Drupal Release: 10.1.6

Tag Name: 10.1.6

Release Date: 11/1/2023

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 10.1.6: Security Fixes and Bug Fixes

This minor release of Drupal 10.1.6 focuses primarily on security updates and bug fixes. It addresses several security vulnerabilities in dependencies (composer/composer and postcss), fixes issues with error logging, CKEditor 5 in Firefox, and resolves various PHP 8 compatibility issues. The release also improves accessibility with better contrast for required field indicators and enhances the Site-building Components (SDC) functionality.

Highlights of the Release

    • Security updates for composer/composer (CVE-2023-43655) and postcss (CVE-2023-44270)
    • Fixed CKEditor 5 error in Firefox when used in a modal dialog
    • Improved accessibility with better contrast for required field indicators
    • Enhanced error logging by preventing HTTP 4XX errors from being logged to PHP logger channel
    • Fixed PHP 8 compatibility issues and warnings

Migration Guide

No significant migration steps are required for this minor update. This is a standard security and bug fix release that should be applied using your normal update process:

  1. Back up your database and site files
  2. Put your site into maintenance mode
  3. Update Drupal core using your preferred method (Composer recommended)
  4. Run the database updates
  5. Clear caches
  6. Take your site out of maintenance mode

If you're using Composer, the recommended update command is:

composer update drupal/core-recommended --with-all-dependencies

Followed by:

drush updatedb
drush cache:rebuild
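
The six steps above as one script, as an added example that is not from the Drupal project or the original page. It assumes the drupal/recommended-project layout (`web/` docroot, `vendor/bin/drush`); `BACKUP_DIR`, `DRY_RUN` and `--apply` are names chosen here. A failure after maintenance mode is enabled leaves the site in maintenance mode instead of reopening a half-updated site.

```shell
#!/bin/sh
# Added example, not Drupal project code. Assumes the drupal/recommended-project
# layout (web/ docroot, vendor/bin/drush); BACKUP_DIR is a hypothetical path.
# DRY_RUN=1 prints each command instead of running it.
set -u
DRUSH="${DRUSH:-vendor/bin/drush}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"
FIXED_PATCH=6   # 10.1.6, the release described on this page

# Exit 0 when the given core version is in the 10.1.x series and older than 10.1.6.
needs_update() {
  case "$1" in
    10.1.*)
      patch="${1#10.1.}"            # "5", "0-rc1", "x-dev"
      patch="${patch%%[!0-9]*}"     # keep leading digits only
      [ -n "$patch" ] && [ "$patch" -lt "$FIXED_PATCH" ] ;;
    *) return 1 ;;
  esac
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-6 in order. Return 1: the site was not modified. Return 2: the update
# failed part-way, so the site is deliberately left in maintenance mode.
update_core() {
  stamp="$(date +%Y%m%d-%H%M%S)"
  run "$DRUSH" sql:dump --gzip --result-file="$BACKUP_DIR/db-$stamp.sql" || return 1
  run tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" web/sites/default/files || return 1
  run "$DRUSH" state:set system.maintenance_mode 1 --input-format=integer || return 1
  run composer update drupal/core-recommended --with-all-dependencies || return 2
  run "$DRUSH" updatedb -y || return 2
  run "$DRUSH" cache:rebuild || return 2
  run "$DRUSH" state:set system.maintenance_mode 0 --input-format=integer
}

# Only act when asked to, and only when the installed core is behind 10.1.6.
if [ "${1:-}" = "--apply" ]; then
  current="$("$DRUSH" status --field=drupal-version)"
  if needs_update "$current"; then update_core; else echo "core $current: no 10.1.x update needed"; fi
fi
```

Run it with `DRY_RUN=1` first to review the exact commands, then with `--apply` from the Composer project root.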

Upgrade Recommendations

This release contains important security updates and bug fixes. It is strongly recommended that all sites running Drupal 10.1.5 or earlier in the 10.1.x series upgrade to this version as soon as possible.

The security updates address vulnerabilities in dependencies (composer/composer and postcss), which could potentially affect your site's security. Additionally, the bug fixes resolve several issues that could impact site functionality, particularly for sites using CKEditor 5 in Firefox and those running on PHP 8.

This is a minor release with no known breaking changes, so the upgrade process should be straightforward for most sites. As always, test the update in a development environment before applying it to your production site.

Bug Fixes

Core System Fixes

  • Fixed issue where _TARGET_DB_TYPE was undefined in certain contexts
  • Resolved problem where ExceptionLoggingSubscriber was incorrectly logging HTTP 4XX errors using PHP logger channel
  • Fixed issue where config saved during import did not have correct initial values set
  • Corrected issue where password is null if user has never logged in, which caused PHP 8 warnings
  • Fixed issue where AssetResolver::getCssAssets() was trying to sort and optimize when $css is empty

UI and Editor Fixes

  • Fixed CKEditor 5 error in Firefox where event.target.classList is undefined when the editor is used in a modal
  • Resolved issue where large placeholders were not being processed correctly
  • Fixed dialog options not being honored when opening a dialog using GET method

Entity and Block Management Fixes

  • Fixed issue where adding or editing a block through the UI was saving the entity twice
  • Corrected problem where BlockContent JSON:API collection endpoint wasn't returning unpublished blocks when filtered without proper permissions
  • Fixed issue where BaseFieldOverride wasn't inheriting internal property from the base field
  • Corrected wrong comment display for sites configuring base field display in the UI
  • Fixed issue with block content type checking in BlockPluginId process plugin

Code and Documentation Improvements

  • Updated return type declarations in various methods for better PHP 8 compatibility
  • Fixed documentation to use @return instead of @returns
  • Improved cspell directives for better code quality
  • Corrected dependencies declaration in decoupled menus test module

New Features

Enhanced Site-building Components (SDC)

  • Improved ComponentElement: The SDC ComponentElement now transforms slots scalar values to #plain_text instead of throwing an exception, making component usage more flexible and user-friendly.

  • Better Twig Node Visitors: Now allows other Twig node visitors to modify 'display_start' and 'display_end', enhancing extensibility for theme developers.

Improved Documentation

  • Updated documentation for the getSetting() method to specify what happens when a setting doesn't exist, providing clearer guidance for developers.

Security Updates

  • Composer Security Update: Updated composer/composer to address CVE-2023-43655, protecting against potential security vulnerabilities.

  • PostCSS Security Update: Updated postcss to address CVE-2023-44270, fixing a security vulnerability in this dependency.

  • Improved Error Logging: Modified ExceptionLoggingSubscriber to not log HTTP 4XX errors using PHP logger channel, reducing log pollution and potential information disclosure.

Performance Improvements

Performance Enhancements

  • Reduced Redundant Operations: Fixed issue where AssetResolver::getCssAssets() was attempting to sort and optimize when $css is empty, eliminating unnecessary processing.

  • Optimized Block Saving: Resolved an issue where adding or editing a block through the UI was saving the entity twice, reducing database operations and improving performance.

  • Improved File Management: Removed more of the aggregate stale file threshold and state entry, streamlining file handling processes.

  • Build Process Optimization: Excluded copying 'core/node_modules' in getCodebaseFinder, improving build performance and reducing unnecessary file operations.

Impact Summary

Drupal 10.1.6 is a security and bug fix release that addresses several important issues. The most significant impacts include:

  1. Enhanced Security: Updates to composer/composer and postcss address known vulnerabilities (CVE-2023-43655 and CVE-2023-44270), improving the overall security posture of Drupal sites.

  2. Improved Editor Experience: Fixes for CKEditor 5 in Firefox when used in modals and better handling of large placeholders will result in a more stable editing experience for content creators.

  3. Better Accessibility: Improved contrast for required field indicators (red asterisks) enhances compliance with WCAG contrast minimum requirements, making forms more accessible to users with visual impairments.

  4. PHP 8 Compatibility: Several fixes address PHP 8 warnings and compatibility issues, ensuring smoother operation on modern PHP environments.

  5. Enhanced Developer Experience: Improved type declarations, documentation updates, and fixes to the Site-building Components (SDC) functionality provide a better development experience.

This release demonstrates Drupal's ongoing commitment to security, accessibility, and code quality. While it doesn't introduce major new features, it strengthens the foundation of the platform through targeted improvements and fixes.

Statistics:

  • Files Changed: 133
  • Line Additions: 1,157
  • Line Deletions: 361
  • Line Changes: 1,518
  • Total Commits: 35

Users Affected:

  • Benefit from security updates to dependencies
  • Experience improved error logging with HTTP 4XX errors no longer being logged to PHP logger channel
  • Will see fixed dialog options when opening dialogs using GET method

Contributors:

xjm, alexpott, lauriii, longwave, larowlan