Drupal Release: 9.0.13

TL;DR

Drupal 9.0.13 is a security and maintenance release that updates several dependencies to address security vulnerabilities and bugs. This release includes updates to Archive_Tar, Symfony components, and various development dependencies like Nightwatch and composer/composer. It also fixes an issue with relative URL handling when ports differ from the site's request port. This release is important for maintaining the security and stability of your Drupal 9 site.

Highlight of the Release

• Security update for Archive_Tar to version 1.4.13
• Updates to Symfony components to latest patch releases
• Security fixes for Nightwatch and other development dependencies
• Fix for relative URL handling when ports differ from the site's request port
• Update to caniuse-lite database

Migration Guide

No specific migration steps are required for this update as it primarily consists of security updates and bug fixes. Standard update procedures for Drupal 9.0.x should be followed:

1. Back up your database and site files
2. Put the site into maintenance mode
3. Update Drupal core using Composer:

   composer update drupal/core --with-dependencies
   

4. Run database updates:

   drush updatedb
   

5. Clear caches:

   drush cache:rebuild
   

6. Take the site out of maintenance mode

Upgrade Recommendations

This release contains important security updates, so it is strongly recommended that sites running Drupal 9.0.12 or earlier update to Drupal 9.0.13 as soon as possible.

For sites still on Drupal 8, note that Drupal 8 reached end-of-life on November 2, 2021. If you are still running Drupal 8, you should plan to upgrade to Drupal 9 immediately.

For the smoothest upgrade experience:

• Use Composer for the update process
• Test the update in a development or staging environment before applying to production
• Perform a full site backup before beginning the update process
• Schedule a maintenance window for the update if running on a production site

Bug Fixes

• Relative URL Handling: Fixed an issue in file_url_transform_relative() that prevented proper handling of URLs where the port is different from the site's request port. This ensures proper URL transformation in environments with non-standard port configurations.

• Outdated Dependencies: Addressed issues with outdated dependencies by updating several packages:

  • Updated caniuse-lite as it was outdated, ensuring proper browser compatibility information
  • Updated composer/composer dev dependency in metapackages to version 2.0.13

New Features

No significant new features were added in this maintenance release. This update focuses primarily on security improvements and dependency updates to ensure the stability and security of Drupal 9.0.x installations.

Security Updates

• Archive_Tar Update: Updated Archive_Tar to version 1.4.13 to address security vulnerabilities in the library.

• Symfony Components: Updated Drupal 9 branches to the latest patch releases of Symfony components to address security issues.

• Development Dependencies: Updated Nightwatch and locked dev dependencies to address security issues. This is particularly important for development environments to prevent potential security exploits during the development process.

Performance Improvements

No specific performance improvements were highlighted in this release. The focus was on security updates and bug fixes rather than performance enhancements.

Impact Summary

Drupal 9.0.13 is primarily a security and maintenance release that addresses several important security vulnerabilities in dependencies. The impact is relatively low for most sites as the changes are focused on updating dependencies rather than changing core functionality.

The update to Archive_Tar 1.4.13 addresses security vulnerabilities that could potentially be exploited in certain configurations. Similarly, the updates to Symfony components and development dependencies like Nightwatch patch known security issues.

The bug fix for relative URL handling when ports differ from the site's request port will benefit sites running on non-standard port configurations, improving compatibility in these environments.

Overall, this release maintains the stability of Drupal 9.0.x while addressing important security concerns, making it an essential update for all Drupal 9.0.x sites.