Drupal Release: 9.2.0

Tag Name: 9.2.0

Release Date: 6/16/2021

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 9.2.0 brings significant improvements to accessibility, JavaScript modernization, and entity query security. Key highlights include the Olivero theme's accessibility enhancements, a new Starterkit theme for easier theme development, refactored JavaScript using the new once() utility, and improved entity query access checking. This release also updates several core libraries including jQuery to 3.6.0, CKEditor to 4.16.0, and various Symfony components to 5.3.

Highlights of the Release

    • Introduction of the Starterkit theme in core for easier theme development
    • Major accessibility improvements to the Olivero theme
    • JavaScript modernization with the new once() utility
    • Entity query access checking improvements for better security
    • Updated core libraries including jQuery 3.6.0 and CKEditor 4.16.0
    • New permission to control viewing of user email fields
    • Security advisory information now displayed in the Update status report

Migration Guide

Entity Query Access Checking

If you have custom code that uses entity queries, you may need to update it to explicitly specify whether access checking should be applied. The default behavior has been made more secure, but this might break existing code that relied on queries without access checks. Review your entity queries and add ->accessCheck(FALSE) where appropriate for queries that should bypass access control.
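One way to carry out this review, as an added example that is not part of the release notes or Drupal's own tooling: a small Python scanner that lists each entity query in a PHP source string and reports whether accessCheck() is called on it. The sample module functions are constructed for illustration, and the matching is a regex heuristic rather than a PHP parser.

```python
import re

# Calls that start an entity query in Drupal PHP code.
QUERY_START = re.compile(r"(?:\bentityQuery|->getQuery|->getAggregateQuery)\s*\(")
ACCESS_CALL = r"->\s*accessCheck\s*\(\s*([^)]*)\)"
ASSIGNED_VAR = re.compile(r"(\$\w+)\s*=[^=>]")

def audit_entity_queries(php_source):
    """Return (line, verdict) per entity query: 'checked', 'bypassed'
    (accessCheck(FALSE), confirm it is intentional) or 'missing'."""
    findings = []
    for match in QUERY_START.finditer(php_source):
        # Statement spans from the previous ';', '{' or '}' to the next ';'.
        start = max(php_source.rfind(c, 0, match.start()) for c in ";{}") + 1
        end = php_source.find(";", match.end())
        end = len(php_source) if end == -1 else end
        statement = php_source[start:end]
        access = re.search(ACCESS_CALL, statement)
        var = ASSIGNED_VAR.search(statement)
        if access is None and var:
            # Query built over several statements; searches the rest of the file.
            access = re.compile(re.escape(var.group(1)) + ACCESS_CALL).search(php_source, end)
        if access is None:
            verdict = "missing"
        else:
            verdict = "bypassed" if access.group(1).strip().upper() == "FALSE" else "checked"
        findings.append((php_source.count("\n", 0, match.start()) + 1, verdict))
    return findings

# Constructed sample module code (not from Drupal core or the page).
SAMPLE_PHP = r"""<?php
function mymodule_listing() {
  return \Drupal::entityQuery('node')
    ->accessCheck(TRUE)->condition('status', 1)->execute();
}
function mymodule_cron() {
  $query = \Drupal::entityTypeManager()->getStorage('node')->getQuery();
  $query->accessCheck(FALSE);
  return $query->execute();
}
function mymodule_legacy() {
  return \Drupal::entityQuery('user')->condition('status', 1)->execute();
}
"""

if __name__ == "__main__":
    for line, verdict in audit_entity_queries(SAMPLE_PHP):
        print(f"line {line}: accessCheck {verdict}")
```

Treat "bypassed" results as items for manual review: each accessCheck(FALSE) should have a reason why the query's results never reach a user who lacks access.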

JavaScript Behaviors

Olivero's JavaScript behaviors have been refactored to use the new once() utility. If you have custom JavaScript that extends or interacts with Olivero's behaviors, you should update your code to follow this pattern:

// Old pattern
Drupal.behaviors.myBehavior = {
  attach: function (context, settings) {
    $(context).find('.my-selector').each(function () {
      // Do something
    });
  }
};

// New pattern using once()
Drupal.behaviors.myBehavior = {
  attach: function (context, settings) {
    once('my-behavior', '.my-selector', context).forEach(function (element) {
      // Do something
    });
  }
};

Deprecated APIs

Several APIs have been deprecated in this release:

  • Drupal\Core\Database\StatementEmpty - Use alternative methods for handling empty result sets
  • strtoupper for URLs in MailFormatHelper.php's htmlToText() method
  • update_set_schema() - Plan to update your code before this is removed

jQuery UI Position Dependency

Steps have been taken to address the jQuery UI position dependency. If your code relies on this, you should plan to update it in future releases.

Upgrade Recommendations

Who should upgrade?

All sites running Drupal 9.1.x should upgrade to Drupal 9.2.0. This release contains important security fixes, accessibility improvements, and feature enhancements.

Upgrade path

The upgrade from Drupal 9.1.x to 9.2.0 is straightforward and follows the standard minor version upgrade process:

  1. Update your development environment to use PHP 7.3 or higher (PHP 7.4 is recommended)
  2. Back up your code, files, and database
  3. Update to the latest Drupal 9.1.x release
  4. Update core using Composer:
    composer update drupal/core "drupal/core-*" --with-all-dependencies
    
  5. Run the database updates:
    drush updatedb
    
  6. Clear caches:
    drush cache:rebuild
    
  7. Test thoroughly before deploying to production

Special considerations

  • If you have custom entity queries, review them to ensure they explicitly specify access checking behavior
  • If you have custom JavaScript that interacts with Olivero theme behaviors, update it to use the new once() utility
  • Review any deprecated API usage in your custom code and plan for updates

Bug Fixes

Entity Query Access Checking

Fixed numerous issues related to entity query access checking, ensuring that access checks are properly applied or explicitly bypassed as needed. This addresses potential security issues where entity queries might inadvertently expose protected content.

Accessibility Fixes in Olivero

  • Fixed major accessibility problems with Olivero header show/hide feature
  • Improved keyboard navigation for secondary menus
  • Fixed focus management after submenu closure via ESC key
  • Ensured that tabledrag user interface is usable within Olivero
  • Fixed issues with skip link focus creating layout shifts

UI and Display Fixes

  • Fixed logout option being displayed for anonymous users
  • Fixed issues with the mobile menu in Safari
  • Addressed Windows high contrast mode not showing search icon in Olivero
  • Fixed content layout issues in IE11
  • Corrected vertical alignment in small button variations
  • Fixed misaligned display title checkbox in Layout Builder

Form and Field Handling

  • Fixed file field's maximum upload size validation
  • Fixed PHP notices in Media Library form widget
  • Fixed wrapper removal when adding HTML textfield or textarea using replacement patterns
  • Fixed issues with breadcrumb and metatag title translations

Other Fixes

  • Fixed help searches failing when site is not fully indexed
  • Fixed incorrect Content-Type header encoding
  • Fixed issues with Views argument plugin access sensitivity
  • Fixed fatal error when passing non-existing ID to entity parameter converter
  • Fixed config export field not clearing when config type changes

New Features

Starterkit Theme

A new Starterkit theme has been added to core, providing a better starting point for theme developers. This replaces the previous approach of cloning and modifying existing themes, making the theme development process more straightforward and maintainable.

New Permission for User Email Fields

A new permission has been added to control who can view user email fields, providing more granular access control for user data.

Security Advisory Information in Update Status

The Update status report now displays relevant security advisory information for Drupal core and contributed projects, making it easier for site administrators to assess security risks.

Reset Button on Custom Block Library

A new "Reset" button has been added to the Custom block library page, allowing users to clear filters more easily.

Row for Switching to Live Workspace

The Workspaces listing UI now includes a row for switching to the live workspace, improving the workspace management experience.

Security Updates

Security Advisory SA-CORE-2021-002

This release includes security fixes from SA-CORE-2021-002.

Entity Query Access Checking

Improved entity query access checking to prevent potential information disclosure. The changes ensure that entity queries properly respect access controls unless explicitly bypassed.

Permissions-Policy Header

Added a Permissions-Policy header to block Google FLoC, enhancing privacy protection for site visitors.

Email Field Permission

Added a new permission to control who can view user email fields, providing better protection of user data.

Performance Improvements

Database Performance

  • Improved database query performance by addressing inconsistencies in Upsert::execute() return values
  • Reduced unnecessary work in FieldHelpTest

Cache Optimization

  • Reduced cache variations in locale cache for better performance
  • Improved route preloading by preventing preloading of routes generated by JSON:API

Migration Performance

  • Fixed source count caching for SqlBase-based source plugins, reducing unnecessary cache I/O
  • Optimized migration code to avoid unnecessary format calls in DateTimePlus::createFromFormat

JavaScript Performance

  • Updated JavaScript dependencies to more efficient versions
  • Improved Olivero theme JavaScript performance with better event handling

Impact Summary

Drupal 9.2.0 represents a significant step forward in accessibility, security, and developer experience. The introduction of the Starterkit theme addresses a long-standing pain point for theme developers, while the extensive accessibility improvements to Olivero make the theme more usable for all visitors, especially those using assistive technologies.

The security enhancements around entity query access checking are particularly important, as they help prevent potential information disclosure vulnerabilities. Site administrators will also appreciate the addition of security advisory information in the Update status report, making it easier to stay informed about potential security issues.

For developers, the JavaScript modernization efforts, including the adoption of the once() utility and updates to core libraries like jQuery and CKEditor, provide a more modern and maintainable codebase. The deprecation of several APIs signals the continued evolution of Drupal's architecture toward more modern patterns.

Performance improvements in database handling, caching, and JavaScript execution contribute to a better overall user experience, while the numerous bug fixes address pain points across various aspects of the system.

Overall, this release balances new features with important under-the-hood improvements that strengthen Drupal's foundation for future development.

Statistics:

Files Changed: 300
Line Additions: 3,452
Line Deletions: 2,582
Line Changes: 6,034
Total Commits: 250

Users Affected:

  • Can now use the new Starterkit theme as a base for custom theme development
  • Benefit from improved accessibility in the Olivero theme
  • Will see better error messages when creating entity reference fields
  • Can now reset the custom block library filter with a new 'Reset' button

Contributors:

lauriii, alexpott, webchick, xjm, larowlan, effulgentsia, goba