Drupal Release: 9.1.0-rc1

TL;DR

Drupal 9.1.0-rc1: Security Fixes, Bug Fixes, and Library Updates

What's New: This release candidate for Drupal 9.1.0 includes critical security fixes (SA-CORE-2020-012), multiple bug fixes addressing issues with Book module, JSON:API, and path aliases, and updates to JavaScript libraries including Underscore.js and Popper.js.

Why It Matters: The security fixes address critical vulnerabilities that should be applied immediately. Bug fixes improve stability and user experience across various components, particularly for content management workflows and API functionality.

Who Should Care: Site administrators should update immediately due to security fixes. Developers working with JSON:API, Book module, or custom themes will benefit from the bug fixes and improved stability.

Highlight of the Release

• Critical security fixes included in SA-CORE-2020-012
• Fixed Book module settings form validation and outline selection issues
• Updated JavaScript libraries: Underscore.js and Popper.js to latest versions
• Fixed JSON:API issues with resource types and link key collisions
• Improved path alias functionality, now allowing '0' as a valid path alias
• Fixed translation search to properly handle spaces before or after search strings

Migration Guide

No specific migration steps are required when updating from Drupal 9.1.0-beta1 to 9.1.0-rc1. However, site administrators should be aware of the following:

• Composer 2 Users: If you're using Composer 2, ensure that path repositories are listed first in your composer.json file as this release fixes compatibility issues with Composer 2.

• Book Module: If you're using the Book module and experienced validation issues after Drupal 8.9.7, these have been fixed in this release.

• Custom Code Using JSON:API: If you have custom code that interacts with JSON:API, test thoroughly after updating as there are fixes to FieldItemNormalizer and link key handling that might affect custom implementations.

• Theme Developers: If you have custom themes that install blocks during profile installation, review your implementation as this release fixes an issue where blocks were being created for all enabled themes.

Upgrade Recommendations

Immediate upgrade recommended due to critical security fixes included in SA-CORE-2020-012.

For sites currently on Drupal 9.1.0-beta1, upgrading to this release candidate is strongly recommended to benefit from security fixes and numerous bug fixes. The update process should be straightforward with minimal risk of regressions.

For sites on earlier Drupal 9 versions or Drupal 8, consider planning your upgrade path to Drupal 9.1.x once the final release is available, as this version includes important security updates and bug fixes.

Before upgrading production sites:

1. Create a complete backup of your site and database
2. Test the upgrade on a staging environment first
3. Review your custom and contributed modules for compatibility
4. Update during a maintenance window to minimize disruption

Bug Fixes

• Book Module Fixes:

  • Fixed "Illegal choice 0 in Book element" error when switching the book outline field from any value to "- None -"
  • Resolved Book Settings Form validation issues introduced in Drupal 8.9.7

• JSON:API Improvements:

  • Fixed issue where JSON:API link keys could collide, causing unexpected behavior
  • Resolved error "Argument 2 passed to Drupal\jsonapi\Routing\Routes must be an instance of ResourceType, NULL given"
  • Fixed FieldItemNormalizer to not flatten if one property and getMainPropertyName is NULL

• Theme and Block Issues:

  • Fixed issue where blocks installed by a profile for a specific theme were incorrectly created for all enabled themes
  • Added missing @file documentation in Olivero's node.html.twig

• Views Module:

  • Fixed issue where sort direction was not hidden when no sort field was selected

• Path Alias System:

  • Fixed issue where "0" couldn't be used as a path alias without showing an error

• Database Compatibility:

  • Fixed datetime-related test failures on PostgreSQL 12

• Composer Integration:

  • Fixed issue where path repositories needed to be listed first for Composer 2 compatibility

• Typo and Grammar Fixes:

  • Fixed numerous grammar issues changing "a" to "an" where necessary
  • Fixed 45 "shouldBeCamelCased" and related typos in core
  • Removed misspelled words from dictionary that are no longer used

New Features

and Enhancements

• JavaScript Library Updates: Updated Underscore.js and Popper.js to their latest versions, improving security and functionality.

• Improved Translation Search: Enhanced the translation search functionality to properly handle spaces before or after search strings, making content translation workflows more reliable.

• Path Alias Improvements: Added support for using "0" as a valid path alias, which was previously not possible despite no error being shown to users.

• Test Framework Improvements: Multiple improvements to testing frameworks including:

  • Split assertions using && into multiple assertions for better test clarity
  • Replaced deprecated AssertLegacyTrait::assert(No)FieldByXPath methods
  • Removed uses of t() in assertText() and drupalPostForm() calls
  • Refactored UncaughtExceptionTest to not use cUrl

Security Updates

• SA-CORE-2020-012: This release includes critical security fixes detailed in SA-CORE-2020-012. The security advisory addresses vulnerabilities that should be patched immediately.

• JavaScript Library Updates: Updated Underscore.js and Popper.js to their latest versions, which include security improvements and fixes for known vulnerabilities.

Performance Improvements

• Code Quality Improvements: Multiple code quality improvements that may indirectly improve performance:

  • Refactored test assertions to be more specific and efficient
  • Updated JavaScript libraries to latest versions which may include performance optimizations
  • Fixed code style issues and typos throughout the codebase

• Composer 2 Compatibility: Fixed path repositories listing order for Composer 2, which can lead to faster dependency resolution and installation processes.

Impact Summary

Drupal 9.1.0-rc1 is a significant release that addresses critical security vulnerabilities while fixing numerous bugs across various components. The security fixes alone make this an essential update for all Drupal sites.

The bug fixes improve stability and user experience in several key areas:

1. Content Management: Book module fixes resolve frustrating errors when managing book content hierarchies.

2. API Functionality: JSON:API improvements fix issues with resource types and link key collisions, making the API more reliable for developers.

3. Path Alias System: The fix allowing "0" as a valid path alias removes a longstanding limitation.

4. Translation Workflows: Improved translation search functionality makes content translation more reliable.

5. Theme System: Fixed issues with block installation during profile installation ensures themes work as expected.

The JavaScript library updates (Underscore.js and Popper.js) bring security improvements and ensure Drupal stays current with upstream dependencies.

Overall, this release candidate represents a solid step toward the final Drupal 9.1.0 release, with important fixes that benefit administrators, developers, and content editors alike.