Drupal Release: 10.4.6

TL;DR

Drupal 10.4.6 is a security and bug fix release addressing critical security vulnerabilities and several important bugs. This maintenance release includes fixes for PostgreSQL table renaming, user permissions handling, rendering issues, and various view-related bugs. The security update (SA-CORE-2025-004) is particularly important, making this an essential upgrade for all Drupal 10 sites.

Highlight of the Release

• Critical security update (SA-CORE-2025-004)
• Fixed PostgreSQL table renaming with multiple indexes
• Fixed user permissions form handling
• Improved AJAX view pager functionality with exposed filters
• Fixed decimal handling in aggregated views

Migration Guide

No migration steps are required for this update. This is a standard security and bug fix release that can be applied following the normal Drupal update procedures:

1. Back up your database and site files
2. Put your site into maintenance mode
3. Update Drupal core files
4. Run the database update script
5. Take your site out of maintenance mode

For detailed instructions, refer to the Drupal update documentation.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes (SA-CORE-2025-004) and important bug fixes. All Drupal 10.4.x sites should be updated immediately to version 10.4.6 to ensure site security and stability.

For sites still on earlier versions of Drupal 10, consider updating to the latest version in your branch, as similar security fixes may be available for your version.

Bug Fixes

PostgreSQL Table Renaming Fix

Fixed an issue where renaming a table containing "drupal_" in the name with multiple indexes would fail on PostgreSQL (Issue #3494471).

User Permissions Form Fix

Resolved an issue where UserPermissionsForm was incorrectly using overridden permissions (Issue #3196245).

Renderer Context Error Fix

Fixed a TypeError that occurred in Renderer::getCurrentRenderContext() when there was no current request (Issue #3497935).

Random Test Failure Fix

Addressed a random test failure in FilterEntityReferenceTest (Issue #3502658).

AJAX View Pager Fix

Fixed an issue where pagers were not working correctly in AJAX views with exposed filters (Issue #3323574).

Decimal Field Aggregation Fix

Resolved a bug where decimal separator and decimals settings were being ignored when aggregating decimal fields (Issue #2735997).

Image Item Display Settings Fix

Fixed ImageItem::defaultStorageSettings() to properly override display_default (Issue #3513317).

Terminology Update

Updated MAINTAINERS.txt to use Drupal Core Leadership terminology (Issue #3508649).

New Features

No significant new features were added in this maintenance release. Drupal 10.4.6 focuses on security fixes and bug corrections to improve stability and reliability.

Security Updates

This release includes a critical security update identified as SA-CORE-2025-004. While specific details about the vulnerability are not provided in the commit messages (as is standard practice for security fixes), this update addresses important security concerns and all site administrators should update immediately to protect their sites.

Performance Improvements

No specific performance improvements were included in this release. The focus was on security fixes and bug corrections.

Impact Summary

Drupal 10.4.6 is primarily a security and bug fix release that addresses critical security vulnerabilities and several important bugs affecting database operations, user permissions, rendering, and views functionality.

The security update (SA-CORE-2025-004) is the most significant component of this release and requires immediate attention from all site administrators.

The bug fixes address issues that could impact site stability and functionality, particularly for sites using PostgreSQL databases, complex permission configurations, or advanced views with AJAX and decimal field aggregation.

This release maintains compatibility with existing Drupal 10.4.x installations and requires no special migration steps beyond the standard update procedure.