Drupal Release: 10.5.0-beta1

TL;DR

Drupal 10.5.0-beta1 introduces significant improvements to performance, security, and user experience. This release includes multiple security fixes, PHP 8.4 compatibility updates, and enhancements to core functionality like the Media Library, Layout Builder, and Workspaces. It also addresses numerous bugs and improves accessibility. This beta release is an important step toward Drupal 10.5.0 stable and is recommended for testing environments to prepare for the upcoming stable release.

Highlight of the Release

• Multiple security fixes addressing critical vulnerabilities (SA-CORE-2024-003 through SA-CORE-2025-004)
• PHP 8.4 compatibility improvements to ensure future compatibility
• Performance optimizations for Twig templates and caching systems
• Enhanced Media Library functionality and fixes for content management
• Improved Workspaces module for better content moderation workflows
• Accessibility improvements including better ARIA attribute handling
• Fixed issues with Layout Builder to improve content editing experience
• Enhanced error handling and user feedback throughout the system

Migration Guide

Upgrading to Drupal 10.5.0-beta1

Before Upgrading

1. Create a complete backup of your site's files and database.
2. Update to the latest version of your current Drupal release (e.g., 10.4.x) before attempting to update to 10.5.0-beta1.
3. Test the update on a staging environment before applying to production.

Potential Breaking Changes

YAML Parser Class Setting

The yaml_parser_class setting was deprecated in Drupal 10.3, but a regression was fixed in this release that affected sites < 11.0. If you were experiencing issues with this setting, this release should resolve them.

Entity Display Changes

The createCopy action was removed from EntityDisplayBase, and cloneAs is now compatible with wildcards. If your custom code uses these methods, you may need to update it.

PHP 8.4 Compatibility

If you're planning to use PHP 8.4, be aware that several fixes have been made to ensure compatibility. Review your custom code for any similar issues that might need addressing.

Post-Update Steps

1. Clear caches after updating: drush cr or through the admin interface.
2. Run database updates: drush updb or visit /update.php.
3. Check for any deprecation notices in your logs that might indicate needed updates to custom code.
4. Test thoroughly all site functionality, especially if you use Layout Builder, Media Library, or Workspaces.

Upgrade Recommendations

For Development and Testing Environments

We strongly recommend upgrading development and testing environments to Drupal 10.5.0-beta1 to help identify any potential issues before the stable release. This beta release contains important security fixes and performance improvements that benefit all Drupal sites.

For Production Environments

For production sites, we recommend waiting for the stable 10.5.0 release unless you are experiencing specific issues that are fixed in this beta. If you must upgrade a production site to this beta release, ensure you have:

• A complete backup of your site
• Thoroughly tested the upgrade in a staging environment
• Allocated time to address any potential issues

Dependency Updates

This release includes updates to several dependencies, including Twig, CKEditor 5, and various JavaScript libraries. If you have custom code that interacts with these libraries, test thoroughly after upgrading.

Security Considerations

If you are concerned about the security issues fixed in this release, consider applying the security patches to your current version instead of upgrading to the beta, or wait for the stable 10.5.0 release which will include all these security fixes.

Bug Fixes

Media Library Fixes

• Fixed issue where Firefox retains form_build_id on form reloads, causing old form cache entries to be used
• Fixed Media Library currentSelection not being reset properly
• Fixed styling issues with Media Library items when contextual module is not present

Layout Builder Improvements

• Fixed issue where removing a field from Layout Builder content type incorrectly edits associated roles
• Fixed block visibility settings having duplicated summary in the title
• Fixed issue with the PlaceBlock config action when placing a block in an empty region

Form and User Management Fixes

• Fixed password and confirm password fields not being properly marked as mandatory when setting up passwords using one-time links
• Fixed incorrect message displayed after resetting password
• Fixed logout confirmation form showing inappropriate confirmation description
• Fixed issue with user permissions cache context leading to poisoned cache returns for user 1

Caching and Performance Issues

• Fixed issue with invalid items being written to FastBackend in ChainedFast
• Fixed BreadcrumbManager ignoring cacheability when no builders apply
• Fixed issue with variation cache detecting incompatible CacheRedirect
• Fixed Menu APIs providing invalid CSRF tokens

Views and Filters

• Fixed pager not working correctly in AJAX view with exposed filters
• Fixed Views exposed filter reset creating session for anonymous users
• Fixed Views StringFilter not escaping % character
• Fixed decimal separator and decimals settings being ignored when aggregating decimal fields

Other Critical Fixes

• Fixed issue where RssResponseCdata was filtering out common HTML tags from RSS feeds
• Fixed FileSystem::deleteRecursive() following symlinks and removing files outside the target directory
• Fixed issue with aggregate entity queries missing alter hooks
• Fixed handling of unknown file extensions in FileMediaFormatterBase

New Features

PHP 8.4 Compatibility

Multiple updates have been made to ensure compatibility with PHP 8.4, including:

• Fixed usage of str_getcsv() and fgetcsv() functions
• Fixed closures in tests
• Fixed handling of E_USER_ERROR in trigger_error()
• Updated dependencies to support PHP 8.4

Improved Navigation

• Added ability for modules to hook into the top of content section in the new core navigation
• Fixed issues with the navigation top bar hiding entity local tasks

Enhanced Workspaces Module

• Fixed issue where creating a published moderated entity in a workspace would incorrectly make it published in Live
• Improved exception messages for unsupported entity types in a workspace
• Fixed Media Library form submission in non-default workspaces

Form Enhancements

• Added support for #type 'button' elements that aren't form submits
• Improved handling of password and confirm password fields when setting up passwords using one-time links

Security Updates

Security Advisories

This release includes fixes for multiple security advisories:

• SA-CORE-2024-003: Fixed by jrb, larowlan, catch, mingsong, poker10, longwave, benjifisher
• SA-CORE-2024-004: Fixed by zengenuity, cilefen, kristiaanvandeneynde, mcdruid, larowlan
• SA-CORE-2024-006: Fixed by mcdruid, larowlan
• SA-CORE-2024-007: Fixed by mcdruid, larowlan
• SA-CORE-2024-008: Fixed by mcdruid, fabianx, poker10, larowlan, longwave, alexpott
• SA-CORE-2025-001: Fixed by larsdesigns, bdanin, nuwans, dgroene, arkepp, juanramonperez, svendecabooter, wgunn_e, mcdruid, catch
• SA-CORE-2025-002: Fixed by jeff cardwell, benjifisher, poker10, mingsong
• SA-CORE-2025-003: Fixed by shin24, anzuukino, mcdruid, nicxvan, ghost of drupal past, longwave
• SA-CORE-2025-004: Fixed by samuel.mortenson, xjm, larowlan, pandaski, effulgentsia, jenlampton, mcdruid, longwave, benjifisher, bramdriesen, phenaproxima

Other Security Improvements

• Updated Twig for CVE-2025-24374
• Removed srcdoc attributes in Xss::filter()
• Fixed FileSystem::deleteRecursive() to prevent it from following symlinks and removing files outside the target directory
• Fixed Menu APIs to provide valid CSRF tokens
• Improved handling of user permissions to prevent unauthorized access
• Enhanced validation for file uploads when checking size limits

Performance Improvements

Twig Performance Optimization

• Fixed performance degradation after update to Twig 3.14.2
• Updated to Twig 3.15.0 with performance improvements

Caching Enhancements

• Improved caching behavior with ChainedFast backend to ensure invalid items are not written to cache
• Enhanced BreadcrumbManager to properly consider cacheability when no builders apply
• Fixed issue with UserRolesCacheContext that could lead to poisoned cache returns for user 1
• Added interface to allow access policies to opt out of caching for better performance control

Request Handling Optimization

• Fixed DefaultExceptionHtmlSubscriber to avoid cloning the request for 400/BadRequestException
• Improved handling of batch operations to avoid registering multiple batch sets

Static Caching

• Added static caching for recipe objects in RecipeConfigurator::getIncludedRecipe() to avoid performance problems
• Improved entity handling with better caching of entity references

Impact Summary

Drupal 10.5.0-beta1 represents a significant step forward in Drupal's evolution, focusing on security, performance, and user experience improvements. This release addresses multiple critical security vulnerabilities through nine security advisories, making it an important update for security-conscious sites.

Performance has been enhanced through optimizations to Twig template rendering, caching systems, and request handling. These improvements should result in faster page loads and better overall site performance, particularly for complex sites with heavy traffic.

For developers, the addition of PHP 8.4 compatibility ensures that Drupal remains future-proof as PHP continues to evolve. The improved error handling and exception management provide better debugging capabilities and more robust code.

Content editors will benefit from numerous fixes to the Media Library and Layout Builder, making content creation and management more reliable and intuitive. The enhanced Workspaces module functionality improves content moderation workflows, particularly for sites that manage content staging and publishing processes.

Accessibility improvements, including better ARIA attribute handling and focus management, ensure that Drupal continues to be inclusive and compliant with accessibility standards.

The numerous bug fixes across core systems like Views, forms, and entity handling address long-standing issues that have affected users across different versions of Drupal. These fixes contribute to a more stable and reliable platform for all users.

Overall, Drupal 10.5.0-beta1 demonstrates the Drupal community's commitment to security, performance, and user experience, setting the stage for a robust stable release in the near future.