This is last release of Drupal 8.x.
8.9.20 (2021-11-17)
This release fixes security vulnerabilities. Sites are urged to update
immediately after reading the notes below and the security announcement:
Drupal core - Critical - Third-party library - SA-CORE-2021-011
No other fixes are included.
8.9.17 (2021-07-21)
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Critical - Third-party library - SA-CORE-2021-004
No other fixes are included.
8.9.18 (2021-08-12)
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Critical - Third-party library - SA-CORE-2021-005
No other fixes are included.
8.9.16 (2021-05-26)
Maintenance and security release of the Drupal 8 series.
This release fixes a security vulnerability. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Cross Site Scripting -
SA-CORE-2021-003 No other fixes are included.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive
security coverage.
8.9.15 (2021-05-05)
This is a patch (bugfix) release of Drupal 8 and is ready for use on
production sites. Learn more about Drupal 8.
Drupal 8.9 is the final minor release of the 8.x series. It is a long-term
support (LTS) version, and will receive security coverage until November
2021. It provides the same public API as Drupal 9.0 aside from deprecated
code and dependency changes. (Learn more about Drupal 9.) Note that
features will only be added to Drupal 9 minor releases, so plan to adopt
Drupal 9 as soon as possible so that you can easily update to Drupal 9.2 and
later.
If you are upgrading to this release from 8.8.x, read the Drupal 8.9.0
release notes before you upgrade.
Known issues
Search the issue queue for known issues.
Important changes
The default glossary view did not previously include a filter to exclude
unpublished content. This view now includes such a filter by default, and
an update function is provided with this release to add a status filter to
the view on existing installations which do not have it.
Dependency updates
The composer/composer development dependency has been updated from 1.10.6 to
1.10.22.
Archive_Tar has been updated to 1.4.13 for security hardening.
Drupal core's development dependency on the Nightwatch npm package has been
increased from 1.2.1 to 1.6.3 and all locked versions of dependencies have
been updated to address security issues in these dependencies.
The minimum version of node.js for 8.9.x development has been increased to
version 10.
Underscore.js has been updated to 1.13.1
8.9.14 (2021-04-21)
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
Update durpal8 to latest 8.x release, 8.9.1.
pkgsrc change: update PHP support to 7.3.x and 7.4.x.
Changes from 8.7.14 are too many to write here.
Please refer <https://www.drupal.org/project/drupal/releases/> for
each release.
Update drupal8 to 8.7.14.
8.7.14 (2020-05-20) -- Security update
View usage statistics for this release
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Third-party library - SA-CORE-2020-002
No other fixes are included.
Update drupal8 to 8.7.12.
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
No other fixes are included.
Which release do I choose? Security coverage information
* Sites on 8.7.x will receive security coverage until June 3, 2020 (when
Drupal 8.9.0 is scheduled for release).
* Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive
security coverage.
Important update information
No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary if your site is already on the previous
release.
Update durpal8 to 8.7.11, security release.
8.7.11 (2019-12-18)
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement.
Symfony http-foundation has been updated to version 3.4.35 in this
release. This includes an upstream security release which does not
impact Drupal core.
Core versioning support in *.info.yml files since 8.7.7
Drupal 8.7.7 introduces a new core_version_requirement key to
*.info.yml files, allowing contributed modules to specify specific
versions for Drupal core compatiblity, as well as to indicate that
they are compatible with both Drupal 8 and the forthcoming Drupal
9 release. See the change record for more details. Important
accessibility fix to the Toolbar
This releases resolves a significant accessibility bug which
prevented toolbar links from working with some screen readers.
Websites which need to support administrators who use assistive
technology are strongly recommended to upgrade. If in doubt, assume
this is the case, particularly in larger organizations. Discussing
the issue with staff from IT user-support, disabled employee support,
and human resources teams is advisable. Internal change to entity
and field definition update events
It is now possible to install a new field storage definition during
a fieldable entity type update. Event subscribers for entity type
and field definition update events will now be passed the updated
definitions rather than the outdated ones. Code relying on this
buggy behavior may need adjustment.
Core versioning support in *.info.yml files since 8.7.7
Drupal 8.7.7 introduces a new core_version_requirement key to
*.info.yml files, allowing contributed modules to specify specific
versions for Drupal core compatiblity, as well as to indicate that they
are compatible with both Drupal 8 and the forthcoming Drupal 9 release.
See the change record for more details.
Dependency updates
* Several JavaScript dependencies have been updated to resolve
publicly disclosed security issues:
+ nightwatch has been updated to version 1.2.1
+ chromedriver has been updated to version 75.1.0
+ stylelint-no-browser-hacks has been updated to 1.2.1
* Due to a compatibility issue between zend-diactoros 1.8.5 and
psr-http-message-bridge versions prior to 1.1.2, Drupal core's
composer.json has increased the minimum requirement for
psr-http-message-bridge from 1.0 to 1.1.2. This should not affect
sites using the tarball packaged by Drupal.org (which already
supplied version 1.1.2 of the component in Drupal 8.7.7), but may
lead to a dependency update for certain sites maintained with
Composer.
Full release notes available at:
https://www.drupal.org/project/drupal/releases/8.7.8
The update to 8.6.17 wasn't enough to make the annoying messages go away.
PHP 5 support, automatic entity updates, and Internet Explorer 9 workarounds
have been removed
* PHP 5.5 and 5.6 will no longer be supported as of Drupal 8.7.0.
As of December 2018, PHP 5.6 no longer receives security support
from the maintainers of PHP. Anyone running Drupal 8 on PHP 5.5 or
5.6 should upgrade their PHP version to at least 7.1. PHP 7.2 is
now recommended. Read more in the change record for the PHP
requirement update.
* Starting with 8.7.0, Drupal core no longer provides support for
automatic entity updates as these have resulted in conflicts with
regular database updates and data integrity issues. Whenever an
entity type or field storage definition needs to be created,
changed or deleted, it has to be done with an explicit update
function as provided by the Update API, and using the API provided
by the entity definition update manager. (Note that using the API
has always been the recommended way for developers to trigger
entity updates.) drush entup is also no longer supported by Drupal
core. These three change records provide further details:
1. Support for automatic entity updates has been removed
2. Kernel tests have to install entity type schemas for all the
entity types they are testing, and before installing any other
configuration
3. New helper method available to set up the "current_user"
service in kernel tests
* Workarounds for the stylesheet limit in Internet Explorer 9 (IE9)
and earlier have been removed. Drupal dropped support for Internet
Explorer 9 and 10 in 8.4.0, but Drupal 8.5 and 8.6 retained a
workaround to allow 32 or more stylesheets to be included. This
workaround has been removed in 8.7. Sites still requiring Internet
Explorer 9 support for the work around of IE's limit of 31 style
sheets per page, should enable CSS aggregation (preferred) or
install the IE9 Compatibility contributed module.
Extensive release notes here:
- https://www.drupal.org/project/drupal/releases/8.7.0
- https://www.drupal.org/project/drupal/releases/8.7.7
This bugfix release is intended to resolve issues that might interfere
with future security release upgrades. Symfony 3.4.25 reverted a
previous change which affected Drupal's lazy session handling. This
release updates Symfony to 3.4.25 and reverts a previous workaround for
the regression.
* Drupal core - Cross-Site Scripting- SA-CORE-2019-004
Under certain circumstances the File module/subsystem allows a
malicious user to upload a file that can trigger a cross-site
scripting (XSS) vulnerability.
Upstream changes:
8.6.12
The third-party Twig library, which powers Drupal 8's theme system, recently released new versions (Twig 1.38.0 and 1.38.1) that introduced a fatal error for Drupal 8 sites using Composer. Drupal 8.6.11 was released yesterday with an update to Twig 1.38.2 in order to resolve that error. However, this update also led to a different regression for certain Drupal 8 themes that use Twig {% embed %} tags. This release hotfixes Drupal 8 to resolve that regression. No other changes are included.
8.6.11
This release resolves two critical issues affecting Drupal 8 site updates:
The third-party Twig library, which powers Drupal 8's theme system, recently released a new minor version (1.38.0) that introduced a fatal error when used with Drupal 8. As a result, Drupal 8 sites managed with Composer encountered this fatal error when updating Twig to version 1.38.0 or 1.38.1. This release updates Drupal to require Twig 1.38.2, which resolves the fatal error.
The recent releases for SA-CORE-2019-003 introduced a serialized data integrity issue affecting some contributed and custom modules, including the Default Content and Paragraphs modules. This release resolves the issue for affected sites.
Additionally, this release resolves an administrator-only access bypass with the Layout Builder module. Previously, users who didn't have access to view individual entities were still granted access to configure the layout for that entity (if per-entity layout configuration was enabled) and therefore could view its content. This implicit access has been removed. Site owners should ensure that all content editor roles have access to view the content for which they are configuring the layout.
Drupal 8.6.10 (2019-02-20)
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement and notes below:
* Drupal core - Remote code execution - SA-CORE-2019-003
Sites on 8.5.x or earlier should update immediately to Drupal 8.5.11 instead,
and plan to update to the latest 8.6.x release before May 2019 (when 8.7.0 is
released and 8.5.x security coverage ends).
Important update information
For site owners
* In addition to the above fix, this release includes the fix for #3031740:
Updating to 8.6.8 or 8.6.9 with Drush 8 causes data loss via
update_fix_compatibility() to prevent Drush 8 issues for sites updating
directly from an earlier security release.
* update.php must be run after updating to ensure changes from the patch take
effect.
* No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary if your site is already on the previous
release.
For module developers
Some contributed module tests may need to be updated if they extend core's
test suite, due to a minor API change in a test base class.
Remove the patch that included in upstream
Upstream changes:
8.6.7:
This is a hotfix release for a regression affecting some Drush installations that was introduced by the fix for SA-CORE-2019-002. No other fixes are included.
8.6.8:
Changes since 8.6.7
#2975539 by mondrake, alexpott, marcoscano, desierto: Changing machine name of image style leads to WSOD when loading widgets that used the old name
#2859315 by quietone, heddn, jhodgdon: SQL error from profile_fields when migrating d6 (or d7) to d8 without Profile module
#2443165 by davidwbarratt, amateescu, HOG, kostyashupenko, yched, Berdir, andypost, alexpott, tstoeckler, xjm: Drupal\Core\Entity\EntityInterface\ContentEntityStorageBase::doCreate() assumes that the bundle is a string
#2849074 by decafdennis, alexpott, zuuperman, AdamPS, sagesolutions, tucho, xjm: SiteConfigureForm overrides value from install profile
#3007716 by Sam152, kevin.dutra, jhedstrom, larowlan: Security update introduces breaking changes to content moderation
#2215857 by michielnugter, Lendude, gmercer, tim.plunkett, cferthorney, marabak, olli, ericmulder1980, TwoD, sanduhrs, stella, dww, nod_: Behaviors get attached to removed forms
#3017812 by ibustos, joachim: Language selector is immune to hook_entity_field_access in entity forms
#2900883 by larskhansen, GaëlG, kalyansamanta, Chi, tim.plunkett, Gábor Hojtsy, joachim: Wrong documentation of Drupal\Component\Plugin\Derivative\DeriverInterface::getDerivativeDefinitions()
#3027595 by amateescu, pmelab: Incorrect blacklist condition in WorkspaceManager
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, lauriii, catch, cilefen, Cottser: [regression] Table Drag handles no longer respond to up/down arrow keys
Revert "Issue #2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys"
#2725259 by sardara, andrewmacpherson, claudiu.cristea, tedbow, alwaysworking, droplet, techmsi, kwoxer, xjm, alexpott, @catch, @cilefen, @Cottser, @lauriii: [regression] Table Drag handles no longer respond to up/down arrow keys
#2937073 by tim.plunkett, Saviktor, tedbow: Improve robustness of FieldBlockTest
#2973713 by quietone, Adita, etecjdo, apmsooner, mikeryan, gnuschichten, tstoeckler: cache_key source plugin configuration not documented
#2949555 by quietone, ankitjain28may: Correct the documentation on method UserMigrationClassTest
#3025685 by quietone: Add error msg to assertions in MigrateSourceTestBase
#3026840 by izus: Fix plural typo in workspaces field
#3024452 by kfritsche, hchonov, alexpott: DatabaseStorageExpirable:setWithExpireIfNotExists is not respecting expired
#2999908 by penyaskito: View more link in recipe cards is not fully translated
#3028819 by alwaysworking: Update username
#2916021 by d.olaresko, wengerk, Chi, xjm, dawehner, idebr: Update "Running tests" section in core.api.php
#2953995 by kjay, starshaped, rachel_norfolk, Vidushi Mehta, cferthorney, HAL 9000, Eli-T, markconroy, steveparks: Update the Umami Vegan Chocolate Brownie recipe
#3028608 by danharper, Eli-T, markconroy, Not Real: Umami - favicon
#2940027 by jmsosso: Add change record to @deprecated for AccountInterface
#2995150 by msankhala, tim.plunkett: Command examples in core/tests/README.md are confusing and not executable
#3024184 by seanB, andrewmacpherson, Kristen Pol: Make the tabbing order match the visual reading order in MediaLibraryWidget
#2668416 by Krzysztof Domański, wheatpenny, Lendude, alexpott: Wrong assert in NodeTitleTest
#2981870 by Lendude, alexpott: Duplicate BrokenSetUpTest for BrowserTestBase
#2809513 by Lendude, brentgees: Convert AJAX part of \Drupal\responsive_image\Tests\ResponsiveImageFieldUiTest to JavascriptTestBase and the rest to BrowserTestBase
#3027574 by tuutti: SqlContentEntityStorage no longer update entities with certain (id) fields
#3026043 by Berdir: ConfigEntityBase::__sleep() serializes plugin instances if they were not previously initialized
#3021395 by quietone, alexpott: MigrateDrupalTestBase::migrateContent(['translations') does not migrate translations
Revert "Issue #3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()"
#2987418 by quietone, Kristen Pol: Rename MigrateUpgrade tests
#3003238 by Sam152, amateescu, Berdir: EntityStorageException: Default revision can not be deleted in content_moderation_entity_revision_delete()
#3026470 by alexpott, jrockowitz, Joseph Zhao: ArchiveTar is throwing fatal error
Merged 8.6.7.
Merged 8.6.6.
#3015992 by Krzysztof Domański, alexpott, larowlan: Not affecting spacing in PhpTransliterationTest
#2998769 by kiamlaluno, quietone, kkalaskar: @see directive used in the wrong place outputs the wrong HTML markup
#3000677 by catch, Shane Birley, featherbelly, alexpott, larowlan: Fatal error after upgrade to 8.6x [due to regression in extension system]
#2955457 by pfrenssen, Chewie, unrealauk, alexpott, Pol: ConfigFactory static cache gets polluted with data from config overrides
#3020142 by mglaman, tim.plunkett: Test module no_transitions_css has invalid hook_page_attachments
#3007973 by tim.plunkett, lukasss, xopoc, bnjmnm, stompersly: Layout builder prevents the rendering of extra fields (like Links) on pages not using Layout Builder
#3024259 by Pol, alexpott: [PHP 7.3] Fix EnvironmentTest::providerTestCheckMemoryLimit() notice
#3023747 by mikelutz, heddn: D6 profile migrations assume stubs, which fail
#2978922 by brathbone, philipnorton42, msankhala, hardikpandya, alexpott, siliconmeadow: Improve batch_process() documentation
#2845975 by quietone, Jo Fitzgerald, aleevas, maxocub, Gábor Hojtsy: Migrate Drupal 6 user profile field value option translations
#2701829 by alexpott, andypost, Soul88, Graber, Eduardo Morales, dawehner, pingwin4eg, catch, Berdir, jibran, httang12: Extension objects should not implement \Serializable
#2693727 by mikelutz, sanduhrs, CalebD, ajlib, Lendude, tstoeckler, catch: Limiting options for exposed Language filters causes errors and doesn't work for special languages
8.6.9:
Changes since 8.6.8:
#2215857 followup by gaydamaka, timmillwood, alexpott, lauriii: Regression on Internet Explorer 11
#3031128 by alexpott, TrevorBradley, indigoxela, catch, cilefen, larowlan, jibran: Update from 8.6.7 to 8.6.8 warnings - Drupal\Core\Extension\Extension has no unserializer
Revert "Issue #2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD"
#2924201 by tim.plunkett, tedbow, larowlan, xjm, jibran, Kristen Pol: Resolve random failure in LayoutBuilderTest so that it can be added to HEAD
This is a hotfix release for a regression affecting some Drush installations
that was introduced by the fix for SA-CORE-2019-002. No other fixes are
included.
Drupal\Core\Extension\Exception\UnknownExtensionException: The module standard does not exist. in Drupal\Core\Extension\ExtensionList->get() (line 257 of /usr/pkg/share/drupal/core/lib/Drupal/Core/Extension/ExtensionList.php)
e.g. when trying to put the site in maintenance mode.
Upstream changes:
Changes since 8.6.4
#3023402 by alexpott: \Drupal\Tests\Component\Datetime\DateTimePlusTest fails on latest PHP7.3 build
#3001997 by Krzysztof Domańskii, scott_euser, alexpott: Transliteration a string containing an unknown character (e.g. 0x80) is not valid
#3018942 by welly, alexpott, jibran, Krzysztof Domańskii, floydm: Domain URL language detection - InvalidArgumentException: The user-entered string must begin with a '/', '?', or '#'
#3020902 by Berdir, alexpott: PostgresqlDateSql fails to serialize
Revert "Issue #2986725 by Mile23, devitate, alexpott: doctrine common 2.9 has moved reflection"
#3022183 by wengerk, benjifisher: Fix BlockContentAccessHandlerTest::providerTestAccess wrong coverage by early return
#2984072 by vijaycs85, Lendude, ApacheEx, dawehner: System: Convert ErrorHandlerTest to phpunit
#3019706 by hchonov, alexpott, sheanhoxie, jibran, dawehner: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable
Revert "Issue #3019706 by hchonov, jibran: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable"
#3021204 by maxocub: Remove maxocub from Migrate maintainers
#3019706 by hchonov, jibran: Functional JS Tests are broken if XDEBUG_CONFIG is set as an env variable
#2986725 by Mile23, devitate, alexpott: doctrine common 2.9 has moved reflection
#2939908 by kjay, steveparks, spitzialist, cferthorney, danharper, Eli-T: Add an article to Umami - Dairy-free chocolate
#3007439 by tim.plunkett, Wim Leers, xopoc: Layout builder renders Book navigation block on non-book pages
#2927768 by justinlevi, Lendude, pritish.kumar, Wim Leers, dawehner: Update RestRegisterUserTest to use the ResourceTestBase base class instead of the deprecated RESTTestBase
#3020550 by catch: Passing commands as a string to Process is deprecated in Symfony 4
#3020579 by catch: TypeError: Argument 3 passed to Symfony\Component\HttpKernel\Event\FilterResponseEvent::__construct() must be of the type integer, string given [Symfony 4]
#2618606 by dawehner, rbayliss: Update.php - Reverse proxy settings not used
#2865344 by mpdonadio, Lendude, mbovan, organicwire, alexpott, jibran, jhedstrom, bobemoe, Berdir, larowlan: Exposed date filters 'empty' and 'not empty' are broken
#2974274 by mitrpaka, RumyanaRuseva, joachim: exception message for unrecognized source IDs in lookupDestinationIds() should have more detail
#2809305 by Upchuk, Pavan B S, Jo Fitzgerald, tim.plunkett, Berdir: Block Context assignment form element shows even if no options are available
#3018774 by xjm: hook_post_update_NAME() docs do not explain batching/ parameter
#3018539 by phenaproxima, rodrigoaguilera, alexpott: Media types cannot be created in the UI without JavaScript
#3018764 by Wim Leers: One test case in MediaUiFunctionalTest is not actually tested due to a duplicate key
#2998462 by AndyF, Baysaa, Siavash, tim.plunkett, millionleaves, fatmarker: Error adding Content Type Selection criteria or Context
#3016501 by govind.maloo, andrewmacpherson, markconroy: Writing style - Umami should be capitalised when it is used as a proper noun in English
#2916595 by phenaproxima, AdamPS, Wim Leers: File element discards attributes if #multiple
#2883260 by kiamlaluno, yogeshmpawar, msankhala, benjifisher, alexpott, bdlangton: Replace the schema example with one actually used from a module
#2883553 by govind.maloo, msankhala, seanB, Berdir, xjm, alexpott: Obsolete argument for hasPermission in node_node_access()
#3016011 by mikelutz, quietone, alexpott: Reroll all migrate dump files
#3017753 by mxr576, alexpott: MemoryBackend should validate the passed cids
Many bug fixes including:
- Breadcrumbs disappears when starting with front-page after cache rebuild
- Adding a display mode to a content type using layout, and disabling
layout on that new display mode removes the layout_builder__layout
field and breaks layout in already configured display modes
- Clearing the persistent entity cache every time we switch between
workspaces is super wasteful
For full list, see:
- https://www.drupal.org/project/drupal/releases/8.6.3
- https://www.drupal.org/project/drupal/releases/8.6.4
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal Core - Multiple vulnerabilities - SA-CORE-2018-006
No other fixes are included.
Sites on 8.5.x should update immediately to Drupal 8.5.8 instead, and plan to
update to the latest 8.6.x release before May 2019.
Important update information
Site update and module owners planning to update to this should take note of
the following important changes.
For site owners
* Previously, users who didn't have access to use any Content Moderation
transitions were granted implicit access to update content provided the
state of the content did not change. This access has been removed. Site
owners should ensure that all content editor roles have access to
appropriate transitions for moderated content types (including published to
published where appropriate).
* There are no database updates in this release, but site owners will need to
run update.php to ensure a cache clear.
* No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary.
For contributed and custom module developers
* \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination()
has been removed. If you have extended that class or are calling that
method, you should review your implementation in line with the changes in
the patch.
* An additional method has been added to
StateTransitionValidationInterface. Implementations should review the new
method and ensure compatibility with it.
* ModerationStateConstraintValidator now has two additional service
dependencies. Subclasses will need to update their constructor to inject the
new services.
Upstream changes:
Drupal 8.5.6 Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal Core - 3rd-party libraries -SA-CORE-2018-005
No other fixes are included.
Upstream changes:
Release notes
This is a patch release of Drupal 8 and is ready for use on production sites. Learn more about Drupal 8.
This release only contains bug fixes, along with documentation and testing improvements. Translators should take note of a minor string change since the last release.
Known issues
View with user/% path breaks login/logout on 8.5.x - a regression from 8.4.x
Important: If you have not already upgraded to 8.5.0, read the Drupal 8.5.0 release notes before upgrading to 8.5.5.
Search the issue queue for all known issues.
Changes since 8.5.4:
#2921661 by heddn, maxocub, alexpott, phenaproxima, Jo Fitzgerald, badmetevils, quietone: Add support to migrate multilingual revisions
#2977945 by awm: typo in test_node_revision_links views yml file
Revert "Issue #2971338 by Jo Fitzgerald, quietone, joachim: MigrationLookupTest::testMultipleSourceIds() uses wrong class for mocking"
#2971338 by Jo Fitzgerald, quietone, joachim: MigrationLookupTest::testMultipleSourceIds() uses wrong class for mocking
#2887490 by michaellenahan, cilefen, rOprOprOp, catch: Activity Tracker cannot be enabled if there are unpublished nodes
#2982042 by progga: UUID component's composer.json has wrong description
#2860760 by Jo Fitzgerald, heddn, quietone, alexpott: Match setup() functionality of MigrateFileTest with MigratePrivateFileTest
#2979813 by Wim Leers, TwoD: Add TwoD as maintainer for the editor.module component
#2581557 by dawehner, mxh, xjm, sorabh.v6, JeroenT: Add ltrim($path, '/') in drupalGet method
#2635046 by neclimdul, dawehner, alexpott: run-test.sh doesn't work in directories with spaces
#2950158 by Vidushi Mehta, ankitjain28may, Shiva Srikanth T, ckrina, markconroy, Eli-T: Choose policy for defining font-weight on Umami theme
#2875679 by mondrake, daffie: BasicSyntaxTest::testConcatFields fails with contrib driver
#2933413 by Graber, alexpott, joelpittet, chanderbhushan, jchand: Improve test coverage of using bulk actions when the view has an exposed form using AJAX
#2978596 by visshu007, Chi: views_add_contextual_links() references to non existent views_preprocess_page() function
#2977175 by borisson_, PieterJanPut, tstoeckler, msankhala: DataDefinition::setConstraints() should be on DataDefinitionInterface
#2822611 by Mile23, Wim Leers, alexpott, Berdir, catch, dawehner, xjm, tstoeckler, borisson_: Document why UserInterface + FileInterface + MenuLinkContentInterface + … extend \Drupal\Core\Entity\ContentEntityInterface
#2969598 by msankhala, joachim: badly formatted sample code in docs for Select::orderBy()
Revert "Issue #2886609 by quietone, Jo Fitzgerald, jhodgdon, masipila, heddn, Gábor Hojtsy, mikeryan: Migrate D6 i18n loacalized translations of taxonomy terms"
#2975751 by msankhala, leolando.tan, joachim, claudiu.cristea: incorrect @return for Tables::getTableMapping()
#2927723 by longwave, artreaktor, chiranjeeb2410, ankitjain28may, cilefen, dawehner: The URL "/ " with trailing space is not getting recognized as
#2737773 by antongp, wturrell, pcambra, cilefen, Darvanen, cwells, manningpete, alexpott: Proper way to install Drupal, missing vendor folders, example.gitignore
#2943107 by mherchel, NicholasS, jordana, finnsky, tomphippen, smaz, markconroy, andrewmacpherson, kjay: Umami support for Internet Explorer 11
#2979166 by RajeevK, lomasr: Wrong documentation on SiteCacheContext class
#2749901 by MaskyS, kleog, priya.chat, harsha012, rakesh.gectcr, shobhit_juyal, snehi, SenthilMohith, neerajpandey, gawaksh, thompsizzle, ecrown, mohit1604, andrewmacpherson, surbz, rahulrasgon, riddhi.addweb: Add README.txt to Bartik theme
#2886609 by quietone, Jo Fitzgerald, jhodgdon, masipila, heddn, Gábor Hojtsy, mikeryan: Migrate D6 i18n loacalized translations of taxonomy terms
#2772251 by msankhala, markpavlitski, joachim: description for EntityForm::actions() could use rewording
#2978848 by claudiu.cristea, amateescu: EntityReferenceFieldItemList::referencedEntities() doesn't work for computed fields
#2073467 by maxocub, Jo Fitzgerald, pobster, masipila, plach, heddn, phenaproxima, catch: Migrate Drupal 7 Entity Translation settings to Drupal 8
#2877828 by msankhala, joachim: FormInterface::getFormId() should state restrictions on the returned ID string
#2855054 by alexpott, LoMo, wesleydv, Artusamak, gawaksh, xjm: User cancel link doesn't redirect to the homepage
#2936821 by msankhala, joachim, lomasr, marxjohnson: unclear docs in MigrateProcessInterface
#2951715 by dravenk, marvil07, rakesh.gectcr, davidsonjames, heddn, Jo Fitzgerald, quietone, alexpott, maxocub: Log message if static_map plugin skips the row
#2932777 by mondrake, borisson_, alexpott, daffie: Risky count() in SQLite Statement
#2951163 by nkoporec, Parvateesam, joachim: CachePluginBase::cacheGet()/::cacheSet() doesn't document @params or @return
Upstream changes:
Releases for Drupal core
API version
drupal 8.5.4
Posted by catch on 6 June 2018
Release notes
This is a patch release of Drupal 8 and is ready for use on production sites
Upstream changes:
Drupal-8.5.3:
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes critical security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004
No other fixes are included.
Drupal-8.5.2:
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal core - Moderately Critical - Cross Site Scripting- SA-CORE-2018-003
No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
What's new in Drupal 8.5.0?
This new version makes Media module available for all, improves
migrations significantly, stabilizes the Content Moderation and
Settings Tray modules, serves dynamic pages faster with BigPipe enabled
by default, and introduces a new experimental entity layout user
interface. The release includes several very important fixes for
workflows of content translations and supports running on PHP 7.2.
Upstream changes:
8.4.5
Security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcements:
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001
No other fixes are included.
Upstream changes:
The following important issues are resolved in 8.4.4 (in addition to the dozens of other fixes listed at the end of this post):
[PHP 7.2] count() parameter must be an array or an object that implements Countable. Drupal 8.4.4 still has one remaining critical bug on PHP 7.2 which will be fixed by Drupal 8.5.0, to be released March 7 2018.
Concurrently editing two translations of a node may result in data loss for non-translatable fields
Known issues
There are no known regressions in this release.
Important: If you have not already upgraded to 8.4.0, read the Drupal 8.4.0 release notes before upgrading to 8.4.4. Drupal 8.4 includes major version updates for Symfony, jQuery, and jQuery UI and is no longer compatible with older versions of Drush.
Drupal 8 currently has one remaining critical bug on PHP 7.2 which will be fixed by Drupal 8.5.0, to be released March, 7 2018.
Search the issue queue for all known issues.
All changes since the last release
#2894068 by Jo Fitzgerald, davidsickmiller, alexpott, heddn, Yogesh Pawar, quietone, xjm: datetime_type is not set correctly when migrating datetime fields from D7
#2930715 by alexpott, dawehner: Recursive rebuild caused by installing admin_toolbar_tools module
#2837022 by hchonov, xjm, vlad.dancer, plach, matsbla, Gábor Hojtsy: Concurrently editing two translations of a node may result in data loss for non-translatable fields
#2933125 by Tessa Bakker: Case mismatch in ExportForm.php
#2323459 by harsha012, jhodgdon, joachim: Change wording of annotation keys to properties
#2840257 by kiamlaluno: The documentation makes reference to a function that doesn't exist
#2779921 by kiamlaluno, alexpott: hook_field_widget_form_alter() still reference a hook that is not used anymore
#2931294 by claudiu.cristea, Wim Leers: Timestamp field type misses schema for value
#2923884 by mfernea: Fix 'Squiz.WhiteSpace.SemicolonSpacing' coding standard
#2899708 by gaurav.kapoor, tan33sh, tedbow, droplet, Wim Leers: `quote` should be `blockquote` in off-canvas.base.css
#2932154 by jhedstrom: ModerationInformation::getLatestRevisionId returns access-specific results
#2932551 by jeqq: Error when calling ModerationStateFieldItemList::updateModeratedEntity() if the entity doesn't have workflow
#2346893 by lauriii, idebr, slashrsm, RavindraSingh, Rade, Fabianx, alexpott, swentel, gauravjeet, darrenwh, deepak_zyxware, joelpittet, Wim Leers, Yogesh Pawar, Vj, ivan.chavarro, josephdpurcell, josmera01, rloos289, kattekrab, Tanvish Jha, csakiistvan, xjm, larowlan, akalata: Duplicate AJAX wrapper around a file field
#2921033 by Jo Fitzgerald, masipila, phenaproxima, xjm, Wim Leers: Improve API documentation of DrupalSqlBase source plugin
#2862671 by masipila, Jo Fitzgerald, kleog, phenaproxima, quietone: Add documentation to SqlBase source plugin
#2930072 by vaplas, Lendude: Module: Convert system functional tests to phpunit
#2913864 by Jo Fitzgerald, chiranjeeb2410, matslats, phenaproxima: badly constructred link in drupal_set_message
#2928846 by alexpott, Berdir: [PHP 7.2] count() parameter must be an array or an object that implements Countable
#1489692 by Liam Morland, pfrenssen, YesCT, geekinpink, sudishth, josmera01, David_Rothstein: Incorrect handling of file upload limit exceeded - file widget disappears
#2914938 by timmillwood, RajabNatshah, xjm, Manuel Garcia, amateescu, Wim Leers: Preview of content - Notice: Undefined offset: 0 in _quickedit_entity_is_latest_revision() (line 196 of core/modules/quickedit/quickedit.module)
#2880445 by pjcdawkins, japerry, gargsuchi, q0rban: Config sync should not throw a warning when not being writable
#2927636 by alexpott, Mile23, Mixologic: Backport --supress-deprecations to run-tests.sh 8.4.x
#2928778 by plach: Exception when trying to save a new revision after manually setting the original revision ID
#2929464 by tedbow, mpdonadio: Tests under "core/modules/ckeditor/tests/modules/src/Kernel" are in the wrong folder and do not get tested
#2795317 by hswong3i, alexpott, Lendude, bircher, dawehner, martin107, Jo Fitzgerald, mondrake: Allow PHPUnit 6+ support for object mocking
#2862745 by masipila, quietone: Add documentation to EntityFieldInstance destination plugin
#2862746 by masipila, quietone, phenaproxima: Add documentation to EntityFieldStorageConfig destination plugin
#2927844 by Jo Fitzgerald, quietone, heddn: Correct references to 'iterator' plugin to be 'sub_process'
#2927563 by tstoeckler, amateescu: Aggregator feed "refresh" field should have a default value
#2927569 by tstoeckler, amateescu: Various tests do not set values for required field when creating entities
#2862207 by kalpaitch, jmmarquez, jeetendrakumar: Config import change profile message
#2923886 by mfernea: Fix 'Squiz.WhiteSpace.LanguageConstructSpacing' coding standard
Revert "Issue #2929076 by marcoscano: Fix wrong \Drupal\Core\Entity\EntityTypeInterface::getBundleLabel() docblock"
#2929076 by marcoscano: Fix wrong \Drupal\Core\Entity\EntityTypeInterface::getBundleLabel() docblock
#2927758 by Wim Leers, dagmar: Update DbLogResourceTest to use the ResourceTestBase base class instead of the deprecated RESTTestBase
#2717965 by Yogesh Pawar, pguillard, alexpott, Liam Morland, skylord, oxy86, cilefen, balagan, Anthony Fok: Site name is not UTF-8 encoded in email headers
Drupal is a free web Content Management System (CMS) that allows an
individual or a community of users to easily publish, manage and organize a
wide variety of content on a website.
Drupal is ready to go from the moment you download it. It even has an
easy-to-use web installer! The built-in functionality, combined with dozens
of freely available add-on modules, will enable features such as: Content
Management Systems, Blogs, Collaborative authoring environments, Forums,
Peer-to-peer networking, Newsletters, Podcasting, Picture galleries, File
uploads/downloads and much more.
