Releases for Drupal core

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-008
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-009
• Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

No other fixes are included.

Which release do I choose? Security coverage information

• Sites on 8.9.x should update immediately to this release, but update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks! Starting in November 2021, Drupal 8 sites will no longer receive security updates. It is essential to update your Drupal 8 sites as soon as possible.
• Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-010

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.1.x will receive security coverage until December 8, 2021 when 9.3.0 is released.
• Sites on 8.9.x should update immediately to Drupal 8.9.19 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
• Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009
• Drupal core - Moderately critical - Access bypass - SA-CORE-2021-010

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Sites on 9.1.x or earlier should update immediately to Drupal 9.1.13 instead of this release, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
• Sites on 8.9.x should update immediately to Drupal 8.9.19 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

Known issues

Search the issue queue for known issues.

Changes since 9.2.4

• Issue #3228634 by Spokje, xjm, paulocs, tim.plunkett, Lendude: Move tests for integrations between QuickEdit and other modules into QuickEdit so that it can more easily be moved into contrib
• Revert "Issue #3228634 by Spokje, xjm, paulocs, tim.plunkett, Lendude: Move tests for integrations between QuickEdit and other modules into QuickEdit so that it can more easily be moved into contrib"
• Issue #3228634 by Spokje, xjm, paulocs, tim.plunkett, Lendude: Move tests for integrations between QuickEdit and other modules into QuickEdit so that it can more easily be moved into contrib
• Issue #3221748 by Dane Powell, longwave, alexpott: drupal/core is implicitly allowed by scaffold
• Issue #3229012 by mlncn, wolcen: Fix copy-paste mistake in code comment
• Issue #3228963 by el7cosmos: Wrong path for Exception message in ThemeExtensionList
• Issue #3203416 by guilhermevp, joachim: docs for FormValidator::doValidateForm() should explain $form_id can detect recursion
• Issue #3018091 by guilhermevp, vacho, shubhangi1995, joachim, longwave, wolffereast: TaggedHandlersPass::process() doesn't document some of its features
• Revert "Issue #3022910 by quietone, juampynr, chandrashekhar_srijan, alisonjo315, heddn, benjifisher: Prevent migrated files from having an incorrect value at file_managed.filename"
• Issue #3228656 by bradjones1, Spokje: Remove outdated @todo in HtmlResponseAttachmentsProcessor
• Issue #3221715 by nod_, brianperry: Add brianperry as coordinator for the decoupled menus initiative
• Issue #3212120 by kiran.kadam911, kostyashupenko, tushar_sachdeva, chetanbharambe, ranjith_kumar_k_u, mherchel, aaron.ferris: Blockquote's content font size should be decreased when it is placed into the sidebar in the Olivero theme
• Issue #3226704 by mherchel, Abhijith S, lauriii, Gauravmahlawat, Indrajith KB: Olivero's top-level primary menu's hover states are not correct
• Issue #3221871 by mherchel, Gauravmahlawat, W01F, nod_: Olivero: Mobile menu prevents scroll & obscures page after click if menu item contains link to anchor on same page
• Issue #3223268 by javi-er, dhirendra.mishra, mherchel: Olivero: IE11 primary menu submenus have horizontal scrollbar when submenu item has focus
• Issue #3227427 by mherchel, Gauravmahlawat: Olivero: focus state is invisible in Windows high contrast
• Issue #3228396 by paul121: Update link to ChromeDriver site
• Revert "Issue #3202145 by kuldeep_mehra27, phenaproxima, bkosborne, Chris Burge: oEmbed resource fetcher needs to set a reasonable connection timeout"
• Issue #3228145 by Gauravmahlawat, mherchel: Remove misleading "toggle" phrase from Olivero's wide search form disclosure button
• Issue #3218978 by effulgentsia, daffie, mcdruid, Wim Leers: MySQL driver allows settings.php to remove ANSI_QUOTES from sql_mode, but doesn't work when it is
• Issue #3228237 by DamienMcKenna, quietone: Always sort tables in db-tools.php dump
• Issue #3190070 by Spokje: Incorrect comment indentation in default.services.yml
• Issue #3202145 by kuldeep_mehra27, phenaproxima, bkosborne, Chris Burge: oEmbed resource fetcher needs to set a reasonable connection timeout
• Issue #3227945 by cilefen, Wim Leers: Remove bender-runner.config.json from CKEditor builds
• Back to dev.
• Merged 9.2.4.
• Issue #3225188 by mherchel, dipakmdhrm, Gauravmahlawat, jwitkowski79: Olivero: Ensure proper visual hierarchy between headings
• Issue #3022910 by quietone, juampynr, chandrashekhar_srijan, alisonjo315, heddn, benjifisher: Prevent migrated files from having an incorrect value at file_managed.filename
• Issue #3220255 by Spokje, mondrake, longwave: Convert assertions involving use of xpath on links to WebAssert
• Issue #3224466 by andy-blum, mherchel: Olivero: elements are not inheriting theme's font
• Issue #3226008 by longwave, mondrake: Remove simple uses of t() in assertEquals() calls
• Issue #3170396 by mondrake, ankithashetty, longwave, catch: [backport] Remove uses of t() and switch to pageTextContains() in assert(No)Raw() calls
• Issue #3227060 by mondrake, ankithashetty, daffie, catch: [backport] Replace usages of AssertLegacyTrait::assertNoRaw, that is deprecated
• Issue #2989893 by ankithashetty, srilakshmier, quietone, firfin, longwave: Remove redundant source: key in Substr example
• Issue #2047119 by fago, msankhala, LinL: Remove deprecated documentation in DataType annotation
• Issue #3191935 by mondrake, tedbow, paulocs, ankithashetty, longwave, xjm, catch, alexpott: Replace usages of AssertLegacyTrait::assertNoText, which is deprecated
• Issue #3224414 by alexpott, varshith, dagmar, daffie: Installing the syslog module uses its configuration before it is written
• Issue #3222616 by phenaproxima, vsujeetkumar, labboy0276, hmendes, cilefen: YouTube PlayLists can't be added to Remote Video due to regex issue
• Issue #3063343 by phenaproxima, Wim Leers, larowlan, seanB, effulgentsia: Make MediaLibraryState implement CacheableDependencyInterface to remove the need for hardcoding a cache context

Release type: Bug fixesInsecure

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-005

No other fixes are included.

Which release do I choose? Security coverage information

• Sites on 8.9.x should update immediately to this release, but update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in three months.
• Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-005

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.1.x will receive security coverage until December 8, 2021 when 9.3.0 is released.
• Sites on 8.9.x should update immediately to Drupal 8.9.18 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in three months.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecureInsecure

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-005

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Sites on 9.1.x or earlier should update immediately to Drupal 9.1.12 instead of this release, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
• Sites on 8.9.x should update immediately to Drupal 8.9.18 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in three months.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until June 2022 when Drupal 9.4.0 is released.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

Known issues

Search the issue queue for known issues.

Changes since 9.2.2:

• #3153469 by longwave, hmendes, Hardik_Patel_12: Remove uses of t() in clickLink() calls
• #2784203 by anmolgoyal74, gianani, rahulkhandelwal1990, Krzysztof Domański, gawaksh, kanav_7, fabienly, shubham.prakash, ravi.shankar, joachim, dgilles3, Chi, alexpott, catch: Entity query needs to clarify what 'current revision' means
• #3221312 by Spokje: ->willReturn(...) would make more sense here
• #3221062 by SylvainM, joachim: DocBlock for EntityDefinitionUpdateManagerInterface::getEntityType() missing NULL return
• #3222577 by alexpott, podarok, daffie: ServiceNotFoundException You have requested a non-existent service "language_negotiator" - hook_modules_installed()
• #3225351 by mglaman: bootstrap.php has incorrect comment about test trait namespace
• #3184184 by quietone, Wim Leers, marvil07: Test that the d7_entity_reference_translation follow-up migration runs not just for node entities
• #3224583 by daffie, dhirendra.mishra, longwave: The testbot does not run PHPCS on all files when core/phpcs.xml.dist is changed
• #3224861 by Spokje: PHPCS failure in /core/modules/tour/src/TourViewBuilder.php
• Merge 9.2.2, resolve merge conflicts, and update lockfile and dev versions.
• #3223270 by mherchel, javi-er: Olivero: Messages "close" icon not visible in IE11 High Contrast (and maybe others)
• #3160238 by JeroenT, phenaproxima, vsujeetkumar, ravi.shankar, snehalgaikwad, dishabhadra, vakulrai, gmercer, mitthukumawat, RoshaniBhangale, thalles, Abhijith S, chandu7929, janmejaig, tanubansal, manojithape, quietone: Media Library widget produces "This value should not be null" error when field is required
• #3223267 by alexpott, daffie: Remove some calls to drupal_flush_all_caches() in tests
• #2935654 by longwave, hctom: Use of undefined $languages variable in NodeListBuilder::buildRow()
• #3219198 by guilhermevp, hideaway, bradjones1: PHPdoc parameter mistype for QueryInterface::condition()
• #3185400 by mondrake, alexpott, daffie: Test upsert return value and ensure that they are consistent regardless of database type
• #3186415 by phenaproxima, Charlie ChX Negyesi, walangitan, pianomansam, dan2k3k4, Al Munnings, larowlan, philltran, cilefen, longwave, alexpott, pookmish, kaynen, Lendude, Gábor Hojtsy, rlnorthcutt, ksenzee: Make oEmbed resource fetcher more tolerant of unexpected Content-Type headers
• #3192585 by andypost, ankithashetty, Amber Himes Matz: Fix up topics to use new help_topic_link function
• #3221966 by guilhermevp, anweshasinha, Berdir: PathAliasTestTrait::assertPathAliasExists message argument default value is incompatible with assertTrue()
• #3080666 by phenaproxima, Upchuk, ieguskiza, larowlan, ravi.shankar, nikitagupta, zipymonkey, Bladedu, pameeela, b_sharpe, seanB, Spokje, mukesh.dev, Gauravmahlawat: oEmbed system doesn't work if thumbnail url does not have a file extension
• #3207111 by guilhermevp, swatichouhan012, joachim: Improve ScaffoldFilePath::__construct() documentation
• #3222980 by bbrala: Unneeded assignment in ResourceTestBase::getEntityDuplicate
• #3222313 by paulocs: Rename scripts.js to something more descriptive
• #3221933 by marcoscano, alexpott, owenbush: PHP Notice when using "left_formula" in views join
• #3220379 by guilhermevp, quietone, joachim: example code for NullCoalesce isn't formatted properly
• #2750925 by quietone, vakulrai, pavnish, Neslee Canil Pinto, ankithashetty, Meenakshi_j, nikitagupta, Suresh Prabhu Parkala, JvE, Gauravmahlawat, larowlan, Kristen Pol, paulocs, acbramley, catch: Text item sample generation fails if max length < 3
• #2834958 by huzooka, Chris Burge, alfaguru, Wim Leers, Lendude: file_validate_extensions() incorrectly assumes $file->filename contains the file's extension
• Revert "Issue #3080666 by phenaproxima, Upchuk, ieguskiza, ravi.shankar, nikitagupta, zipymonkey, larowlan, Bladedu, pameeela, Gauravmahlawat, Spokje, mukesh.dev, seanB: oEmbed system doesn't work if thumbnail url does not have a file extension"
• #3080666 by phenaproxima, Upchuk, ieguskiza, ravi.shankar, nikitagupta, zipymonkey, larowlan, Bladedu, pameeela, Gauravmahlawat, Spokje, mukesh.dev, seanB: oEmbed system doesn't work if thumbnail url does not have a file extension
• #1479220 by sudiptadas19, guilhermevp, InternetDevels, paulocs, David Jeyachandran, mondrake, jhodgdon, joachim: Add return documentation for Merge::execute()
• #3222783 by longwave, mondrake: Result of method PHPUnit\Framework\Assert::assertEquals() (void) is used

Release type: Bug fixesInsecure

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-004

No other fixes are included.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-004

No other fixes are included.

Which release do I choose? Security coverage information

• Sites on 8.9.x should update immediately to Drupal 8.9.17 instead, and update to Drupal 9 as soon as possible because Drupal 8 is end-of-life in three months.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-004

No other fixes are included.

Which release do I choose? Security coverage information

• Sites on 9.1.x or earlier should update immediately to Drupal 9.1.11 instead, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
• Sites on 8.9.x should update immediately to Drupal 8.9.17 instead, and update to Drupal 9 as soon as possible because Drupal 8 is end-of-life in three months.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecureInsecure

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Third-party library - SA-CORE-2021-004

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
• Sites on 9.1.x or earlier should update immediately to Drupal 9.1.11 instead, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
• Sites on 8.9.x should update immediately to Drupal 8.9.17 instead, and update to Drupal 9 as soon as possible because Drupal 8 is end-of-life in three months.
• Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

Drupal 9.2.x will receive security coverage until mid-2022 when Drupal 9.4.0 is released (exact date TBD).

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.2.0 release notes before upgrading to this release.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and later.

Known issues

Search the issue queue for known issues.

Changes since 9.2.0:

• #3173832 by Pooja Ganjage, mherchel, adamzimmermann, paulocs, KapilV, markdorison, Sakthivel M, Gauravmahlawat, nod_, kostyashupenko, sulfikar_s, bnjmnm: Ensure Olivero's JS documentation matches standards
• #3222009 by Jaypan: Fix documentation for hook_views_query_alter()
• #3195178 by mstrelan, Lendude, Graber, tobiberlin, texas-bronius: Views table format sorting + distinct results in a SQL error on some db engines
• #3218766 by tim.plunkett, gabesullice: Adding a SystemMainBlock to a layout builder layout causes a fatal error and should not be available
• #3211613 by Gauravmahlawat, Sakthivel M, chetanbharambe: Olivero: Inconsistent offset on close button within messages
• #3212700 by Sakthivel M, chetanbharambe, Gauravmahlawat: Olivero: focus state outline cut off from right in IE11
• #3212702 by Sakthivel M, Gauravmahlawat: Olivero: profile picture and comments are not aligned in IE11
• #3173010 by Gauravmahlawat, starshaped: Class clean up and add #0c0d0e and #171e23 as variables in Olivero's footer.pcss.css
• #3211889 by mherchel, Gauravmahlawat: Autoprefixer and PostCSS calc not generating proper IE11 grid syntax when repeat() function contains calc()
• #3210902 by mherchel, tushar_sachdeva, kostyashupenko, RenatoG, kiran.kadam911, Sakthivel M, marcusvsouza, guilhermevp, penyaskito, sulfikar_s: Blockquote can overflow into the sidebar in the Olivero theme
• #3213118 by Gauravmahlawat, Sakthivel M, Akhildev.cs, mherchel: Olivero: Mobile sub-navigation menus slightly offset subsequent menu links when hidden
• #3213957 by Gauravmahlawat, mitthukumawat, Indrajith KB: Umami demo: hover state of buttons is odd on quick edit
• #3211907 by Sakthivel M, tushar_sachdeva: On Mobile screens, tags label and tags item are misaligned
• #3212073 by Sakthivel M, kiran.kadam911, javi-er, Gauravmahlawat, ranjith_kumar_k_u, mherchel: Olivero: Primary navigation toggle button(plus/minus) is not vertically center below 1200 res
• #3213074 by mherchel, Indrajith KB, Gauravmahlawat: Olivero: Refactor second-level-navigation.es6.js to meet Drupal's JavaScript coding standards
• #3214140 by Gauravmahlawat, manojithape, mitthukumawat, tstoeckler: Olivero: Message icon has border radius in firefox browser
• Revert "Issue #3214140 by Gauravmahlawat, manojithape, mitthukumawat: Olivero: Message icon has border radius in firefox browser"
• #3212981 by mherchel, Indrajith KB, Gauravmahlawat, andy-blum, lauriii, thejimbirch: Olivero: Refactor navigation.es6.js to meet Drupal's JavaScript coding standards
• #3217175 by javi-er, mherchel: Olivero: Make IE11 close submenu when ESC key is pressed
• #3208372 by paulocs, mherchel, Gauravmahlawat: Olivero: Refactor comments.es6.js
• #3217717 by longwave, mondrake, xjm, tim.plunkett: Replace usages of the at() matcher, which is deprecated
• #3220183 by mondrake, longwave: Convert assertions involving use of xpath on labels to WebAssert
• #3202166 by xjm, vakulrai, paulocs, Neslee Canil Pinto, rubenvarela, Gauravmahlawat, Abhijith S, larowlan: Allow saving on menu LinkWidget
• #3216556 by sudiptadas19, mondrake, guilhermevp, daffie, andypost, longwave: Document that the $table argument of Connection::select() can be a subquery
• #3220922 by gabesullice: Remove gabesullice as Decoupled menus initiative coordinator
• #3220184 by bbrala, gabesullice, Wim Leers, e0ipso, xjm, dmsmidt: Add bbrala as sub-system maintainer for JSON:API
• #1478294 by quietone, dww, tedbow: Update manager XML test fixtures contain D7 links to D8 releases
• #3219881 by msnassar: Typo in the description of class MenuLinkContentAccessControlHandler
• #3217374 by bbrala, daffie: SIMPLETEST_BASE_URL does not validate scheme
• #3173008 by anmolgoyal74, mherchel, paulocs, kostyashupenko, FMB, andy-blum: [Code Review] wide image within article template a reusable component/class
• #3173022 by anmolgoyal74, mherchel, andy-blum, vsujeetkumar, hinal05, kostyashupenko: Figure out a clean way to manage the style of Olivero's menu block in the sidebar region
• #2719649 by Spokje, harsha012, jofitz, vprocessor, nikitagupta, cburschka, rasikap, hitesh-jain, quietone, longwave, mfernea, andypost, klausi, Malevi4, crazyrohila: Fix 'Drupal.Commenting.InlineComment.SpacingBefore' coding standard
• #3210199 by mherchel, Gauravmahlawat, bnjmnm, thejimbirch: Olivero: Adjustments to landmark regions
• #3218660 by alexpott: help_topics module can break during module uninstall
• #3220450 by xjm, phenaproxima: OEmbed ProviderRepositoryTest::testEmptyProviderList() does not interact with Guzzle's API correctly
• #3199741 by Matroskeen, quietone: Add documentation for remaining source plugins
• #3103031 by quietone, alexpott, heddn, Wim Leers: Add bundle to the sourceIDs to FieldOptionTranslation source plugin
• #3196583 by Matroskeen, Wim Leers, quietone, larowlan: MigrationLookup plugin overrides source values for multiple migrations
• #3209353 by Matroskeen, nishantghetiya, quietone: Add documentation for remaining node and taxonomy modules
• #3164520 by james.williams, Matroskeen, huzooka, raman.b, quietone, mikelutz: FieldableEntity::getFieldValues() does not guarantee that the returned field values are sorted by their delta
• #3095739 by jhodgdon, siddhant.bhosale, pratik_kamble, andypost, ayushmishra206, SenthilMohith, kleiton_rodrigues, daffie, catch, snehalgaikwad: Convert admin UI-related modules: contextual, help, inline_form_errors, quickedit, settings_tray, shortcut, toolbar, tour module hook_help() to topic(s)
• #3094482 by jhodgdon, shetpooja04, Amber Himes Matz, andypost, pritish.kumar, ankithashetty, batigolix, catch: Convert action module hook_help() to topic(s), including views bulk operations
• #3048848 by jmikii, carletex, andypost, sulfikar_s, mrinalini9, himanshu_sindhwani, anantjain60, guilhermevp, johnwebdev, alexpott, quietone: Syndicate block outputs wrong feed URL
• #3175718 by mondrake, alexpott, jungle, longwave: Random fails due to drupal-settings-json being counted as page text
• #3067727 by jhodgdon, batigolix, shetpooja04, NitinLama, Pooja Ganjage, anmolgoyal74, andypost, nitesh624, kishor_kolekar, iyyappan.govind, mrinalini9, Gayathri J, daffie, catch: Convert comment, node, path, taxonomy module hook_help() to topic(s)
• #3215143 by paulocs, daffie: Replace replace assertEqual() in some comments
• #2228087 by quietone, longwave, Kristen Pol, jungle, VladimirAus, phayes: PhpStreamWrapperInterface lacks docblocks
• #3097416 by b_sharpe, phenaproxima, Chris Burge, seanB, webchick, oknate: When embedding media, don't let authors choose view modes that are not enabled for that media type
• #3156396 by TR, pavnish, mondrake, longwave, catch, jungle: Use assertSameSize() to check same size of two countable variables
• #3053167 by quietone, marvil07: Move state entries out of migrate_drupal.migrate_drupal.yml
• #2879159 by Spokje, LoMo, ravi.shankar, quietone, mondrake: Some calls to assertEquals have expected/actual parameters reversed
• #3213734 by longwave, mondrake: AssertButtonsTrait has invalid PHP syntax
• #3213621 by huzooka: Fix D7 migration database fixture (to follow documentation) and update the same outdated doc

Release type: Bug fixesInsecure

This is a minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.2.x contains new features, and should be the target for new site development. Drupal 9.1.x will continue to have security support until December 2021.

9.0.x will no longer receive security support, so sites on a Drupal 9.0.x version should upgrade to a supported release as soon as possible.

Drupal 8.9.x security coverage ends in November 2021, before Drupal 9.3.0 will be released, so if you are using Drupal 8, you must upgrade to Drupal 9.2 before November to keep your site secure.

Important update information Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Upgrading from Drupal 7

Drupal 7 users should migrate to 9.2 directly. The upgrade path for multilingual sites is stable in both Drupal 8 and 9.

Changes to site-owner-managed files

The web.config file used by Microsoft's IIS server has been updated to remove unnecessary configuration. The commented out Erase HTTP_PROXY rule has been removed. PHP 7.3 and up is not vulnerable and this rule can be removed if you have enabled it.

Other important update information Changes to session generation and session ID handling

Drupal now uses PHPs built-in session generation. The change record details how custom and contributed code that relies on the session ID should be updated.

Changes to configuration file formats Configuration files with multi-line strings formatting has changed

Configuration files with multi-line strings will be exported using Symfony's multi-line literal block formatting option, improving readability and diffs. This will mean a configuration diff the first time a configuration file is re-exported.

Dangerous file extension handling

If you limit allowed extensions and want dangerous files to be uploaded and renamed, you must explicitly allow txt file uploads. This is mandated when configuring file fields through the user interface.

Change to Views' default display name

Views renamed the default display from "Master" to "Default". This does not affect existing Views, only ones created after this change. Additionally, the setting to hide/show the default display had its machine name changed from ui.show.master_display to ui.show.default_display. Review the change record on the default display name change for more information.

README.txt replaced with README.md

Drupal's README now focuses on shepherding new contributors into the Drupal ecosystem and uses the Markdown format. The usage information previously contained in the README.txt file has been extracted to a newly created USAGE.txt file in the core directory. Sites that are using the drupal/core-composer-scaffold plugin to exclude README.txt should update their configuration to exclude README.md instead.

Permissions policy header

A Permissions-Policy header has been introduced, to block Google’s Federated Learning of Cohorts. See the change record for more information.

Dependency updates Deprecated, changed, and removed dependencies

• The Goutte testing browser has been deprecated and replaced with a new mink driver client, using Guzzle. This should not require any changes to browser tests unless you are interacting with specific Goutte features. Review the change record on the Goutte driver replacement for more information.

• Drupal has replaced the behat/mink-browserkit-driver dependency with friends-of-behat/mink-browserkit-driver for PHP 8 and Symfony 5 compatibility.

• The tabbable library has been added to replace the functionality provided by for jQuery UI's :tabbable selector. A shim has been provided so all existing of uses of the :tabbable selector now use tabbable to query tabbable elements. See the change record for more information.

Added dependencies

• Drupal now uses Symfony's PHPUnit-Bridge polyfills for forward compatibility. This will allow developers to replace usages of deprecated assertions in preparation for PHPUnit 10. See the change record for more information.

• The core/once library, a standalone library that offers the same benefits as core/jquery.once but without the jQuery dependency, has been added to Drupal core.

• The projects psr/cache is added as a requirement dependency for doctrine/annotations.

Updated dependencies

CKEditor has been updated from 4.15.1 to 4.16.1, which includes numerous bugfixes and improvements.

The Sortable library has been updated to Sortable to 1.13.0

PHP dependency updates:

+--------------------------------------+---------+-----------+-------------------------------------------------------------------------------+ | Production Changes | From | To | Compare | +--------------------------------------+---------+-----------+-------------------------------------------------------------------------------+ | composer/installers | v1.9.0 | v1.10.0 | https://github.com/composer/installers/compare/v1.9.0...v1.10.0 | | composer/semver | 3.2.2 | 3.2.4 | https://github.com/composer/semver/compare/3.2.2...3.2.4 | | doctrine/annotations | 1.11.1 | 1.12.1 | https://github.com/doctrine/annotations/compare/1.11.1...1.12.1 | | drupal/core | 9.1.10 | 9.2.x-dev | | | drupal/core-project-message | 9.1.10 | 9.2.x-dev | | | drupal/core-vendor-hardening | 9.1.10 | 9.2.x-dev | | | egulias/email-validator | 2.1.22 | 2.1.25 | https://github.com/egulias/EmailValidator/compare/2.1.22...2.1.25 | | guzzlehttp/promises | 1.4.0 | 1.4.1 | https://github.com/guzzle/promises/compare/1.4.0...1.4.1 | | guzzlehttp/psr7 | 1.7.0 | 1.8.1 | https://github.com/guzzle/psr7/compare/1.7.0...1.8.1 | | laminas/laminas-feed | 2.13.0 | 2.14.0 | https://github.com/laminas/laminas-feed/compare/2.13.0...2.14.0 | | laminas/laminas-stdlib | 3.3.0 | 3.3.1 | https://github.com/laminas/laminas-stdlib/compare/3.3.0...3.3.1 | | laminas/laminas-zendframework-bridge | 1.1.1 | 1.2.0 | https://github.com/laminas/laminas-zendframework-bridge/compare/1.1.1...1.2.0 | | pear/pear_exception | v1.0.1 | v1.0.2 | https://github.com/pear/PEAR_Exception/compare/v1.0.1...v1.0.2 | | psr/container | 1.0.0 | 1.1.1 | https://github.com/php-fig/container/compare/1.0.0...1.1.1 | | symfony/console | v4.4.19 | v4.4.21 | https://github.com/symfony/console/compare/v4.4.19...v4.4.21 | | symfony/debug | v4.4.19 | v4.4.20 | https://github.com/symfony/debug/compare/v4.4.19...v4.4.20 | | symfony/dependency-injection | v4.4.19 | v4.4.21 | https://github.com/symfony/dependency-injection/compare/v4.4.19...v4.4.21 | | symfony/error-handler | v4.4.19 | v4.4.21 | https://github.com/symfony/error-handler/compare/v4.4.19...v4.4.21 | | symfony/event-dispatcher | v4.4.19 | v4.4.20 | https://github.com/symfony/event-dispatcher/compare/v4.4.19...v4.4.20 | | symfony/http-foundation | v4.4.19 | v4.4.20 | https://github.com/symfony/http-foundation/compare/v4.4.19...v4.4.20 | | symfony/http-kernel | v4.4.19 | v4.4.21 | https://github.com/symfony/http-kernel/compare/v4.4.19...v4.4.21 | | symfony/mime | v5.1.11 | v5.2.6 | https://github.com/symfony/mime/compare/v5.1.11...v5.2.6 | | symfony/polyfill-ctype | v1.20.0 | v1.22.1 | https://github.com/symfony/polyfill-ctype/compare/v1.20.0...v1.22.1 | | symfony/polyfill-iconv | v1.20.0 | v1.22.1 | https://github.com/symfony/polyfill-iconv/compare/v1.20.0...v1.22.1 | | symfony/polyfill-intl-idn | v1.20.0 | v1.22.1 | https://github.com/symfony/polyfill-intl-idn/compare/v1.20.0...v1.22.1 | | symfony/polyfill-intl-normalizer | v1.20.0 | v1.22.1 | https://github.com/symfony/polyfill-intl-normalizer/compare/v1.20.0...v1.22.1 | | symfony/polyfill-mbstring | v1.20.0 | v1.22.1 | https://github.com/symfony/polyfill-mbstring/compare/v1.20.0...v1.22.1 | | symfony/polyfill-php80 | v1.20.0 | v1.22.1 | https://github.com/symfony/polyfill-php80/compare/v1.20.0...v1.22.1 | | symfony/process | v4.4.19 | v4.4.20 | https://github.com/symfony/process/compare/v4.4.19...v4.4.20 | | symfony/psr-http-message-bridge | v2.0.2 | v2.1.0 | https://github.com/symfony/psr-http-message-bridge/compare/v2.0.2...v2.1.0 | | symfony/routing | v4.4.19 | v4.4.20 | https://github.com/symfony/routing/compare/v4.4.19...v4.4.20 | | symfony/serializer | v4.4.19 | v4.4.20 | https://github.com/symfony/serializer/compare/v4.4.19...v4.4.20 | | symfony/translation | v4.4.19 | v4.4.21 | https://github.com/symfony/translation/compare/v4.4.19...v4.4.21 | | symfony/validator | v4.4.19 | v4.4.21 | https://github.com/symfony/validator/compare/v4.4.19...v4.4.21 | | symfony/var-dumper | v5.1.11 | v5.2.6 | https://github.com/symfony/var-dumper/compare/v5.1.11...v5.2.6 | | symfony/yaml | v4.4.19 | v4.4.21 | https://github.com/symfony/yaml/compare/v4.4.19...v4.4.21 | | twig/twig | v2.14.1 | v2.14.4 | https://github.com/twigphp/Twig/compare/v2.14.1...v2.14.4 | | symfony/deprecation-contracts | NEW | v2.2.0 | | +--------------------------------------+---------+-----------+-------------------------------------------------------------------------------+ +-----------------------------------------+---------+---------+-------------------------------------------------------------------------------------+ | Dev Changes | From | To | Compare | +-----------------------------------------+---------+---------+-------------------------------------------------------------------------------------+ | behat/mink-browserkit-driver | v1.3.4 | REMOVED | | | composer/ca-bundle | 1.2.8 | 1.2.9 | https://github.com/composer/ca-bundle/compare/1.2.8...1.2.9 | | composer/spdx-licenses | 1.5.4 | 1.5.5 | https://github.com/composer/spdx-licenses/compare/1.5.4...1.5.5 | | composer/xdebug-handler | 1.4.4 | 1.4.6 | https://github.com/composer/xdebug-handler/compare/1.4.4...1.4.6 | | doctrine/instantiator | 1.3.1 | 1.4.0 | https://github.com/doctrine/instantiator/compare/1.3.1...1.4.0 | | drupal/coder | 8.3.10 | 8.3.12 | https://git.drupalcode.org/project/coder/compare/8.x-8.3....8.x-8.3. | | easyrdf/easyrdf | 1.0.0 | 1.1.1 | https://github.com/easyrdf/easyrdf/compare/1.0.0...1.1.1 | | myclabs/deep-copy | 1.10.1 | 1.10.2 | https://github.com/myclabs/DeepCopy/compare/1.10.1...1.10.2 | | phar-io/manifest | 1.0.3 | 2.0.1 | https://github.com/phar-io/manifest/compare/1.0.3...2.0.1 | | phar-io/version | 2.0.1 | 3.1.0 | https://github.com/phar-io/version/compare/2.0.1...3.1.0 | | phpspec/prophecy | 1.12.1 | 1.13.0 | https://github.com/phpspec/prophecy/compare/1.12.1...1.13.0 | | phpunit/php-code-coverage | 7.0.10 | 7.0.14 | https://github.com/sebastianbergmann/php-code-coverage/compare/7.0.10...7.0.14 | | phpunit/php-file-iterator | 2.0.2 | 2.0.3 | https://github.com/sebastianbergmann/php-file-iterator/compare/2.0.2...2.0.3 | | phpunit/php-timer | 2.1.2 | 2.1.3 | https://github.com/sebastianbergmann/php-timer/compare/2.1.2...2.1.3 | | phpunit/php-token-stream | 3.1.1 | 4.0.4 | https://github.com/sebastianbergmann/php-token-stream/compare/3.1.1...4.0.4 | | phpunit/phpunit | 8.5.8 | 8.5.15 | https://github.com/sebastianbergmann/phpunit/compare/8.5.8...8.5.15 | | sebastian/code-unit-reverse-lookup | 1.0.1 | 1.0.2 | https://github.com/sebastianbergmann/code-unit-reverse-lookup/compare/1.0.1...1.0.2 | | sebastian/comparator | 3.0.2 | 3.0.3 | https://github.com/sebastianbergmann/comparator/compare/3.0.2...3.0.3 | | sebastian/diff | 3.0.2 | 3.0.3 | https://github.com/sebastianbergmann/diff/compare/3.0.2...3.0.3 | | sebastian/environment | 4.2.3 | 4.2.4 | https://github.com/sebastianbergmann/environment/compare/4.2.3...4.2.4 | | sebastian/exporter | 3.1.2 | 3.1.3 | https://github.com/sebastianbergmann/exporter/compare/3.1.2...3.1.3 | | sebastian/global-state | 3.0.0 | 3.0.1 | https://github.com/sebastianbergmann/global-state/compare/3.0.0...3.0.1 | | sebastian/object-enumerator | 3.0.3 | 3.0.4 | https://github.com/sebastianbergmann/object-enumerator/compare/3.0.3...3.0.4 | | sebastian/object-reflector | 1.1.1 | 1.1.2 | https://github.com/sebastianbergmann/object-reflector/compare/1.1.1...1.1.2 | | sebastian/recursion-context | 3.0.0 | 3.0.1 | https://github.com/sebastianbergmann/recursion-context/compare/3.0.0...3.0.1 | | sebastian/resource-operations | 2.0.1 | 2.0.2 | https://github.com/sebastianbergmann/resource-operations/compare/2.0.1...2.0.2 | | sebastian/type | 1.1.3 | 1.1.4 | https://github.com/sebastianbergmann/type/compare/1.1.3...1.1.4 | | seld/jsonlint | 1.8.2 | 1.8.3 | https://github.com/Seldaek/jsonlint/compare/1.8.2...1.8.3 | | sirbrillig/phpcs-variable-analysis | v2.9.0 | v2.11.0 | https://github.com/sirbrillig/phpcs-variable-analysis/compare/v2.9.0...v2.11.0 | | symfony/browser-kit | v4.4.19 | v4.4.20 | https://github.com/symfony/browser-kit/compare/v4.4.19...v4.4.20 | | symfony/css-selector | v4.4.19 | v4.4.20 | https://github.com/symfony/css-selector/compare/v4.4.19...v4.4.20 | | symfony/dom-crawler | v4.4.19 | v4.4.20 | https://github.com/symfony/dom-crawler/compare/v4.4.19...v4.4.20 | | symfony/filesystem | v4.4.19 | v4.4.21 | https://github.com/symfony/filesystem/compare/v4.4.19...v4.4.21 | | symfony/finder | v4.4.19 | v4.4.20 | https://github.com/symfony/finder/compare/v4.4.19...v4.4.20 | | symfony/lock | v4.4.19 | v4.4.21 | https://github.com/symfony/lock/compare/v4.4.19...v4.4.21 | | symfony/phpunit-bridge | v5.1.11 | v5.2.6 | https://github.com/symfony/phpunit-bridge/compare/v5.1.11...v5.2.6 | | webmozart/assert | 1.9.1 | 1.10.0 | https://github.com/webmozarts/assert/compare/1.9.1...1.10.0 | | friends-of-behat/mink-browserkit-driver | NEW | v1.5.0 | | +-----------------------------------------+---------+---------+-------------------------------------------------------------------------------------+ Changes to coding standards

The following coding standards checks have been enabled in core:

Drupal.Semantics.RemoteAddress Drupal.Classes.PropertyDeclaration Drupal.Commenting.DocComment.ParamGroup Generic.Formatting.DisallowMultipleStatements Squiz.WhiteSpace.ScopeKeywordSpacing Drupal.Commenting.DocCommentAlignment Drupal.Commenting.FunctionComment.ParamMissingDefinition Drupal.Commenting.FunctionComment.InvalidTypeHint Drupal.Commenting.FunctionComment.IncorrectTypeHint Drupal.Commenting.HookComment Drupal.Classes.UseGlobalClass Drupal.Commenting.DocComment.TagGroupSpacing Drupal.Commenting.DocComment.ShortFullStop Known issues

Users of redirect_after_login module may experience issues after updating to 9.2.0, this is being resolved in an issue against that module.

Search the issue queue for known issues.

Changes since 9.2.0-rc1

Changes since 9.2.0-rc1:

• #3177415 by ramil g, joelpittet, jplana, kishor_kolekar: Vertical Tabs CSS classes applying to non-vertical tab detail element groups
• #3214395 by YesCT, paulocs: Add ModuleUninstallValidatorInterface hint to hook_uninstall docs
• #3064596 by neclimdul, quietone: Avoid format calls in DateTimePlus::createFromFormat
• #3217357 by Anandhi K, jungle, Rinku Jacob 13, longwave: Replace occurrences of outdated text "Extending Drupal 8" and its link
• #3092553 by amateescu, dixon_, shaal, xjm, ckrina, jrockowitz, webchick, worldlinemine: Add a row for switching to the live workspace in the Workspaces listing UI
• #3217861 by jhodgdon: Documentation needed in ConfigEntityDependency::getDependencies() to explain what the $type == module code is doing
• #3218658 by nod_: Update @drupal/once to 1.0.1
• #3187318 by sudiptadas19, eddie_c, huzooka, anmolgoyal74, quietone, Wim Leers, alexpott: ContentEntity source plugin should exclude user with uid "0"
• #3216552 by andypost, mondrake, Gauravmahlawat, daffie, joachim: Incorrect calls to Connection::select() in MenuTreeStorage
• #3215611 by alexpott, longwave: Service deprecations are only triggered on container build,not ::get()
• #2359675 by Grimreaper, jhedstrom, paulocs, anrikun, Lendude, larowlan, nicoloye, dww, alexpott: File field's Maximum upload size always passes validation
• #2716019 by joseph.olstad, rodrigoaguilera, _Archy_, Lendude, mdupont, anmolgoyal74, mpp, Krzysztof Domański, DamienMcKenna, adityasingh, Skymen, benelori, Suresh Prabhu Parkala, rensingh99, alexpott, paulocs, HeyJo, iiRealXz, dawehner, xjm, 5n00py, tstoeckler, Karsa, dbyers55, idebr: View titles in breadcrumb and metatag title don't get properly translated
• #3217706 by Spokje, longwave, guilhermevp, mondrake: Replace usages of assertFileNotExists(), that is deprecated
• #3218586 by mondrake: Missed one conversion to expectWarning()
• #3215198 by phma: Thumbnail updates read width and height from source image on save even if queued
• #3217732 by bnjmnm, Wim Leers: filterStatus behavior can't find settings markup after AJAX update
• #3217714 by mondrake, ravi.shankar, guilhermevp, longwave: Replace usages of expectException(Warning::class), that is deprecated
• #3218139 by gapple, longwave: Stop altering existing Permissions-Policy header in FinishResponseSubscriber
• #3012172 by acbramley: EntityViewBuilder::addContextualLinks assumes an entity's canonical rel is routed/internal
• #3217716 by sudiptadas19, Meenakshi_j, hmendes, guilhermevp, mondrake: Replace usages of expectException(Error::class), that is deprecated
• #3116804 by dww, tedbow, benjifisher, heddn, xjm, jungle: Add tedbow and dww as maintainers for Update Manager
• #3213616 by n4r3n, Wim Leers, quietone: Map all Datetime module's field formatters from D6/D7 to D8/D9
• #3134554 by Matroskeen, larowlan, paulocs, aluzzardi, phenaproxima, mark_fullmer, vierlex, hchonov, grathbone: Media fields with Media Library form widget trigger PHP 'Notice: Undefined index'
• #3218024 by Charlie ChX Negyesi, longwave, Berdir: Field called "link" breaks the RSS Views plugins
• #3217713 by guilhermevp, vsujeetkumar, mondrake, sudiptadas19, vikashsoni: Replace usages of assertFileNotIsWritable(), that is deprecated
• #2977495 by alexfarr, Sam152, Neslee Canil Pinto, timmillwood, alexpott: Content Moderation missing permission descriptions
• #3210898 by quietone, BhumikaVarshney: Combine tests using NormalizerDenormalizeExceptionsUnitTestBase
• #3084436 by longwave, simonminter, Spokje, alexpott, alisonjo315, pameeela, webel: Config export field should be cleared when config type changes
• #3214773 by jmsosso, Spokje: Wrong type hint for getActiveMultiple() and getCanonicalMultiple() in EntityRepositoryInterface
• #3217711 by Spokje, sudiptadas19, guilhermevp, mondrake: Replace usages of assertNotRegExp(), that is deprecated
• #3174200 by mondrake, longwave, alexpott: Use PHPUnit-bridge polyfills for forward compatibility layer
• #3217712 by sudiptadas19, mondrake: Replace usages of assertDirectoryNotIsWritable(), that is deprecated
• #3217709 by sudiptadas19, mondrake: Replace usages of assertRegExp(), that is deprecated
• #3122056 by Wim Leers, mohit_aghera, Kristen Pol: Do not track viewing history for unsaved entities, nor when previewing existing entities
• #3214487 by paulocs, vakulrai, vetal4ik, manojithape, nishantghetiya, quietone, Lendude: Remove 'reply' link from comment field when threading is disabled

Release type: Bug fixesNew featuresInsecure

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.2.x contains new features, and should be the target for new site development. Drupal 9.1.x will continue to have security support until December 2021.

Drupal 8.9.x security coverage ends in November 2021, before Drupal 9.3.0 will be released, so if you are using Drupal 8, you must upgrade before November to Drupal 9.2.x to keep your site secure.

Important update information

If you are updating from 9.1.x or earlier, also read:

• 9.2.0-alpha1 update information
• 9.2.0-beta1 update information
• 9.2.0-beta2 update information
• 9.2.0-beta3 update information

A number of contributed modules reported issues following #3162016: [Symfony 6] Retrieving a non-string value from "Symfony\Component\HttpFoundation\InputBag::get()" is deprecated (a change being made for Symfony 6 compatibility). This change has since been reverted.

Dependency updates since 9.1.0-beta3 Production dependencies

• Symfony 5 components have been updated from 5.3.0-RC1 to the 5.3.0 stable release.
• Symfony 4 components have been updated from 4.2.44 to 4.4.45.
• Various Symfony polyfills have been updated from 1.22.1 to 1.23.0.
• Diactoros has been updated from 2.5.1 to 2.6.0.
• Our internal dependency on composer/semver has been updated from 3.2.4 to 3.2.5.

Development dependencies

• Our internal composer/composer dependency has been updated to 2.1.0. While some users of composer-patches have reported issues with Composer 2.1, this internal dependency does not affect the version of Composer the site may use on the CLI.
• composer/xdebug-handler has also been updated from 1.4.6 to 2.0.1.

Known issues

Search the issue queue for known issues.

All changes since 9.2.0-beta3

• Issue #3217322 by effulgentsia, xjm, Gábor Hojtsy: Update dependencies except PHPUnit to latest releases as of June 3, 2021
• Revert "Issue #3162016 by longwave, andypost, Hardik_Patel_12, catch, alexpott, daffie, Kristen Pol: [Symfony 6] Retrieving a non-string value from "Symfony\Component\HttpFoundation\InputBag::get()" is deprecated"
• Issue #3216088 by Spokje, xjm, longwave: Update Symfony 5 components to 5.3

Release type: Bug fixesNew featuresInsecure