Drupal Release: 10.0.10
Tag Name: 10.0.10
Release Date: 7/5/2023
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 10.0.10 is a maintenance release that addresses multiple bugs, security vulnerabilities, and adds several enhancements to improve the stability and functionality of Drupal 10. This release includes fixes for media library issues, entity handling, API improvements, and security hardening. It's particularly important for sites using media features, entity references, or experiencing specific errors mentioned in the fixes.
Highlights of the Release
- Fixed security issue with potentially malicious file extensions
- Improved API to allow DELETE requests to return response bodies
- Fixed multiple NULL entity reference issues that were causing fatal errors
- Enhanced media library functionality and fixed required field message issues
- Improved CKEditor 5 with fixes for the Style plugin and media handling
- Added better documentation for hooks and interfaces
Migration Guide
No significant migration steps are required for this maintenance release. The changes are primarily bug fixes and minor enhancements that should not require any special migration procedures.
If you're using custom code that:
- Relies on DELETE requests not having response bodies
- Extends the StatusMessages class
- Uses the entity access system in a specific way
you may want to review your code to ensure compatibility with the fixes in this release, but no formal migration steps are needed.
Upgrade Recommendations
This release contains important bug fixes and security improvements, so upgrading is recommended for all Drupal 10.0.x sites. The update addresses several critical issues that could cause fatal errors or security vulnerabilities.
Priority: Medium-High
Sites experiencing any of the specific issues mentioned in the bug fixes section should prioritize this update, especially if you're using:
- Media library functionality
- Entity references that might be NULL
- CKEditor 5 with the Style plugin
- PHP 8.0+ with the PhpMail system
To update:
- Back up your database and code
- Update your codebase to Drupal 10.0.10
- Run the database updates via the UI or Drush
- Clear caches
No special update procedures are required beyond the standard Drupal update process.
Bug Fixes
Entity Handling
- Fixed multiple instances where FieldPluginBase::getEntity() did not check for NULL values, preventing white screen of death errors.
- Fixed EntityCreateAnyAccessCheck::access() being too restrictive, improving entity access handling.
- Fixed TypeError in EntityViewBuilder::view() when null is passed instead of an EntityInterface.
Media and CKEditor Issues
- Fixed media library showing the 'is required' message when users don't have access to the field.
- Fixed CKEditor 5 Style plugin configuration tab not appearing.
- Fixed random test failures in MediaTest for editable captions.
- Fixed missing dependency on drupal.ajax in CKEditor 5.
- Fixed OEmbedIframeController returning HTTP response codes that could be cached by forward proxies when given illegal parameters.
Form and Widget Issues
- Fixed OptionsWidgetBase not respecting #required_error.
- Fixed progress throbber position being incorrect.
- Fixed fatal error when entering non-numeric values for start row in Multiple field settings for views.
Other Fixes
- Fixed broken mail headers in PHP 8.0+ due to LF characters in PhpMail.
- Fixed regression where route defaults were automatically becoming route parameters.
- Fixed random test failures in various tests.
- Fixed CSS nesting accidentally used in off-canvas dialog styles.
New Features
API Improvements
- DELETE Request Response Bodies: Added support for DELETE requests to return response bodies, providing more flexibility in API responses.
- StatusMessages Extension: The StatusMessages class can now be extended, allowing for more customization of system messages.
- Contextual Filter Enhancement: Added support for ?edit[field_xyz] as a query parameter in contextual filters, improving content editing workflows.
Documentation Updates
- Hook Documentation: Added documentation for hook_condition_info_alter, which was previously undocumented.
- Base System Maintenance: Clarified that the "Base system" is maintained by the framework managers.
- API Documentation: Improved PHPDoc for ResourceTypeRepositoryInterface::get() return value.
Security Updates
Security Hardening
- Added PHTML files to the list of potentially malicious extensions, improving security against file upload vulnerabilities.
- Fixed OEmbedIframeController security issue where it could return cacheable HTTP response codes when given illegal parameters, which could potentially be exploited.
- Improved handling of PHPDocBlocks by disallowing @inheritdoc (without curly braces) annotation, preventing potential documentation issues.
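As an added example (not part of the release notes and not Drupal's own code), the following Python script audits an upload directory for file names that carry an extension such as phtml, which this release adds to the list of potentially malicious extensions. Apart from phtml, the extension list is an assumption, and the function names and sample file names are constructed for illustration.

```python
import os
import re
import tempfile

# "phtml" is the extension this release adds; the other entries are an
# assumed, illustrative list and are not copied from Drupal core.
RISKY_EXTENSIONS = ("phtml", "php", "phar", "pl", "py", "cgi", "asp", "js")

# Match a risky extension anywhere in the name, so "notes.phtml.txt" is
# reported as well as "notes.phtml".
RISKY_RE = re.compile(r"\.(%s)(\.|$)" % "|".join(RISKY_EXTENSIONS), re.IGNORECASE)


def risky_extension(filename):
    """Return the first risky extension found in filename (lowercased) or None."""
    match = RISKY_RE.search(filename)
    return match.group(1).lower() if match else None


def audit_upload_tree(root):
    """Walk root and return sorted (relative_path, extension) pairs to review."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = risky_extension(name)
            if ext:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), ext))
    return sorted(findings)


def build_sample_tree(root):
    """Create constructed, empty sample files standing in for a files directory."""
    for rel in ("2023-06/logo.png", "2023-06/Template.PHTML",
                "2023-07/notes.phtml.txt", "2023-07/phtml-guide.pdf"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, ext in audit_upload_tree(tmp):
            print(f"review: {rel} (.{ext})")
```

To audit a real site, call audit_upload_tree() with the path of the site's files directory instead of the constructed sample tree.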
Performance Improvements
Test Performance
- Improved how KernelTestBase manages its persistent key value storage, enhancing test performance.
- Fixed issue with not using persist tag for keyvalue.memory in KernelTestBase.
Dependency Management
- Updated Guzzle PSR-7 constraint for better performance and compatibility.
- Locked Drupal 10.0 on symfony/serializer and symfony/validator 6.2 for stability and performance.
Impact Summary
Drupal 10.0.10 is a maintenance release that focuses on bug fixes, security improvements, and minor enhancements. The most significant impacts include:
- Stability Improvements: Multiple fixes for NULL entity references and type errors that were causing fatal errors in various scenarios.
- Security Hardening: Added PHTML files to the list of potentially malicious extensions and fixed issues with OEmbed iframe responses that could be cached inappropriately.
- Developer Experience: Several API improvements including allowing DELETE requests to return response bodies, better extension capabilities for StatusMessages, and improved documentation.
- Media Handling: Fixed several issues with the media library and CKEditor 5 media integration, improving the content editing experience.
- Form Handling: Fixed issues with required field messages, progress throbber positioning, and form validation.
This release doesn't introduce any breaking changes but resolves several issues that could cause errors or unexpected behavior in previous versions. The fixes are particularly important for sites using media features, entity references, or experiencing specific errors mentioned in the fixes.
User Affected:
- Improved security with better handling of potentially malicious file extensions
- Fixed issues with media library required field messages
- Better error handling for various administrative functions
