Drupal Release: 9.5.10
Tag Name: 9.5.10
Release Date: 7/5/2023
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 9.5.10: Bug Fixes, Security Enhancements, and Testing Improvements
This maintenance release for Drupal 9.5.x addresses multiple bugs and security concerns while improving testing infrastructure. Key improvements include fixes for REST API responses, media library functionality, JavaScript asset loading, and PHP 8.2 compatibility. The release also enhances security by adding protection against potentially malicious file extensions and fixing mail header handling in PHP 8.0+.
Highlights of the Release
- Fixed PHP 8.2 compatibility by removing incompatible dependencies from core-recommended
- Enhanced security by adding protection against potentially malicious file extensions
- Improved REST API functionality by allowing DELETE requests to return response bodies
- Fixed JavaScript asset loading between jQuery UI libraries
- Improved media library functionality and CKEditor 5 integration
Migration Guide
No specific migration steps are required for this maintenance release. However, if you're experiencing issues with PHP 8.2 compatibility, note that this release removes laminas-feed, laminas-escaper, and laminas-stdlib from drupal/core-recommended to allow Drupal 9.5 to be installed on PHP 8.2.
If you're using the media library and experiencing issues with required fields, this release fixes the problem where "is required" messages were showing for users without access to those fields.
For developers working with REST APIs, note that DELETE requests can now return response bodies, which might require adjustments to your API consumers if they weren't expecting content in DELETE responses.
Upgrade Recommendations
This release contains important bug fixes and security enhancements, making it a recommended upgrade for all Drupal 9.5.x sites. The update addresses several issues that could affect site functionality, performance, and security.
Sites using PHP 8.2 will particularly benefit from this update as it removes dependencies that were causing compatibility issues. Sites using the media library, CKEditor 5, or REST APIs will also see notable improvements.
To upgrade:
- Back up your database and code
- Update your codebase to Drupal 9.5.10
- Run the database updates via the admin interface or using Drush:
  drush updatedb
- Clear caches:
  drush cache:rebuild
As with any update, testing in a development environment before applying to production is recommended.
Bug Fixes
- Media Library: Fixed issue where "is required" message was showing while the user had no access to the field.
- Form Validation: Corrected vertical tab focus behavior on form validation.
- JavaScript Assets: Fixed library order asset weights when loading a large number of JavaScript files between two jQuery UI libraries.
- Entity Handling:
  - Fixed TypeError in EntityViewBuilder::view() when null is passed instead of an EntityInterface.
  - Fixed EntityCreateAnyAccessCheck::access() being too restrictive.
- Migration:
  - Added missing mapping for "nodereference_url" widget.
  - Fixed entity stubs not following fallback logic from entities, which led to broken migrations.
- Views: Fixed fatal error when entering a non-numeric value for a start row in 'Multiple field settings'.
- Email: Fixed broken mail headers in PHP 8.0+ caused by LF characters in PhpMail.
- Routing: Fixed regression where route defaults were automatically becoming route parameters.
- CKEditor 5:
  - Fixed Style plugin configuration tab not appearing.
  - Added missing dependency on drupal.ajax.
  - Fixed random test failures in media view mode tests.
- OEmbed: Fixed OEmbedIframeController returning an HTTP response code that could be cached by forward proxies when given illegal parameters.
New Features
- REST API Enhancement: DELETE requests can now return response bodies, providing more flexibility in API design and usage.
- Query Parameter Support: Added support for ?edit[field_xyz] as a query parameter in contextual filters, improving editor workflows.
- Core Team Updates: Promoted quietone and bnjmnm from provisional core committers to full core committers, and added Lauri Eskola to Drupal core product managers.
Security Updates
- File Security: Added .phtml files to the list of potentially malicious extensions, enhancing protection against security vulnerabilities.
- Email Security: Fixed broken mail headers in PHP 8.0+ because of LF characters, which could potentially be exploited for email header injection.
- OEmbed Security: Improved OEmbedIframeController to properly handle illegal parameters and prevent caching of error responses by forward proxies.
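The .phtml change only affects files handled after the upgrade, so files already sitting in an upload directory are worth a one-time audit. The following is an added example, not Drupal core code: find_risky_uploads, count_risky_uploads and RISKY_EXTS are names made up for this sketch, and the rule of matching the extension in any position of the file name (not just at the end) is an assumption about what a cautious audit should flag.

```bash
#!/usr/bin/env bash
# Added example, not Drupal core code. Function and variable names are
# hypothetical and exist only in this sketch.

# Extended-regex alternation of extensions to flag. Only phtml comes from the
# release notes; extend it to match your own policy, e.g. RISKY_EXTS='phtml|php'.
RISKY_EXTS="${RISKY_EXTS:-phtml}"

# Print every regular file under DIR ($1) whose file name contains a flagged
# extension in any position: "x.phtml", "x.PHTML" and "x.phtml.txt" all match,
# "phtml-guide.pdf" does not. Returns 2 if DIR is not a directory.
# Assumes file names do not contain newline characters.
find_risky_uploads() {
  if [ ! -d "$1" ]; then
    echo "not a directory: $1" >&2
    return 2
  fi
  # (\.[^/]*)?$ keeps the match inside the last path component, so a directory
  # named "a.phtml.d" does not flag the clean files it contains.
  find "$1" -type f -print \
    | grep -Ei "\.(${RISKY_EXTS})(\.[^/]*)?\$" \
    | sort
}

# Number of flagged files under DIR (0 when the tree is clean).
count_risky_uploads() {
  find_risky_uploads "$1" | wc -l | tr -d ' '
}
```

Source the file and call find_risky_uploads /path/to/upload/dir (a placeholder path); any hit should be reviewed before it is removed or renamed.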
Performance Improvements
- Testing Infrastructure: Improved how KernelTestBase manages its persistent key value storage, enhancing test performance and reliability.
- Memory Usage: Optimized memory usage by not using the persist tag for keyvalue.memory in KernelTestBase.
Impact Summary
Drupal 9.5.10 is a maintenance release that addresses multiple bugs and security concerns while improving the overall stability and functionality of Drupal 9.5.x. The release includes fixes for PHP 8.2 compatibility, media library functionality, REST API responses, and JavaScript asset loading.
For developers, the most significant improvements include PHP 8.2 compatibility, enhanced REST API functionality with DELETE requests now able to return response bodies, and more reliable testing infrastructure. Site administrators will benefit from improved security measures and fixed mail header handling in PHP 8.0+ environments. Content editors will experience a better media library interface and improved CKEditor 5 functionality.
This release demonstrates Drupal's commitment to maintaining a stable, secure, and feature-rich platform while addressing community-reported issues. The fixes for random test failures and improvements to the testing infrastructure also contribute to the long-term health of the project by ensuring more reliable development and testing processes.
Users Affected:
- Benefit from improved REST API functionality with DELETE requests now able to return response bodies
- Can now use PHP 8.2 with Drupal 9.5.x due to removal of incompatible dependencies
- Will experience more reliable testing with improvements to KernelTestBase and fixes for random test failures
- Have access to better documented hooks and interfaces
