Drupal Release: 11.1.0-beta1

TL;DR

Drupal 11.1.0-beta1 introduces significant enhancements with OOP hooks using PHP attributes, improved performance across multiple areas, and new configuration management capabilities. This release brings major improvements to the Workspaces module, adds a new experimental Package Manager, enhances CKEditor 5, and introduces Navigation improvements. Performance optimizations include faster permission page loading and improved caching mechanisms. The release also includes important security fixes and prepares for PHP 8.4 compatibility.

Highlight of the Release

• Introduction of OOP hooks using PHP attributes and event dispatcher for cleaner, more maintainable code
• New experimental Package Manager module for managing Drupal dependencies
• Significant performance improvements for the permissions page and Workspaces with large content sets
• Enhanced configuration management with new actions for cloning entities and creating entities for every bundle
• Split of Workspaces UI into a separate module for better maintainability
• Improved caching mechanisms including better handling of dynamic page cache
• Updated CKEditor 5 to version 43.1.1 with various improvements
• Better navigation settings organization and logo handling
• Preparation for PHP 8.4 compatibility with various fixes and updates
• Important security fixes including protection against sandbox bypass in Twig

Migration Guide

Return Type Declarations

Drupal 11.1.0-beta1 enforces return types in all new methods and functions. If you're extending core classes or implementing interfaces, ensure your code includes appropriate return type declarations to maintain compatibility.

// Before
public function myMethod() {
  return $result;
}

// After
public function myMethod(): array {
  return $result;
}

OOP Hooks Implementation

With the introduction of OOP hooks using PHP attributes, you may want to update your custom modules to use this new approach:

// Old procedural way
function mymodule_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state, $form_id) {
  // Form alteration code
}

// New OOP way
namespace Drupal\mymodule\Hook;

use Drupal\Core\Form\FormStateInterface;
use Drupal\core\Attribute\Hook;

class FormAlter {
  #[Hook('form_alter')]
  public function alter(array &$form, FormStateInterface $form_state, string $form_id): void {
    // Form alteration code
  }
}

Workspaces UI Module

If you're using the Workspaces functionality, be aware that the UI has been split into a separate module. If you need the UI, make sure to enable the workspaces_ui module:

// Enable both core functionality and UI
\Drupal::service('module_installer')->install(['workspaces', 'workspaces_ui']);

Deprecated Features

Several features have been deprecated in this release:

1. The $variables['view'] for node.html.twig is deprecated. Update your templates to use more specific variables.

2. References to whitelist in code and comments have been removed. Update any custom code that might reference this terminology.

3. The Variable::export() method now exports using short-hand array syntax. If you're parsing this output, ensure your code can handle the new format.

4. ApcClassLoader references should be removed as it was removed in Symfony 4.

5. The string code path for values parameter in BlockContentTestBase::createBlockContentType is deprecated. Use array syntax instead.

Upgrade Recommendations

Recommendation Level

Recommended for development environments, wait for stable release for production

This beta release introduces significant architectural changes and new features that are still being stabilized. While it includes important performance improvements and bug fixes, it's best to test thoroughly in development environments before considering for production use.

Who Should Upgrade Now

• Developers working on modules that need to leverage the new OOP hooks system
• Sites experiencing performance issues with the permissions page or workspaces with large content sets
• Development teams wanting to test and provide feedback on the new Package Manager module
• Anyone interested in contributing to Drupal 11.1's development by testing the beta

Who Should Wait

• Production sites that require stability
• Sites without dedicated development environments for testing
• Organizations with strict change management requirements
• Sites using custom modules that may need updates to work with the new architecture

Testing Recommendations

Before upgrading any environment:

1. Create a complete backup of your site and database
2. Test the upgrade on a clone of your production environment
3. Check for deprecated code usage in your custom modules
4. Verify that all contributed modules are compatible
5. Pay special attention to any custom code that:
   • Implements hooks that are now available as OOP hooks
   • Works with workspaces or content moderation
   • Extends or overrides core form functionality
   • Relies on caching mechanisms that have been improved

Bug Fixes

Workspaces and Content Moderation

• Fixed issue where sub workspaces did not clear properly
• Resolved problem where workspaces with thousands of items couldn't be published
• Fixed issue where content moderation prevented workspace deployment
• Ensured creating a published moderated entity in a workspace doesn't make it published in Live
• Made user login and password reset forms workspace-safe
• Improved performance for path_alias queries in a workspace

Form and UI Issues

• Fixed password_confirm children not picking up #states or #attributes
• Resolved issue where special menu items were rendered as empty links in navigation
• Fixed header always showing in Claro even when regions in it are empty
• Corrected spacing issue between checkbox label and button
• Fixed issue with Drupal\Core\Template\Attribute not supporting adding attributes with array syntax
• Resolved issue with submit button being too wide in Olivero's off-canvas dialog box

Caching and Performance

• Fixed issue where aggregated asset generation caused uncacheable assets
• Resolved problem where cacheability information from route access checker access results were ignored by dynamic_page_cache
• Fixed issue with ResourceObjectNormalizer::getNormalization resulting in max-age drift

Security and Access Control

• Fixed StringFormatter always displaying links to entity even if the user in context does not have access
• Ensured entity link label formatter checks URL access
• Fixed issue where reply link for unpublished comments was visible
• Resolved issue where term view access wasn't checked before trying to redirect after an update

Other Fixes

• Fixed issue with external applications being redirected to frontpage in maintenance mode
• Resolved problem with YAML discovery not taking theme inheritance into account
• Fixed issue with too long breadcrumbs creating scrollbar
• Corrected issue with JS errors from Drupal.behaviors.activeLinks
• Fixed issue with media image thumbnail incorrectly ending up as NULL

New Features

OOP Hooks Using PHP Attributes

Drupal 11.1.0-beta1 introduces a major architectural improvement with Object-Oriented Programming (OOP) hooks using PHP attributes and event dispatcher. This allows for cleaner, more maintainable code by moving away from procedural hook implementations to class-based approaches.

Experimental Package Manager Module

A new experimental Package Manager module has been added at Alpha stability level. This module aims to improve the management of Drupal dependencies and provides a foundation for better package management in Drupal.

Enhanced Configuration Management Actions

Several new configuration actions have been added:

• Clone a config entity
• Create an entity for every bundle of another entity type
• Entity displays cloning with special config action
• Improved toolbar configuration with options to prevent adding duplicate items

Workspaces UI as Separate Module

The Workspaces UI has been split into a separate module, improving maintainability and allowing sites to use the core Workspaces functionality without the UI if desired.

Navigation Improvements

• New NavigationLinkBlock Plugin with Help as a usage example
• More consistent organization of navigation settings
• Better handling of navigation logo dimensions on upload

UUID Tokens for Content Entities

UUID tokens are now exposed for all content entities in Drupal core, making it easier to reference entities consistently across environments.

Security Updates

Twig Security Fix

A critical security fix has been applied to address a possible sandbox bypass vulnerability in Twig versions prior to 3.14.0. This update ensures that the Twig templating engine is protected against potential template injection attacks.

Environment Information Protection

Fixed an issue where maintenance pages were leaking sensitive environment information, which could potentially be used by attackers to gather information about the server environment.

Access Control Improvements

• The StringFormatter now properly respects access controls and doesn't display links to entities when the user doesn't have access
• The entity link label formatter now checks URL access before rendering links
• Reply links for unpublished comments are now hidden from users who shouldn't see them

Security Advisory

The release includes security fixes from SA-CORE-2024-002, addressing important security vulnerabilities in Drupal core.

PHP 8.4 Compatibility

Several updates have been made to ensure compatibility with PHP 8.4, removing usage of deprecated features that could potentially lead to security issues in the future.

Performance Improvements

User Permissions Page

A significant performance improvement has been made to the user.permissions.js script running in /admin/people/permissions. This enhancement greatly reduces the loading time of the permissions page, especially on sites with many roles and permissions.

CKEditor 5 Tests

The overall running time from CKEditor 5 image tests has been shortened, improving the development and testing experience.

Workspaces Performance

Performance has been improved for workspaces with thousands of items, making it possible to publish large workspaces that previously would fail. Additionally, path_alias queries in a workspace have been optimized for better performance.

Caching Improvements

Several caching-related improvements have been implemented:

• Better handling of cacheability information from route access checker access results in dynamic_page_cache
• Form tokens are now rendered lazily, allowing forms to opt in to be cacheable
• Improved X-Drupal-Cache and X-Drupal-Dynamic-Cache headers, even for responses that are not cacheable

Asset Handling

• Ensured consistent ordering when calculating library asset order
• Fixed issue where aggregated asset generation caused uncacheable assets

CI Pipeline Improvements

• Reduced CPU requirements for core GitLab pipelines
• Improved test ordering by accounting for test type, number of methods, and data providers
• Better artifact caching in GitLab CI

Impact Summary

Drupal 11.1.0-beta1 represents a significant step forward in Drupal's evolution with architectural improvements that lay the groundwork for more maintainable and performant code. The introduction of OOP hooks using PHP attributes modernizes Drupal's extension system, making it more aligned with contemporary PHP practices while maintaining backward compatibility.

Performance improvements are a standout feature of this release, particularly the optimization of the permissions page which addresses a long-standing pain point for site administrators managing large sites. Similarly, the enhancements to Workspaces functionality make it more viable for complex content workflows involving large amounts of content.

The experimental Package Manager module, while still at Alpha stability, signals Drupal's commitment to improving dependency management - a critical aspect of modern web development. This, combined with the enhanced configuration management capabilities, gives site builders and developers more powerful tools for managing site architecture.

Security improvements, including protection against Twig sandbox bypass and better access control enforcement, demonstrate Drupal's ongoing commitment to maintaining a secure platform. The preparation for PHP 8.4 compatibility ensures that Drupal remains forward-compatible with evolving PHP standards.

For developers, the enforcement of return types in new methods and functions represents a shift toward more type-safe code, which will improve code quality and reduce runtime errors in the long term. While this may require some adaptation in coding practices, it aligns with the direction of PHP itself.

Overall, this beta release balances innovation with practical improvements, addressing both architectural technical debt and everyday user experience issues. It sets the stage for a more modern, performant, and developer-friendly Drupal 11.1 stable release.