Drupal Release Notes

Release notes

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

All changes since 10.6.2

• task: #3566054 Add heddn as a maintainer of the Image subsystem
• task: #3566053 Add heddn as a maintainer of the Authentication and Authorization subsystem
• test: #3571492 Several tests fail on PHP 8.1 on 10.6.x because of requirements issues
• fix: #3463524 editor_post_update_sanitize_image_upload_settings fails on missing text format
• Reapply "task: #3571196 Update symfony/process constraint"
• task: #3570133 PHPUnit security update
• Revert "task: #3571196 Update symfony/process constraint"
• task: #3571196 Update symfony/process constraint
• docs: #3532469 Documentation mentions Drupal being fully "repaired"
• task: #3569877 Add PHP 8.4 and 8.5 end of life dates to PhpRequirements
• docs: #3559209 cache contexts should use list everywhere
• task: #3566060 Add smustgrave as a maintainer of the Menu UI subsystem
• task: #3566058 Add penyaskito as a maintainer of the Content Translation subsystem
• task: #3566059 Add penyaskito as a maintainer of the Language subsystem
• fix: #3561800 Using \Drupal\Core\Database\Query\Insert::from() on postgres on a table with a serial field can result in duplicate key error
• fix: #3327662 Deleting the system.site:page.front config results in a PHP deprecation
• fix: #3539508 form-data: Usage of unsafe random function
• fix: #3450792 Only set #group is status field exists in NodeForm
• fix: #3389633 SwitchShortcutSet form does not set access on machine name element
• test: #3520036 [random test failure] CKEditor5MarkupTest
• fix: #3550787 [random test failure] CKEditor5Test::testLanguageOfPartsPlugin
• fix: #3419203 ckeditor5_post_update_code_block() throws an error for format using CKE5 but with CKE4 settings
• fix: #3468180 Undefined array key "view_mode" in block_content_theme_suggestions_block_alter
• fix: #3566429 Update to 10.6.0 fails due to nodejs version incompatibility

Back to dev.

Release type

Bug fixes

Original source Report a problem

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 11.3.x will receive security coverage until December 2026.

All changes since 11.3.2

• task: #3566054 Add heddn as a maintainer of the Image subsystem
• task: #3566053 Add heddn as a maintainer of the Authentication and Authorization subsystem
• task: #3566049 Add amateescu as a maintainer of the Workflows subsystem
• test: #3571492 Several tests fail on PHP 8.1 on 10.6.x because of requirements issues
• fix: #3463524 editor_post_update_sanitize_image_upload_settings fails on missing text format
• Reapply "task: #3571196 Update symfony/process constraint"
• task: #3570133 PHPUnit security update
• Revert "task: #3571196 Update symfony/process constraint"
• task: #3571196 Update symfony/process constraint
• fix: #3567770 Media Library message persists after deselecting items to fix overflow
• docs: #3532469 Documentation mentions Drupal being fully "repaired"
• fix: #3566568 The short description for the \Drupal\user\AccountForm class is not correct
• fix: #3569778 Fix link in \Drupal\Tests\package_manager\Kernel\TestSandboxManager::__sleep doc
• fix: #3564510 TypeError: Drupal\Core\Utility\ThemeRegistry::getGlobalPreprocess(): Return value must be of type array
• fix: #3570220 RoleSettingsForm::submitForm() should not load config overrides
• fix: #3570219 BlockListBuilder::submitForm() should not load config overrides
• fix: #3565213 Adjust contextual CSS for navigation module reset CSS
• fix: #3568141 Try to avoid style recalculation in Olivero's isDesktopNav
• fix: #3564880 BigPipe placeholders with identical IDs are not all replaced
• docs: #3563727 Fix PHPStan missingType.generics for \ArrayIterator not specifying its types
• feat: #3535230 Reverted revision is not listed on the version history when using Set as current revision
• Revert "feat: #3535230 Reverted revision is not listed on the version history when using Set as current revision"
• feat: #3535230 Reverted revision is not listed on the version history when using Set as current revision
• feat: #3556794 preprocess_HOOK__candidates in themes can be assigned to module invoke maps
• docs: #3559209 cache contexts should use list everywhere
• task: #3566060 Add smustgrave as a maintainer of the Menu UI subsystem
• task: #3566058 Add penyaskito as a maintainer of the Content Translation subsystem
• task: #3566059 Add penyaskito as a maintainer of the Language subsystem
• fix: #3561800 Using \Drupal\Core\Database\Query\Insert::from() on postgres on a table with a serial field can result in duplicate key error
• fix: #3327662 Deleting the system.site:page.front config results in a PHP deprecation
• task: #3564264 Fix concrete typehinting of EntityTypeManager
• task: #3567983 Avoid unnecessary style recalculation from Olivero search
• task: #3449874 Update to jQuery 4.0.0
• fix: #3562759 ContentEntityBase::hasTranslationChanges() must use loadRevisionUnchanged()
• fix: #3552984 MigrateTestBase::display() causes a TypeError if a test fails a migration
• fix: #3532360 Check return value from getCurrentRequest() before calling setRequest() in ViewExecutableFactory
• fix: #3450792 Only set #group is status field exists in NodeForm
• fix: #3560093 $target_url in ViewAjaxController::ajaxView can be NULL
• fix: #3389633 SwitchShortcutSet form does not set access on machine name element
• fix: #3567086 Alias case sensitivity after the removal of the preload cache
• Revert "fix: #3516264 CKEditor 5 loads all plugin translations on AJAX operations"
• test: #3520036 [random test failure] CKEditor5MarkupTest
• task: #3563647 Remove unneeded patterns from deprecation-ignore.txt
• fix: #3401726 MediaLibraryUiBuilder service does not properly allow additional contextual filter arguments
• Revert "fix: #3560202 UserCreationTrait::create* methods can never return false"
• fix: #3560202 UserCreationTrait::create* methods can never return false
• fix: #3550787 [random test failure] CKEditor5Test::testLanguageOfPartsPlugin
• fix: #3566844 [random test failure] MediaTest::testTranslationAlt
• fix: #3566845 [random test failure] ImageTest::testLinkability
• fix: #3549107 Escape or strip control characters in JSON:API
• fix: #3505182 An entity without a label causes an uncaught exception for the navigation:title component
• fix: #1522154 Saving non-default revisions shouldn't trigger a search reindex
• fix: #3526908 Fix issues with ConfigEntityValidationTestBase
• fix: #3557014 PageDisplayVariant does not transmit cache metadata
• task: #3556936 Outdated todo in EarlyRenderingControllerWrapperSubscriber
• fix: #3061838 Email element does not have default #ajax event
• task: #3557840 Remove @legacy-covers in cases where the test method name starts with the covered method
• task: #3562214 Upgrade glob because of CVE-2025-64756
• fix: #3565703 block_content post update fails if views module is disabled
• fix: #3566261 [regression] custom field twig for second comment fields has null value in comment after 11.3.0 upgrade
• fix: #3565937 Workaround PHP bug with fibers and __get()
• fix: #3387013 Check LinkItemInterface::isEmpty() before validating
• task: #2620330 Move ContainerDerivativeDiscoveryDecoratorTest::testGetDefinitions() to DerivativeDiscoveryDecoratorTest
• task: #2436209 Test ContentEntityBase constructor called with multilanguage values
• task: #3308418 Improve more error messages on unrouted URLs
• fix: #3552531 Unsupported operand types: array + null when calling field_formatter_third_party_settings_form hook
• fix: #3152281 Extra field blocks render even when empty
  Back to dev.

Release type

• Bug fixes

Original source Report a problem

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

All changes since 10.6.1

task: #3565943 [backport] [security hardening] Update composer to 2.9.3
task: #3557585 [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9.2
fix: #3565218 [random test failure] ResponsiveImageFieldUiTest::testResponsiveImageFormatterUi()
fix: #3551373 [random test failure] ManageDisplayTest testFormatterUI() and testWidgetUI()

Back to dev.

Release type

Bug fixes

Original source Report a problem

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 11.3.x will receive security coverage until December 2026.

All changes since 11.3.1

• performance: #3566156 APCu FileCache can consume a ton of memory due to caching procedural hook data since Drupal 11.1
• feat: #3563812 Top bar CSS does not set text colour
• task: #3565943 [security hardening] Update composer to 2.9.3
• fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm
• Revert "fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm"
• perf: #3559030 Installing from existing config causes massive cache.config population and slow installs
• fix: #3516264 CKEditor 5 loads all plugin translations on AJAX operations
• fix: #3542774 The “reduce motion” setting in the operating system should be respected
• fix: #3564548 update_post_update_fix_update_emails() can fail on invalid config
• fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm
• fix: #3565218 [random test failure] ResponsiveImageFieldUiTest::testResponsiveImageFormatterUi()
• fix: #3564926 Fix the documentation for SystemAdminMenuBlockAccessCheck::access() first parameter
• fix: #3560690 Functional update tests consistently fail on mysqli
• task: #3562159 Make it easier to run test-only job against different PHP / DB combinations
• fix: #3562676 Fix type hints with wrong case in @param and @return annotations
• fix: #3553342 Race condition in LocalTaskManager::getLocalTasks() with fibers
• fix: #3555152 Move skip_procedural_hook_scan cleanup to HookCollectorKeyValueWritePass
• fix: #3551373 [random test failure] ManageDisplayTest testFormatterUI() and testWidgetUI()
• fix: #3557585 Update to Composer 2.9.2

Back to dev.

Release type

Bug fixes

Original source Report a problem

Important update information

This update fixes two critical bugs in the Comment and History modules that were present in Drupal 11.3.0.
There are no other changes. For all other information about Drupal 11.3, see the Drupal 11.3.0 release notes.

All changes since Drupal 11.3.0

• fix: #3562753 History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled
• fix: #3563876 TypeError: trigger_error(): Argument #2 () must be of type int, string given in trigger_error()

Release type

• Bug fixes

Read the Drupal 11.3.0 release announcement for improvements and highlights in this release.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.
Drupal 11 will be supported until the release of Drupal 13.

Original source Report a problem

Drupal 10.6.x Maintenance Minor Release Notes

This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.

This maintenance minor provides the best forward-compatibility with Drupal 11. It includes important dependency updates and API additions. It does not break backward compatibility (BC) for public APIs. This is according to Drupal core's backward compatibility and experimental module policies.

Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.

Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

Sites on 10.6 upgrading to Drupal 11 must upgrade to 11.3.0 or higher.

Important update information

This update adds an additional dependency on doctrine/lexer that was accidentally missed from Drupal 10.6.0.
There are no other changes. For all other information about Drupal 10.6, see the Drupal 10.6.0 release notes.

All changes since Drupal 10.6.0

• feat: #3563642 Drupal 10.6 incompatible with doctrine/lexer 3

Release type

• Bug fixes

Original source Report a problem

This is a a feature minor release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal and the Drupal core release cycle.
Read the Drupal 11.3.0 release announcement for improvements and highlights in this release.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.
Drupal 11 will be supported until the release of Drupal 13.

Important update information

Permission changes

• A new permission "Administer node published status" allows content editors to change the publication status of all content types without being able to edit the content.
• A new permission "Rebuild node access permissions" restricts who can rebuild the node access grants, as this can be a long and disruptive process.
• Neither of these permissions will be granted by default (except to administrators who have all permissions) but you may wish to review your permission setup if these features are relevant to your site.

Navigation is now stable

• The Navigation module is now stable and safe for use on production sites. Navigation provides a collapsible, vertical sidebar for Drupal's administrative user interface. It is a significant improvement for Drupal's administrative user experience.
• Navigation will replace Drupal's existing Toolbar in the Standard profile in a future release, but there are known major and critical bugs that must be resolved first, including known accessibility issues:
  • #3541728: Submenu opened with hover does not close by Escape key when another menu item has focus
  • #3541910: Elements in closed sidebar are focusable
  • #3443571: Mobile version of Navigation should have focus trap
  • #3443830: Navigation layout Drag is not working in some browers
  • #3542774: The “reduce motion” setting in the operating system should be respected

Platform requirements changes

• PHP 8.4 is now the recommended PHP version for sites using Drupal 11 versions 11.3 and above. (PHP 8.3 is still the minimum supported version.)
• Support for hosting Drupal directly on Windows in production environments is deprecated. Windows is not a well supported environment, we do not have an automated Windows test environment and there are few developers who can test on Windows. Therefore, sites wanting to use Windows servers in production should plan to use Linux on Windows.
• Support for Windows in development environments will continue.

API and behavior changes

• The Promoted to frontpage checkbox on the Node Type form now defaults to unchecked. This change affects new content types only.
• Themes now support OOP hooks. Themes that use includes from within their .theme file may need to update in some cases.

Deprecated modules

• The Ban core module is deprecated in Drupal 11.3.0 and will be moved to contributed projects in Drupal 12.
• Additional modules may be deprecated prior to Drupal 12.

PHP dependency changes

• The doctrine/annotations package is marked abandoned upstream. Parts of the code have been forked into Drupal core. This change only affects custom code that was handling PHP annotations; for more information, see the change record.
• Symfony components have been updated to Symfony v7.4.0.
• Many dependencies have also received minor- and patch-level updates to the latest versions.

Frontend (CSS and JavaScript) production dependency changes

• CKEditor has been updated to CKEditor v47.3.0.
• Many dependencies have also received minor- and patch-level updates to the latest versions.

Development dependencies

• Framework support for testing with PHPUnit 10 is removed. Both core and contrib can now only run tests with PHPUnit 11.
• Test classes using annotation metadata still work under PHPUnit 11, but throw PHPUnit deprecations that lead to CI job failures if appropriately set up. It is strongly recommended to convert annotations to attributes as described in Tests with PHPUnit 10 attributes are now supported.
• Many dependencies have received minor- and patch-level updates to the latest versions.

Known issues

• #3562753: History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled
• #3560487: Gin Top Bar styling is fully gone in 11.3.x
  (affects the contributed Gin theme)
• Search the issue queue for known issues.

All changes since Drupal 11.3.0-rc2

• fix: #3446368 SymfonyMailer RfcComplianceException when sending to multiple comma-separated addresses
• fix: #3558939 options_config_install_test has unnecessary Body field
• fix: #3559059 Add UserAuthenticationInterface alias to user.auth service
• docs: #3496417 Fix PHPStan missingType.generics for FieldItemListInterface not specifying its type
• task: #3549727 Fix LongLineDeclaration in module Controller, Hook and Database directories

Release type

• Bug fixes
• New features

Original source Report a problem

This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.
This maintenance minor provides the best forward-compatibility with Drupal 11. It includes important dependency updates and API additions. It does not break backward compatibility (BC) for public APIs. This is according to Drupal core's backward compatibility and experimental module policies.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.
Sites on 10.6 upgrading to Drupal 11 must upgrade to 11.3.0 or higher.

Important update information

Platform requirements changes

PHP 8.4 is now the recommended PHP version for sites using Drupal 10 versions 10.6 and above. (PHP 8.1 is still the minimum supported version.)

PHP dependency changes

The doctrine/annotations package is marked abandoned upstream. Parts of the code have been forked into Drupal core. This change only affects custom code that was handling PHP annotations; for more information, see the change record.
Many dependencies have also received minor- and patch-level updates to the latest versions.

Frontend (CSS and JavaScript) production dependency changes

CKEditor has been updated to https://github.com/ckeditor/ckeditor5/releases/tag/v47.3.0">CKEditor v47.3.0.
Many dependencies have received minor- and patch-level updates to the latest versions.

Known issues

Search the issue queue for known issues.

All changes since Drupal 10.6.0-rc1

docs: #3555621 Wrong type for \Drupal\Tests\UiHelperTrait::$loggedInUser

Release type:

• Bug fixes

Original source Report a problem

This is a release candidate for the next minor version (feature release) of Drupal 11

Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.

This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.

Drupal 11 will be supported until the release of Drupal 13.

Important update information

Navigation is now stable

The Navigation module is now stable and safe for use on production sites. Navigation provides a collapsible, vertical sidebar for Drupal's administrative user interface. It is a significant improvement for Drupal's administrative user experience.

Navigation will replace Drupal's existing Toolbar in the Standard profile in a future release, but there are known major and critical bugs that must be resolved first, including known accessibility issues:

• #3541728: Submenu opened with hover does not close by Escape key when another menu item has focus
• #3541910: Elements in closed sidebar are focusable
• #3443571: Mobile version of Navigation should have focus trap
• #3443830: Navigation layout Drag is not working in some browers
• #3542774: The “reduce motion” setting in the operating system should be respected

Full list of known accessibility issues: #3391723: [PLAN] Accessibility review for new Navigation bar

PHP dependency changes

Symfony components have been updated to Symfony v7.4.0.

Frontend (CSS and JavaScript) production dependency changes

CKEditor has been updated to CKEditor v47.3.0.

Known issues

• #3562753: History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled

Search the issue queue for known issues.

All changes since Drupal 11.3.0-rc1

• fix: #3274635 [upstream] Use CKEditor 5's native <ol type> and <ul type> UX
• revert: #3365985 Promote justinrainbow/json-schema from dev-dependency to full dependency
• task: #3502752 Deprecate migrate destination plugins needed only for site upgrades
• fix: #2550977 FileItem::generateSampleValue() should generate files with the actual allowed extensions
• fix: #3562009 Off canvas on the right is now always full-width
• fix: #3127026 Not possible to override an entity type class multiple times
• task: #3549630 Fix LongLineDeclaration in several core/tests/Drupal directories
• fix: #3562319 [regression] The installer does not properly load the theme
• task: #3549629 Fix LongLineDeclaration in Tests/Component
• task: #3551596 Add return types to core/tests code via Rector - round 1
• fix: #3560833 Create better way to manage theme setting alters
• ci: #3559601 [CI] Group DB jobs differently to improve UI
• fix: #3555974 HttpExceptionNormalizer sets cache-max to 0 unnecessarily sometimes
• docs: #3554909 Narrowed typing regression for plugins
• docs: #3555621 Wrong type for \Drupal\Tests\UiHelperTrait::$loggedInUser
• docs: #3549662 Fix LongLineDeclaration in module Form directories

Back to dev.

Release type:

• Bug fixes
• New features

Original source Report a problem

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 11.2.x will receive security coverage until June 2026.

Important update information

Symfony packages were previously updated in Drupal 11.2.8 as a security hardening for CVE-2025-64500, but Drupal 11.2.9 accidentally downgraded these packages. This release again updates the packages. No other changes are included.

While Drupal does not expose the above vulnerability, it is still recommended that sites using Drupal 11.2.9 either update to 11.2.10 or ensure symfony/http-foundation is on at least version 7.3.7.

Release type

• Bug fixes

Original source Report a problem