Drupal Release: 10.3.0-beta1

TL;DR

Drupal 10.3.0-beta1 introduces significant improvements with the Workspaces module now marked as stable, a new experimental Navigation module, and the addition of a Recipes API. This release also includes numerous performance optimizations, security enhancements, and developer experience improvements. Key changes include fixing CSRF vulnerabilities in user logout, improved image handling, and better TypeScript support. This beta release represents a major step forward for Drupal's content management capabilities while maintaining backward compatibility.

Highlight of the Release

• Workspaces module is now stable, providing robust content staging and publishing workflows
• New experimental Navigation module added to core for improved site navigation experience
• New experimental Recipes API for streamlined site installation and configuration
• Security fix for CSRF vulnerability in user logout functionality
• Improved performance with optimized asset handling and caching
• Better TypeScript support and code quality enhancements
• Enhanced accessibility with improved color contrast and screen reader support

Migration Guide

Workspaces Module Now Stable

If you've been using the experimental Workspaces module, you should review your implementation as it's now stable. Key changes to be aware of:

• Check any custom code that interacts with workspaces to ensure compatibility
• Review workspace-related permissions in your roles
• Test workspace operations, especially if you use Layout Builder with workspaces

AJAX Replace Method Deprecated

The AJAX replace method has been deprecated and removed (#3303557). If your code uses this method, you'll need to update it to use an alternative approach.

Super User Behavior Changes

Multiple tests have been updated to no longer rely on UID1's super user behavior. If your custom code or tests assume special behavior for user 1, you should review and update them to use proper permissions instead.

jQuery Dependency Reductions

Several jQuery dependencies have been removed or reduced:

• jQuery.tabbable.shim has been deprecated (#3278625)
• Some jQuery animate functions have been refactored to use vanilla JavaScript (#3239139)
• jQuery parents function usage has been refactored in some places (#3238868)
• Dialog events no longer use jQuery (#3390549)

If your custom code extends or relies on these jQuery features, you'll need to update it accordingly.

Statistics Module Deprecated

The Statistics module has been deprecated (#3413917) and will be removed in a future version. If your site relies on this module, you should plan to migrate to an alternative solution.

Contextual Module Deprecation Updated

The contextual module deprecation has been updated for removal in Drupal 12.0 (#3442530). If your site relies on this module, you should plan to migrate to an alternative solution.

PHP 8.3 Recommended

PHP 8.3 is now recommended for Drupal 10.3. While earlier supported versions will continue to work, it's recommended to upgrade to PHP 8.3 for the best experience.

Twig Updated to 3.9

Twig has been updated to version 3.9 (#3441331). If you have custom Twig templates or extensions, you should test them with this new version.

New Hook for Entity Form Modes

A new hook has been added: hook_ENTITY_TYPE_form_mode_alter() (#3419186). If you previously used workarounds to alter entity form modes, you can now use this hook instead.

Upgrade Recommendations

Drupal 10.3.0-beta1 introduces significant new features and improvements, particularly with the stable Workspaces module and new experimental Navigation and Recipes APIs. However, as this is a beta release, it's recommended to:

1. Test thoroughly in a non-production environment before upgrading production sites.

2. Review deprecated code usage in your custom modules and themes, particularly around jQuery dependencies, AJAX replace method, and Statistics module.

3. Check for compatibility with your contributed modules, especially those that interact with Workspaces, Layout Builder, or file handling.

4. Update to PHP 8.3 if possible, as it's now the recommended PHP version for Drupal 10.3.

5. Test your site's performance after upgrading, as there are significant performance improvements that may affect your site's behavior.

6. Review security changes, particularly around user logout CSRF protection, to ensure your site's security is maintained.

7. Consider waiting for the stable release if you're managing critical production sites, as this beta may still have undiscovered issues.

For most sites, it's advisable to wait for the stable release of Drupal 10.3.0 before upgrading production environments, but testing with this beta release is encouraged to identify any potential issues early.

Bug Fixes

CSRF Protection for User Logout

A critical security fix has been implemented to protect the user logout functionality from Cross-Site Request Forgery (CSRF) attacks, addressing a long-standing issue (#144538).

Image Derivative Generation Fix

Fixed an issue where image derivative generation would fail when using the "Convert" effect with files stored in a private filesystem (#2786735).

Views Query Handling

Fixed incorrect filter group OR behavior where LEFT JOIN was incorrectly changed to INNER JOIN, affecting query results (#1766338).

Media Library Improvements

• Fixed pagination in Media Library widget display when applying filters (#3272629)
• Fixed issues with media mappings source removal (#3271688)

Layout Builder Fixes

• Fixed an issue where custom blocks with Layout Builder enabled were not using the front-end theme (#3423920)
• Fixed Layout Builder overrides on content items not being allowed in workspaces (#3000749)

Workspaces Module Fixes

• Fixed hidden dependency on the path_alias module (#3440000)
• Fixed revision metadata not being updated when a workspace is merged into its parent (#3323317)

Performance Test Fixes

• Fixed failing performance tests in 10.3.x (#3440112)
• Improved OpenTelemetry node page performance test to ensure proper hot cache testing (#3412641)
• Fixed StandardPerformanceTest::testAnonymous to make it easier to pass locally (#3439671)

JavaScript Fixes

• Fixed toolbar.js issue causing "Cannot read properties of null" error (#3409505)
• Fixed dialog.js issues with tabbable elements (#3296098)
• Fixed modal close icon overlapping title text in Claro theme (#3440959)
• Fixed flickering issues with navigation toggle button on page load (#3443866)

Accessibility Fixes

• Fixed color contrast for disabled form labels in Claro theme (#3266299)
• Fixed collapsed nav-tabs status not being exposed to screen readers (#3432632)
• Fixed duplicate announcement of current page in pager for screen readers (#3444512)

Other Fixes

• Fixed strict type errors in various core components
• Fixed issues with tests that relied on UID1's super user behavior
• Fixed handling of compressed ajax_page_state when zlib extension isn't available
• Fixed issues with changing Views display machine names when attachments exist
• Fixed comment form status message showing incorrect text on edit

New Features

Workspaces Module Now Stable

The Workspaces module has been promoted from experimental to stable status. This module provides robust content staging and publishing workflows, allowing content editors to prepare and preview content changes before making them live. Key improvements include:

• Better integration with Layout Builder for content item overrides
• Fixed revision metadata updates when merging workspaces
• Added pagination to the workspace management page
• Improved API for marking forms as workspace-safe
• Added ability to mark Views Bulk Operations (VBO) actions as workspace-safe

New Experimental Navigation Module

A new experimental Navigation module has been added to core, providing an improved navigation experience with:

• Modern, accessible navigation interface
• Mobile-friendly design with improved submenu handling
• Better keyboard navigation support
• Customizable footer region

Recipes API (Experimental)

A new experimental Recipes API has been added to core, providing a standardized way to:

• Define site installation recipes
• Configure sites with predefined settings
• Streamline the site setup process
• Enable more flexible site installation options

Entity Query Alter Hook

A new hook has been added to allow modules to alter entity queries:

hook_entity_query_alter(QueryInterface $query)

This provides developers with more flexibility to modify entity queries before execution.

File Upload Handler Improvements

The file upload handling system has been refactored with:

• New FileUploadHandler class for centralized file upload handling
• Better validation of uploaded files
• Improved integration with REST and JSON:API file uploads

Configuration Validation Constraints

New validation constraints have been added to various configuration schemas:

• Contact settings
• System image settings
• Field UI settings
• Update settings
• And more

CKEditor 5 Improvements

CKEditor 5 has been updated to version 41.3.1 with:

• Support for additional image types (TIFF, SVG) through programmatic opt-in
• Fixed issues with embedded media links
• Improved plugin management using PHP attributes

Security Updates

CSRF Protection for User Logout

A critical security fix has been implemented to protect the user logout functionality from Cross-Site Request Forgery (CSRF) attacks. This addresses a long-standing issue (#144538) that could potentially allow malicious websites to log users out without their consent.

File Upload Security Improvements

The file upload handling system has been improved to ensure that uploaded files are always validated properly:

• \Drupal\file\Upload\FileUploadHandler::handleFileUpload() now always checks that uploaded files are valid (#3437623)
• Better validation of file uploads across REST and JSON:API interfaces

Error Handling Security Improvements

Several improvements to error handling that enhance security:

• NestedArray::setValue() now throws an exception when parents reference a non-array value instead of causing a PHP error (#3427174)
• Improved handling of warnings in various components to use logging instead of triggering PHP warnings
• Better handling of invalid compressed ajax_page_state (#3416700)

Bootstrap Character Encoding

Fixed an issue where the bootstrap process sets C locale but does not set UTF-8 character encoding, which could potentially lead to security issues with character handling (#1561214).

Super User Access Policy

Improved the super user access policy and installer to prevent potential security issues (#3443037). This includes fixes for numerous tests that relied on UID1's super user behavior.

Performance Improvements

Asset Handling Optimizations

Several significant performance improvements have been made to asset handling:

• Optimized AssetResolver caching to reduce redundant calculations of the same set of assets (#3414398, #3443108)
• Improved handling of libraries with aggregate URLs to only send those with the aggregate type included (#3437839)
• Reduced theme registry flushes when uploading files to media library (#3439981)

Context Repository Optimization

Fixed an issue where many redundant calls to ContextRepository::getAvailableContexts() were occurring due to entity upcasting, significantly improving performance in certain scenarios (#3158130).

Query String Compression

Added a check to skip query string compression if the zlib extension isn't available, preventing potential performance issues (#3439647).

Error Handling Improvements

Several improvements to error handling that impact performance:

• Improved handling of cache data in EarlyRenderingControllerWrapperSubscriber to avoid throwing exceptions (#2638686)
• Better handling of invalid compressed ajax_page_state (#3416700)
• Optimized warning handling in various components to use logging instead of triggering PHP warnings

Layout Shift Optimizations

• Fixed layout shift issues in Views UI action buttons (#3441124)
• Fixed layout shift issues with BigPipe injecting Local Actions block in Claro (#3441137)
• Improved Olivero content shift on page load (#3446078)

Test Performance Improvements

• Reduced time of Migrate Upgrade tests by not outputting logs by default (#3442259)
• Implemented failed database statement events in performance test query logging (#3444060)
• Set budgets rather than exact numbers for asset size assertions in tests (#3441844)

Impact Summary

Drupal 10.3.0-beta1 represents a significant step forward for Drupal's content management capabilities with several high-impact changes that benefit different user groups.

The promotion of the Workspaces module to stable status is perhaps the most significant change, providing robust content staging and publishing workflows that will benefit content editors, site builders, and developers. This feature allows for more sophisticated content management processes, particularly for sites with complex editorial workflows.

The introduction of the experimental Navigation module addresses long-standing needs for improved site navigation, offering a modern, accessible, and mobile-friendly navigation experience. While still experimental, this module shows Drupal's commitment to enhancing the user experience.

The new experimental Recipes API lays groundwork for more streamlined site installation and configuration, which will be particularly valuable for developers and site builders working on multiple similar sites.

Security improvements, particularly the CSRF protection for user logout, address important vulnerabilities that have existed for some time. Performance optimizations in asset handling and caching will benefit all sites, especially those with heavy traffic.

For developers, the addition of the EntityQuery alter hook, improved file upload handling, and better TypeScript support enhance the development experience and provide more flexibility.

Accessibility improvements continue Drupal's commitment to inclusivity, with better color contrast, screen reader support, and keyboard navigation.

Overall, this beta release balances new features with important fixes and optimizations, maintaining backward compatibility while moving Drupal forward in key areas of content management, user experience, and developer tooling.