Drupal Release: 11.0.0-alpha1
Pre Release
Tag Name: 11.0.0-alpha1
Release Date: 5/3/2024
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 11.0.0-alpha1 marks the first alpha release of Drupal 11, introducing significant architectural changes and modernization efforts. This release removes several deprecated modules (Book, Forum, Tour, Tracker, Action UI), improves performance through optimized asset handling and caching, enhances security with CSRF protection for user logout, and introduces the experimental Navigation module. The release also includes major code cleanup by removing deprecated code paths, adopting PHP 8 features like attributes for plugin discovery, and updating to jQuery 4.0.x beta and Twig 3.9. Workspaces module has been promoted to stable status, while Statistics module has been deprecated for future removal.
Highlights of the Release
- Removal of several core modules: Book, Forum, Tour, Tracker, and Action UI
- Promotion of Workspaces module to stable status
- Introduction of experimental Navigation module
- Major code cleanup with removal of deprecated APIs and BC layers
- Security enhancement with CSRF protection for user logout
- Performance improvements in asset handling and caching
- Adoption of PHP attributes for plugin discovery
- Update to jQuery 4.0.x beta and Twig 3.9
Migration Guide
Removed Modules
The following modules have been removed from core in Drupal 11:
- Book module
- Forum module
- Tour module
- Tracker module
- Action UI module
If your site relies on these modules, you should:
- Before upgrading to Drupal 11, migrate to the contributed versions of these modules
- For Book and Forum, consider alternative content structuring approaches or contributed modules
- For Tour, explore alternative onboarding solutions
Deprecated Modules
The Statistics module has been deprecated and will be removed in a future version. Plan to migrate to alternative analytics solutions.
Code Changes
If your custom or contributed modules use any of the following, they will need updates:
- Deprecated code in entity system, render system, field module, and many other core components
- jQuery's tabbable.js (removed)
- shepherd.js (deprecated and removed)
- state_cache setting (removed)
Plugin Discovery Changes
Field Type and Layout plugins now use PHP attributes instead of annotations. If you have custom plugins, update them to use the new attribute-based discovery system.
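One way to check a custom code base against the lists above before testing on Drupal 11, as an added example that is not part of the release notes or Drupal's own tooling. The module machine names (`book`, `forum`, `tour`, `tracker`, `action`, `statistics`) and the regular expressions are assumptions derived from the names on this page, and the sample files are constructed.

```python
import re
from pathlib import Path

# Assumed machine names for the modules the page lists by display name.
REMOVED = {"book", "forum", "tour", "tracker", "action"}
DEPRECATED = {"statistics"}
# Heuristic patterns for the "Code Changes" and "Plugin Discovery Changes" items.
CODE_CHECKS = [
    ((".php",), re.compile(r"\$settings\[['\"]state_cache['\"]\]"), "state_cache setting was removed"),
    ((".php",), re.compile(r"^\s*\*\s*@(?:FieldType|Layout)\s*\("), "annotation plugin: convert to a PHP attribute"),
    ((".js", ".yml"), re.compile(r"tabbable|shepherd", re.I), "references tabbable.js/shepherd.js (removed)"),
]
DEP_ITEM = re.compile(r"^\s+-\s*['\"]?(?:(\w+):)?(\w+)")

def audit_files(files):
    """files: {relative path: text}. Returns sorted (path, line_no, message) tuples."""
    findings = []
    for path, text in files.items():
        in_deps = False
        for no, line in enumerate(text.splitlines(), 1):
            if path.endswith(".info.yml") and line.strip():
                if not line.startswith((" ", "\t")):
                    in_deps = line.startswith("dependencies:")
                elif in_deps and (m := DEP_ITEM.match(line)):
                    project, module = m.groups()
                    kind = "removed" if module in REMOVED else "deprecated" if module in DEPRECATED else None
                    # Only core's copy is affected; "book:book" would be the contributed module.
                    if kind and project in (None, "drupal"):
                        findings.append((path, no, f"depends on {kind} core module '{module}'"))
            for suffixes, pattern, message in CODE_CHECKS:
                if path.endswith(suffixes) and pattern.search(line):
                    findings.append((path, no, message))
    return sorted(findings)

def audit_tree(root):
    """Read the .php, .js and .yml files under root and audit them."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.is_file() and p.suffix in {".php", ".js", ".yml"}}
    return audit_files(files)

# Constructed sample input: a custom module and a settings file.
SAMPLE = {
    "my_module/my_module.info.yml": "name: My module\ntype: module\ncore_version_requirement: ^10\n"
                                    "dependencies:\n  - drupal:node\n  - drupal:book\n  - statistics\n  - tour:tour\n",
    "my_module/src/Plugin/Field/FieldType/Color.php": '<?php\n/**\n * @FieldType(\n *   id = "color",\n * )\n */\nclass Color {}\n',
    "settings.php": "<?php\n$settings['state_cache'] = TRUE;\n",
}

if __name__ == "__main__":
    for finding in audit_files(SAMPLE):
        print(*finding, sep=": ")
```

Run `audit_tree()` on the directory that holds your custom modules and themes; a clean report only means none of these patterns matched, not that the code is Drupal 11 compatible.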
jQuery and JavaScript Updates
- Updated to jQuery 4.0.x beta
- Many jQuery methods have been replaced with vanilla JavaScript
- Review custom JavaScript for compatibility
Configuration Schema Updates
Several configuration schemas now have validation constraints added. Ensure your module's configuration follows the schema definitions for:
- system.image and system.image.gd
- system.date
- system.advisories
- field_ui.settings
- update.settings
Upgrade Recommendations
Recommendation Level: Experimental
This is an alpha release and is not recommended for production sites. It's intended for developers and site builders who want to test and provide feedback on Drupal 11's new features and changes.
Who Should Upgrade:
- Developers working on ensuring module compatibility with Drupal 11
- Module maintainers preparing their modules for Drupal 11
- Testing environments where you can evaluate the impact of removed modules and API changes
- Early adopters who want to explore new features and provide feedback
Who Should Wait:
- Production sites should continue using Drupal 10.x until at least the beta or RC phase
- Sites using removed modules (Book, Forum, Tour, Tracker, Action UI) should wait until they have a migration plan
- Sites with custom code that may rely on deprecated APIs
Preparation Steps:
- Set up a separate development environment for testing
- Review the list of removed modules and plan alternatives if needed
- Update custom code to use current APIs and remove usage of deprecated code
- Test thoroughly with your specific site configuration and modules
Bug Fixes
CSRF Protection for User Logout
Fixed a long-standing security issue where user logout was vulnerable to CSRF attacks.
Menu Link Visibility
Fixed an issue where newly added menu links were invisible until published.
CKEditor 5 Link Handling
Fixed an issue where setting an empty URL when making embedded media a link in CKEditor 5 caused JavaScript errors.
Views Filter Group Behavior
Fixed filter group OR behavior where LEFT JOIN was incorrectly changed to INNER JOIN.
Toolbar JavaScript Error
Fixed a regression causing "Uncaught TypeError: Cannot read properties of null (reading 'style')" in toolbar.js.
Comment Edit Status Message
Fixed the status message on comment edit, which incorrectly stated "Your comment has been posted."
Layout Builder with Custom Blocks
Fixed an issue where custom blocks with Layout Builder enabled no longer used the front-end theme.
Asset Loading Issues
Fixed 404 errors for throbber-active.gif and loading-small.gif assets.
Navigation Menu Accessibility
Fixed several accessibility issues in the new Navigation module, including:
- Font preloading when navigation bar is not loaded
- Submenu title text color contrast
- Toggle button flickering on page load
New Features
New Experimental Navigation Module
A new experimental Navigation module has been added to core, providing an improved navigation experience with modern interaction patterns.
EntityQuery Alter Hook
A new hook hook_entity_query_alter() has been added, allowing modules to modify entity queries before execution, providing more flexibility for query manipulation.
Workspace Improvements
- Workspaces module has been promoted to stable status
- New API for marking forms and actions as workspace-safe
- Improved workspace switcher in toolbar
- Added pagination to the workspace manage page
Media Enhancements
Sites can now programmatically opt in to accept more image type uploads in CKEditor 5, including TIFF and SVG formats.
Comment Form Placement
A new setting has been added to move the comment form after comments, providing more flexibility in comment display.
Form Mode Alter Hook
Added a new hook_ENTITY_TYPE_form_mode_alter() hook to allow modules to alter form mode settings for specific entity types.
Security Updates
CSRF Protection for User Logout
Fixed a critical security vulnerability (Issue #144538) where user logout was vulnerable to Cross-Site Request Forgery (CSRF) attacks. This issue had been open for a long time and has now been properly addressed.
Improved Error Handling
- More graceful handling of invalid compressed ajax_page_state to prevent potential security issues
- Better error handling when NestedArray::setValue() is called with parents referencing a non-array value
Performance Improvements
Asset Handling Optimization
- Optimized AssetResolver caching to reduce redundant asset calculations
- Only sending libraries with aggregate URLs that have the aggregate type included
- Improved handling of compressed ajax_page_state
Layout Shift Reduction
- Fixed layout shift issues in Views UI action buttons
- Improved BigPipe rendering to prevent layout shifts with Local Actions block
Database Performance
- Added support for failed database statement events in performance test query logging
- Optimized context repository to reduce repeated calls to getAvailableContexts()
Reduced Test Execution Time
Reduced time of Migrate Upgrade tests by not outputting logs by default
Impact Summary
Drupal 11.0.0-alpha1 represents a significant step forward in Drupal's evolution, focusing on modernization, performance, and code quality. The removal of several core modules (Book, Forum, Tour, Tracker, Action UI) marks a shift toward a more streamlined core, with these functionalities moving to contributed modules. This approach allows core to focus on essential features while enabling more specialized functionality to evolve independently.
The promotion of Workspaces to stable status enhances content staging capabilities, providing a more reliable way to prepare and review content changes before publishing. This is particularly valuable for organizations with complex editorial workflows.
Performance improvements through optimized asset handling and caching will benefit all Drupal sites, especially those with high traffic. The security enhancement addressing the long-standing CSRF vulnerability in user logout operations strengthens Drupal's security posture.
For developers, the adoption of PHP attributes for plugin discovery and the removal of deprecated code paths represent a modernization of Drupal's codebase, embracing newer PHP features and reducing technical debt. The update to jQuery 4.0.x beta and Twig 3.9 keeps Drupal current with its dependencies.
The new experimental Navigation module introduces a modern navigation experience, potentially improving site usability once it reaches stability. This alpha release sets the foundation for Drupal 11's focus on performance, security, and developer experience, while streamlining core functionality.
Statistics:
Users Affected:
- Several modules have been removed from core (Book, Forum, Tour, Tracker, Action UI), requiring migration to contributed modules if functionality is needed
- Workspaces module is now stable, providing more reliable content staging capabilities
- New experimental Navigation module offers improved navigation experience
- Enhanced security with CSRF protection for user logout operations
