Drupal Release: 8.2.4

TL;DR

Drupal 8.2.4 is a maintenance and security release that addresses multiple bugs and includes several security fixes. This release focuses on improving migration functionality, fixing issues with Views, enhancing REST API capabilities, and addressing various UI and performance problems. It's particularly important for sites using content migration tools, multilingual features, or REST services. Site administrators should update to this version to ensure security and stability of their Drupal 8 installations.

Highlight of the Release

• Security improvements including timing attack safe string comparison for CSRF tokens
• Enhanced migration functionality for Drupal 6/7 to Drupal 8 upgrades
• Fixed REST API issues and improved test coverage
• Improved multilingual support and language negotiation
• Better handling of Views with aggregation and argument validation

Migration Guide

Migration from Previous Versions

This is a maintenance release with bug fixes and minor improvements. No specific migration steps are required when updating from Drupal 8.2.3 to 8.2.4.

For sites upgrading from Drupal 6 or 7 to Drupal 8, this release includes several improvements to the migration system:

1. Enhanced support for migrating language negotiation settings
2. Fixed migration of menu links with option parameters
3. Added migration path for entity reference fields from Drupal 7
4. Fixed scalar to array migration that was returning NULL
5. Improved handling of field formatters with names different than their field type

If you're using the Migrate module for upgrading from earlier Drupal versions, these improvements should make your migration process more reliable.

Upgrade Recommendations

This release contains important bug fixes and security improvements. All site owners running Drupal 8.2.x should upgrade to this version as soon as possible.

The update process is straightforward:

1. Back up your site's files and database
2. Put your site into maintenance mode
3. Update Drupal core using Composer, Drush, or by manually replacing files
4. Run the database update script by visiting /update.php or using Drush
5. Take your site out of maintenance mode

No special considerations are needed for this update as it contains only bug fixes and minor improvements without API changes or database schema modifications that would require additional steps.

For detailed instructions, refer to the Drupal 8 update documentation.

Bug Fixes

Views Module Fixes

• Fixed Views field token replacement patterns not showing in area handlers admin form
• Fixed issue with HTML being escaped when aggregation is enabled
• Fixed incorrect permission check in Views node access filter
• Fixed click sorting on EntityOperations field that was causing exceptions
• Fixed issue with adding filter groups to Views
• Fixed argument validations not setting block titles correctly

Entity and Form Handling

• Fixed EntityAutocomplete form element validation being too strict
• Fixed boolean fields with #access FALSE causing EntityStorageException
• Fixed issue with draggable list builders not having pagers
• Fixed SystemMainBlock to prevent fatal errors when setMainContent method is not called
• Fixed moderation_state field incorrectly reporting being read-only
• Fixed issue with non-translatable entity types throwing exceptions during moderation

UI and Accessibility Issues

• Fixed "offcanvas-lining" div inappropriately covering whole page
• Fixed toolbar items not closing when going into edit mode
• Fixed display of resize icon for CKEditor on Seven theme
• Improved IME (Input Method Editor) handling on autocomplete fields
• Fixed Outside In motion selectors that were not scoped down enough

Multilingual and Translation

• Fixed language from URL negotiator not adding request query to language switcher links
• Fixed content_translation_source not being migrated when migrating node translations
• Added support for Uyghur language name in Cyrillic alphabet

Other Fixes

• Fixed incomprehensible validation message when anonymous users try to submit comments with existing usernames
• Fixed services.yml and settings.local.php not being included if settings.php is a symlink
• Fixed DiffFormatter component class having leak from core class
• Fixed template_preprocess_responsive_image() doing unnecessary IO operations
• Fixed HtmlResponseAttachmentsProcessor producing invalid HTTP Link headers

New Features

Enhanced Migration Tools

• Added documentation describing migration plugins and their relationship to source, process, and destination plugins
• Improved migration of language negotiation settings from Drupal 6 and 7
• Added migration path for entity reference fields from Drupal 7
• Fixed migration of menu links with option parameters
• Enhanced handling of CCK field data in migrations

REST API Improvements

• Fixed REST module to allow HTTP methods beyond GET/PATCH/POST/DELETE (such as OPTIONS and PUT)
• Added comprehensive test coverage for EntityResource across entity types, formats, and methods
• Fixed issue with cookie authentication for the user.login.http route

Developer Experience Enhancements

• Added http.response.debug_cacheability_headers: true to development.services.yml
• Improved documentation for JavaScript tests and browser tests in core.api.php
• Added DependencySerializationTrait to ContextDefinition

Security Updates

Security Improvements

• Updated CsrfTokenGenerator to use timing attack safe string comparison, protecting against timing-based attacks on CSRF tokens
• Updated random_compat library to the latest version in composer.json, improving random number generation security
• Fixed cookie authentication issue where the user.login.http route wasn't supporting certain formats depending on module order
• Improved validation and error handling in various components to prevent potential security issues

Performance Improvements

Performance Optimizations

• Fixed template_preprocess_responsive_image() doing unnecessary IO by avoiding creation of Image objects when not needed
• Improved entity handling to prevent unnecessary processing
• Fixed HtmlResponseAttachmentsProcessor::processHtmlHeadLink to produce valid HTTP Link headers, improving HTTP response efficiency
• Optimized dropbutton rendering to prevent value of last_render_text leaking into the next Dropbutton
• Improved caching and rendering of entity view builders by fixing issues with non-existing #theme hooks

Impact Summary

Drupal 8.2.4 is a maintenance release that addresses numerous bugs and includes several security improvements. The release significantly enhances the migration system for sites upgrading from Drupal 6 or 7, fixes multiple issues in the Views module, improves REST API functionality, and addresses various UI and performance problems.

Key improvements include security enhancements like timing attack safe string comparison for CSRF tokens, fixes for language negotiation in multilingual sites, better handling of entity references and form elements, and improved test coverage for REST resources.

For developers, the release provides better documentation, fixes for entity handling, and improvements to JavaScript testing. Content editors will benefit from fixes to the CKEditor, better error messages, and improved handling of Views token replacement patterns.

This release is particularly important for sites using content migration tools, multilingual features, or REST services. While it doesn't introduce major new features, the numerous bug fixes and security improvements make it a recommended update for all Drupal 8.2.x sites.