Drupal Release: 9.5.0-rc2

TL;DR

Drupal 9.5.0-rc2 brings significant improvements to performance, security, and stability. This release candidate includes important cache optimization for content entities, fixes for media entity handling, and security enhancements like blocking access to sensitive files. It also addresses several critical bugs in taxonomy terms, block layouts, and CKEditor 5, while updating various dependencies to their latest versions. This release is an important step toward the stable 9.5.0 release, with numerous bug fixes and performance improvements that enhance the overall Drupal experience.

Highlight of the Release

• Optimized caching with setMultiple in ContentEntityStorageBase for better performance
• Fixed critical issues with media entities and owner handling
• Enhanced security by blocking access to sensitive files like yarn.lock and package.json
• Fixed taxonomy term editing to preserve parent relationships
• Updated CKEditor 5 to version 35.3.2 to fix voice control and IME issues
• Improved block layout handling to prevent site breakage with empty forms
• Fixed Twig cache growth issues in multi-server environments

Migration Guide

No significant migration steps are required for this release candidate. However, developers should note:

1. Deprecated NULL values in HTML handling functions:

   • Html::escape(), Html::decodeEntities(), and FormattableMarkup::placeholderFormat() now deprecate NULL values to prepare for PHP 8 compatibility
   • Update your code to ensure you're passing strings to these methods

2. Ajax handling changes:

   • Changes to Drupal.ajax in 9.5.x were causing regressions in modules like paragraphs_features
   • If you've built custom modules that extend Drupal.ajax functionality, test thoroughly with this release

3. Updated JavaScript dependencies:

   • If you have custom themes or modules that depend on specific versions of core JavaScript libraries, verify compatibility with the updated dependencies

Upgrade Recommendations

This is a release candidate (RC2) for Drupal 9.5.0, which means it's approaching stability but is not yet recommended for production sites. We recommend:

1. For development and testing environments: Upgrade to this release candidate to help identify any potential issues before the final release.

2. For production sites: Continue using the latest stable release (9.4.x) until the final 9.5.0 release is available.

3. For module developers: Test your modules with this release candidate to ensure compatibility with the upcoming 9.5.0 stable release.

The upgrade path from previous 9.x versions to 9.5.0-rc2 should be straightforward, with no major breaking changes reported. However, as with any upgrade, make a complete backup of your site before proceeding and test thoroughly in a non-production environment first.

Bug Fixes

Entity Management Fixes

• Fixed issue where media entities would crash when saved without an owner
• Fixed taxonomy terms losing <root> as parent when editing
• Fixed entity count query returning a string instead of an integer
• Fixed block layout form submission causing breakage for all block entities when empty

Views and UI Fixes

• Fixed Views roles contextual filters not saving multiple options
• Fixed broken cache context assertions in DefaultMenuLinkTreeManipulatorsTest
• Fixed issue with Views trying to call trigger_error() with E_WARNING

Cache and Performance Fixes

• Fixed infinite growth of Twig cache in multiple webheads environments
• Fixed regression in Drupal.ajax affecting paragraphs_features module

Documentation and Type Fixes

• Fixed incorrect return type in FieldableEntityNormalizerTrait::extractBundleData()
• Fixed PHPStan errors related to method return types and property types
• Fixed incorrect documentation example in hook_views_pre_view
• Fixed typo in machine name for Container field in ForumController::addForum
• Corrected the type of $pattern in DateFormat

New Features

Enhanced Cache Management

• Added optimization using cacheBackend->setMultiple in ContentEntityStorageBase for improved performance when caching multiple entities
• Added ability to pass CLI arguments to chromedriver for better testing flexibility

Improved User Experience

• Updated article content type form display to show image above body to match display
• Enhanced Views UI by hiding type filter form when there are no logs
• Better discovery of CKEditor 5 debug documentation for developers

Security Updates

Security Enhancements

• Blocked access to sensitive files like yarn.lock and package.json to prevent information disclosure
• Fixed source code disclosure vulnerability with /core/scripts/transliteration_data.php.txt
• Removed Google FLoC header as Google has abandoned this technology
• Updated dependencies including laminas/escaper to 2.10.0 and vm2 package to address potential security issues

Performance Improvements

Cache Optimization

• Implemented cacheBackend->setMultiple in ContentEntityStorageBase to improve performance when caching multiple entities at once
• Fixed issue causing infinite growth of Twig cache in multi-server environments, which could lead to performance degradation over time

Build Process Improvements

• Enhanced commit-code-check.sh to run phpcs in parallel for faster code checks
• Updated various JavaScript dependencies to improve build performance

Testing Performance

• Added ability to pass CLI arguments to chromedriver for more efficient testing scenarios

Impact Summary

Drupal 9.5.0-rc2 delivers significant improvements to core functionality with a focus on performance, security, and stability. The implementation of cache optimization in ContentEntityStorageBase will benefit sites with heavy entity usage, while fixes for media entities and taxonomy terms address critical issues that could affect content management workflows.

Security enhancements like blocking access to sensitive files and fixing the source code disclosure vulnerability strengthen Drupal's security posture. The update to CKEditor 5 improves accessibility by fixing voice control and IME issues on certain platforms.

Performance improvements extend beyond entity caching to include fixes for Twig cache growth in multi-server environments and optimizations in the development workflow. The numerous bug fixes address issues across various subsystems, from Views to block layouts, enhancing overall platform stability.

For developers, improved documentation, type fixes, and updated dependencies provide a better development experience. The preparation for PHP 8 compatibility through deprecation notices helps ensure a smoother transition path for future upgrades.

Overall, this release candidate represents a solid step toward the stable 9.5.0 release, with improvements that benefit all types of Drupal users from site administrators to content editors and end users.