Releases for Drupal core

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major, non-backwards-compatible new functionality).

No security fixes are included in this release.

This release is the first where D7 core's test suite passes tests in PHP 8.1. However, there may be remaining problems with PHP 8 in core, and it's very likely that there are problems in contrib. Please test, and report any problems in the appropriate issue queue.

No changes have been made to the .htaccess, web.config or robots.txt files in this release, so upgrading custom versions of those files is not necessary.

There are multiple changes in default.settings.php

There is at least one change to the database schema, so database updates need to be run either via update.php or e.g. drush updb.

Major changes in Drupal 7.83:

• Drupal 7 now has a "changed" property on the user entity - database schema update required
• Drupal 7 now has a date-based default for the directory that file uploads are saved to
• Drupal 7 now has a skip_permissions_hardening setting
• The has_js cookie has been removed from Drupal 7
• Drupal 7 no longer strips leading www. from cookie domain by default because that leaks session cookies to subdomains - sites may want to set $cookie_domain in settings.php to opt out of this change
• Changes to password reset process in Drupal 7 to prevent email or username enumeration
• Link tags with duplicate href attributes and different hreflang attributes are now supported in Drupal 7

All changes:

• #3063048 by mcdruid, darkodev, asvira: Error 500 when requesting partial image style paths
• #2802159 by hgoto, David_Rothstein, mcdruid, bircher, Fabianx, Berdir, catch, chx, mr.baileys, pwolanin, webchick, larowlan, hussainweb, cilefen, dawehner, greggles: SQL $match_operator is vulnerable to injection attack
• #1768622 by guilhermevp, no2e, quietone: Dzongkha language is missing (wrongly labeled as "Bhutani")
• #2907409 by ZeiP, preksha: Fix the typo in hook_node_validate() documentation
• #2789723 by mcdruid, pcambra: drupal_mkdir does not set permissions on directories it created recursively
• #1835754 by tamarpe, Alex Bukach, Cauliflower, joseph.olstad: Add last 'changed' property to user entity
• #2128055 by slashrsm, anavarre, timhilliard, estoyausente, nielsvm, effulgentsia, zopa, rteijeiro, rootwork, stijntilleman, vijaycs85, jonhattan, DamienMcKenna, Crell, webchick, Dave Reid, attiks, Fidelix, toamit, Pls, meba, YesCT, saltednut, erwangel: Files should be uploaded to per year/month directories by default
• #2522002 by mcdruid, pwolanin, mvc, Patil_kunal27, fgm, znerol, alexpott: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains
• #3025439 by joelpittet: list_allowed_values_string() warning when list options are determined by 'allowed_values_function'
• #3249605 by mcdruid, demeritcowboy: Fix regression in color module
• #3002101 by jenlampton: Ajax upload with validation can cause PHP notice on PHP 7
• #1232572 by deviantintegral, mcdruid, joachim, cweagans, Lennard Westerveld, kenorb, hanoii, webflo, bleen, esod, johnennew, Elijah Lynn, ron_s, csmdgl, sriharsha.uppuluri, cman9090, Berdir, catch, q0rban, alexpott, anavarre: Backport skip_permissions_hardening
• #3142821 by amjad1233, mcdruid, craigra, larowlan: PDO Exception - Column weight cannot be null in menu.inc
• #3248997 by mcdruid, alexpott, Gábor Hojtsy, andypost, catch, longwave, daffie: [PHP 8.1] Add PDO::ATTR_STRINGIFY_FETCHES to MySQL connection options
• #3248756 by mcdruid: [PHP 8.1] Return type of SkipDotsRecursiveDirectoryIterator methods deprecation fix
• #3248752 by mcdruid: [PHP 8.1] Implicit conversion from float to int loses precision
• #3241427 by Ayesh, mcdruid: [PHP 8.1] Database classes signature mismatch fixes
• #3241422 by mcdruid, Ayesh: [PHP 8.1] Passing null to internal functions deprecation fixes
• #3241412 by Ayesh: [PHP 8.1] DrupalCacheArray deprecation notices due to tentative return types
• #3247935 by mfb: drupal_add_html_head_link(): URL in link HTTP header should not be HTML-encoded
• #3231530 by mcdruid: DrupalWebTestCase->storeSetupCache() error: time() expects exactly 0 parameters, 1 given
• #3209417 by jedihe, mcdruid, DamienMcKenna, Fabianx, Berdir, pietmarcus, mikran, David_Rothstein: Backport from D8: run-tests.sh should allow single test methods to be run
• #3200198 by mcdruid, Ronino, izmeez, darrenwh, jozzy_a, cjgratacos, aerozeppelin, quietone, lomasr, ravi.shankar, zuhair_ak, tar_inet, sokru, robpowell, mangy.fox, mjpa, Carsten Müller, AlanHDev, cilefen, Sophie.SK, Spokje, kim.pepper, izus, dww, Vivek Panicker, ashu1629, Aunion, ankitgarg, Leeteq, David_Rothstein, no2e, longwave, markpavlitski, acbramley, anagp, penyaskito, pdrake, klausi, claudiu.cristea, jlbellido, larowlan, dpi, mohit1604, matteodem, luismagr, gordon, jain_deepak, nginex, ronald.garcia, YesCT, alexpott, Kristen Pol, Elendev, webchuck, C-Logemann: [D7] password reset form prevent revealing email or username in use
• #229825 by nod_, mcdruid, sun, ApacheEx, lightsurge, legovaer, pounard, RobLoach, Frederikvho, Robin Monks, cburschka, yched, keith.smith, Kiphaas7, treksler, jbrauer, catch, Dave Reid, aspilicious, Damien Tournoud, Wim Leers, giupenni, ressa, Fabianx, webchick: backport "$_COOKIE['has_js'] must die" patch to 7.x
• #3217445 by Beakerboy: Remove DatabaseUpdateTestCase::testPrimaryKeyUpdate() - backport from D8
• #3210215 by Mulambo: [PHP 8] Error: TypeError: round() in parse_size function
• #3090214 by dalin: PHP 7.2 Warning: count(): Parameter must be an array or an object that implements Countable in taxonomy_form_term_submit() in taxonomy.admin.inc
• #3165377 by MaxMendez, Eugene Bocharov, joseph.olstad, MustangGB: element_property() causes a notice in 7.4 if $key is an integer
• #3102159 by mcdruid: Add tests for Archive_Tar
• #3247738 by mcdruid: sync system.tar.inc with Archive_Tar 1.4.14
• #2959727 by mfb, mcdruid, ejanus, msankhala, Fabianx: drupal_add_html_head_link() needs to allow multiple hreflang tags to point to one URL

Release type: Bug fixesNew features

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.3.x contains new features, and should be the target for new site development. Drupal 9.2.x will continue to have security support until June 2022.

Drupal 8.9.x security coverage ended in November 2021, so if you are using Drupal 8, you must upgrade as soon as possible to Drupal 9.2.x or Drupal 9.3.x to keep your site secure.

Important update information

If you are updating from 9.2.x or earlier, also read:

• 9.3.0-alpha1 update information
• 9.3.0-beta1 update information
• 9.3.0-beta2 update information
• 9.3.0-beta3 update information

Drupal's recommended PHP version has been raised to PHP 8.0. Sites on PHP 7.4 or lower will begin to see suggestions to upgrade in the status report.

Dependency updates since 9.2.0-beta3 Production dependencies

• egulias/email-validator has been updated to version 3.1.2, this will result in stricter validation of e-mail addresses, for example [email protected]& which would previously have been valid with egulias/email-validator 2 will now be rejected.

Known issues

Search the issue queue for known issues.

Release type: Bug fixesNew features

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.1.x will receive security coverage until December 8, 2021 when Drupal 9.3.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.1.0 release notes before upgrading to this release.

If your site is on 8.8.x or earlier, you may wish to upgrade to Drupal 8.9.13 instead. Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

This release updates Symfony components to 4.4.35 (where applicable). Note that the Symfony CVE fixed by 4.4.35 does not affect Drupal core, so this is being released as a regular patch release.

Known issues

Search the issue queue for known issues.

Release type: Bug fixes

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

This release updates Symfony components to 4.4.35 (where applicable). Note that the Symfony CVE fixed by 4.4.35 does not affect Drupal core, so this is being released as a regular patch release.

Known issues

Search the issue queue for known issues.

Release type: Bug fixes

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.3.x contains new features, and should be the target for new site development. Drupal 9.2.x will continue to have security support until June 2022. Security support for 9.1.x ends with the release of 9.3.0 on December 8.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 7

Drupal 6 and 7 users can continue to migrate to 9.3 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Dependency updates

This release updates various dependencies in preparation for the 9.3.0 release candidate, including Symfony 4.4.35. Note that the CVE for Symfony 4.4.35 does not affect Drupal core.

+------------------------------------+--------------+------------+ | Production Changes | From | To | +------------------------------------+--------------+------------+ | symfony/console | v4.4.33 | v4.4.34 | | symfony/dependency-injection | v4.4.33 | v4.4.34 | | symfony/deprecation-contracts | v2.4.0 | v2.5.0 | | symfony/error-handler | v4.4.30 | v4.4.34 | | symfony/event-dispatcher | v4.4.30 | v4.4.34 | | symfony/event-dispatcher-contracts | v1.1.9 | v1.1.11 | | symfony/http-client-contracts | v2.4.0 | v2.5.0 | | symfony/http-foundation | v4.4.33 | v4.4.34 | | symfony/http-kernel | v4.4.33 | v4.4.35 | | symfony/mime | v5.4.0-BETA1 | v5.4.0-RC1 | | symfony/process | v4.4.30 | v4.4.35 | | symfony/routing | v4.4.30 | v4.4.34 | | symfony/serializer | v4.4.33 | v4.4.35 | | symfony/service-contracts | v2.4.0 | v2.5.0 | | symfony/translation | v4.4.32 | v4.4.34 | | symfony/translation-contracts | v2.4.0 | v2.5.0 | | symfony/validator | v4.4.33 | v4.4.35 | | symfony/var-dumper | v5.4.0-BETA2 | v5.4.0-RC1 | | symfony/yaml | v4.4.29 | v4.4.34 | +------------------------------------+--------------+------------+ +------------------------+--------------+------------+ | Dev Changes | From | To | +------------------------+--------------+------------+ | composer/spdx-licenses | 1.5.5 | 1.5.6 | | symfony/phpunit-bridge | v5.4.0-BETA2 | v5.4.0-RC1 | +------------------------+--------------+------------+

All changes since 9.3.0-beta2:

• Drupal 9.3.0-beta3
• #3251000 by alexpott, andypost: Update dependencies for 9.1.x/9.2.x/9.3.x/9.4.x
• #3032275 by alexpott, dww, bendeguz.csirmaz, tedbow: Create a fault-tolerant method for interacting with links and fields in Javascript tests
• #3061074 by longwave, cilefen, chr.fritsch, acbramley, jungle, larowlan: egulias/EmailValidator prior to 2.1.22 allows addresses with a space in the domain part
• #3250743 by alexpott, longwave: [PHP 8.1] NumberFieldTest fails
• #3184619 by neclimdul, quietone: Fix unreachable logic in UrlGenerator::getRoute
• #3247414 by anagomes, Beakerboy: Incorrect docblock types for $statementClass and $statementWrapperClass properties in Connection
• #3250482 by quietone, daffie: The docblock of \Drupal\views\Plugin\views\cache\CachePluginBase::cacheSetMaxAge() is wrong
• #3250587 by lauriii, bnjmnm: \Drupal\Tests\ckeditor5\FunctionalJavascript\CKEditor5Test::testEditorFileReferenceIntegration fails on PostgreSQL
• #3250629 by paulocs, longwave: MockBuilder::setMethods is deprecated in PHPUnit8 and removed from PHPUnit10
• #3138078 by mondrake, larowlan, longwave, xjm: [D9.3 beta - w/c Nov 8, 2021] Add a 'void' return typehint to custom assert* methods
• #3171570 by kostyashupenko, mherchel: Remove Olivero's custom hard-coding of the image style within article content type's full view mode
• #3231040 by alexpott, Anul, longwave, bbrala, catch: (revert) Remove DependencySerializationTrait from JSON API exceptions
• #3250349 by alexpott: \Drupal\Core\Datetime\Element\Datelist::processDatelist() does not use trusted callbacks - #date_date_callbacks only partially converted to TrustedCallbackInterface in 9.3.x
• #3250335 by alexpott, beatrizrodrigues, paulocs, longwave: #date_date_callbacks is broken in Drupal 9.3
• #3221082 by Wim Leers, lauriii, bnjmnm: Build Drupal's CKEditor 5 plugins as part of core's `yarn build`
• #3207567 by Spokje, quietone, guilhermevp, yogeshmpawar, daffie, alexpott: Fix Drupal.Commenting.FunctionComment.MissingParamComment
• #3248014 by daffie, andypost: [Symfony 6] The Drupal\Tests\media\Kernel\OEmbedIframeControllerTest fails
• Back to dev.

Release type: Bug fixesNew features

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This release fixes security vulnerabilities present in Drupal 9.3.0-beta1. Sites are urged to update immediately after reading the security announcement and notes below:

• Drupal core - Critical - Third-party library - SA-CORE-2021-011

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.3.x contains new features, and should be the target for new site development. Drupal 9.2.x will continue to have security support until June 2022. Security support for 9.1.x ends with the release of 9.3.0 on December 8.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 7

Drupal 6 and 7 users can continue to migrate to 9.3 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Dependency updates

• CKEditor 4 has been updated from 4.16.2 to 4.17.1 to address a security vulnerability.
• In preparation for the upcoming Symfony 5.4 release, Drupal's dependencies for symfony/phpunit-bridge, symfony/var-dumper, and symfony/mime have been updated from Symfony 5.3.0 to 5.4.0-beta2. These components will be updated to Symfony 5.4.0 prior to the release of Drupal 9.3.0.
• sebastian/exporter and laminas/laminas-stdlib have also received patch-level updates.

All changes since 9.3.0-beta1

• SA-CORE-2021-011 by jbogdanski, Wim Leers, xjm, greggles, lauriii, tedbow
• Issue #3056409 by rkostov, larowlan, maximpodorov: BlockRepository::contextHandler is created dynamically
• Issue #3248810 by daffie: [Symfony 6] The Drupal\Tests\jsonapi\Kernel\EventSubscriber\ResourceObjectNormalizerCacherTest fails with Symfony 5
• Issue #3248816 by bsuttis, danflanagan8, quietone: ResponsiveImageFieldUiTest.php should be moved to tests directory
• Issue #3248013 by daffie, longwave: [Symfony6] The Drupal\Tests\views\Unit\Pluginrgument_default\QueryParameterTest fails for Symfony 5.4
• Issue #3248809 by daffie, larowlan: [Symfony 6] The Drupal\Testsile\Kernel\FileItemValidationTest fails with Symfony 5
• Issue #3248801 by daffie, rakesh.gectcr, bbrala, longwave: [Symfony 6] The Drupal\Tests\jsonapi\Functional\JsonApiFunctionalTest fails with Symfony 5
• Issue #2707163 by quietone, chishah92, jhodgdon, AndrewHD, xjm, dww, jdelvillar01, alexpott: core/USAGE.TXT -- API section talks only about hooks and functions
• Issue #3249240 by alexpott, andypost, Wim Leers: HTMLRestrictionsUtilities:: providedElementsAttributes() causes deprecations on PHP 8.1
• Issue #3249233 by longwave: Update 9.3's Symfony 5 components to 5.4
• Issue #3249263 by alexpott, andypost, Wim Leers: CKEditor 5 needs validate the filters in the correct order - CKEditor 5 tests fail locally
• Issue #3231781 by longwave, mondrake, Feuerwagen, larowlan, TR, nlisgo, xxAlHixx, DuaelFr, GoZ, benjy, no_angel, Mac_Weber: [D9.3 beta - w/c Nov 8, 2021] Remove remaining uses of t() in tests
• Issue #3222769 by bbrala, alexpott, longwave, Matroskeen: [November 8, 2021] Replace all list (array destructuring) assignment to the array syntax
• Issue #3222251 by bbrala, longwave: [November 8, 2021] Replace all isset constructs with the null coalescing operator

Release type: Bug fixesNew features

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-011

No other fixes are included.

Which release do I choose? Security coverage information

• Sites on 8.9.x should update immediately to this release, and upgrade to Drupal 9 as soon as possible afterward because Drupal 8 is now end-of-life and no further Drupal 8 updates will be provided.
• Versions of Drupal prior to 9.1.x are end-of-life and do not receive security coverage.

Important update information

• CKEditor 4 has been updated to 4.17.1.
• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-011

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.1.x will receive security coverage until December 8, 2020 when 9.3.0 is released.
• Sites on 8.9.x should update immediately to Drupal 8.9.20 instead of this release, and then upgrade to Drupal 9 as soon as possible afterward because Drupal 8 is now end-of-life.
• Versions of Drupal prior to 9.1.x are end-of-life and do not receive security coverage.

Important update information

• CKEditor 4 has been updated to 4.17.1.
• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-011

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Sites on 9.1.x or earlier should update immediately to Drupal 9.1.14 instead of this release, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
• Sites on 8.9.x should update immediately to Drupal 8.9.20 instead of this release, and then upgrade to Drupal 9 as soon as possible afterward because Drupal 8 is now end-of-life.
• Versions of Drupal prior to 9.1.x are end-of-life and do not receive security coverage.

Important update information

• CKEditor 4 has been updated to 4.17.1.
• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.3.x contains new features, and should be the target for new site development. Drupal 9.2.x will continue to have security support until June 2022. Security support for 9.1.x ends with the release of 9.3.0 on December 8.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.3 and later.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 7

Drupal 6 and 7 users can continue to migrate to Drupal 8.9, or 9.3 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

CKEditor 5 added as a new experimental module

CKEditor 4 will be end-of-life in 2023. An experimental module for CKEditor 5 has been added and will replace CKEditor 4 in Drupal 10.

CKEditor 5 differs significantly from CKEditor 4, so sites and modules should begin testing with it now in preparation for Drupal 10's release next year. The module is experimental and therefore not yet intended for production use.

Testing CKEditor 5

Back up your site data and configuration before beginning testing.

1. The automatic content upgrade path: Under Configuration > Content Authoring > Text formats and editors, configure a text format and change its "text editor" setting from "CKEditor" to "CKEditor 5". (This will happen automatically when upgrading to Drupal 10.)

   You will get the equivalent CKEditor 5 configuration created automatically: toolbar, plugin settings, and so on. Messages will appear upon switching that explain what happened and why. Verify that the messages and generated configuration are correct.

2. The editing experience: Verify that the default CKEditor 5 configuration works as you need and expect. For example, the linking experience should be improved, uploading images is much faster, and so on.

3. Your existing content: When you edit existing content with CKEditor 5 and you save it, verify that the resulting markup looks as you expect, and that no data is lost.

Upgrading contributed modules to CKEditor 5

The module can be also used for making modules extending CKEditor 4 to become compatible with CKEditor 5.

• Meta issue of contrib modules being ported: #3207845: [META] Port some initial CKEditor 4 plugin integration modules to CKEditor 5
• Examples of complex CKEditor 4 modules updating to CKEditor 5 compatibility:
  • #3232190: Drupal 10 & CKEditor 5 readiness
  • #3232052: Drupal 10 & CKEditor 5 readiness

Warning added for missing PostgreSQL requirement

In preparation for Drupal 10 PostgreSQL requirements, sites running PostgreSQL without the pg_trm extension will begin to see a warning in the status report when it is not installed.

Dependency updates

The symfony-cmf/routing and composer/composer dependencies have received patch-level updates to the latest versions.

All changes since 9.3.0-alpha1

• Issue #3231364 by Wim Leers, lauriii, bnjmnm, webchick, xjm, tim.plunkett, larowlan, Luke.Leber, catch, effulgentsia, longwave, gabesullice, caldenjacobs, Reinmar, anand.toshniwal93, Shoshana Mayden, zrpnr, yash.rode, nod_, rkoller, antojose, johnwebdev: Add CKEditor 5 module to Drupal core
• Issue #3248649 by alexpott: \Drupal\views\Plugin\views\display\PathPluginBase::alterRoutes() can become very slow on a site with lots of entities and JsonAPI
• Issue #3243041 by Gábor Hojtsy: Mark Olivero stable
• Issue #3244621 by mherchel, rikki_iki, catch, cathwaldron, rachel_norfolk, alexpott, Gábor Hojtsy: Olivero: JS error when secondary tabs are present
• Issue #3248600 by andypost, longwave: Update dependencies for 9.3.x
• Issue #2975461 by quietone, Matroskeen, Lendude: Convert query string to array for d6 menu_link migration
• Issue #3247901 by danflanagan8, longwave: ContentTranslationUITestBase should not rely on Classy
• Issue #3158289 by alexpott, barboza: Deprecate hook_init for theme engines
• Issue #3231683 by daffie, longwave: [Symfony 6] A number of methods of the class Drupal\Core\TypedData\Validation\ExecutionContext are considered internal and Drupal should not override them
• Issue #3214921 by daffie, xurizaemon, alexpott, mondrake, andypost, Taran2L, Mixologic, longwave: Add a requirements warning in Drupal 9 when PostgreSQL is used and the pg_trgm extension is not created
• Issue #3248156 by alexpott, longwave: Update dependencies prior to 9.3.0 beta
• Issue #3028837 by quietone, joachim, alexpott: views_hooks group has nothing in it
• Issue #3212891 by vaish, [email protected], srilakshmier, mikelutz, quietone, alexpott: Incorrect type declaration in docblock for class property
• Issue #3239509 by hooroomoo, larowlan, bnjmnm, lauriii: Add String.includes polyfill to support IE11 and Opera Mini
• Issue #3087332 by quietone, huzooka, amateescu, danflanagan8: Deprecate the 'd6_url_alias_language' migration process plugin
• Issue #3163663 by mpp, chrisolof, alexpott, quietone: Too many open files issue with migrating multiple files using "download" process plugin
• Issue #3245820 by paul121, dww, eojthebrave: Remove references to removed node publish actions
• Issue #3246595 by andypost: Update dependencies for 9.3.x
• Issue #3213644 by Beakerboy, daffie: StatementWrapperLegacyTest::testClientStatementMethod() should be less specific
• Issue #2569381 by alx_benjamin, init90, vasi, deepakaryan1988, Munavijayalakshmi, Lendude, DuaelFr, alexpott, dawehner: Drupal\views\Plugin\viewsrea\Result does an unnecessary XSS::adminFilter()
• Issue #3227821 by wtrv: Broken svg element with "Auto convert linebreaks" (autop) filter
• Issue #3246053 by quietone: Fix file_managed table for ds9.txt
• Issue #3214170 by Sakthivel M, manojithape, mitthukumawat, tushar_sachdeva: Claro:The cancel button is not center-aligned in the layout builder
• Issue #3186992 by hinal05, djsagar, kiran.kadam911, hitvika_verma, tushar_sachdeva, chetanbharambe, ranjith_kumar_k_u, bnjmnm, BhumikaVarshney, Sakthivel M, Abhijith S, babusaheb.vikas, lauriii: Nav menu items can overflow outside of container

Release type: Bug fixesNew features

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

Known issues

Search the issue queue for known issues.

Changes since 9.2.7

• Issue #3208849 by yogeshmpawar, cilefen, phenaproxima, mohit_aghera, larowlan, danflanagan8: OEmbedWidget does not display the field's help text, only its own message
• Issue #2945033 by longwave, yobottehg, TMWagner, vdsh, jlatorre, catch: HtmlHeadLink processing does not allow for duplicated alternate hreflang links
• Issue #2763075 by raman.b, Martijn de Wit, anon, borisson_: Adding new text format gives Uncaught TypeError: f.format_tags.split is not a function
• Issue #3203745 by darienmh, Abhijith S, chetanbharambe: Claro theme is incompatible with the Themable Forms module
• Issue #3244156 by daffie: Update the Drupal\KernelTests\CoretitytityQueryAggregateTest::testAggregation() a little to make it pass for SQL Server
• Issue #3083561 by Grimreaper, raman.b, ankithashetty, mglaman, bbrala, Wim Leers, quietone: Add explicit test coverage for JSON:API filtering on a datetime field
• Issue #3073294 by Wim Leers, oknate: Remove obsolete @todo for "Undo bug when first inserting media into unfocused CKEditor"
• Issue #2957953 by alexpott, sleitner, pobster, Berdir, mohit_aghera, kishor_kolekar, joegraduate, trackleft2, bappa.sarkar, acbramley, ankithashetty, paulocs, batkor, dhirendra.mishra, seanB, priyanka.sahni, Abhijith S, chetanbharambe, vikashsoni, anmolgoyal74, Webbeh, larowlan, hudri, ryan.gibson, amietpatial, ddhuri, capysara, runeasgar, saranya ashokkumar, shimpy, nikitagupta: Editing menus user-experience has regressed
• Issue #990218 by Lendude, sun, tim.plunkett, mr.baileys, joachim: Machine name field throws notices if before source field
• Issue #3205866 by danflanagan8, phenaproxima: media_requirements() should report missing source fields
• Issue #3225227 by Matroskeen, quietone, Kristen Pol: Fix source plugin documentation
• Issue #3020876 by alex_optim, sakiland, batkor, pfrenssen, mohit_aghera, i-trokhanenko, drclaw, iamdroid, Grayle, tim.plunkett, gun_dose, acbramley, Chris Burge, Sam152, longwave: Contextual links of reusable content blocks are not displayed when rendering entities built via Layout Builder
• Issue #3241318 by alexpott: core/tests/Drupal/Tests/Composer/Plugin/Scaffold/fixtures/scripts/disable-git-bin/git is an odd file and it has the file mode 755
• Issue #3116481 by joachim, daffie: Convert EntityViewsDataTest from a unit test to a kernel test
• Issue #3203009 by quietone, Gauravmahlawat, joachim, catch: the methods in FieldableEntity should document how they are meant to be used
• Issue #3231861 by Lendude, GuyPaddock: PHP errors when overriding the query settings
• Issue #2784783 by RytoEX, quietone, jofitz, Charlotte17, Anybody, tomhollevoet, catch, Grevil: Migration of nodes with cck nodereferrer fields fails (SQL error)
• Issue #3088917 by quietone, gbirch, marvil07, Wim Leers: Map text_plain field formatter to basic_string for long text fields
• Issue #3232681 by Matroskeen, danflanagan8, kpaxman, quietone: FieldLink process plugin treats protocol-relative external URLs as internal ones
• Issue #3187616 by quietone, huzooka, Wim Leers, danflanagan8: Fix TermTranslation query and add missing source plugin test
• Issue #3199578 by quietone, danflanagan8, huzooka: Fix EntityReferenceTranslationDeriver process pipeline
• Issue #3219140 by danflanagan8, huzooka, quietone, Wim Leers: d7_language_content_comment_settings triggers MigrateException if the source bundle is longer than 32 chars: use migration_lookup
• Issue #2909805 by googletorp, fgm, dagmar, ankithashetty: LogMessageParser breaks messages containing braces
• Issue #3227370 by pfrenssen: Toolbar menu theme override omits the 'menu_name' variable
• Issue #2974156 by MegaChriz, k4v, John.nie, jian he, darrenwh, jurgenhaas, daffie, DuneBL, alexpott: TypeError: Argument 1 passed to _editor_get_file_uuids_by_field() must implement interface Drupal\CoretitytityInterface
• Issue #3212670 by Sakthivel M, shashwat-tiwari, kiran.kadam911, Gauravmahlawat, mherchel: Olivero: Z-index issue with the search bar
• Issue #3242469 by mherchel, andy-blum, scorbine: Insufficient contrast on Olivero's inactive vertical form labels
• Issue #3242456 by mherchel, andy-blum, scorbine: Insufficient contrast on Olivero's fieldset elements
• Issue #3223271 by mherchel, bnjmnm, pjudge, lauriii, javi-er, andrewmacpherson: Olivero: Select dropdown icons need more contrast in Windows High Contrast mode
• Issue #3223281 by mherchel, andy-blum, andrewmacpherson, mgifford, mikemai2awesome: Olivero: Primary nav search icon invisible in forced-colors mode in MS Edge
• Issue #2936067 by pfrenssen, bradjones1, nod_, eiriksm, DuaelFr, Clemens Sahs, AndyF, alexpott, lauriii, idimopoulos: CSS aggregation fails on many variations of @import
• Issue #3219340 by lauriii, bnjmnm, mherchel: Vertical tabs with #parents are broken in Claro
• Issue #3228000 by bbrala, larowlan, GuyPaddock, Wim Leers, bradjones1, alexpott, catch, e0ipso: Users deleted via JSON:API DELETE don't follow the site-wide cancel_method in the user settings
• Issue #3192365 by Symbioquine, tbradbury, mxr576, alexpott, longwave: Race Condition in 'public://simpletest' mkdir Call

Release type: InsecureBug fixes

Unsupported development snapshot for the 9.4.x release series.

The 9.4.x branch is now open for new development. 9.4.0 is scheduled for release in June 2022.

Those interested in testing the upcoming 9.3.0 releases of Drupal core should continue to work with the 9.3.x branch until 9.3.0 is released on December 8, 2021.

See the current development schedule for information on current and upcoming releases.

Release type: Bug fixesNew features

This is an alpha release for the next minor (feature) release of Drupal 9. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.3.x contains new features, and should be the target for new site development. Drupal 9.2.x will continue to have security support until June 2022. Security support for 9.1.x ends with the release of 9.3.0 on December 8, 2021, and security support for Drupal 8 ends November 3, 2021.

Beta testing program

The Drupal Association and the Drupal core maintainers are partnering with agencies and site owners in an official beta testing program for Drupal core minor releases. The program aims to identify and minimize regressions in minor releases. Participating in the program is a way to contribute to the Drupal project and will be credited accordingly.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 8.9, or 9.3 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Important changes for this release

Note that release highlights will be contained in a separate post on Drupal.org, the following are changes for existing sites to be aware of.

• drupal_internal__target_id has been added to JSON:API responses, see the change record for more information.
• Field labels can now be up to 255 characters long. This has no impact on the API, but requires attention in admin themes to account for the longer possible label length.
• Shortcut icons are now output as <link rel="icon"> as per the HTML spec instead of <link rel="shortcut icon">.
  Change record.
• Each user role now depends on the modules that provide the role's permissions. This means that permissions will be automatically cleaned up when a module is uninstalled. Additionally, if a custom or contributed module uses a permission callback, see how to add additional dependency to the callback's return value. Existing roles will be updated to remove permissions that do not exist and dependencies will be added.
• In order to limit Drupal core's dependency on jQuery for forward-compatibility with future versions, the eslint core-js-passing config now includes the eslint-plugin-jquery plugin.

  Currently, only a small number of the available rules in eslint-plugin-jquery are enabled; these are the rules that check for jQuery features not used by core. As core eliminates uses of a given jQuery feature (typically because modern ES6 JavaScript has native replacements), additional eslint-plugin-jquery rules can be enabled. This will prevent those jQuery features from being reintroduced.
  Change record.

• jquery.once has been deprecated, contributed modules should update to use the new once library. See the change record for details.
• ​​Submit buttons themed as <button type="submit"> elements now trigger AJAX within Views exposed forms, just like they do when themed as <input type="submit"> elements. This now matches the behavior of Drupal 7 Views, fixing a regression from Drupal 8 and earlier versions of Drupal 9.
• FunctionalJavascript tests now automatically check to see if any JavaScript errors have been thrown during the test's execution. In Drupal 10, this will cause the test to fail, while in Drupal 9.3, a deprecation warning is issued for tests that pass despite the presence of JavaScript errors. See the change record for details.
• Block plugin forms no longer get a 'block_theme' key in form state. See the change record for more details.
• GuzzleMiddlewarePass has been removed in favor of the generic TaggedHandlersPass, code interacting with GuzzleMiddlewarePass should use TaggedHandlersPass instead.
  Change record.
• While we do not normally remove Drupal core dependencies in minor releases, Drupal core's dependencies on fabpot/goutte and behat/mink-goutte-driver have been removed in 9.3 because core does not use them and because they prevent us from allowing forward-compatibility with Guzzle 7 and PHP 8.1. If your site or module uses either of these dependencies, be sure they are added to the project's composer.json.
  Change record.
• The package Doctrine/reflection is abandoned and the parts Drupal core relies on have been copied to Drupal\Component\Annotation\Doctrine. The package will be removed from Drupal 10. Contrib and custom code should update any code that uses the package and remove their dependency too.
  Change record
• field--node--title.html.twig, field--node--created.html.twig, and field--node--uid.html.twig have been modified to render these fields as they are configured by the site builder for sites that allow configuring the display of these fields. Themes that include these templates should add this change to them as well. See the change record for details.
• The users table will be updated to change the uid column to a true serial field. See the change record for more information.
• The Quick Edit module is slated for removal from core in Drupal 10. To this end, Quick Edit has been removed from the Standard profile in Drupal 9.3.0. This change does not affect existing sites, only new sites installing the Standard profile for the first time. For more information, see the change record on Quick Edit's removal from the Standard profile.
• Drupal-specific <link> tags have been removed from node and taxonomy term pages to improve performance. There are no known uses of these tags in the wild.

  <link rel="canonical"> and <link rel="shortlink"> tags remain, and have been extended to cover all entity types.

• Drupal core previously declared support for Opera Mini in 'Extreme Data Savings' mode, due to an issue with how CanIUse documents the browser's features. Drupal never actually supported this mode, so the declaration has been removed. Opera Mini in 'High Data Savings' mode, as well as Opera Mobile (a different browser altogether), are unaffected.
  Change record.

PHP Dependency updates | Prod Packages | Operation | Base | Target | |--------------------------------------|-----------|----------|--------------| | composer/installers | Upgraded | v1.11.0 | v1.12.0 | | doctrine/annotations | Upgraded | 1.13.1 | 1.13.2 | | drupal/core | Upgraded | 9.2.7 | 9.3.0-alpha1 | | drupal/core-project-message | Upgraded | 9.2.7 | 9.3.0-alpha1 | | drupal/core-vendor-hardening | Upgraded | 9.2.7 | 9.3.0-alpha1 | | guzzlehttp/promises | Upgraded | 1.4.1 | 1.5.1 | | guzzlehttp/psr7 | Upgraded | 1.8.2 | 1.8.3 | | laminas/laminas-diactoros | Upgraded | 2.6.0 | 2.8.0 | | laminas/laminas-escaper | Upgraded | 2.7.0 | 2.9.0 | | laminas/laminas-feed | Upgraded | 2.14.1 | 2.15.0 | | laminas/laminas-stdlib | Upgraded | 3.3.1 | 3.6.0 | | masterminds/html5 | Upgraded | 2.7.4 | 2.7.5 | | pear/pear-core-minimal | Upgraded | v1.10.10 | v1.10.11 | | symfony/console | Upgraded | v4.4.25 | v4.4.30 | | symfony/debug | Upgraded | v4.4.25 | v4.4.31 | | symfony/dependency-injection | Upgraded | v4.4.25 | v4.4.31 | | symfony/error-handler | Upgraded | v4.4.25 | v4.4.30 | | symfony/event-dispatcher | Upgraded | v4.4.25 | v4.4.30 | | symfony/http-foundation | Upgraded | v4.4.25 | v4.4.30 | | symfony/http-kernel | Upgraded | v4.4.25 | v4.4.32 | | symfony/mime | Upgraded | v5.3.0 | v5.3.8 | | symfony/polyfill-mbstring | Upgraded | v1.23.0 | v1.23.1 | | symfony/polyfill-php80 | Upgraded | v1.23.0 | v1.23.1 | | symfony/process | Upgraded | v4.4.25 | v4.4.30 | | symfony/psr-http-message-bridge | Upgraded | v2.1.0 | v2.1.1 | | symfony/routing | Upgraded | v4.4.25 | v4.4.30 | | symfony/serializer | Upgraded | v4.4.25 | v4.4.31 | | symfony/translation | Upgraded | v4.4.25 | v4.4.32 | | symfony/validator | Upgraded | v4.4.25 | v4.4.31 | | symfony/var-dumper | Upgraded | v5.3.0 | v5.3.8 | | symfony/yaml | Upgraded | v4.4.25 | v4.4.29 | | twig/twig | Upgraded | v2.14.6 | v2.14.7 | | typo3/phar-stream-wrapper | Upgraded | v3.1.6 | v3.1.7 | | laminas/laminas-zendframework-bridge | Removed | 1.2.0 | - | | Dev Packages | Operation | Base | Target | |------------------------------------|-----------|---------|---------| | behat/mink | Upgraded | v1.8.1 | v1.9.0 | | behat/mink-selenium2-driver | Upgraded | v1.4.0 | v1.5.0 | | composer/ca-bundle | Upgraded | 1.2.9 | 1.2.11 | | composer/composer | Upgraded | 2.1.0 | 2.1.9 | | composer/xdebug-handler | Upgraded | 2.0.1 | 2.0.2 | | instaclick/php-webdriver | Upgraded | 1.4.7 | 1.4.10 | | justinrainbow/json-schema | Upgraded | 5.2.10 | 5.2.11 | | mikey179/vfsstream | Upgraded | v1.6.8 | v1.6.10 | | phar-io/manifest | Upgraded | 2.0.1 | 2.0.3 | | phpdocumentor/reflection-docblock | Upgraded | 5.2.2 | 5.3.0 | | phpdocumentor/type-resolver | Upgraded | 1.4.0 | 1.5.1 | | phpspec/prophecy | Upgraded | 1.13.0 | 1.14.0 | | phpunit/php-code-coverage | Upgraded | 7.0.14 | 7.0.15 | | phpunit/php-file-iterator | Upgraded | 2.0.3 | 2.0.4 | | phpunit/phpunit | Upgraded | 8.5.15 | 8.5.21 | | seld/phar-utils | Upgraded | 1.1.1 | 1.1.2 | | sirbrillig/phpcs-variable-analysis | Upgraded | v2.11.0 | v2.11.2 | | squizlabs/php_codesniffer | Upgraded | 3.6.0 | 3.6.1 | | symfony/browser-kit | Upgraded | v4.4.25 | v4.4.27 | | symfony/css-selector | Upgraded | v4.4.25 | v4.4.27 | | symfony/dom-crawler | Upgraded | v4.4.25 | v4.4.30 | | symfony/filesystem | Upgraded | v4.4.25 | v4.4.27 | | symfony/finder | Upgraded | v4.4.25 | v4.4.30 | | symfony/lock | Upgraded | v4.4.25 | v4.4.27 | | symfony/phpunit-bridge | Upgraded | v5.3.0 | v5.3.8 | | theseer/tokenizer | Upgraded | 1.2.0 | 1.2.1 | | behat/mink-goutte-driver | Removed | v1.2.1 | - | | fabpot/goutte | Removed | v3.3.1 | - | Known issues

Search the issue queue for known issues.

All changes since Drupal 9.2

Core commit log on GitLab

Release type: Bug fixesNew features

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

Known issues

Search the issue queue for known issues.

Changes since 9.2.5

• Issue #3211622 by Gauravmahlawat, mherchel, kiran.kadam911, rikki_iki: Olivero: Text can be cut off at mobile if site-branding text goes to two lines
• Issue #3226010 by mariohernandez, kostyashupenko, Gauravmahlawat, mherchel: Olivero: Skip link fails accessibility color test on hover
• Issue #3194669 by andrewmacpherson, mherchel, m4olivei, lauriii, mgifford: Misuse of explicit colour for active pager item in -ms-high-contrast media query
• Issue #3228801 by mherchel, Indrajith KB, kostyashupenko, Gauravmahlawat, ckrina: Olivero's wide dropdown hover states are broken
• Issue #3229172 by kostyashupenko, rkoller, Wim Leers, yash.rode, lauriii: Underlined text in CKEditor 5 not rendered as underlined in Claro
• Issue #3230547 by larowlan, karishmaamin, amjad1233: \Drupal\media\Controller\OEmbedIframeController::render doesn't set a content-type header
• Issue #3132145 by mohit_aghera, codersukanta, osab, mashot7, Lendude: Views contextual filter: "allow multiple" doesn't work for user roles filter
• Issue #3238373: fix merge conflict.
• Issue #3229734 by quietone, danflanagan8, Kristen Pol: Improve test and add comments to ContentEntityTest
• Issue #3200534 by quietone, longwave, Kristen Pol: Use dataprovider for constructor test in ContentEntityTest
• Merge 9.2.6
• Issue #3230772 by larowlan, phenaproxima: OembedMediaController doesn't properly bubble cacheability metadata/attachments
• Issue #3085192 by Wim Leers, focus13, grasmash: Add index on source_ids_hash for migrate_message_* tables
• Issue #3214675 by el7cosmos, bbrala, hehongbo, larowlan, alexpott: JSON:API Cannot upload files to public file root (Gets 422 Unprocessable Entity)
• Issue #3130606 by shaktik, mondrake, KapilV, longwave, daffie: MockBuilder::setMethods is deprecated in PHPUnit8 and removed from PHPUnit10
• Issue #2556069 by claudiu.cristea, bnjmnm, lauriii, pfrenssen, Tim Bozeman, marcvangend, ikeigenwijs, Wim Leers, kevinquillen, esclapes, nod_: JS error with elements in "allowed HTML tags" that can't be direct descendants of a div
• Issue #3211395 by Gauravmahlawat, andy-blum, aaron.ferris, Sakthivel M, kiran.kadam911, mherchel, tushar_sachdeva, xjm: Comment form save button has incorrect background color and contrast ratio violation on hover
• Issue #3190537 by kostyashupenko, mherchel, bnjmnm, xjm: Mobile search input in IE11 does not visually respond to keypress
• Issue #2938969 by msankhala, dhirendra.mishra, paulocs, TR, MerryHamster, alexpott, jofitz, longwave, Manuel Garcia, tameeshb, boaloysius, Yasiru Nilan, xjm, wturrell, ritzz, ZeiP, darrenwh: Replace drupal_render() in docblock and comments outside of @param, @return, @link, @see and outside of @code - @endcode
• Issue #2016739 by richardbporter, larowlan, aalamaki, afox, wroxbox, mark_fullmer, mohit_aghera, ayushmishra206, rakesh.gectcr, NikolaAt, rteijeiro, tanubansal, amietpatial, jibran, alexpott, Wim Leers: Links with "@" are converted into email addresses even if there is no domain suffix present
• Issue #2928882 by mkalkbrenner, neclimdul, manuel.adan, yogeshmpawar, Berdir, alexpott: HAL links are broken if diffferent domains, protocols or ports are used in multisite or multi-domain setup
• Issue #3139409 by mondrake, nitesh624, ridhimaabrol24, shobhit_juyal, paulocs, mohrerao, Hardik_Patel_12, ravi.shankar, munish.kumar, longwave, mrinalini9, daffie: Replace usages of AssertLegacyTrait::assertRaw, that is deprecated
• Issue #3104980 by danflanagan8, acbramley: layout_builder_system_breadcrumb_alter doesn't check for a null route object
• Issue #3230690 by Anul: Incorrect documentation in Drupal
  iews\Plugin
  iews\display::viewExposedFormBlocks)()
• Issue #3231263 by xjm, effulgentsia, longwave: Add ckrina, quietone, and bnjmnm as provisional committers in MAINTAINERS.txt
• Issue #3229094 by mherchel, rikki_iki, Gauravmahlawat: Olivero: Titles should wrap around images in teaser when necessary
• Issue #3211616 by mherchel, Gauravmahlawat, lauriii, bnjmnm, ckrina, xjm, rikki_iki, jwitkowski79: Olivero: a11y color contrast test fail for primary button on hover
• Issue #3225034 by bbrala: Simplify ResourceTypeRepository control flow for returning cached data

Release type: Bug fixesInsecure

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-008
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-009
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

No other fixes are included.

Which release do I choose? Security coverage information

• Sites on 8.9.x should update immediately to this release, but update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks! Starting in November 2021, Drupal 8 sites will no longer receive security updates. It is essential to update your Drupal 8 sites as soon as possible.
• Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-010

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.1.x will receive security coverage until December 8, 2021 when 9.3.0 is released.
• Sites on 8.9.x should update immediately to Drupal 8.9.19 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-010

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Sites on 9.1.x or earlier should update immediately to Drupal 9.1.13 instead of this release, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
• Sites on 8.9.x should update immediately to Drupal 8.9.19 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

Known issues

Search the issue queue for known issues.

Changes since 9.2.4

• Issue #3228634 by Spokje, xjm, paulocs, tim.plunkett, Lendude: Move tests for integrations between QuickEdit and other modules into QuickEdit so that it can more easily be moved into contrib
• Revert "Issue #3228634 by Spokje, xjm, paulocs, tim.plunkett, Lendude: Move tests for integrations between QuickEdit and other modules into QuickEdit so that it can more easily be moved into contrib"
• Issue #3228634 by Spokje, xjm, paulocs, tim.plunkett, Lendude: Move tests for integrations between QuickEdit and other modules into QuickEdit so that it can more easily be moved into contrib
• Issue #3221748 by Dane Powell, longwave, alexpott: drupal/core is implicitly allowed by scaffold
• Issue #3229012 by mlncn, wolcen: Fix copy-paste mistake in code comment
• Issue #3228963 by el7cosmos: Wrong path for Exception message in ThemeExtensionList
• Issue #3203416 by guilhermevp, joachim: docs for FormValidator::doValidateForm() should explain $form_id can detect recursion
• Issue #3018091 by guilhermevp, vacho, shubhangi1995, joachim, longwave, wolffereast: TaggedHandlersPass::process() doesn't document some of its features
• Revert "Issue #3022910 by quietone, juampynr, chandrashekhar_srijan, alisonjo315, heddn, benjifisher: Prevent migrated files from having an incorrect value at file_managed.filename"
• Issue #3228656 by bradjones1, Spokje: Remove outdated @todo in HtmlResponseAttachmentsProcessor
• Issue #3221715 by nod_, brianperry: Add brianperry as coordinator for the decoupled menus initiative
• Issue #3212120 by kiran.kadam911, kostyashupenko, tushar_sachdeva, chetanbharambe, ranjith_kumar_k_u, mherchel, aaron.ferris: Blockquote's content font size should be decreased when it is placed into the sidebar in the Olivero theme
• Issue #3226704 by mherchel, Abhijith S, lauriii, Gauravmahlawat, Indrajith KB: Olivero's top-level primary menu's hover states are not correct
• Issue #3221871 by mherchel, Gauravmahlawat, W01F, nod_: Olivero: Mobile menu prevents scroll & obscures page after click if menu item contains link to anchor on same page
• Issue #3223268 by javi-er, dhirendra.mishra, mherchel: Olivero: IE11 primary menu submenus have horizontal scrollbar when submenu item has focus
• Issue #3227427 by mherchel, Gauravmahlawat: Olivero: focus state is invisible in Windows high contrast
• Issue #3228396 by paul121: Update link to ChromeDriver site
• Revert "Issue #3202145 by kuldeep_mehra27, phenaproxima, bkosborne, Chris Burge: oEmbed resource fetcher needs to set a reasonable connection timeout"
• Issue #3228145 by Gauravmahlawat, mherchel: Remove misleading "toggle" phrase from Olivero's wide search form disclosure button
• Issue #3218978 by effulgentsia, daffie, mcdruid, Wim Leers: MySQL driver allows settings.php to remove ANSI_QUOTES from sql_mode, but doesn't work when it is
• Issue #3228237 by DamienMcKenna, quietone: Always sort tables in db-tools.php dump
• Issue #3190070 by Spokje: Incorrect comment indentation in default.services.yml
• Issue #3202145 by kuldeep_mehra27, phenaproxima, bkosborne, Chris Burge: oEmbed resource fetcher needs to set a reasonable connection timeout
• Issue #3227945 by cilefen, Wim Leers: Remove bender-runner.config.json from CKEditor builds
• Back to dev.
• Merged 9.2.4.
• Issue #3225188 by mherchel, dipakmdhrm, Gauravmahlawat, jwitkowski79: Olivero: Ensure proper visual hierarchy between headings
• Issue #3022910 by quietone, juampynr, chandrashekhar_srijan, alisonjo315, heddn, benjifisher: Prevent migrated files from having an incorrect value at file_managed.filename
• Issue #3220255 by Spokje, mondrake, longwave: Convert assertions involving use of xpath on links to WebAssert
• Issue #3224466 by andy-blum, mherchel: Olivero: elements are not inheriting theme's font
• Issue #3226008 by longwave, mondrake: Remove simple uses of t() in assertEquals() calls
• Issue #3170396 by mondrake, ankithashetty, longwave, catch: [backport] Remove uses of t() and switch to pageTextContains() in assert(No)Raw() calls
• Issue #3227060 by mondrake, ankithashetty, daffie, catch: [backport] Replace usages of AssertLegacyTrait::assertNoRaw, that is deprecated
• Issue #2989893 by ankithashetty, srilakshmier, quietone, firfin, longwave: Remove redundant source: key in Substr example
• Issue #2047119 by fago, msankhala, LinL: Remove deprecated documentation in DataType annotation
• Issue #3191935 by mondrake, tedbow, paulocs, ankithashetty, longwave, xjm, catch, alexpott: Replace usages of AssertLegacyTrait::assertNoText, which is deprecated
• Issue #3224414 by alexpott, varshith, dagmar, daffie: Installing the syslog module uses its configuration before it is written
• Issue #3222616 by phenaproxima, vsujeetkumar, labboy0276, hmendes, cilefen: YouTube PlayLists can't be added to Remote Video due to regex issue
• Issue #3063343 by phenaproxima, Wim Leers, larowlan, seanB, effulgentsia: Make MediaLibraryState implement CacheableDependencyInterface to remove the need for hardcoding a cache context

Release type: Bug fixesInsecure