Drupal Release: 8.6.11

TL;DR

Drupal 8.6.11 is a maintenance and security release that addresses multiple bugs and accessibility issues across the platform. This update focuses on fixing critical issues in Layout Builder, file handling, migration tools, and the Umami demo theme. Key improvements include preventing potential data loss during updates, fixing accessibility problems in the UI, and resolving issues with file uploads and handling. This release is important for maintaining site stability and security, particularly for sites using Layout Builder or file uploads.

Highlight of the Release

• Fixed critical issue that could cause data loss when updating to 8.6.8/8.6.9 with Drush 8
• Improved Layout Builder security by preventing users from seeing entities they don't have access to
• Enhanced accessibility in the Umami demo theme and form elements
• Fixed file upload handling to preserve correct filenames
• Resolved performance issues with Layout Builder block plugin filtering

Migration Guide

No specific migration steps are required for this maintenance release. However, if you are using Drush 8 to update from versions prior to 8.6.8 or 8.6.9, be aware that this release fixes a critical issue that could cause data loss during updates.

If you're experiencing issues with Layout Builder translations, file uploads, or any of the other fixed bugs, upgrading to this version should resolve those problems without requiring additional configuration changes.

For sites using custom serialized fields, note that this release changes how empty field data is normalized, which may affect custom code that interacts with these fields.

Upgrade Recommendations

This release contains important bug fixes and security improvements, making it a recommended upgrade for all Drupal 8.6.x sites.

Sites using Layout Builder, file uploads, or the Umami demo theme will particularly benefit from this update due to the numerous fixes in these areas. The resolution of the potential data loss issue when updating with Drush 8 is also critical for sites that use this update method.

The update process follows the standard Drupal minor version update procedure:

1. Back up your database and code
2. Put the site into maintenance mode
3. Update Drupal core codebase
4. Run update.php
5. Take the site out of maintenance mode

No special steps are required for this particular update.

Bug Fixes

Core System

• Fixed issue where SiteConfigureForm could install the file module without the field module
• Resolved issue with DateFormatter() incorrectly assuming 30 days per month
• Fixed issue with Twig update to v1.38.0/v1.38.1 causing fatal errors
• Fixed issue where custom serialized field's data was not normalized when empty

Layout Builder

• Fixed incorrect method comment for DefaultsSectionStorage::getDisplay
• Resolved security issue where users with "configure any layout" permission could see entities they don't have "view" access to
• Fixed issue where translating "inline blocks" literal broke Layout Builder functionality
• Improved performance of filtering block plugins by context

File Handling

• Fixed issue where files renamed by _file_save_upload_single() had incorrect filenames on the File entity
• Resolved issue with FileUploadResource using PHP's basename() instead of Drupal's version
• Fixed potential error in REST FileUploadResource::streamUploadData() that could call fclose(FALSE)

Migration

• Fixed issue with i18ntaxonomy not being an array in d6 VocabularyPerType source plugin
• Resolved issue with D7 i18n fields label and description migration
• Fixed incorrect directory for user migrations tests

Umami Demo Theme

• Fixed icon misalignment on warning and error messages
• Resolved issue with identical hero blocks on Home and Recipe pages causing confusion
• Fixed accessibility issues with "read more" links lacking context
• Corrected card layout broken in IE11

Forms & UI

• Fixed issue with ARIA required attribute in states.js
• Resolved issue where toolbar displayed Manage tab even when user lacked permission
• Fixed undefined index notice in Datetime::valueCallback()
• Changed FAPI Container example class to an array for better standards compliance

Testing

• Fixed issue causing test runs to double in duration due to UpdateKernel::fixSerializedExtensionObjects()
• Improved UpdatePathTestBase to properly re-initialize test site after running database updates
• Enhanced Selenium driver API to get remote file paths

New Features

No significant new features were introduced in this maintenance release. This update focuses primarily on bug fixes, security improvements, and accessibility enhancements to existing functionality.

Security Updates

Layout Builder Access Control

• Fixed a security issue where users with "configure any layout" permission could see entities they don't have "view" access to, potentially exposing restricted content

File Upload Security

• Improved security in file upload handling by ensuring proper use of Drupal's basename function instead of PHP's native version, which helps prevent potential path traversal issues

General Security

• Fixed coding standard errors from SA-CORE-2019-003 to ensure security patches are properly implemented

Performance Improvements

Layout Builder Performance

• Significantly improved the performance of filtering block plugins by context in Layout Builder, which was previously causing slowdowns when working with layouts containing many blocks

Test Performance

• Fixed an issue in \Drupal\Core\Update\UpdateKernel::fixSerializedExtensionObjects() that was causing test runs to double in duration, greatly improving development and CI pipeline efficiency

Impact Summary

Drupal 8.6.11 is primarily a maintenance release that addresses multiple bugs and accessibility issues across the platform. The most significant impact is the fix for a critical issue that could cause data loss when updating to 8.6.8 or 8.6.9 using Drush 8.

For site administrators and developers, this release improves the stability and security of Layout Builder by fixing permission issues and improving performance when filtering block plugins. File handling has been enhanced to properly preserve filenames during uploads and prevent potential errors.

Accessibility improvements in the Umami demo theme and form elements provide a better experience for all users, particularly those using screen readers. The fixes for IE11 compatibility in the Umami theme ensure a consistent experience across browsers.

This release also includes several improvements to the migration system, making it more reliable for sites upgrading from Drupal 6 or 7, especially those using multilingual features.

Overall, while this release doesn't introduce new features, it significantly improves the stability, security, and accessibility of existing functionality, making it an important update for all Drupal 8.6.x sites.