10.5.0

Tag Name: 10.5.0

Release Date: 6/19/2025

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 10.5.0 introduces significant improvements to performance, security, and developer experience. This release includes multiple security fixes, PHP 8.4 compatibility updates, and enhancements to the SDC (Single Directory Components) system. Key improvements include better Twig performance, fixes for workspace functionality, and updates to CKEditor 5. This is a feature release that maintains backward compatibility while adding new capabilities and addressing numerous bugs.

Highlights of the Release

    • Multiple security fixes addressing critical vulnerabilities
    • PHP 8.4 compatibility improvements
    • Performance optimization for Twig templates
    • Enhanced workspace functionality for content moderation
    • Updated CKEditor 5 to version 45.2.0
    • Improved SDC (Single Directory Components) system
    • Fixed issues with Media Library and Layout Builder
    • Better handling of password reset functionality

Migration Guide

Migration from Drupal 10.4.x to 10.5.0

No specific migration steps are required when upgrading from Drupal 10.4.x to 10.5.0. This is a minor version update that maintains backward compatibility.

PHP 8.4 Compatibility

If you're planning to use PHP 8.4 with Drupal 10.5.0, review your custom code for:

  • Usage of str_getcsv() and fgetcsv() functions
  • Closures in test code
  • Usage of trigger_error() with E_USER_ERROR
  • Any code that might be affected by PHP 8.4 changes
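
One way to build the review list for the PHP 8.4 items above, as an added example that is not part of the release notes or of Drupal's code. The function names, the scan path in the usage comment and the sample module file are assumptions constructed for illustration.

```shell
# Added example (not Drupal code): list custom-code lines to review for PHP 8.4.
# Matches the calls named in the checklist above:
#   str_getcsv()/fgetcsv(): PHP 8.4 deprecates relying on the default $escape
#   trigger_error(..., E_USER_ERROR): deprecated in PHP 8.4
PHP84_PATTERN='(str_getcsv|fgetcsv)[[:space:]]*\(|trigger_error[[:space:]]*\(.*E_USER_ERROR'

# scan_php84 DIR: print "file:line:source" for every matching line.
# CSV calls are listed even when they pass $escape, so a person confirms each one.
scan_php84() {
  find "$1" -type f \( -name '*.php' -o -name '*.module' -o -name '*.inc' \
    -o -name '*.install' \) -exec grep -nE "$PHP84_PATTERN" /dev/null {} + || true
}

# count_php84 DIR: number of lines that need a manual look.
count_php84() {
  scan_php84 "$1" | wc -l | tr -d ' '
}

# make_sample DIR: write a constructed module file for trying the scan.
make_sample() {
  mkdir -p "$1/mymodule/src"
  cat > "$1/mymodule/src/Importer.php" <<'EOF'
<?php
$row = str_getcsv($line);
$fh = fopen('data.csv', 'r');
$cols = fgetcsv($fh, 0, ',', '"', '\\');
trigger_error('Import failed', E_USER_ERROR);
trigger_error('Heads up', E_USER_WARNING);
EOF
}

# Usage: sh scan_php84.sh web/modules/custom   (path is an assumption)
if [ "$#" -gt 0 ]; then
  scan_php84 "$1"
fi
```

On the constructed sample the scan reports lines 2, 4 and 5 and skips the E_USER_WARNING call on line 6.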

Custom SDC Components

If you're using custom SDC components:

  • Review your component CSS/JS handling as SDC stylesheets are now added to the "theme" aggregate group instead of "default"
  • Ensure your SDC slots are properly validated against JSON config schema
  • If you're developing on Windows/XAMPP, check that component CSS/JS URLs are generating correctly

Custom Access Policies

If you've implemented custom access policies:

  • Consider implementing the new interface to opt out of caching if appropriate
  • Review access cacheability, especially if using "view own unpublished content" permission

Custom Form Handling

If you have custom forms that interact with the Media Library or Layout Builder:

  • Review your code for compatibility with the fixed Media Library selection handling
  • Check any code that interacts with form_build_id, especially on Firefox

Upgrade Recommendations

Recommendation Level: High

Drupal 10.5.0 is recommended for all Drupal 10.x sites due to the significant security fixes and performance improvements included in this release.

When to Upgrade

  • Immediate upgrade is recommended for sites concerned about the security vulnerabilities addressed in this release.
  • Planned upgrade is recommended for all other Drupal 10.x sites to benefit from performance improvements and bug fixes.

How to Upgrade

  1. Create a complete backup of your site's files and database
  2. Update your composer.json file:
    composer require drupal/core-recommended:^10.5.0 --update-with-dependencies
    
  3. Run composer update:
    composer update
    
  4. Run database updates:
    drush updatedb
    
    or visit /update.php in your browser
  5. Clear caches:
    drush cache:rebuild
    
    or visit /admin/config/development/performance and click "Clear all caches"
  6. Test your site thoroughly, especially features related to workspaces, media library, and layout builder
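
A check to run after steps 2 and 3 and before deploying, as an added example that is not Drupal or Composer code: it confirms that composer.lock actually resolved drupal/core to 10.5.0 or later, which a conflicting constraint elsewhere in the project can prevent. The function names and the trimmed sample lock file are assumptions constructed for illustration.

```shell
# Added example (not Drupal or Composer code): gate a deploy on the locked core version.

# locked_core_version LOCKFILE: print the version composer.lock pins for
# drupal/core. Relies on Composer's pretty-printed layout, where "version"
# follows "name" inside each package entry.
locked_core_version() {
  awk -F'"' '
    $2 == "name" && $4 == "drupal/core" { found = 1; next }
    found && $2 == "version" { print $4; exit }
  ' "$1"
}

# version_ge A B: succeed when A >= B, comparing major.minor.patch numerically.
# Pre-release suffixes (for example -rc1) are ignored by the numeric cast.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# core_is_patched LOCKFILE: succeed only if the lock file resolved to >= 10.5.0.
core_is_patched() {
  v=$(locked_core_version "$1")
  [ -n "$v" ] && version_ge "$v" "10.5.0"
}

# write_sample_lock FILE VERSION: constructed, trimmed composer.lock for a dry run.
write_sample_lock() {
  cat > "$1" <<EOF
{
    "packages": [
        {
            "name": "drupal/core",
            "version": "$2"
        }
    ]
}
EOF
}

# Usage: sh check_core.sh composer.lock
if [ "$#" -gt 0 ]; then
  core_is_patched "$1" || { echo "drupal/core is below 10.5.0" >&2; exit 1; }
fi
```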

Testing Focus Areas

  • Media Library functionality
  • Layout Builder operations
  • Workspace content moderation
  • Password reset functionality
  • RSS feeds
  • Multilingual features
  • Forms with file uploads

Bug Fixes

Critical Bug Fixes

  • Fixed regression in yaml_parser_class setting that broke sites < 11.0
  • Addressed recursion limit exceeded with Twig v3.14.1 when editing nodes or blocks
  • Fixed issue where an update to symfony/http-foundation plus a trailing space took down the views UI
  • Corrected handling of published moderated entities in workspaces
  • Fixed issue where RssResponseCdata was filtering out common HTML tags from RSS feeds

Form and UI Fixes

  • Fixed Media Library currentSelection not being reset properly
  • Corrected handling of Firefox retaining form_build_id on form reloads
  • Fixed logout confirmation form showing inappropriate confirmation description
  • Addressed issue where password and confirm password fields weren't properly marked as mandatory when setting up passwords via one-time links
  • Fixed Views exposed filter reset creating sessions for anonymous users
  • Corrected decimal separator and decimals settings being ignored when aggregating decimal fields
  • Fixed issue where contextual links would disappear intermittently

Entity and Field Handling

  • Fixed issue where referring to the same entity multiple times broke _referringItem
  • Corrected EntityAccessControlHandler::createAccess() returning false positive cache hits
  • Fixed ContentEntityBase::createDuplicate() to reset default revision flag
  • Addressed issue where Block visibility settings had summary duplicated in the title
  • Fixed Menu Link Edit form not saving Weight and Expanded values properly for default links

Caching and Performance Issues

  • Fixed ChainedFast backend to ensure invalid items are not written
  • Corrected BreadcrumbManager ignoring cacheability when no builders apply
  • Fixed MenuActiveTrail creating invalid cache tags when called without a menu name
  • Addressed issue where UserRolesCacheContext could lead to poisoned cache returns for user 1

Other Fixes

  • Fixed DateHelper::dayOfWeekName() returning untranslated names
  • Corrected handling of unknown file extensions in FileMediaFormatterBase
  • Fixed FileSystem::deleteRecursive() following symlinks and removing files outside the target directory
  • Addressed issue where Views StringFilter didn't escape % character
  • Fixed datetime date views filter when DateTime object not set
  • Corrected handling of batch IDs that don't exist

New Features

PHP 8.4 Compatibility

Drupal 10.5.0 includes several updates to ensure compatibility with PHP 8.4:

  • Fixed closures in tests for PHP 8.4 compatibility
  • Updated handling of str_getcsv() and fgetcsv() functions
  • Fixed usage of trigger_error() with E_USER_ERROR
  • Upgraded open-telemetry packages for PHP 8.4 compatibility
  • Added daily testing with PHP 8.4

Enhanced SDC (Single Directory Components)

  • SDC stylesheets are now added to the "theme" aggregate group instead of "default" group to ensure correct CSS source order
  • Fixed component validation to properly use the set validator
  • Fixed issues with SDC components CSS & JS URL generation on Windows/XAMPP environments
  • Added validation for SDC slots against JSON config schema

Access Policy Improvements

  • Added interface to allow access policies to opt out of caching
  • Fixed access cacheability when "view own unpublished content" permission is in use

Navigation Enhancements

  • Added ability for modules to hook into the top of content section in the new core navigation
  • Fixed settings rendering in navigation module

Security Updates

Security Advisories

Drupal 10.5.0 includes fixes for multiple security advisories:

  • SA-CORE-2024-003: Fixed security vulnerability reported by jrb, larowlan, catch, mingsong, poker10, longwave, and benjifisher
  • SA-CORE-2024-004: Addressed security issue identified by zengenuity, cilefen, kristiaanvandeneynde, mcdruid, and larowlan
  • SA-CORE-2024-006: Fixed vulnerability reported by mcdruid and larowlan
  • SA-CORE-2024-007: Addressed security issue identified by mcdruid and larowlan
  • SA-CORE-2024-008: Fixed security vulnerability reported by mcdruid, fabianx, poker10, larowlan, longwave, and alexpott
  • SA-CORE-2025-001: Addressed security issue identified by larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, and catch
  • SA-CORE-2025-002: Fixed vulnerability reported by jeff cardwell, benjifisher, poker10, and mingsong
  • SA-CORE-2025-003: Addressed security issue identified by shin24, anzuukino, mcdruid, nicxvan, ghost of drupal past, and longwave
  • SA-CORE-2025-004: Fixed vulnerability reported by samuel.mortenson, xjm, larowlan, pandaski, effulgentsia, jenlampton, mcdruid, longwave, benjifisher, bramdriesen, and phenaproxima

Other Security Improvements

  • Updated Twig for CVE-2025-24374
  • Improved CSRF token handling in Menu APIs
  • Enhanced XSS protection by removing srcdoc attributes in Xss::filter()
  • Fixed status report handling of null and duplicate emails
  • Added SECURITY.md explaining how to report security vulnerabilities properly

Performance Improvements

Twig Performance Optimization

  • Fixed performance degradation after update to Twig 3.14.2
  • Updated to Twig 3.15.0 with performance improvements
  • Added static caching for recipe objects in RecipeConfigurator::getIncludedRecipe() to avoid performance problems

Caching Improvements

  • Enhanced caching mechanisms for entity access control
  • Improved handling of cache redirects with better warning messages
  • Fixed caching issues in BreadcrumbManager and MenuActiveTrail
  • Optimized UserRolesCacheContext to prevent poisoned cache returns

Request Handling Optimization

  • DefaultExceptionHtmlSubscriber no longer clones the request for 400/BadRequestException
  • Improved handling of PathValidator to prevent unnecessary processing

Other Performance Enhancements

  • Optimized entity query handling with proper alter hooks for aggregate queries
  • Improved file handling performance
  • Enhanced Media Library widget performance
  • Optimized Layout Builder operations

Impact Summary

Drupal 10.5.0 represents a significant enhancement to the Drupal 10.x series, focusing on security, performance, and developer experience. This release addresses multiple security vulnerabilities through nine security advisories, making it an important update for all Drupal 10.x sites.

Performance improvements are a key highlight, particularly the fixes for Twig performance that address regressions introduced in previous versions. The update to Twig 3.15.0 and optimizations in caching mechanisms should result in noticeable performance gains for many sites.

For developers, the PHP 8.4 compatibility improvements provide forward compatibility while maintaining support for earlier PHP versions. The enhancements to the SDC (Single Directory Components) system improve the developer experience for creating and maintaining components, particularly with better CSS/JS handling and proper validation.

Content editors will benefit from numerous fixes to the Media Library, Layout Builder, and workspace functionality. The correction of issues with form handling, especially for password reset and media selection, improves the editorial workflow.

Site administrators will appreciate the security enhancements and the more reliable handling of critical site functions like user authentication, RSS feeds, and multilingual features.

Overall, Drupal 10.5.0 is a mature release that builds on the stability of Drupal 10.x while adding important security fixes, performance improvements, and quality-of-life enhancements for all user types.

Statistics:

  • Files Changed: 300
  • Line Additions: 1,597
  • Line Deletions: 853
  • Line Changes: 2,450
  • Total Commits: 213

Users Affected:

  • Improved security with multiple security advisories addressed (SA-CORE-2024-003, SA-CORE-2024-004, SA-CORE-2024-006, SA-CORE-2024-007, SA-CORE-2024-008, SA-CORE-2025-001, SA-CORE-2025-002, SA-CORE-2025-003, SA-CORE-2025-004)
  • Better performance with Twig optimization and caching improvements
  • Enhanced user experience with fixes to the Media Library and Layout Builder
  • More reliable password reset functionality

Contributors:

xjm, longwave, larowlan, alexpott, lauriii