Drupal Release: 10.2.3

TL;DR

Drupal 10.2.3 is a maintenance release that focuses on bug fixes, performance improvements, and test infrastructure enhancements. Key improvements include fixing invalid RSS feeds, hardening user password rehashing against attacks, fixing URL alias handling, addressing entity autocomplete issues, and resolving various strict typing errors. This release primarily benefits site maintainers and developers by improving stability, security, and test performance without introducing breaking changes.

Highlight of the Release

• Fixed RSS feeds that were invalid due to   entities
• Hardened user_pass_rehash() function against potential attacks
• Fixed URL alias handling to correctly prioritize language-specific aliases
• Resolved entity autocomplete form element issues with '0' labels
• Improved form validation for unlimited cardinality fields
• Enhanced test performance and infrastructure

Migration Guide

No migration is required for this maintenance release. Drupal 10.2.3 contains bug fixes and performance improvements that do not require any special migration steps from Drupal 10.2.2.

If you are upgrading from an earlier version than 10.2.2, please refer to the migration guides for those specific versions.

Upgrade Recommendations

This is a maintenance release containing important bug fixes and security improvements. It is recommended that all sites running Drupal 10.2.x upgrade to this version as soon as possible.

The upgrade process from Drupal 10.2.2 to 10.2.3 should be straightforward:

1. Back up your database and code
2. Put your site into maintenance mode
3. Update Drupal core using Composer: composer update drupal/core-* --with-all-dependencies
4. Run database updates: drush updatedb or visit /update.php
5. Clear caches: drush cache:rebuild or clear via the admin interface
6. Take your site out of maintenance mode

No special steps are required for this upgrade as it contains only bug fixes and performance improvements without API changes.

Bug Fixes

Core Bug Fixes

• RSS Feed Validation: Fixed a regression where RSS feeds were invalid due to   entities (#3409587)
• URL Alias Handling: Fixed AliasStorage::preloadPathAlias() incorrectly prioritizing 'und' aliases over language-specific ones (#2745755)
• Entity Autocomplete: Resolved issue where entity autocomplete form elements ignored entities with label "0" (#3383131)
• Form Validation: Fixed issue where existing field items were incorrectly validated when adding another item in widgets for unlimited cardinality fields (#3076054)
• URL Query Parameters: Fixed issue with query string duplications in URLs (#2885351)
• Node Revisions: Fixed revisions log on translated nodes to show only revisions of translated content, not original language revisions (#3092558)
• Views RSS: Fixed Node RSS Views plugin causing wrong entity_view output to be cached (#2885098)
• URL Alias Validation: Fixed hook_node_grants implementations causing 'URL Alias' validation errors when saving translated nodes (#3101344)
• Layout Builder: Fixed issue where Layout Builder overrides section storage set local tasks block cache max-age to 0 on content entity pages without overrides enabled (#3190542)
• Dialog Buttons: Fixed issue where dialog drupalAutoButtons option was not respected on initial load (#2793343)
• External CSS: Fixed issue where external fonts could not be loaded via add_css ajax command (#3400359)
• Form UI: Fixed issue where "Add another" buttons lacked proper vertical margin (#3198236)
• Views UI: Fixed issue where links did not align properly in Views UI field/sort rearrange dialog (#3376159)
• Twig Tokens: Fixed invalid twig token variables being added on certain URLs that could crash the site if assertions were enabled (#3414144)
• Form Fields: Fixed issue where the 'Name' field in Add form mode lacked indication of being mandatory despite being required (#3375406)
• Olivero Theme: Fixed missing dom_id in Olivero views front page template (#3408913)
• JSON:API: Fixed warning about undefined array key "id" in EntityResource->patchIndividual() (#3377269)
• Access Checking: Fixed access check in AnnounceBlock not taking into account $return_as_object parameter (#3414800)

New Features

No significant new features were introduced in this maintenance release. Drupal 10.2.3 focuses primarily on bug fixes, security improvements, and test infrastructure enhancements.

Security Updates

Security Improvements

• Password Rehashing: Hardened user_pass_rehash() function against potential attacks (#3277003)
• PostgreSQL Security: Fixed PostgreSQL column name escaping in field constraints (#3358609)
• Log Security: Prevented the use of placeholders that cannot be converted into strings when creating logs, which could potentially expose sensitive information (#2481349)
• AJAX State: Fixed issue where ajax_page_state leaked through request in Views Ajax (#3399951)

Performance Improvements

• Update Registry: Improved the performance of \Drupal\Core\Update\UpdateRegistry::getRemovedPostUpdates() (#3414349)
• Test Performance: Multiple improvements to test performance:
  • Fixed test performance of \Drupal\Tests\help\Functional\HelpTest (#3404108)
  • Fixed test performance of \Drupal\Tests\content_translation\Functional\ContentTranslationStandardFieldsTest (#3405085)
  • Fixed test performance of Drupal\system\Tests\Cache\PageCacheTagsIntegrationTest (#2254209)
  • Fixed test performance of Drupal\node\Tests\NodeTranslationUITest (#2254189)
  • Added dedicated runner for performance tests (#3415296)
  • Added @group #slow to various tests to better organize test runs (#3413430, #3411934, #3416308)
  • Split up large test classes to improve performance (#3412029, #3416220, #3416046)
  • Speed up UpdatePathTestBaseTest (#3413730)
  • Added authenticated user Umami performance tests (#3414261)

Impact Summary

Drupal 10.2.3 is a maintenance release that focuses on bug fixes, performance improvements, and test infrastructure enhancements. The most notable fixes include resolving issues with RSS feeds, hardening password security, fixing URL alias handling, and addressing entity autocomplete problems.

For site administrators, this release improves stability and security without requiring significant changes to existing sites. The fixes for RSS feeds and URL alias handling are particularly important for sites that rely on these features.

For developers, the numerous test performance improvements and strict typing fixes make the codebase more robust and easier to work with. The enhanced error messages and performance optimizations in the update registry will improve the development experience.

Content editors will benefit from fixes to form validation, URL alias handling for translated content, and improved UI for adding content with unlimited cardinality fields.

End users will experience a more stable site with fewer bugs and improved accessibility. While most changes are "under the hood," they collectively contribute to a better user experience.

Overall, this release represents Drupal's ongoing commitment to stability, security, and performance, making incremental improvements that benefit all stakeholders without introducing breaking changes.