjm, Wim Leers, bbrala: Update REST and JSON:API Editor tests to rely on CKEditor 5 instead of CKEditor
• Issue #3270835 by xjm, Wim Leers, lauriii: Move BigPipe's CKEditor 4 regression test to the CKEditor module
• Issue #3265723 by nevergone: Duplicate word: directly
• Issue #3171728 by jasonfelix, katherined, mherchel, DyanneNova, tanubansal, mgifford: Claro Select form element needs Windows High Contrast mode improvements
• Issue #3272035 by mherchel, andy-blum: Add "linktext" and "canvastext" to cspell dictionary.
• Issue #3261611 by xjm, andregp, ranjith_kumar_k_u, Suresh Prabhu Parkala, ravi.shankar, quietone, Gábor Hojtsy: Fix PHP requirements link and standardize the strings that reference it
• Issue #3264911 by bserem, lauriii, arismag, xjm, vensires: Core CSS files contain reference to suspicious website
• Issue #3219921 by nironan, kostyashupenko, javi-er, Gauravmahlawat, jens.de.geit, mchameddie, Kristen Pol, timohuisman, andy-blum, ckrina: Claro: display the vertical scrollbar when many results are returned by linkit
• Issue #3209903 by IndrajithKB, aaron.ferris, Gauravmahlawat, Abhijith S, tushar_sachdeva, Kristen Pol, larowlan: Image overlaps in layout builder with +Add block +Add section
• Issue #2779999 by shashikant_chauhan, guilhermevp, dww, joachim, xjm: Document checkboxes and radios element can have individual descriptions
• Issue #3269716 by andy-blum, mherchel: Olivero: Search is unusable in desktop Safari (at wide widths)
• Revert "Issue #3269716 by andy-blum, mherchel: Olivero: Search is unusable in desktop Safari (at wide widths)"
• Issue #3269716 by andy-blum, mherchel: Olivero: Search is unusable in desktop Safari (at wide widths)
• Issue #3270574 by catch, andregp, mherchel: Olivero comment template breaks 'new' indicator/anchor
• Issue #3260857 by Wim Leers, lauriii: Expand SourceEditingRedundantTagsConstraintValidator to also check attributes and attribute values
• Issue #3031271 by mstrelan, larowlan, bbrala, PQ, lois.chabrand, acbramley, drs2034, Kristen Pol, Wim Leers, Roensby: Support version negotiation for any entity type (currently only Node & Media are supported)
• Issue #3269868 by lauriii, ravi.shankar, andregp, Wim Leers: [drupalImage] Some Image attributes are lost in edge cases where image upcasts into inline image
• Issue #3268860 by lauriii, Wim Leers: Elements wrapping are not retained
• Issue #3268932 by danflanagan8, mondrake, dww, xjm, longwave, alexpott, larowlan: Add methods to assert status messages to WebAssert
• Revert "Issue #3267870 by heddn, Fabianx: Order image mappings by breakpoint ID and numeric multiplier"
• Issue #3270323 by Spokje, murilohp, catch, xjm, longwave: ModuleConfigureRouteTest::testModuleConfigureRoutes fails for modules which have a configure route and are deprecated
• Issue #3261585 by longwave, ankithashetty, Wim Leers: Remove IE11 warning for CKEditor 5 in Drupal 10, since Drupal 10 does not support IE anyway
• Issue #3230829 by mohit_aghera, marcvangend, Wim Leers, Kristen Pol: editor_form_filter_format_form_alter() does not remove "editor_plugin" from form state when needed
• Issue #3270882 by xjm: Drupal 10 uses guzzlehttp/psr7 for PSR-17 services and therefore it should be a direct dependency
• Issue #3267870 by heddn, Fabianx: Order image mappings by breakpoint ID and numeric multiplier
• Issue #3263384 by nod_, Wim Leers: Add ckeditor5-code-block package and CodeBlock plugin
• Issue #3270323 by Spokje, murilohp, xjm: ModuleConfigureRouteTest::testModuleConfigureRoutes fails for modules which have a configure route and are deprecated
• SA-CORE-2022-006 by JeroenT, DamienMcKenna, xjm, pwolanin, alexpott, larowlan, greggles
• Issue #3239838 by longwave, Spokje, nod_, xjm: Update core eslint configuration to remove unused React and JSX rules
• Issue #3259443 by marcvangend, bnjmnm, Abhijith S: Plugin settings do not appear when a configurable plugin is added AFTER removing all buttons
• Issue #3270108 by bnjmnm, Wim Leers: Editor does not load when using Edge + WHCM
• Revert "Issue #2636086 by Matroskeen, jian he, Sweetchuck, dawehner, Lendude: Add extra test coverage for operators of views date filters"
• Issue #2636086 by Matroskeen, jian he, Sweetchuck, dawehner, Lendude: Add extra test coverage for operators of views date filters
• Issue #3231328 by Wim Leers, nod_: SmartDefaultSettings should select the CKE5 plugin that minimizes creation of HTML restriction supersets
• Issue #3270110 by bnjmnm, Wim Leers: Toolbar config items missing "press arrow to do {x}" instructions for screenreaders
• Issue #3270112 by bnjmnm, Wim Leers: Excessive aria-live announcing from ckeditor5-admin-help-message live region
• Issue #3269266 by danflanagan8, longwave: Contextual Links tests should not rely on Classy
• Issue #3266308 by dww, murilohp, Vinodhini.E, alexpott, Kristen Pol: %extensions placeholder not extension names printed on the Status report warning about obsolete extensions
• Issue #3264122 by Spokje, Taran2L, ankithashetty, quietone, catch, xjm, daffie: Move all non migration aggregator tests to the module in preparation of removal in d10
• Issue #3260869 by lauriii, Wim Leers, bnjmnm, alexpott, catch: Resolve mismatch between <$block> interpretation by CKEditor 5 and Drupal
• Issue #3232494 by bircher, NigelCunningham, alexpott: Optimise StorageCopyTrait for slow write operations
• SA-CORE-2022-005 by jbogdanski, Wim Leers, xjm, larowlan
• Issue #3231337 by lauriii, Wim Leers: [drupalMedia] Remove manual dataDowncast from DrupalMediaEditing
• Issue #3248228 by lauriii, Wim Leers: Unable to change selection after linking inline media when manual decorators have been defined
• Issue #3267721 by nod_, Wim Leers: Add DrupalCI step for ensuring that CKEditor 5 build files are build correctly
• Issue #3261248 by paulocs, andregp, andypost, longwave, quietone: Remove deprecated user.module functions
• Issue #3261517 by andypost: Clean-up stale reference to drupal_get_schema()
• Issue #3268174 by Wim Leers, nod_, catch, lauriii: Bug in CKE 4 → 5 upgrade path "format" does not always map to "heading", it could map to "codeBlock" too, or both, or neither
• Issue #3077703 by longwave, catch, xjm: Remove pre-8.7.7 core compatibility checks in extension parsing
• Issue #3267274 by quietone, xjm, danflanagan8: Use aggregator fixture instead of migrate_drupal fixture in d6/MigrateBlockTest
• Issue #3162228 by longwave, Spokje, freelock, jackson.cooper, phenaproxima, xjm: Composer 2 Fatal error Call to undefined method Composer\DependencyResolver\Operation\UpdateOperation::getJobType() in /home/mysite/public_html/core/lib/Drupal/Core/Composer/Composer.php:170
• Issue #3265325 by xjm, Wim Leers, daffie: Raise a warning instead of an error when installing on MINIMUM_SUPPORTED_PHP
• Issue #2911473 by Maouna, joachim, adinac, dhirendra.mishra, ravi.shankar, MaskOta, ranjith_kumar_k_u, kuldeep_mehra27, mahtab_alam, fabienly, carolpettirossi, joelpittet, jenlampton, dww: Selected yet disabled individual options from checkboxes element don't persist through save
• Issue #3269064 by lauriii, xjm, Wim Leers: Update to CKEditor 5 v33.0.0
• Issue #3226716 by beatrizrodrigues, joachim, xjm, lucienchalom: Missing return value documentation for TranslatableInterface::addTranslation()
• Issue #3267791 by murilohp, mradcliffe: Remove deprecated jquery.cookie shim
• Issue #3256003 by andregp, ranjith_kumar_k_u, Satyajit1990, Gauravmahlawat, Kristen Pol: Olivero: tour module popup close button size issue
• Issue #3268550 by longwave, Spokje: Remove deprecated jquery-once
• Issue #3268708 by danflanagan8, longwave: Contact tests should not rely on Classy
• Issue #3252562 by rlhawk, mikelutz, benjifisher, danflanagan8: In Callback Migrate process, document how to use functions that accept no argument as callable
• Issue #3248430 by nod_, Wim Leers, lauriii: Improve Drupal.ckeditor5 documentation
• Issue #3268272 by sayco: TypeError: strpos(): Argument #1 ($haystack) must be of type string, int given in strpos()
• Issue #3060875 by pavnish, Dakwamine, martin107, Neslee Canil Pinto, mikelutz, Berdir: ImageStyleStorage should extend ConfigEntityStorageInterface
• Issue #3268368 by lauriii, xjm, Wim Leers: Robustify and restore \Drupal\Tests\ckeditor5\FunctionalJavascript\MediaLibraryTest::testButton
• Issue #3268228 by murilohp, Feuerwagen: Remove Jquery joyride
• Issue #3266443 by quietone: Rename StateFileExists to StateFileExistsTest
• Issue #3267653 by danflanagan8, mglaman: Comment tests should not rely on Classy
• Issue #3247694 by danflanagan8, mglaman: User tests should not rely on Classy
• Issue #3041900 by ankithashetty, Krzysztof Domański, yogeshmpawar, longwave: The element selector type "CSS, XPath" in JSWebAssert should be lowercase
• Issue #3267705 by xjm, longwave: Fix error message when 'yarn check -s' fails in the commit check script
• Issue #3265652 by nod_, xjm, lauriii, Wim Leers, Gábor Hojtsy: Unfork jQuery UI
• Issue #3258782 by murilohp, quietone, dww, catch, Spokje, xjm, daffie, benjifisher, benjifisher, rkoller, AaronMcHale, andregp, Antoniya, ckrina, guilherme-rabelo, guilherme-rabelo, kimberlly_amaral, victoria-mar: Do not display obsolete modules at admin/modules
• Issue #3090187 by ilya.no, andypost, AdamPS, abx: Mechanism to disable preprocessing of base fields in comment entity type so they can be configured via the field UI
• Issue #3261600 by lauriii, hooroomoo, Wim Leers: Update to CKEditor5 v32.0.0
• Issue #3211131 by longwave, neclimdul, mondrake: Call to an undefined static method PHPUnit\Util\ErrorHandler::handleError() in DrupalStandardsListenerTrait
• Issue #3268070 by xjm: Temporarily skip even more failing tests
• Issue #3263201 by manuel.adan: Missing argument type on hook_shortcut_default_set declaration
• Issue #3267644 by danflanagan8, mglaman: Custom Block (block_content) tests should not rely on Classy
• Issue #3250397 by alexpott, mondrake, ressa, daffie, xjm: DbLog triggers PHP deprecation on PHP8.1 when running from CLI
• Issue #3253059 by Spokje, longwave, xjm: Upgrade to composer/installers 2
• Issue #3267823 by alexpott, Spokje: \Drupal\Tests\quickedit\FunctionalJavascript\QuickEditIntegrationTest::testCustomBlock(). is failing on latest chromedriver
• Issue #3267754 by lauriii: AjaxTest is failing
• Issue #3266525 by alexpott, quietone, xjm, daffie, longwave: MINIMUM_SUPPORTED_PHP is less than MINIMUM_PHP
• Issue #2797141 by Driskell, daffie, andypost, Charlie ChX Negyesi, benjifisher: Remove the methods tableExists() and fieldExists() from Drupal\Core\Database\Driver\mysql\Schema
• Issue #3194084 by bnjmnm, Wim Leers, lauriii, hooroomoo, Gábor Hojtsy: Support functionality equivalent to ckeditor_stylesheets
• Issue #3267508 by quietone, Spokje: Use aggregator fixture in migrate Functional tests
• Issue #3261734 by Wim Leers, longwave, lauriii, effulgentsia, Mixologic, droplet: Require Node.js 16
• Issue #3260032 by longwave, bnjmnm, Wim Leers, samuel.mortenson: CKEditor 5 adds ie11.user.warnings library to every page, triggering a FOUC even for anonymous users
• Issue #3262320 by tstoeckler: Remove obsolete region override in ContextualLinksTest
• Issue #3264727 by lauriii, Wim Leers, benjifisher, andregp, AaronMcHale, kimberlly_amaral, rkoller, ckrina, worldlinemine, Antoniya, victoria-marina, shaal, tmaiochi: [drupalMedia|drupalImage] Allow removing data-align in the UI, and making an image inline
• Issue #3264775 by lauriii, Wim Leers: [drupalMedia] Toolbar should be visible when element inside is focused
• Issue #3259928 by tstoeckler, Berdir, m4olivei, marcoscano, Gábor Hojtsy: Change various tests that test with "all themes" to also include Olivero
• Issue #3260853 by Wim Leers, bnjmnm: [GHS] Partial wildcard attributes (, , ) and attribute values (
  ) not yet supported
• Issue #3265424 by quietone, daffie, danflanagan8: Move migrate related aggregator tests to the module in preparation of removal in d10
• Issue #3267052 by quietone, daffie: Move aggregator help topics to aggregator module
• Issue #3265483 by quietone, danflanagan8, daffie: Handle block migration for modules moved to contrib
• Issue #3267124 by longwave, alexpott: Temporarily skip failing tests
• Issue #3267078 by alexpott, Berdir: Add return typehint to TwigExtension::getFileUrl()
• Issue #3254245 by kim.pepper, Jeya sundhar, mrweiner, bakulahluwalia, Berdir, catch, newaytech, Summit: TypeError: Argument 1 passed to Drupal\Core\File\FileUrlGenerator::generateString() must be of the type string, null given
• Issue #2873648 by idebr, andregp, mfb, swentel: With many languages, content_translation_page_attachments adds too many alternate links to the response headers crashing varnish (503)
• Issue #3266310 by bnjmnm, Wim Leers, longwave: IE11 user warning has ungraceful failures
• Issue #3262384 by manuel.adan: Assigned shortcut set is not cleaned on user removal
• Issue #3265619 by andregp, longwave, lauriii, nod_: Update Shepherd.js to 9.x
• Issue #3265618 by longwave, nod_, lauriii: Update to eslint 8
• Issue #3227822 by lauriii, Wim Leers: [GHS] Ensure GHS works with our custom plugins, to allow adding additional attributes

Release type: InsecureBug fixesNew features

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.3.x will receive security coverage until December 8, 2022.
• Sites on 9.2.x or earlier should update immediately to Drupal 9.2.16 instead of this release.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.3.x will receive security coverage until December 8, 2022.
• Sites on 9.2.x or earlier should update immediately to Drupal 9.2.15 instead of this release.
• Versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Important update information

Drupal core's JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address a few security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.

Known issues

Search the issue queue for known issues.

All changes since 9.2.13

• Issue #3268070 by xjm, lauriii: Temporarily skip even more failing tests
• Issue #3267124 by longwave, alexpott: Temporarily skip failing tests
• Issue #3267823 by alexpott, Spokje: \Drupal\Tests\quickedit\FunctionalJavascript\QuickEditIntegrationTest::testCustomBlock(). is failing on latest chromedriver
• Issue #3267754 by lauriii: AjaxTest is failing
• Issue #3262573 by longwave, nod_, xjm, Spokje, alexpott, lauriii, catch: Update our yarn dev dependencies to the extent allowed by current constraints

Release type: Bug fixesInsecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• 9.3.7 Fixes an issue where an error is triggered executing update user_update_9301 when updating to Drupal 9.3 on a MySQL database with the system variable sql_require_primary_key set to "ON". Sites that have experienced this bug should attempt to update again.
• Drupal core's JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address a few security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.

Known issues

Search the issue queue for known issues.

All changes since 9.3.6

• Issue #3262573 by longwave, nod_, xjm, Spokje, alexpott, lauriii: Update our yarn dev dependencies to the extent allowed by current constraints
• Issue #3267078 by alexpott, Berdir: Add return typehint to TwigExtension::getFileUrl()
• Issue #3254245 by kim.pepper, Jeya sundhar, mrweiner, bakulahluwalia, Berdir, catch, newaytech, Summit: TypeError: Argument 1 passed to Drupal\Core\File\FileUrlGenerator::generateString() must be of the type string, null given
• Issue #3266310 by bnjmnm, Wim Leers, longwave: IE11 user warning has ungraceful failures
• Issue #3262384 by manuel.adan: Assigned shortcut set is not cleaned on user removal
• Issue #3227822 by lauriii, Wim Leers: [GHS] Ensure GHS works with our custom plugins, to allow adding additional attributes
• Issue #3239738 by Theresa.Grannum, danflanagan8, Wim Leers: BigPipe FunctionalJavascript tests should not rely on Classy
• Issue #2833864 by RoSk0, colan, ressa, Chi, alexpott, joachim, loopy1492, zoiosilva: Unmet installation requirements may contain render elements
• Issue #3246365 by lauriii, ankithashetty, Wim Leers: [drupalMedia] Show the Image Media's default alt text that is being overridden
• Issue #3088730 by Spokje, anmolgoyal74, ankithashetty, Mile23, longwave, naresh_bavaskar, greg.1.anderson, Mixologic, klausi: Include 'composer' directory in phpcs scans
• Issue #3264512 by nod_, ankithashetty, catch, Wim Leers: Enable aggregation for CKEditor 5 assets
• Issue #3255419 by alexpott, Bart Vanhoutte, daffie, catch, sam-elayyoub, roberto.muzzano, quietone, tstoeckler: Updating to Drupal 9.3 fails when sql_require_primary_key MySQL system variable is ON
• Issue #3261538 by andregp, dww, joachim, alexpott: BundleClassInheritanceException incorrectly thrown when a bundle class does not exist
• Issue #2821009 by ZeiP, quietone, Dinesh18, shashikant_chauhan, chx, joachim, Berdir, tim.plunkett, Lendude: unclear terminology in EntityAccessCheck::access()
• Issue #3154962 by alexpott, vijaycs85, bbrala, Berdir, Wim Leers: TemporaryJsonapiFileFieldUploader::checkFileUploadAccess() checks for bundle
• Issue #3246385 by lauriii, nod_, Wim Leers: [drupalMedia] Support captions on
• Issue #3213556 by Sakthivel M, ranjith_kumar_k_u, manojithape, chetanbharambe, vikashsoni, Kristen Pol, tushar_sachdeva, Devashish Jangid, Satyajit1990, larowlan: Input field description is not visible in Configure dialog box of layout builder
• Issue #3259493 by Wim Leers, lauriii, larowlan: [GHS] Unable to limit attribute values: ::allowedElementsStringToHtmlSupportConfig() does not generate configuration that CKEditor 5 expects
• Issue #2730227 by kellyimagined, izus, swarad07, Sonal.Sangale, snehi, ZeiP, mohit_aghera, quietone, impalash, joachim, jhodgdon: inaccurate docs for hook_field_views_data()
• Issue #3248440 by lauriii, Wim Leers, nod_: [drupalMedia] Media embed attributes are rendered in container div in editing view
• Issue #3265802 by daffie, alexpott: user_update_9301() causes data loss and a broken site on SQL Server
• Issue #3265230 by bnjmnm, Wim Leers: Refactor ie11.filter.warnings.es6.js to simpler structure & other improvements
• Issue #3123811 by sd9121, lauriii, codewithlakshay, kostyashupenko, priyanka.sahni, hansa11, obmsmith, ckrina, xjm, saschaeggi, rkoller: Grey text in Claro theme failed accessibility
• Issue #3224652 by Wim Leers, hooroomoo, vlyalko, lauriii, bnjmnm, huzooka: [drupalImage] Add ckeditor5-image's imageresize plugin to allow image resizing
• Issue #3248239 by ckrina, thejimbirch, mherchel: Links in the tour tip body are visually the same as the rest of the text - Claro theme
• Revert "Issue #3255887 by murilohp, heddn, catch, neclimdul, Berdir, daffie: MediaThumbnailFormatter => Calling ImageFormatter::__construct() without the $file_url_generator argument is deprecated in drupal:9.3.0"
• Issue #3265291 by xjm, neclimdul, longwave, Spokje: QuickStartTest: The waiting is the hardest part
• Issue #3261049 by Gauravmahlawat, elber, Elena Chechulina, longwave, Chi, Kristen Pol: Remove duplicated margin properties from typography CSS
• Issue #3228464 by nod_, Wim Leers, lauriii, Reinmar: API for contrib projects to load CKEditor translations
• Issue #3264862 by mglaman, ankithashetty, longwave: ContextAwarePluginBase class not annotated as deprecated
• Issue #3255887 by murilohp, heddn, catch, neclimdul, Berdir, daffie: MediaThumbnailFormatter => Calling ImageFormatter::__construct() without the $file_url_generator argument is deprecated in drupal:9.3.0
• Issue #3265377 by xjm: Fix LocaleTranslatedSchemaDefinitionTest when MINIMUM_SUPPORTED_PHP is used
• Issue #3265378 by xjm: Fix NoPreExistingSchemaUpdateTest when MINIMUM_SUPPORTED_PHP is used
• Issue #3265376 by xjm: Fix UpdateScriptTest when MINIMUM_SUPPORTED_PHP is used
• Issue #3221507 by mxr576: mkdir can fail in Drupal\TestTools\PhpUnitCompatibility\PhpUnit8::flushAlteredCodeToFile() because of a race condition
• Issue #3265419 by andypost: Improve deprecation message for RequestStack::getMasterRequest()
• Issue #2861376 by chiranjeeb2410, tvb, vacho, Mile23, mr.baileys, dawehner, mondrake: ToolkitGdTest uses checkRequirements() incorrectly
• Issue #3263886 by JeroenT, Spokje: Copy drupal-9.3.0.bare.standard.php.gz and drupal-9.3.0.filled.standard.php.gz from the Drupal 10 branch
• Issue #3264451 by Wim Leers, bnjmnm: ImageTest::testWidth() has wrong selector, but no assertion: increases DrupalCI by 20 seconds
• Issue #3255809 by nod_, lauriii, xjm, hooroomoo: Add nightwatch tests for toolbar
• Issue #3262492 by lauriii, Wim Leers: Refactor isMediaUrl to more generic API that supplies frontend metadata about media entities
• Issue #3228334 by Wim Leers, larowlan, lauriii, DieterHolvoet, beatrizrodrigues: Refactor HTMLRestrictionsUtilities to a HtmlRestrictions value object
• Back to dev.
• Merged 9.3.6.
• Issue #3261942 by hooroomoo, lauriii, Wim Leers: Compatibility issues with inline form errors
• Issue #3166449 by ravi.shankar, adamzimmermann, mmatsoo, walangitan, joshua.boltz, Cottser: Improve wording around twig.cache setting for production environments
• Issue #3259807 by idebr, anneke_vde: #type => 'toolbar_item' without a tab triggers a deprecation notice on PHP8.1
• Issue #3264153 by neclimdul: Fix missing sprintf argument in CKEditor5ImageController
• Issue #3264050 by neclimdul, andypost: Fuzzed tag values to EntityAutocompleteController::handleAutocomplete can cause deprecation warning
• Revert "Issue #3255809 by nod_, lauriii, hooroomoo: Add nightwatch tests for toolbar"
• Issue #3255809 by nod_, lauriii, hooroomoo: Add nightwatch tests for toolbar
• Issue #3262160 by nod_, lauriii: Simplify code in assets.js, remove mix of await and promise code
• Issue #2949457 by idebr, jibran, Wim Leers, dungahk, fago, kim.pepper, neclimdul, ravi.shankar, Suresh Prabhu Parkala, Sam152, joshua1234511, Kristen Pol, kualee, MiroslavBanov, acbramley, alexpott, Fabianx: Enhance Toolbar's subtree caching so that menu links with CSRF token do not need one subtree cache item per session
• Issue #3250191 by nod_, Wim Leers, lauriii, rkoller, Joachim Namyslo: Translation of toolbar button tooltips not working when text part language plugin is enabled
• Issue #3260554 by lauriii, hooroomoo, Wim Leers, nod_: [drupalMedia] Support alignment on
• Issue #3231321 by bnjmnm, nod_, lauriii: Improve keyboard accessibility in a particular edge case
• Revert "Issue #3231321 by bnjmnm, nod_, lauriii: Improve keyboard accessibility in a particular edge case"
• Issue #3231321 by bnjmnm, nod_, lauriii: Improve keyboard accessibility in a particular edge case
• Issue #3254727 by Leon Kessler, ranjith_kumar_k_u, cmlara, andileco: File links with query parameters no longer work
• Issue #3065574 by Charlie ChX Negyesi, quietone, amateescu: getUntranslated() doesn't refer to anything
• Issue #3262500 by catch, andypost: Mark drupal_find_theme_functions() @internal in Drupal 9
• Issue #3172166 by Pooja Ganjage, ekes, Megha_kundar, xjm, alexpott, tstoeckler, mbovan, Spokje: Element::properties() produces notices if given an array with integer keys
• Merge 9.3.5, resolve merge conflicts, and update lockfile and dev versions.
• Issue #3249592 by hooroomoo, vlyalko, Wim Leers, lauriii: [drupalImage] upcast assumes HTML5: px unit, but HTML4 allowed % unit
• Issue #3248469 by nod_, lauriii, Wim Leers, longwave: Research if the CKE off-canvas CSS reset could be optimized
• Back to dev.

Release type: Bug fixesInsecure

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Changes have been made to user_update_7020(), however sites that have already successfully run this update should not need to run it again.

This release includes improved support for PHP 8.1, but there may still be problems not revealed by Drupal core's test suite, especially on sites with contrib (and custom) modules. Please test, and report any problems in the appropriate issue queue.

Drupal 7's core tests now pass with PostgreSQL (in addition to MySQL and SQLite).

Many thanks to everyone that contributed to this release of Drupal 7.

Changes since 7.88:

• #3264750 by mcdruid, poker10: FileFieldWidgetTestCase::testMultiValuedWidget missing upload form causes fails on PostgreSQL
• #3264826 by poker10, mcdruid: FieldInfoTestCase::testFieldMap array order causes test fail on PostgreSQL
• #3264866 by poker10, mcdruid: BasicMinimalUpdatePath::testBasicMinimalUpdate checks wrong key name on PostgreSQL
• #3264471 by mcdruid, poker10: DatabaseUpdateTestCase::testExpressionUpdate assertion on number of affected rows fails in PostgreSQL
• #3265522 by mcdruid: Skip Upgrade tests for PostgreSQL
• #3265579 by poker10: DatabaseSelectTestCase::testUnion - inconsistent result order causing test failure on PostgreSQL
• #3264845 by poker10: AggregatorUpdatePathTestCase::testAggregatorUpdate - inconsistent array order causing test to fail on PostgreSQL
• #3264345 by poker10: PollCreateTestCase - invalid input syntax for integer on PostgreSQL
• #3264353 by poker10: NodeCreationTestCase fails on PostgreSQL
• #3264314 by mcdruid, poker10: DatabaseReservedKeywordTestCase and DatabaseTablePrefixTestCase using wrong fully qualified table name in PostgreSQL
• #3262341 by Liam Morland, mcdruid, poker10: Database test table TEST_UPPERCASE causes PostgreSQL tests to fail
• #998898 by stefan.r, Damien Tournoud, mradcliffe, mcdruid, sylus, poker10, RoSk0, bzrudi71, Josh Waihi, Stevel, chalet16, chx, cmonnow, webchick, jhedstrom: Make sure that the identifiers are not more the 63 characters on PostgreSQL
• #1835754 by mcdruid, Fabianx, mfb, izmeez, hargobind: Tweak user_update_7020() for sites with an existing user.changed field and/or index"
• #3258313 by beatrizrodrigues, mcdruid, Liam Morland, poker10, steinmb: [PHP 8.1] strlen(): Passing null to parameter #1 ($string) of type string is deprecated in theme_file_upload_help()
• #3259482 by Liam Morland, poker10: [PHP 8.1] fwrite(): Passing null to parameter #2 ($data) of type string is deprecated in InsertQuery_pgsql->execute()
• #3258185 by poker10, beatrizrodrigues, mcdruid, Liam Morland, MustangGB: [PHP 8.1] Undefined array key "sequence_name" in pgsql driver
• #3255068 by joelpittet, mcdruid, Mulambo: [PHP 8.1] system_modules(): Deprecated function: str_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated
• #3254699 by joelpittet, Liam Morland, joseph.olstad: [PHP 8.1] Passing null to parameter #1 check_plain()

Release type: Bug fixes

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003
• Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not available in 10.0.0-alpha2:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. Various core modules and themes will be moved to contributed projects.

3. Numerous JavaScript libraries and APIs will be removed.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 in 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.4.x and earlier branches. 10.0.x will be nearly identical to 9.4.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.4.x branch.

Important update information

Refer to the Drupal 10.0.0-alpha1 release notes for additional changes from 9.4.x.

Drupal 10 platform requirement changes PHP requirements

Drupal 10 now requires PHP 8.1. (We will publish a broader announcement about this requirement in the near future, including recommendations for sites that do not yet have PHP 8.1 available to them.)

PostgreSQL requirements

Drupal 10's PostgreSQL database driver requires PostgreSQL 12 with the pg_trgm extension enabled. A requirements error is now displayed when installing or updating a PostgreSQL site without this extension enabled.

SQLite requirements

Drupal 10's SQLite database drives requires SQLite 3.26 with the json1 extension. In Drupal 9.4, site owners will receive warnings if this extension is not available. In Drupal 10, Drupal cannot be installed or updated without the extension. (Refer to the change record for information on checking for JSON support with other computational database drivers.)

Note that the MySQL database server requirements are unchanged from Drupal 9. (More information on Drupal 10's database server requirements.)

Data updates before 9.3.0 have been removed

Data updates added prior to Drupal 9.3.0 have been removed from Drupal 10.0.x. To update to Drupal 10, you must first ensure your site is running Drupal 9.3.0 or a later release. We recommend updating to the most recent core 9.x release, as well as updating all of your contributed modules to their latest releases, prior to updating to Drupal 10.

Removed core modules

The following modules have been removed from core in 10.0.0-alpha2:

• Entity Reference: If this module is installed on your site for some reason, simply uninstall it. (It is an obsolete, empty stub with no impact on site functionality.)

• Migrate Drupal Multilingual: This functionality is now provided by the core Migrate Drupal module. If this module is installed on your site for some reason, simply uninstall it. (It is an obsolete, empty stub with no impact on site functionality.)

Numerous other modules and themes will be removed prior to 10.0.0-beta1.

Per-table prefixing support removed

Drupal previously supported per-table prefixing for complex multisite setups. This functionality has been deprecated since Drupal 8.2. Warnings are displayed on the status reports of sites that still use this functionality from Drupal 9.3.0 on, and the functionality has been removed from Drupal 10. See the change record for alternatives to per-table prefixing.

SimpleTest support removed from the core test runner

The SimpleTest module was moved to contrib prior to Drupal 9.0.0. Drupal 10 removes support for SimpleTest from the core test runner. Projects that use SimpleTest should convert their tests to PHPUnit.

Deprecated API removals

Numerous deprecated core APIs have been removed since 10.0.0-alpha1. Many more will be removed between 10.0.0-alpha2 and 10.0.0-beta1.

Change to hook_entity_view_mode_alter()

hook_entity_view_mode_alter() no longer receives the $context argument, which was always empty arra. Existing implementations of hook_entity_view_mode_alter() should remove the $context argument. See the hook_entity_view_mode_alter() change record for more details.

Dependency updates

The following dependencies have been changed or updated since 10.0.0-alpha1:

Symfony

Symfony has been updated from Symfony 5.4 to 6.0, except for the symfony/console component which will remain at version 5.4 until an upstream Composer issue is resolved.

Twig

Drupal 10's Twig version requirement has been increased from 3.0 to 3.3.8 to address a security vulnerability in Twig. (The vulnerability required advanced, administrator-level permissions to exploit in Drupal.)

Development dependencies

• Drupal's composer/composer development dependency is now required to be at least version 2.2.4 to support the Automatic Updates initiative. (2.3 may be required before 10.0.0 to resolve an upstream bug, and composer/composer may also become a production dependency.)

• The Stylelint development dependency has been updated to version 14, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

• Drupal core's JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address a few security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.

  Additionally, acorn has been temporarily added as a direct development dependency of core to work around an upstream bug in Terser. Acorn will be removed as a direct dependency again once Terser creates a new release with a fix for the bug.

Added dependencies

• The PHPStan static analysis library has been added to Drupal core and is run against all core patches and merge requests.

Removed dependencies

• Drupal 10 core no longer depends on the TYPO3/phar-stream-wrapper library, because this library is only needed for PHP 7.3 and earlier.

More backend and frontend dependency changes will be made prior to beta1.

What's next?

We may release further alpha versions as needed. There are two remaining release scenarios for Drupal 10. If we complete all Drupal 10.0.0 beta requirements by the May 13, the first beta will be released on the week of May 16 and Drupal 10.0.0 will be released on August 17, 2022. If the beta requirements are not completed by May 13, a later beta window will be used.

Known issues

• Drush is not yet compatible with Symfony 6.

Search the issue queue for known issues.

All changes since 10.0.0-alpha1

• Issue #3265094 by xjm, longwave: Update our composer/composer dev dependency to the required minimum for Automatic Updates
• Issue #3228464 by nod_, Wim Leers, lauriii, Reinmar: API for contrib projects to load CKEditor translations
• Issue #3203193 by murilohp, ankithashetty, Gábor Hojtsy, daffie, catch: Fail install if JSON is not supported by the database in Drupal 10
• Issue #3252757 by catch, longwave, Gábor Hojtsy, xjm, daffie, andypost, dww: Update Drupal 10 to depend on Symfony 6.0
• Issue #3255809 by nod_, lauriii, xjm, hooroomoo: Add nightwatch tests for toolbar
• Issue #3262492 by lauriii, Wim Leers: Refactor isMediaUrl to more generic API that supplies frontend metadata about media entities
• Issue #3224652 by Wim Leers, hooroomoo, vlyalko, lauriii, bnjmnm, huzooka: [drupalImage] Add ckeditor5-image's imageresize plugin to allow image resizing
• Issue #3228334 by Wim Leers, larowlan, lauriii, DieterHolvoet, beatrizrodrigues: Refactor HTMLRestrictionsUtilities to a HtmlRestrictions value object
• Issue #3264451 by Wim Leers, bnjmnm: ImageTest::testWidth() has wrong selector, but no assertion: increases DrupalCI by 20 seconds
• Issue #1777270 by aries, quietone, AkashKumar07, shetpooja04, Devin Carlson, dermario, joshua1234511, ZeiP, smokris, David_Rothstein, danjro, smiletrl, longwave, balintk, Kristen Pol, larowlan, borisson_: Write tests for: Users with passwords over 60 characters cannot log in via the user login block
• Issue #3263793 by naveenvalecha: Move tracker help topics to tracker module
• Issue #3264819 by xjm: Require PHP 8.1 for Drupal 10.0.0-alpha2
• Issue #3261244 by andypost, longwave: Remove deprecated layout_builder module functions
• Fix coding standards issue from security advisory.
• SA-CORE-2022-004 by samuel.mortenson, xjm, nod_, effulgentsia, phenaproxima, mcdruid, Wim Leers, tedbow, longwave, dww, larowlan, pandaski
• SA-CORE-2022-003 by ciss, xjm, larowlan, benjy, mcdruid, jenlampton, quicksketch, Fabianx, effulgentsia
• Issue #3255887 by murilohp, heddn, neclimdul, Berdir: MediaThumbnailFormatter => Calling ImageFormatter::__construct() without the $file_url_generator argument is deprecated in drupal:9.3.0
• Issue #2966859 hotfix by andypost, xjm, catch: Remove the self.version references to the module.
• Issue #3264435 by catch, Spokje: Help topics and rest don't filter out deprecated modules when testing
• Issue #3188858 by andypost, longwave, Gábor Hojtsy: Remove the entity_reference module entirely on the Drupal 10 branch
• Issue #3261942 by hooroomoo, lauriii, Wim Leers: Compatibility issues with inline form errors
• Issue #3257127 by bbrala, quietone, murilohp, Spokje, anabpv, catch, xjm, Gábor Hojtsy, daffie, dww: Trigger a deprecation message when a deprecated module or theme is enabled
• Issue #3214922 by murilohp, daffie: Add a requirements error in Drupal 10 when PostgreSQL is used and the pg_trgm extension is not installed or created
• Issue #3166449 by ravi.shankar, adamzimmermann, mmatsoo, walangitan, joshua.boltz, Cottser: Improve wording around twig.cache setting for production environments
• Issue #2940025 by andypost, nickolaj, quietone: Remove deprecated functions from file module
• Issue #3254723 by mondrake, murilohp, longwave: Remove SimpletestUiPrinter
• Issue #3259807 by idebr, anneke_vde: #type => 'toolbar_item' without a tab triggers a deprecation notice on PHP8.1
• Issue #3264061 by andypost: Remove deprecated functions from image module
• Issue #3264067 by andypost: Remove deprecated code from session namespace
• Issue #2966859 by longwave, ravi.shankar, heddn, quietone: Remove Migrate Drupal Multilingual module in Drupal 10
• Issue #3244802 by andypost, Spokje, catch, dww: Remove BC layers in entity system
• Issue #3254198 by longwave: Remove Media Entity compatibility check from media_install()
• Issue #3264057 by andypost, daffie, quietone: Remove deprecated media system functions
• Issue #3264153 by neclimdul: Fix missing sprintf argument in CKEditor5ImageController
• Issue #3263395 by longwave: Remove deprecated code from asset library system
• Issue #3264062 by andypost: Remove deprecated functions from editor module
• Issue #3264072 by andypost: Remove deprecated code from Drupal\Core\Archiver
• Issue #3264050 by neclimdul, andypost: Fuzzed tag values to EntityAutocompleteController::handleAutocomplete can cause deprecation warning
• Issue #3264073 by andypost: Remove deprecated code from Drupal\Core\Condition
• Issue #3259953 by andregp, paulocs, benjifisher, AaronMcHale, vikashsoni, sonvir249, anmolgoyal74, ranjith_kumar_k_u, Abhijith S, Rinku Jacob 13, Sivaji_Ganesh_Jojodae, Gábor Hojtsy, alexpott, djsagar, worldlinemine, webchick, tanubansal, tedbow: Status report should be near the top of the Reports menu
• Issue #3263126 by longwave, bbrala: Avoid unnecessary installs when testing JSON:API on config entities
• Issue #3263391 by longwave: Remove deprecated code from book.module
• Revert "Issue #3255809 by nod_, lauriii, hooroomoo: Add nightwatch tests for toolbar"
• Issue #3255809 by nod_, lauriii, hooroomoo: Add nightwatch tests for toolbar
• Issue #2949457 by idebr, jibran, Wim Leers, dungahk, fago, kim.pepper, neclimdul, ravi.shankar, Suresh Prabhu Parkala, Sam152, joshua1234511, Kristen Pol, kualee, MiroslavBanov, acbramley, alexpott, Fabianx: Enhance Toolbar's subtree caching so that menu links with CSRF token do not need one subtree cache item per session
• Issue #3262937 by mallezie, alexpott, catch, mondrake, mglaman: PHPStan fails when @legacy tests call deprecated code
• Issue #3262853 by longwave, daffie: [Symfony 6] Drop support for services as container parameters
• Issue #3262160 by nod_, lauriii: Simplify code in assets.js, remove mix of await and promise code
• Issue #3250191 by nod_, Wim Leers, lauriii, rkoller, Joachim Namyslo: Translation of toolbar button tooltips not working when text part language plugin is enabled
• Issue #3261239 by andypost, longwave: Remove deprecations from search module
• Revert "Issue #3217699 by mondrake, daffie, alexpott, andypost: Convert select query extenders to backend-overrideable services"
• Issue #3261251 by ravi.shankar, andypost, longwave, daffie: Remove deprecated node module functions
• Issue #3260554 by lauriii, hooroomoo, Wim Leers, nod_: [drupalMedia] Support alignment on
• Issue #3262931 by voleger, andypost: Remove drupal_required_modules() and mentions
• Issue #3261486 by catch, longwave, dww: Remove core updates added prior to 9.3.0 and adjust test coverage
• Issue #3254726 follow-up by catch: adjust phpstan baseline.
• Issue #3261241 by andypost, longwave: Remove deprecated field module functions
• Issue #3231321 by bnjmnm, nod_, lauriii: Improve keyboard accessibility in a particular edge case
• Issue #3124382 by mondrake, daffie, alexpott, catch: Remove per-table prefixing
• Issue #3248879 by alexpott: UpdatePathTestTrait doesn't test what it thinks it does
• Issue #3254726 by longwave, mondrake: Remove SimpleTest support from run-tests.sh, TestDiscovery and TestRunnerKernel
• Issue #3254727 by Leon Kessler, ranjith_kumar_k_u, cmlara, andileco: File links with query parameters no longer work
• Issue #3262805 by andypost, ravi.shankar, voleger: Deprecate drupal_required_modules()
• Issue #3261243 by andypost, longwave: Remove deprecated comment module functions
• Issue #3261252 by andypost: Remove deprecated system.module functions
• Issue #3164210 by jungle, sylus, Akhildev.cs, dww: Refactor array_merge() usage in loops as possible for performance
• Issue #3262500 by andypost: Remove leftover mentions of drupal_find_theme_functions() in Drupal 10
• Issue #3260781 by andypost: Remove deprecated module.inc functions
• Issue #2807949 by kunal.sachdev, tim.plunkett, tedbow, Dropa: update.module is incorrectly only responding when modules are installed
• Issue #3097889 by longwave, paulocs, anushrikumari, SenthilMohith, andypost, Gábor Hojtsy, catch, lauriii, Wim Leers: Remove deprecated theme functions
• Revert "Issue #3262500 by catch, andypost: Mark drupal_find_theme_functions() @internal in Drupal 9"
• Issue #3065574 by Charlie ChX Negyesi, quietone, amateescu: getUntranslated() doesn't refer to anything
• Issue #3262500 by catch, andypost: Mark drupal_find_theme_functions() @internal in Drupal 9
• Issue #3260615 by andypost, voleger, quietone, longwave: Remove deprecated schema.inc
• Issue #3172166 by Pooja Ganjage, ekes, Megha_kundar, xjm, alexpott, tstoeckler, mbovan, Spokje: Element::properties() produces notices if given an array with integer keys
• Issue #3262583 by xjm, neclimdul, bnjmnm, catch: Update Twig to 2.14.11
• Issue #3261957 by longwave, quietone, andypost: Properly deprecate migrate_drupal_multilingual for future removal
• Issue #3262183 by daffie, longwave: Remove DrupalKernelLegacyTest
• Issue #3262227 by daffie, longwave: Suppress deprecation message for Symfony 6
• Issue #3260765 by andypost, quietone, xjm: Remove deprecated code from menu-related subsystems
• Issue #3262190 by daffie, longwave: Add miscellaneous return type hints for Symfony 6
• Issue #3258030 by hooroomoo, lauriii, andregp, Wim Leers, rkoller: Text fields using CKEditor 5 do not get visual error indicator
• Issue #3248469 by nod_, lauriii, Wim Leers, longwave: Research if the CKE off-canvas CSS reset could be optimized
• Issue #3248423 by nod_, lauriii: Decide how CKEditor 5-provided types should be referenced
• Issue #3261262 by mondrake: Remove PHPUnit 8 warnings conversion to deprecations
• Issue #3261265 by andypost, longwave: Remove deprecated MimeTypeGuesser code
• Issue #3261253 by andypost, longwave: Remove deprecated path.module functions
• Issue #3261250 by andypost, longwave: Remove deprecated update.module functions
• Issue #3261264 by andypost: Remove deprecated code from \Drupal\Core\Cache\DatabaseCacheTagsChecksum
• Issue #3249592 by hooroomoo, vlyalko, Wim Leers, lauriii: [drupalImage] upcast assumes HTML5: px unit, but HTML4 allowed % unit
• Issue #3258435 by ravi.shankar, alexpott, longwave: Remove deprecated feed.reader.* and feed.writer.* services from the container
• Issue #3261629 by catch: Database dumps are no longer driver-agnostic
• Issue #3261743 by Spokje: Remove @composer require phpspec/prophecy-phpunit:^2 from "drupal-phpunit-upgrade"
• Issue #3261712 by Wim Leers, bnjmnm: Expand SmartDefaultSettingsTest to also test a format + editor with media embedding
• Issue #3232550 by Wim Leers, hooroomoo, xjm, ravi.shankar: Improve messaging about Internet Explorer 11
• Issue #3259532 by mondrake, murilohp: Add a kernel test for Connection::hasJson
• Issue #3258276 by Spokje: Remove deprecated flag --no-suggest from drupal-phpunit-upgrade composer script
• Issue #3254347 by murilohp, joachim, danflanagan8, quietone: Add the process plugin ID to migration exception message
• Issue #3259110 by longwave, mglaman: Fix undefined variables where files are included
• Issue #3115054 by chr.fritsch, vsujeetkumar, Vidushi Mehta, sergiuteaca, janmejaig, ranjith_kumar_k_u, phenaproxima: Media library widget forgets ordering when adding or removing items
• Issue #3256433 by andregp, Abhijith S, awangsetyawan, DuneBL, mherchel: wide-image class should not be added for user pictures
• Issue #3174402 by beatrizrodrigues, shetpooja04, ravi.shankar, ayushmishra206, longwave, catch: Fix unused variable $unpublished in TrackerTest.php
• Issue #3258642 by ilgnerfagundes, asishsajeev, Chi: Fix documentation for _toolbar_get_subtrees_hash()
• Issue #3258969 by heddn: Wrong argument for @message in ModuleInstaller::install call to watchdog_exception
• Issue #3261613 by mglaman: Ignore transliteration data when scanning with PHPStan
• Issue #3261539 by catch: Don't scan gzips
• Issue #3261357 by xjm: Increase Drupal 10's RECOMMENDED_PHP to 8.1 now
• Revert "Issue #3172166 by Pooja Ganjage, ekes, Megha_kundar, tstoeckler, mbovan, Spokje, alexpott: Element::properties() produces notices if given an array with integer keys"
• Issue #3259674 by longwave, andypost: [Symfony 6] Drupal\Core\Routing\Router::matchCollection(): Return value must be of type array, null returned
• Issue #3254149 by andypost, longwave, Spokje: Remove config.autoloader-suffix from composer.json
• Issue #3227265 by mondrake, murilohp: Remove the legacy assert traits
• Issue #3258918 by Spokje, longwave: Remove deprecated 'cache.null' service
• Issue #3210931 by andypost: Remove deprecated update.inc functions
• Issue #3260780 by andypost: Remove deprecated code from common.inc
• Issue #3260806 by andypost: Remove deprecated code from core/lib/Drupal/Core/Config
• Issue #3260801 by andypost: Remove deprecated code from core/lib/Drupal/Component/Utility
• Issue #3260778 by andypost, daffie: Remove deprecated code from bootstrap.inc
• Issue #3259024 by longwave: Remove deprecated 'app.root' and 'site.path' services
• Issue #3260805 by andypost: Remove deprecated code from core/lib/Drupal/Core/Routing
• Issue #3260520 by TR: GenericEvent is used improperly
• Issue #3260766 by andypost: Remove deprecated file.inc and its mentions
• Issue #3259380 by lauriii, Wim Leers, DamienMcKenna, hooroomoo, bnjmnm: CKEditor 5's toolbar occludes Drupal's toolbar if and only if CKEditor 5 has focus
• Back to dev.

Release type: Bug fixesNew features

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

No other fixes are included.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update