Drupal Release: 10.3.2

TL;DR

Drupal 10.3.2 is a maintenance release that addresses numerous bug fixes, accessibility improvements, and performance optimizations. This update focuses on enhancing developer experience, fixing security issues with cache IDs, improving accessibility for file upload fields, and resolving various UI and backend issues. It's particularly important for sites using REST/JSON:API with content translation, those experiencing layout issues with long strings in Claro theme, or anyone affected by the login authentication changes in previous versions.

Highlight of the Release

• Fixed a security issue with cache IDs where trailing whitespace could lead to cache collisions
• Improved accessibility for file upload fields by adding aria-describedby attributes
• Fixed backward compatibility break in login authentication changes from previous updates
• Resolved issues with REST resources breaking when Content Translation module was installed
• Fixed layout issues in Claro admin theme where long strings would break the layout
• Improved error messages for plugin discovery when using attributes instead of annotations

Migration Guide

No specific migration steps are required for this maintenance release. This is a bugfix release that maintains backward compatibility with Drupal 10.3.1.

However, if you were affected by the backward compatibility break in login authentication changes from issue #3444978 (introduced in a previous version), this release fixes that issue and should resolve any authentication problems you were experiencing.

Upgrade Recommendations

It is recommended to update to Drupal 10.3.2 as soon as possible, especially if you are:

1. Using REST or JSON:API with Content Translation module
2. Experiencing layout issues with long strings in the Claro admin theme
3. Having issues with authentication after a previous update
4. Using file upload fields and need improved accessibility
5. Experiencing cache-related issues, particularly with trailing whitespace in cache IDs

This is a maintenance release containing bug fixes and minor improvements with no known breaking changes. The update process should be straightforward:

1. Back up your database and site files
2. Update Drupal core using Composer: composer update drupal/core-* --with-all-dependencies
3. Run database updates: drush updatedb or visit /update.php
4. Clear caches: drush cache:rebuild or via the admin interface

As always, test the update on a staging environment before applying to production.

Bug Fixes

• Authentication & Security

  • Fixed backward compatibility break in login authentication changes from issue #3444978
  • Ensured trailing whitespace at the end of a cache ID results in a unique cache item, preventing potential cache collisions
  • Fixed conditionally disabled access to update manager routes

• UI & Layout

  • Fixed layout issues in Claro admin theme where long strings would break the layout
  • Resolved spacing issues in the Advanced search section on the Search page
  • Fixed autocomplete input text overflow under magnifier icon
  • Prevented simultaneous open/close on simultaneous click/hover events in menus
  • Fixed Drupal Displace outputting invalid value for --drupal-displace-offset-right when opening top dialog

• API & Integration

  • Fixed JsonApiRequestValidator not setting cacheable metadata when the filter allows the request
  • Resolved issue where installing Content Translation module breaks REST resources
  • Fixed filter placeholders without arguments not being replaced when HTML corrector filter applied afterwards
  • Corrected ExtensionMimeTypeGuesser breaking other mime_type_guesser services

• Core & System

  • Fixed TypeError if config entity dependencies are NULL
  • Corrected access checks for bundle permissions to avoid triggering config validation errors
  • Fixed format=flowed; delsp=yes encoding of email messages
  • Fixed random test failures in EntityReferenceWidgetTest
  • Ensured post transaction callbacks are only executed at the end of the root Drupal transaction
  • Fixed single directory component CSS asset library not being picked up in admin theme immediately after module install

• Documentation & Code Quality

  • Fixed NodeListBuilder using mark theme incorrectly
  • Corrected deprecation message for user_validate_name pointing to an invalid replacement
  • Fixed instances of floats passed to functions expecting integers
  • Made core recipes idempotent
  • Fixed incorrect documentation in DateFormatter::format()
  • Corrected punctuation in the description for \Drupal\Tests\UnitTestCase

New Features

• Added ability for modules and themes to alter the list of layouts through the new hook system
• Created a dedicated category for blocks provided by the Navigation module, improving organization
• Improved developer experience by providing more informative error messages when typed config fails during upgrades
• Enhanced input string error messages in createConnectionOptionsFromUrl() to include the problematic string

Security Updates

• Fixed a security issue with cache IDs where trailing whitespace could lead to cache collisions, potentially allowing unauthorized access to cached data
• Improved security by conditionally disabling access to update manager routes
• Enhanced security by properly filtering module and theme names on output, preventing potential XSS vulnerabilities

Performance Improvements

• Consolidated test methods in StandardPerformanceTest for better efficiency
• Optimized TelephoneFieldTest to improve test execution speed
• Merged test methods in FieldUIRouteTest for better performance
• Consolidated CKEditor5's FunctionalJavascript tests to reduce test execution time
• Consolidated Umami performance tests for improved efficiency
• Merged the build and lint stages in core MR pipelines to speed up CI processes
• Marked more tests with @group #slow and removed it from others to better balance test execution

Impact Summary

Drupal 10.3.2 is a maintenance release that addresses over 60 issues, focusing primarily on bug fixes, accessibility improvements, and performance optimizations. The update resolves several critical issues including a backward compatibility break in login authentication, problems with REST resources when using Content Translation, and security concerns with cache IDs.

For site administrators, this release fixes layout issues in the Claro admin theme and improves the search page interface. Developers will benefit from better error messages for typed config failures and database connection string parsing. Content editors will see improvements in the autocomplete interface and file upload accessibility.

The release also includes important performance optimizations for test execution and CI processes, which will benefit contributors and those running automated tests. Security is enhanced through proper filtering of module and theme names on output and fixes for cache ID handling.

No breaking changes are introduced in this release, making it a recommended update for all Drupal 10.3.x sites. The fixes for REST/JSON:API with Content Translation are particularly important for sites using these features.