Drupal Release Notes

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 11.3.x will receive security coverage until December 2026.

All changes since 11.3.1

• performance: #3566156 APCu FileCache can consume a ton of memory due to caching procedural hook data since Drupal 11.1
• feat: #3563812 Top bar CSS does not set text colour
• task: #3565943 [security hardening] Update composer to 2.9.3
• fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm
• Revert "fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm"
• perf: #3559030 Installing from existing config causes massive cache.config population and slow installs
• fix: #3516264 CKEditor 5 loads all plugin translations on AJAX operations
• fix: #3542774 The “reduce motion” setting in the operating system should be respected
• fix: #3564548 update_post_update_fix_update_emails() can fail on invalid config
• fix: #2339921 Undefined variable: groups in \Drupal\views\Plugin\views\filter\FilterPluginBase::groupForm
• fix: #3565218 [random test failure] ResponsiveImageFieldUiTest::testResponsiveImageFormatterUi()
• fix: #3564926 Fix the documentation for SystemAdminMenuBlockAccessCheck::access() first parameter
• fix: #3560690 Functional update tests consistently fail on mysqli
• task: #3562159 Make it easier to run test-only job against different PHP / DB combinations
• fix: #3562676 Fix type hints with wrong case in @param and @return annotations
• fix: #3553342 Race condition in LocalTaskManager::getLocalTasks() with fibers
• fix: #3555152 Move skip_procedural_hook_scan cleanup to HookCollectorKeyValueWritePass
• fix: #3551373 [random test failure] ManageDisplayTest testFormatterUI() and testWidgetUI()
• fix: #3557585 Update to Composer 2.9.2

Back to dev.

Release type

Bug fixes

Original source Report a problem

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

All changes since 10.6.1

task: #3565943 [backport] [security hardening] Update composer to 2.9.3
task: #3557585 [backport to 11.2, 10.6, and 10.5] Update to Composer 2.9.2
fix: #3565218 [random test failure] ResponsiveImageFieldUiTest::testResponsiveImageFormatterUi()
fix: #3551373 [random test failure] ManageDisplayTest testFormatterUI() and testWidgetUI()

Back to dev.

Release type

Bug fixes

Original source Report a problem

Important update information

This update fixes two critical bugs in the Comment and History modules that were present in Drupal 11.3.0.
There are no other changes. For all other information about Drupal 11.3, see the Drupal 11.3.0 release notes.

All changes since Drupal 11.3.0

• fix: #3562753 History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled
• fix: #3563876 TypeError: trigger_error(): Argument #2 () must be of type int, string given in trigger_error()

Release type

• Bug fixes

Read the Drupal 11.3.0 release announcement for improvements and highlights in this release.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.
Drupal 11 will be supported until the release of Drupal 13.

Original source Report a problem

Drupal 10.6.x Maintenance Minor Release Notes

This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.

This maintenance minor provides the best forward-compatibility with Drupal 11. It includes important dependency updates and API additions. It does not break backward compatibility (BC) for public APIs. This is according to Drupal core's backward compatibility and experimental module policies.

Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.

Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.

Sites on 10.6 upgrading to Drupal 11 must upgrade to 11.3.0 or higher.

Important update information

This update adds an additional dependency on doctrine/lexer that was accidentally missed from Drupal 10.6.0.
There are no other changes. For all other information about Drupal 10.6, see the Drupal 10.6.0 release notes.

All changes since Drupal 10.6.0

• feat: #3563642 Drupal 10.6 incompatible with doctrine/lexer 3

Release type

• Bug fixes

Original source Report a problem

This is a a feature minor release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal and the Drupal core release cycle.
Read the Drupal 11.3.0 release announcement for improvements and highlights in this release.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.
Drupal 11 will be supported until the release of Drupal 13.

Important update information

Permission changes

• A new permission "Administer node published status" allows content editors to change the publication status of all content types without being able to edit the content.
• A new permission "Rebuild node access permissions" restricts who can rebuild the node access grants, as this can be a long and disruptive process.
• Neither of these permissions will be granted by default (except to administrators who have all permissions) but you may wish to review your permission setup if these features are relevant to your site.

Navigation is now stable

• The Navigation module is now stable and safe for use on production sites. Navigation provides a collapsible, vertical sidebar for Drupal's administrative user interface. It is a significant improvement for Drupal's administrative user experience.
• Navigation will replace Drupal's existing Toolbar in the Standard profile in a future release, but there are known major and critical bugs that must be resolved first, including known accessibility issues:
  • #3541728: Submenu opened with hover does not close by Escape key when another menu item has focus
  • #3541910: Elements in closed sidebar are focusable
  • #3443571: Mobile version of Navigation should have focus trap
  • #3443830: Navigation layout Drag is not working in some browers
  • #3542774: The “reduce motion” setting in the operating system should be respected

Platform requirements changes

• PHP 8.4 is now the recommended PHP version for sites using Drupal 11 versions 11.3 and above. (PHP 8.3 is still the minimum supported version.)
• Support for hosting Drupal directly on Windows in production environments is deprecated. Windows is not a well supported environment, we do not have an automated Windows test environment and there are few developers who can test on Windows. Therefore, sites wanting to use Windows servers in production should plan to use Linux on Windows.
• Support for Windows in development environments will continue.

API and behavior changes

• The Promoted to frontpage checkbox on the Node Type form now defaults to unchecked. This change affects new content types only.
• Themes now support OOP hooks. Themes that use includes from within their .theme file may need to update in some cases.

Deprecated modules

• The Ban core module is deprecated in Drupal 11.3.0 and will be moved to contributed projects in Drupal 12.
• Additional modules may be deprecated prior to Drupal 12.

PHP dependency changes

• The doctrine/annotations package is marked abandoned upstream. Parts of the code have been forked into Drupal core. This change only affects custom code that was handling PHP annotations; for more information, see the change record.
• Symfony components have been updated to Symfony v7.4.0.
• Many dependencies have also received minor- and patch-level updates to the latest versions.

Frontend (CSS and JavaScript) production dependency changes

• CKEditor has been updated to CKEditor v47.3.0.
• Many dependencies have also received minor- and patch-level updates to the latest versions.

Development dependencies

• Framework support for testing with PHPUnit 10 is removed. Both core and contrib can now only run tests with PHPUnit 11.
• Test classes using annotation metadata still work under PHPUnit 11, but throw PHPUnit deprecations that lead to CI job failures if appropriately set up. It is strongly recommended to convert annotations to attributes as described in Tests with PHPUnit 10 attributes are now supported.
• Many dependencies have received minor- and patch-level updates to the latest versions.

Known issues

• #3562753: History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled
• #3560487: Gin Top Bar styling is fully gone in 11.3.x
  (affects the contributed Gin theme)
• Search the issue queue for known issues.

All changes since Drupal 11.3.0-rc2

• fix: #3446368 SymfonyMailer RfcComplianceException when sending to multiple comma-separated addresses
• fix: #3558939 options_config_install_test has unnecessary Body field
• fix: #3559059 Add UserAuthenticationInterface alias to user.auth service
• docs: #3496417 Fix PHPStan missingType.generics for FieldItemListInterface not specifying its type
• task: #3549727 Fix LongLineDeclaration in module Controller, Hook and Database directories

Release type

• Bug fixes
• New features

Original source Report a problem

This is a maintenance minor release of Drupal 10 and is ready for use on production sites. Maintenance minors are recommended for sites that prefer the minimum changes between releases. Learn more about the Drupal core release cycle.
This maintenance minor provides the best forward-compatibility with Drupal 11. It includes important dependency updates and API additions. It does not break backward compatibility (BC) for public APIs. This is according to Drupal core's backward compatibility and experimental module policies.
Drupal 10.6.x will receive security support until December 2026. Drupal 10.5.x will continue to receive security support until June 2026.
Drupal 10.4.x security support has ended. Sites on any Drupal version prior to 10.5.x should upgrade to a supported release as soon as possible.
Sites on 10.6 upgrading to Drupal 11 must upgrade to 11.3.0 or higher.

Important update information

Platform requirements changes

PHP 8.4 is now the recommended PHP version for sites using Drupal 10 versions 10.6 and above. (PHP 8.1 is still the minimum supported version.)

PHP dependency changes

The doctrine/annotations package is marked abandoned upstream. Parts of the code have been forked into Drupal core. This change only affects custom code that was handling PHP annotations; for more information, see the change record.
Many dependencies have also received minor- and patch-level updates to the latest versions.

Frontend (CSS and JavaScript) production dependency changes

CKEditor has been updated to https://github.com/ckeditor/ckeditor5/releases/tag/v47.3.0">CKEditor v47.3.0.
Many dependencies have received minor- and patch-level updates to the latest versions.

Known issues

Search the issue queue for known issues.

All changes since Drupal 10.6.0-rc1

docs: #3555621 Wrong type for \Drupal\Tests\UiHelperTrait::$loggedInUser

Release type:

• Bug fixes

Original source Report a problem

This is a release candidate for the next minor version (feature release) of Drupal 11

Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.

This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 11.3.x will receive security support until December 2026. Drupal 11.2.x will continue to receive security support until June 2026.

Drupal 11 will be supported until the release of Drupal 13.

Important update information

Navigation is now stable

The Navigation module is now stable and safe for use on production sites. Navigation provides a collapsible, vertical sidebar for Drupal's administrative user interface. It is a significant improvement for Drupal's administrative user experience.

Navigation will replace Drupal's existing Toolbar in the Standard profile in a future release, but there are known major and critical bugs that must be resolved first, including known accessibility issues:

• #3541728: Submenu opened with hover does not close by Escape key when another menu item has focus
• #3541910: Elements in closed sidebar are focusable
• #3443571: Mobile version of Navigation should have focus trap
• #3443830: Navigation layout Drag is not working in some browers
• #3542774: The “reduce motion” setting in the operating system should be respected

Full list of known accessibility issues: #3391723: [PLAN] Accessibility review for new Navigation bar

PHP dependency changes

Symfony components have been updated to Symfony v7.4.0.

Frontend (CSS and JavaScript) production dependency changes

CKEditor has been updated to CKEditor v47.3.0.

Known issues

• #3562753: History module triggers ServiceNotFoundException for comment.manager when Comment module is not enabled

Search the issue queue for known issues.

All changes since Drupal 11.3.0-rc1

• fix: #3274635 [upstream] Use CKEditor 5's native <ol type> and <ul type> UX
• revert: #3365985 Promote justinrainbow/json-schema from dev-dependency to full dependency
• task: #3502752 Deprecate migrate destination plugins needed only for site upgrades
• fix: #2550977 FileItem::generateSampleValue() should generate files with the actual allowed extensions
• fix: #3562009 Off canvas on the right is now always full-width
• fix: #3127026 Not possible to override an entity type class multiple times
• task: #3549630 Fix LongLineDeclaration in several core/tests/Drupal directories
• fix: #3562319 [regression] The installer does not properly load the theme
• task: #3549629 Fix LongLineDeclaration in Tests/Component
• task: #3551596 Add return types to core/tests code via Rector - round 1
• fix: #3560833 Create better way to manage theme setting alters
• ci: #3559601 [CI] Group DB jobs differently to improve UI
• fix: #3555974 HttpExceptionNormalizer sets cache-max to 0 unnecessarily sometimes
• docs: #3554909 Narrowed typing regression for plugins
• docs: #3555621 Wrong type for \Drupal\Tests\UiHelperTrait::$loggedInUser
• docs: #3549662 Fix LongLineDeclaration in module Form directories

Back to dev.

Release type:

• Bug fixes
• New features

Original source Report a problem

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 11.2.x will receive security coverage until June 2026.

Important update information

Symfony packages were previously updated in Drupal 11.2.8 as a security hardening for CVE-2025-64500, but Drupal 11.2.9 accidentally downgraded these packages. This release again updates the packages. No other changes are included.

While Drupal does not expose the above vulnerability, it is still recommended that sites using Drupal 11.2.9 either update to 11.2.10 or ensure symfony/http-foundation is on at least version 7.3.7.

Release type

• Bug fixes

Original source Report a problem

This is a patch (bugfix) release of Drupal 10 and is ready for use on production sites. Learn more about the latest version of Drupal.

Drupal 10.5.x will receive security support until June 2026. Drupal 10.4.x will continue to receive security support until December 2025.

Drupal 10.3.x security support has ended. Sites on any Drupal version prior to 10.4.x should upgrade to a supported release as soon as possible.

Important update information

Symfony packages were previously updated in Drupal 10.5.6 as a security hardening for CVE-2025-64500, but Drupal 10.5.7 accidentally downgraded these packages. This release again updates the packages. No other changes are included.

While Drupal does not expose the above vulnerability, it is still recommended that sites using Drupal 10.5.7 either update to 10.5.8 or ensure that the symfony/http-foundation package is on at least version 6.4.29.

Release type:

• Bug fixes

Original source Report a problem

Release notes

This is a patch (bugfix) release of Drupal 11 and is ready for use on production sites. Learn more about the latest version of Drupal.
Drupal 11.2.x will receive security coverage until June 2026.

All changes since 11.2.8

• docs: #3517609 Remove broken link in MenuTreeStorageInterface
• task: #3559318 Exclude htmx from aggregation
• task: #3536191 Remove RainbowArray as maintainer for Breakpoint and Responsive Image
• fix: #3524163 [regression] Empty slot definitions give incorrect validation message
• fix: #3424200 Media overwrites validation constraints
• fix: #3553671 BrowserTestBase::initMink crashes if not using DrupalTestBrowser
• fix: #3546894 HandlerBase::breakString doesn't handle tokens, leading to type mismatches in calling code
• fix: #3506870 Tabledrag misalignment and "Show row weights" link
• fix: #3552521 Fatal error caused by install_check_class_requirements
• fix: #3539508 form-data: Usage of unsafe random function
• Revert "fix: #3543036 Cannot enable both views_test_entity_reference and entity_reference_test in testing"
• fix: #3543036 Cannot enable both views_test_entity_reference and entity_reference_test in testing
• Issue #3536748 by griffynh, thejimbirch: Remove smaz as maintainer for Umami demo subsystem

Release type

• Bug fixes

Original source Report a problem