Drupal Release: 8.7.7
Tag Name: 8.7.7
Release Date: 9/4/2019
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 8.7.7 is a security and maintenance release that addresses several critical vulnerabilities, including an XSS issue in date format configuration. It also includes bug fixes for entity handling, migration processes, and JavaScript test compatibility with newer Chrome versions. This release improves workspace functionality, fixes issues with typed data handling, and introduces support for semantic versioning in module info files.
Highlight of the Release
- Fixed XSS vulnerability in date format configuration
- Added support for semantic versioning in module info files
- Improved workspace functionality - system now remembers page state when switching workspaces
- Fixed JavaScript tests compatibility with Chromedriver 75 and higher
- Fixed issues with entity handling and migration processes
Migration Guide
Updating to Drupal 8.7.7
Before updating:
- Back up your database and site files
- Review the list of changes to identify any that might affect your site
Update process:
- Update using Composer (recommended): composer update drupal/core-recommended --with-dependencies
- Or update manually by replacing core files and running database updates
After updating:
- Run database updates: drush updatedb or visit /update.php
- Clear caches: drush cache-rebuild or via the admin interface
- Test your site thoroughly, especially if you use workspaces or have custom modules
For module developers:
- If you maintain modules, consider implementing the new core_version_requirement key in your info.yml files for better compatibility with future Drupal versions
Upgrade Recommendations
This release contains an important security fix for an XSS vulnerability in date format configuration, along with several critical bug fixes. All sites running Drupal 8.7.x should upgrade to 8.7.7 as soon as possible.
The security fix alone makes this update highly recommended, but the improvements to workspace functionality and fixes for entity handling also provide significant value for most Drupal sites.
For sites using workspaces, custom entity types, or running JavaScript tests with newer Chrome versions, this update resolves several important issues that could affect site functionality and development workflows.
Bug Fixes
Security and Critical Fixes
- Fixed XSS vulnerability in date format configuration
- Fixed incorrect return type declaration in TwigExtension::getUrl()
- Added composer conflict for symfony/dom-crawler >=4 for Drupal 8.7 compatibility
- Fixed deprecated method usage of Symfony\Component\BrowserKit\Response::getStatus()
Entity and Data Handling
- Fixed class name validation in image styles
- Fixed issue where Typed Data's EntityDeriver wasn't deriving bundle-level data types when a bundle has the same name as its entity type
- Fixed PATCH 405 errors for untranslatable content entities with different default language than English
- Fixed failing assertions when bundle ID contains only numbers
- Fixed potential failures in ViewsEntitySchemaSubscriber when a view has a broken handler
Migration Issues
- Fixed D6 OptionWidgetsField migrate plugin namespace
- Fixed boolean field "On" and "Off" label migration
- Fixed issue where migrating to Date-only fields didn't drop time values
Testing and Development
- Fixed JavaScript tests compatibility with Chromedriver 75 and higher
- Clarified how to set MINK variables in phpunit.xml.dist
- Fixed CKEditorIntegrationTest failures on SQLite
New Features
Support for Semantic Versioning in Module Info Files
This release introduces support for semantic versioning in module info files through the core_version_requirement key. This enhancement allows module developers to specify compatibility with multiple major versions of Drupal core using standard semantic versioning notation.
The implementation includes proper validation of the core_version_requirement value, with exceptions thrown for invalid formats rather than silently failing.
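As an added illustration (not taken from the release notes or from Drupal core), here are two info.yml files for a hypothetical module named example_module, showing how core_version_requirement interacts with the older core key. Core releases before 8.7.7 do not recognize the new key, which is why the first file keeps core: 8.x alongside it.

```yaml
# example_module.info.yml (hypothetical module; name and description are constructed)
# Variant A: must still install on Drupal 8 releases older than 8.7.7.
# Those releases only read the legacy "core" key, so both keys are present.
name: Example Module
type: module
description: 'Constructed sample used to illustrate core_version_requirement.'
core: 8.x
core_version_requirement: ^8 || ^9
---
# Variant B: only targets releases that understand the new key.
# The constraint excludes everything before 8.8, so the legacy "core" key
# is omitted; combining it with a constraint like this is rejected as invalid.
name: Example Module
type: module
description: 'Constructed sample used to illustrate core_version_requirement.'
core_version_requirement: ^8.8 || ^9
```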
Security Updates
XSS Vulnerability in Date Format Configuration
This release addresses a critical security vulnerability that could allow Cross-Site Scripting (XSS) attacks through the date format configuration interface. The fix prevents malicious code injection that could be executed in a user's browser when viewing pages with affected date formats.
Site administrators should update immediately to mitigate this security risk.
Performance Improvements
No specific performance improvements were highlighted in this release. The changes primarily focus on security fixes, bug fixes, and feature enhancements rather than performance optimizations.
Impact Summary
Drupal 8.7.7 is primarily a security and maintenance release that addresses several important issues. The most critical fix is for an XSS vulnerability in date format configuration, which could allow attackers to inject malicious code. This alone makes the update essential for all Drupal 8.7.x sites.
Beyond security, this release improves the workspace experience by remembering page state when switching workspaces, fixes several entity handling issues that could affect content management, and resolves problems with migration processes. Developers will benefit from improved JavaScript test compatibility with newer Chrome versions and the introduction of semantic versioning support in module info files.
The changes are largely focused on fixing existing functionality rather than introducing new features, with the exception of the semantic versioning support. Most users will experience improved stability and security without significant changes to their day-to-day usage of the system.
Statistics:
Users Affected:
- Protected from XSS vulnerability in date format configuration
- Improved workspace functionality with better page state preservation
- Fixed issues with entity handling and migration processes
