Drupal Release: 11.1.2

TL;DR

Drupal 11.1.2: Bug Fix and Performance Release

This minor release addresses several critical bugs and performance issues in Drupal 11. Key improvements include fixes for cache handling, entity access control, navigation rendering, and security-related updates. The release focuses on enhancing stability and performance, particularly for the new core navigation system introduced in Drupal 11. This update is recommended for all Drupal 11 sites to ensure proper functionality and security.

Highlight of the Release

• Fixed critical cache poisoning issue affecting user role permissions
• Improved performance for the core navigation system with render caching
• Fixed entity access control handler to prevent false positive cache hits
• Updated Twig to address security vulnerability CVE-2025-24374
• Fixed Firefox-specific issue with media library widget form handling

Migration Guide

This is a minor update that focuses on bug fixes and performance improvements. No specific migration steps are required when updating from Drupal 11.1.1 to 11.1.2.

However, if you have custom code that:

1. Extends the navigation system: Review the changes to navigation rendering and caching to ensure compatibility.
2. Uses entity access control handlers: Check for any code that might have been relying on the previous behavior of EntityAccessControlHandler::createAccess().
3. Works with recipes: Be aware of the new support for array keys in recipe input values.
4. Implements custom media formatters: Review the changes to FileMediaFormatterBase for handling unknown file extensions.

As always, it's recommended to test the update thoroughly in a development environment before applying it to production sites.

Upgrade Recommendations

Priority: Medium-High

This release contains important bug fixes and performance improvements that enhance the stability and security of Drupal 11. The update is particularly important for sites that:

• Use the new core navigation system
• Have complex user permission requirements
• Use paragraphs with nested structures
• Implement media libraries, especially on sites accessed with Firefox
• Run on Windows/XAMPP environments with SDC components

We recommend updating to Drupal 11.1.2 at your earliest convenience, especially if you're experiencing any of the issues addressed in this release. As this is a minor update, the risk of regressions is low, but standard testing procedures should still be followed.

Bug Fixes

• Nested Paragraphs Ordering: Fixed issue where nested paragraphs with the same field name were ordered incorrectly.
• User Permissions: Fixed RuntimeException that occurred when adding non-existent permissions to a role.
• Cache Context: Resolved critical issue with UserRolesCacheContext that could lead to poisoned cache returns for user 1 (admin).
• Media Handling: Improved handling of unknown file extensions in FileMediaFormatterBase.
• Entity Duplication: Fixed ContentEntityBase::createDuplicate() to properly reset default revision flag.
• JavaScript Dependencies: Fixed tabledrag library that was depending on non-existent libraries.
• Entity References: Fixed issue where referring to the same entity multiple times would break _referringItem.
• Form Handling: Fixed Firefox-specific issue where the browser retains form_build_id on form reloads, causing old form cache entries to be used in the Media Library widget.
• Navigation Display: Fixed issue where Help link always appeared in navigation regardless of configuration.
• Path Aliases: Fixed issue where updating path alias language in workspace did not work correctly.
• Component Validation: Updated ComponentValidator to always include the component ID.
• Windows Compatibility: Fixed issue where SDC components CSS & JS generated wrong URLs in Windows/XAMPP environments.
• Navigation JS: Fixed error when navigation JavaScript was loaded for anonymous users.
• Test Failures: Fixed random test failure in CommentPreviewTest::testCommentPreview.
• Unicode Support: Fixed issue where run-tests.sh could not handle unicode in PHPUnit output.

New Features

• Navigation Extensibility: Added ability for modules to hook into the top of content section of the new core navigation system, allowing for better customization and extension of the navigation experience.
• Recipe Enhancements: Added support for recipe input values in array keys, making recipes more flexible and powerful.
• Navigation Performance: Added headroom to the navigation performance test to ensure better reliability and performance benchmarking.

Security Updates

• Twig Update: Updated Twig to address security vulnerability CVE-2025-24374.
• CSRF Protection: Fixed Menu APIs that were providing invalid CSRF tokens, ensuring proper security for menu operations.
• User Roles Cache: Fixed critical issue with UserRolesCacheContext that could lead to poisoned cache returns for user 1 (admin), which had potential security implications.

Performance Improvements

• Navigation Rendering: Added render caching for the navigation render array, significantly improving performance of the new core navigation system.
• Entity Access Control: Fixed EntityAccessControlHandler::createAccess() to prevent false positive cache hits by properly considering context, improving both performance and correctness of access checks.
• Cache Handling: Improved warning messages when variation cache detects an incompatible CacheRedirect, helping to identify and resolve performance issues more quickly.

Impact Summary

Drupal 11.1.2 is a maintenance release that addresses several important bugs and performance issues. The most significant fixes relate to cache handling, particularly the UserRolesCacheContext issue that could affect admin users, and improvements to the new core navigation system introduced in Drupal 11.

The release enhances stability for core features like paragraphs, media handling, and entity access control. It also improves performance through better caching strategies, particularly for navigation rendering. Security is strengthened with an update to Twig addressing CVE-2025-24374 and fixes for CSRF token generation.

For developers, the release provides better extensibility for the navigation system and improvements to recipes. Content editors will benefit from fixes to the media library widget and path alias handling in workspaces.

Overall, this release represents an important step in stabilizing and optimizing Drupal 11's new features while addressing security concerns. The changes are focused on bug fixes rather than new functionality, making it a recommended update for all Drupal 11 sites.