Drupal Release: 9.1.0-beta1

TL;DR

Drupal 9.1.0-beta1: Enhanced Security, PHP 8 Compatibility, and UI Improvements

This beta release introduces significant security enhancements for the update system, adds PHP 8 compatibility, and brings UI improvements to Claro admin theme and the new Olivero frontend theme. Key updates include HTTPS enforcement for translation downloads, improved status report pages, and better media library functionality. The release also fixes numerous bugs and improves code quality to prepare for stable deployment.

Highlight of the Release

• Enhanced security for the update system with HTTPS enforcement and verification of update sources
• Improved PHP 8 compatibility with numerous fixes for deprecated functions and behavior changes
• Updated dependencies including Composer 2 and Semver 3 support
• UI improvements to Status Report page and Media Library
• Olivero theme enhancements and official maintainer designation
• Claro admin theme improvements for better user experience

Migration Guide

for Drupal 9.1.0-beta1

PHP 8 Compatibility

If you're planning to use PHP 8 with this release, be aware that several changes have been made to ensure compatibility:

• The GDToolkit now supports \GdImage objects
• Error types and messages have been updated
• Deprecated methods like \ReflectionParameter::getClass() have been addressed
• MySQL transaction handling has been updated

Deprecated Features

• IE Conditional Comments: Support for IE conditional comments has been deprecated (#3095113). If your theme or module relies on these, you should update your code to use alternative approaches.

Dependency Updates

• Composer 2 and Semver 3: This release updates to Composer 2 and Semver 3. If you have custom scripts or workflows that interact with Composer, ensure they are compatible with these newer versions.

Theme Changes

• Olivero Theme: If you're extending or customizing the Olivero theme:
  • The node teaser template no longer hard-codes the text-content CSS class
  • RTL support for small variant select form elements has been improved
  • The .form-type prefix block element has been removed

Update System

• The update system now verifies the identity and authenticity of the release history URL. This is a security enhancement and should not require changes to your code unless you have custom modules that interact with the update system.

Upgrade Recommendations

Who Should Upgrade

• Development and Testing Environments: As this is a beta release (9.1.0-beta1), it is recommended for testing in development environments but not yet for production sites.
• PHP 8 Early Adopters: If you're planning to use PHP 8, this release includes important compatibility fixes that make it a good candidate for testing.
• Theme Developers: Those working with the new Olivero theme or Claro admin theme will benefit from the numerous improvements and fixes.

When to Upgrade

• Wait for the stable 9.1.0 release before upgrading production sites.
• Use this beta release for testing your custom modules and themes for compatibility with the upcoming 9.1.0 stable release.
• If you're currently experiencing any of the specific bugs fixed in this release, consider testing the fixes in a development environment.

How to Prepare

1. Test in Development First: Always test the upgrade in a development or staging environment before applying to production.
2. Check Custom Code: Review any custom modules or themes for compatibility with PHP 8 if you plan to upgrade your PHP version.
3. Update Dependencies: Ensure your site's dependencies are compatible with Composer 2 and Semver 3.
4. Review Deprecated Features: Check if your site uses any deprecated features like IE conditional comments and plan for their removal.

Upgrade Path

• For sites on Drupal 9.0.x, this should be a straightforward update following standard procedures.
• For sites still on Drupal 8.x, consider upgrading to Drupal 9.0.x first before moving to 9.1.x.

Bug Fixes

PHP 8 Compatibility Fixes

• Fixed \Drupal\system\Plugin\ImageToolkit\GDToolkit to support \GdImage objects for PHP 8 compatibility (#3156887)
• Updated error types and messages for PHP 8 compatibility (#3178998)
• Fixed \ReflectionParameter::getClass() deprecation in PHP 8.0 (#3156542)
• Fixed EntityRouteEnhancerTest assertion that breaks in PHP 8 (#3179013)
• Fixed \Drupal\error_test\Controller\ErrorTestController::generateWarnings() to properly handle notices in PHP 8 (#3177557)
• Fixed MySQL transaction handling on PHP 8 which now errors when committing or rolling back with no active transaction (#2736777)

Core Functionality Fixes

• Fixed ViewsFormBase::getForm() which re-used $key and relied on odd PHP 7 behavior (#3177590)
• Fixed \Drupal\views\Plugin\views\PluginBase::listLanguages() which incorrectly used in_array() resulting in listing additional languages (#3177546)
• Fixed \Drupal\field\Entity\FieldStorageConfig::getCardinality() to be more type safe (#3177545)
• Fixed stream_open() to better handle failures in \Drupal\Core\StreamWrapper\LocalStream::getLocalPath() (#3177541)
• Fixed undefined index: title in Drupal\update\ProjectSecurityRequirement (#3132426)
• Fixed WebAssert::addressEquals() and AssertLegacyTrait::assertUrl() which failed to check the querystring (#3164686)

Theme and UI Fixes

• Fixed Olivero's node.classList.remove() which only supported one argument (#3173905)
• Fixed Classy stylesheet being attached from Olivero twig template for node (#3157308)
• Removed .form-type prefix block element that doesn't exist (#3173018)

Test Stability Improvements

• Made QuickEditIntegrationTest more robust and fail-proof (#3037436)
• Fixed BasicAuthTestTrait::basicAuthPostForm() which was not working (#3178273)
• Improved stability of core JS testing and prepared for update of MinkSelenium2Driver (#3174928)

New Features

Security Enhancements

• Update System Security: Added verification of the identity and authenticity of the release history URL, significantly improving security when checking for updates (#1538118)
• HTTPS Enforcement: Now always using HTTPS for fetching translations, improving security (#3179318)

UI Improvements

• Status Report Page: Completely updated with improved visual organization and clarity (#3061042)
• Media Library: Enhanced interface with better usability and functionality (#3062751)
• Broken Block Messages: "This block is broken or missing..." messages now only shown to users who have access to fix the issue (#2918149)

Theme Enhancements

• Olivero Theme:

  • Added official maintainers to MAINTAINERS.txt (#3177318)
  • Improved documentation for fieldset.html.twig variables (#3176908)
  • Fixed node teaser template to avoid hard-coding CSS classes (#3178806)
  • Improved RTL support for small variant select form elements (#3179157)

• Claro Theme:

  • Fixed details caret display issues (#3179768)

Security Updates

• Update System Security Enhancement: Implemented verification of the identity and authenticity of the release history URL (#1538118). This is a significant security improvement that prevents potential man-in-the-middle attacks when checking for updates.

• HTTPS Enforcement for Translations: Now always using HTTPS for fetching translations (#3179318), preventing potential security issues with unencrypted connections.

• Dependency Updates: Updated several dependencies to more secure versions, including:

  • Updated fabpot/goutte to 3.3.1 for PHP 8 compatibility and security improvements (#3180092)
  • Updated composer/composer to ^2 and composer/semver to ^3 (#3128631)

• IE Conditional Comments: Deprecated Internet Explorer conditional comments support (#3095113), which helps reduce potential attack surface in the codebase.

Performance Improvements

• Dependency Updates: Updated to Composer 2 and Semver 3, which offer performance improvements over previous versions (#3128631)

• Code Cleanup: Removed various unused variables throughout the codebase, which can lead to small memory usage improvements:

  • Removed unused variable $email in SearchBlockTest.php (#3173595)
  • Removed unused variables $charcodes and $node2 (#3177377)
  • Removed unused variable $assert_session in UpdateScriptTest.php (#3173891)
  • Removed unused $admin_user variable in FieldEntityOperationsTest.php (#3175666)

• Type Safety Improvements: Several fixes to improve type safety which can prevent runtime errors and improve performance:

  • Made \Drupal\field\Entity\FieldStorageConfig::getCardinality() more type safe (#3177545)
  • Fixed \Drupal\views\Plugin\views\PluginBase::listLanguages() incorrect use of in_array() (#3177546)

Impact Summary

Drupal 9.1.0-beta1 represents a significant step forward in several key areas:

Security Enhancements

The most impactful change is the addition of verification for update sources, addressing a long-standing security concern (issue open since 2012). This enhancement, along with HTTPS enforcement for translations, significantly improves the security posture of Drupal sites by preventing potential man-in-the-middle attacks during update checks and translation downloads.

PHP 8 Readiness

This release includes numerous fixes to ensure compatibility with PHP 8, positioning Drupal to support the latest PHP version soon after its release. This forward-looking approach helps developers prepare their sites for future PHP requirements and take advantage of performance improvements in PHP 8.

UI and UX Improvements

The updated Status Report page and Media Library enhancements deliver a more intuitive and visually appealing administrative experience. These changes, along with improvements to the Claro admin theme and Olivero frontend theme, demonstrate Drupal's continued commitment to improving user experience.

Developer Experience

Updates to dependencies like Composer 2 and Semver 3, along with numerous code quality improvements and bug fixes, enhance the developer experience and maintain Drupal's technical excellence. The official designation of maintainers for the Olivero theme also ensures its continued development and support.

Overall, this beta release lays important groundwork for the stable 9.1.0 release, with a strong focus on security, compatibility with modern PHP versions, and improved user interfaces. While it's recommended primarily for testing environments at this stage, it showcases the significant improvements coming in Drupal 9.1.0.