drupal 10.0.0

This is the first supported release of the new Drupal 10 major version, and it is ready for use on production sites! Learn more about Drupal 10 and the Drupal core release cycles.

Drupal 10.0.0 has been released simultaneously with Drupal 9.5.0. Drupal 9.5 has most of the changes that Drupal 10 does, but retains backwards compatibility layers added through Drupal 9.5.0's release. Update to Drupal 9.5 before updating to Drupal 10 for the smoothest upgrade path.

If you are starting a new Drupal project, you have a choice between Drupal 9.5.0 and 10.0.0, and generally should choose Drupal 10 where possible for forward compatibility with future releases.

Regardless of which version you choose now, features will only be added to Drupal 10 minor releases. Plan to adopt Drupal 10 so that you can easily update to Drupal 10.1 and later.

Refer to Preparing your site to upgrade to a newer major version for tools you can use to check the Drupal 10 compatibility of modules, themes and sites. Then, upgrade from Drupal 9 to 10.

Both 10.0.0 and 9.5.0 include all the latest changes, and they have the same APIs and features aside from a few edge-cases. This also means modules and themes can be compatible with Drupal 9 and 10 at the same time! The key changes in 10.0.0 are:

1. Deprecated code, including entire modules and themes, has been removed.
2. Dependencies have been updated to new major versions as appropriate.
3. Platform requirements (including supported PHP and database versions, Composer requirements, and supported browsers) have been updated.

For all other changes, refer to the 9.5.x branch.

Important update information

Sites must update to at least Drupal 9.4.4 before upgrading to Drupal 10

Drupal sites running 9.3.x or earlier versions must first update to 9.4.4 or later before updating to Drupal 10. All core updates added before 9.4.0 have been removed and the data upgrade path from CKEditor 4 to CKEditor 5 is not available before Drupal 9.4.4. In general, sites should update to the most recent release of their current major branch before updating to the next major release.

Sites using CKEditor 4 should upgrade to CKEditor 5 in Drupal 9.4 or 9.5 before updating to Drupal 10

Most Drupal sites using CKEditor 4 should upgrade to CKEditor 5. See the recommendations for CKEditor for details. Upgrading from CKEditor 4 to 5 is a manual process, because it requires human supervision.

Changes to site-owner-managed files

• Performance has been improved for Apache serving gzipped JavaScript and CSS aggregates to browsers. Sites should update their .htaccess files to take advantage of this performance improvement.

• yarn.lock and package.json are now blocked by Drupal's default web server configuration, sites should update any copies of .htaccess or web.config to incorporate the changes.

• It is no longer necessary or recommended to configure fast 404s in settings.php.

• The default robots.txt file has been updated to disallow indexing of oEmbed media links.

• A new developer feature to show debug markup for render caching has been added. It can be configured in services.yml and is disabled by default. Sites should ensure that their site-specific services.yml includes the new section.

• For forward-compatibility with a deprecation in 10.1.x, a change has been made to the assertion handling defaults in example.settings.local.php. Site owners can update their settings.local.php to maintain consistency and forward-compatibility.

Platform requirements changes

PHP requirements

• Drupal 10 requires PHP 8.1 or higher.

  PHP versions 8.1.0 through 8.1.5 have a bug with the PHP OPcache that may cause intermittent fatal errors at runtime for class autoloading, so PHP 8.1.6 or higher is recommended.

• Warnings are displayed on the Drupal status report page when a site is using a PHP version that has reached its official end-of-life date. This won't prevent running, updating, or installing Drupal unless the version is below the absolute minimum requirement. Review the handbook documentation on unsupported PHP versions for more information.

Database requirements

The following minimum database versions are supported by Drupal 10 core:

• MySQL or Percona 5.7.8.
• MariaDB 10.3.7 (This is a more recent release than the MySQL version.)
• PostgreSQL 12 with the pg_trgm extension.
• SQLite 3.26 with the JSON1 extension. PHP does not always use the system-provided SQLite, so verify that your PHP is compiled with at least this version.

Browser support changes

• Internet Explorer 11 is not supported in Drupal 10.
• Support for older versions of UC Browser has been removed. Newer versions of the browser that rely on WebView should be unaffected.

See the browser support policy for more information.

Composer requirements

Drupal 10 recommends Composer version 2.3.6 or higher, which is required for compatibility with PHP 8.2 and the forthcoming Automatic Updates feature. Core developers must update to at least Composer 2.3.6 to work on Drupal core, and site owners will receive warnings on older versions. Drupal will not install or update with Composer versions lower than 2.1.

To update your host's version of Composer, run:

composer self-update

You can roll back to the previous version at any time by using:

composer self-update --rollback

Update to a specific version with:

composer self-update 2.3.6

More information on using Composer for Drupal .

Removed modules and themes

Numerous modules and themes have been removed from Drupal core and moved to contributed projects. In many cases, the removed extensions have little to no impact on site development.

Sites that depend on a removed module or theme should download the contributed project version (either manually, or by requiring it with Composer) before updating their sites to Drupal 10. Drush may bypass warning and error messages on update.php related to missing modules or themes. The status report will display errors about missing modules after upgrading, but missing active themes will cause fatal errors and/or a white screen.

Removed modules

If a removed module is required for a site's functionality, the contributed version should be downloaded to the codebase or added to the Composer requirements before upgrading. Do not uninstall the module, since this would destroy the module configuration.

In addition to the below changes, some related CSS and templates have been removed from core base themes, so sites using the below modules may need to update their themes.

• Aggregator

  The Aggregator module has been removed from Drupal 10 and is available as the Aggregator contributed module.

• CKEditor 4

  Refer to the CKEditor 4 and 5 summary at the beginning of these release notes.

• Color

  The Color module has been removed from Drupal 10 and is available as a contributed module.

• HAL

  HAL has been removed from Drupal 10 and moved to a contributed project. In most cases, sites should be converted to use JSON:API instead. More information on replacing HAL.

• Quick Edit

  The Quick Edit module has been removed from Drupal 10 and moved to a contributed project. Most users do not use Quick Edit and it can usually be uninstalled safely. If you want to keep using this functionality, read the recommendations for Quick Edit.

• RDF

  The RDF module has been removed from Drupal 10 and moved to a contributed project.

  RDF was previously installed as part of the standard install profile, but many sites do not use the functionality it provides. If you are not sure what RDF is, it is likely that you can safely uninstall it.

  If you want to keep using the functionality provided by RDF, read the recommendations for RDF.

• Entity Reference (stub module)

  Entity Reference: If this module is installed on your site for some reason, simply uninstall it. (It is obsolete with no impact on site functionality.)

• Migrate Drupal Multilingual (stub module)

  Migrate Drupal Multilingual: This functionality is now provided by the core Migrate Drupal module. If this module is installed on your site for some reason, simply uninstall it. (It is obsolete with no impact on site functionality.)

Removed themes

Even if you do not use the below themes directly, you should check whether your installed themes extend them. This information is available in the .info.yml file for the theme. For example, to see if themes/mytheme uses Classy as a base theme, check in themes/mytheme/mytheme.info.yml for this line:

base theme: classy

Base themes may extend other base themes, so if a non-core base theme is listed, you should also check whether or not that theme extends one of the below themes (especially Classy or Stable).

• Bartik

  The Bartik theme has been removed from Drupal 10, and is now available as a contributed theme. Sites using Bartik must install the contributed theme before updating to Drupal 10.

• Seven

  The Seven theme has been removed from Drupal core and is now available as a contributed theme. We recommend switching to the new core admin theme, Claro. In order to continue using Seven, sites must install the contributed theme version of Seven before updating to Drupal 10.

• Classy

  The Classy base theme has been removed from Drupal core and is now available as a contributed theme. Themes depending on Classy should add a dependency on the contributed Classy theme. Sites that use a theme that extends Classy must install the contributed project versions of both it and Stable (see below) before updating to Drupal 10.

  Developers looking to create a new theme should now use the Starterkit theme generator that is provided with Drupal 10.

• Stable

  The Stable theme has been removed from Drupal core and is now available as a contributed theme. Themes depending on Stable should add a dependency on the contributed Stable theme or migrate to Stable 9. Sites that use a theme that extends Stable must install the contributed project version before updating to Drupal 10.

Composer integration changes

Composer 2.2 and higher require Composer projects to authorize individual plugins. This means that Composer commands to install and update Drupal projects will fail unless either the required plugins are allowed in the project configuration or the user manually replies y to a prompt to allow the plugin. Existing projects may need to update their configuration to authorize these plugins. This can be done by running the following commands:

composer config --no-plugins "allow-plugins.composer/installers" true
composer config --no-plugins "allow.plugins.drupal/core-composer-scaffold" true
composer config --no-plugins "allow-plugins.drupal/core-vendor-hardening" true
composer config --no-plugins "allow-plugins.drupal/core-project-message" true
  

For more information, review Composer 2.2+ authorized plugins.

Change to the Standard profile

The 'Basic HTML' format provided with the Standard profile no longer allows the <span> tag. This should simplify copying and pasting from Microsoft Word, Google Docs and similar programs into either version of CKEditor on new installs. Existing installs may want to consider removing the tag from text formats and reviewing existing content.

API changes

• Entity API changes

  • hook_entity_view_mode_alter() no longer receives the $context argument, which was always an empty array. Existing implementations of hook_entity_view_mode_alter() should remove the $context argument. See the hook_entity_view_mode_alter() change record for more details.

  • The range validator for entities now yields a more accurate 'value not in range' message for Symfony 6.1 compatibility, with its violation error code also more accurately being Range::NOT_IN_RANGE_ERROR.

• Serializer changes

  Code that extends Symfony's Serializer component has been updated with stricter typehints and an additional argument for compatibility with Symfony 6.1 and future releases. For more information, review the change record: Context argument added in code that extends from Symfony's Serializer component.

• Drupal version constant changes

  In order to provide sites with the most complete information on which PHP versions are supported and recommended for their current installation, \Drupal::MINIMUM_SUPPORTED_PHP is deprecated and replaced by \Drupal\Core\PhpRequirements::minimumSupportedPhp().

• Database API changes

  • Drupal previously supported per-table prefixing for complex multisite setups. This functionality has been deprecated since Drupal 8.2. Warnings are displayed on the status reports of sites that still use this functionality from Drupal 9.3.0 on, and the functionality has been removed from Drupal 10. See the change record for alternatives to per-table prefixing.

  • A new interface Drupal\Core\Database\SupportsTemporaryTablesInterface has been added for database drivers to indicate support of temporary tables.

• SimpleTest support removed from the core test runner

  The SimpleTest module was moved to contrib before Drupal 9.0.0. Drupal 10 removes support for SimpleTest from the core test runner. Projects that use SimpleTest should convert their tests to PHPUnit.

• Ajax commands can now return promises

  Ajax commands can now return promises when they need to ensure some code has been executed before executing the next Ajax command in the list.
  When altering the success method of a Drupal.Ajax object, please make sure a Promise is returned to ensure proper execution. Read more about the API changes in the Ajax system..

• Off-canvas/Settings Tray CSS modernized

  The off-canvas dialog’s CSS has been completely refactored in Drupal 10.0.0. This means that if your module or theme previously implemented custom CSS for the off-canvas dialog, it may need to be re-implemented (or removed if it was solely bug fixes). Additionally, all of the off-canvas CSS has been removed from Stable and Stable 9 to ensure that as many themes as possible will be able to benefit from the improvements. Read more about the changes to the off-canvas and Settings Tray CSS.

• Functional JavaScript tests will now fail on JavaScript errors

  JavaScript errors in tests are now caught and raised as test failures.. Previously, any JavaScript error that occurs that did not interfere with the functionality of the test was ignored. Now those errors are surfaced to the test runner.

• _serviceId property no longer added to container services

  For compatibility with PHP 8.2, the _serviceId property is no longer added to services in the container. Developers who relied on this property in custom code should read the change record for alternatives to the _serviceId property.

Backend (PHP) dependency changes

Added PHP dependencies

• Drupal core requires guzzlehttp/psr7 2.4.3 for implementation of several core services for PSR-17.

Removed PHP dependencies

The following dependencies have been removed from Drupal core:

• Diactoros: PSR-7, PSR-17, and PSR-18 functionality is now provided by guzzlehttp/psr7.
• Laminas Feed
• symfony-cmf/routing
• EasyRDF
• symfony/translation
• TYPO3/phar-stream-wrapper: this library is only needed for PHP 7.3 and earlier.
• doctrine/reflection: Relevant APIs were previously moved to Drupal core.
• stack/builder: The functionality is now provided by a core API. The http_kernel service's functionality is unaffected by this change.

Updated PHP dependencies

• Drupal 10 requires Symfony 6.2. Several indirect dependencies have changed as a result of the Symfony 6 update.

  Additionally, the symfony/deprecation-contracts, symfony/event-dispatcher-contracts, symfony/service-contracts, and symfony/translation-contracts libraries have been updated from 2.5.2 to 3.1.1.

• Twig has been updated from 2.x to 3.4.3. Review the Twig 3 changes for PHP developers and template creators.

• guzzlehttp/guzzle 7.5 is now required.

• asm89/stack-cors has been updated from version 1.3.0 to 2.1.1.

  Enabling CORS now preserves cacheability whenever possible.

  Previously, enabling CORS would add Vary: Origin to all requests of a different origin. With this change, enabling CORS will only add this if absolutely necessary.

• Drupal core's other production Composer dependency versions have been updated where possible to the latest major, minor, and patch releases. Where appropriate, constraints have been increased to require the latest minor versions.

Frontend (CSS and JavaScript) dependency changes

Removed frontend dependencies

• The public Backbone and Underscore core libraries have been removed. These dependencies are now deprecated and for internal use only. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core.

  Modules or themes that depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

• Since Internet Explorer 11 is no longer supported, Drupal 10 deprecates all polyfill libraries and removes the files. Additionally, the details HTML tag is available in all supported browsers, so the supporting code that provided this element for Internet Explorer has been removed. If you plan to continue supporting Internet Explorer 11 even when used with Drupal 10, your project will have to depend on or implement any required polyfills directly.

• The Farbtastic library has been removed from Drupal core. There is no replacement. Developers should consider using browser-native color pickers instead.

• The jQuery Joyride JavaScript library has been removed.

• The PopperJS JavaScript library has been removed as a direct dependency. It was used only by Quick Edit, which has been removed from core. If you need to use it, you should define the library in a custom module.

Updated frontend dependencies

• CKEditor 5 has been updated to the latest 35.4.0 release. This update has a minor breaking change that could affect the development of certain contributed or custom CKEditor 5 integrations. For more information read the CKEditor 5 35.4.0 release notes.

• jQuery has been updated from 3.6.0 to 3.6.2.

• tabbable has been updated to 6.0.10.

• The Shepherd.js JavaScript package has been updated to 10.0.1. Additionally, the public core library for this package has been deprecated. Shepherd.js should only be used internally by Drupal core.

• Drupal core's other production JavaScript dependency versions have been updated to the latest major, minor, and patch releases where possible. Where appropriate, constraints have been increased to require the latest minor versions.

Development dependencies

• The JavaScript ES6 build process has been removed given that all browsers supported by Drupal Core are now ES6-compatible. This means that once the build tooling is removed from Drupal 10, core developers are no longer required to run the commands when they make changes to core JavaScript. This also means that babel/core and all related dependencies are no longer used as core development dependencies.

• Node.js is a required development dependency for Drupal core and the minimum supported version has been updated from 12 to 16. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core's JavaScript development dependencies with npm or yarn.

• The PHPStan static analysis tool, version 1.9.1, has been added to Drupal core's development dependencies and is run against all core patches and merge requests.

• PHPUnit has been upgraded from 8.5.21 to 9.5.24, and all its sub-packages have been updated. PHPUnit 9.5 or higher is required, and PHPUnit 8 is no longer supported.

  phpspec/prophecy-phpunit and Mink 1.10 or later are also now required for PHPUnit.

• Drupal 10 development now requires composer/installers version 2.0 or higher (up from version 1.9).

• The Nightwatch testing library has been updated to version 2.4.2. Reference the Nightwatch developer guide for a list of high level changes in the 2.0.0 release.

• The JavaScript chromedriver package has been removed. If you were running Nightwatch tests locally, you may need to start Chromedriver manually.

• The JavaScript raw-loader package has been removed as it is no longer required by Drupal’s build process.

• The Stylelint development dependency has been updated to version 14, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

• stylelint-config-standard, which enforces Drupal's CSS style, has been upgraded from 23.0.0 to 28.0.0. Developers who relied on this ruleset may have to make minor tweaks to their CSS to comply with the new standards.

• cspell has been updated from version 5 to 6.14.1. This results in some slight changes to the dictionary for core development.

• Chalk has been removed as a JavaScript development dependency.

• PostCSS has been upgraded from 7.0.39 to 8.4.16. Developers who used custom PostCSS plugins may need to refer to the PostCSS 8 plugin migration guide.

• The ESLint JavaScript development dependency has been updated to version 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

• eslint-plugin-yml, the YAML style checker for ESLint, has been upgraded from 0.14.0 to 1.2.0.

• Drupal core's other JavaScript and PHP development dependencies have been updated to the latest major, minor, and patch versions wherever possible.

  Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.

Coding standards

The following coding standards checks have been enabled in core:

• Drupal.Array.Array.ArrayClosingIndentation
  Drupal.Array.Array.ArrayIndentation
  Drupal.Commenting.FunctionComment.MissingReturnType

• All YAML files are linted for correct indentation.

Known issues

Search the issue queue for known issues.

• #3327856: Performance regression introduced by container serialization solution
• #3328256: Not working with Drupal 9.5 and 10

All changes since 10.0.0-rc3

• Revert "Issue #2568889 by smustgrave, berenddeboer, Lendude, Anandhi Karnan, ckaotik, boromino, diaodiallo, Yago Elias, yashingole, Abhijith S, Amber Himes Matz, dawehner, Scott Weston: Views exposed text filter set to required shows an empty error and form error on page load"
• Issue #3327115 by Eric_A, alexpott, xjm, longwave, pandaski: .htaccess rules broken since yarn.lock got added
• Issue #3326896 by longwave, lauriii, Wim Leers, effulgentsia, catch, xjm: Update CKEditor 5 to 35.4.0
• Issue #3326874 by longwave, xjm: Update to jQuery 3.6.2
• Issue #2828724 by Spokje, alexpott, ravi.shankar, Lal_, malcomio, ElusiveMind, smaz, yogeshmpawar, ridhimaabrol24, semiaddict, piggito, f.mazeikis, tvhung, tatarbj, ranjith_kumar_k_u, vijaycs85, baikho, Jelle_S, kleinmp, bbrala, Mike_info, David_Rothstein, pwolanin, cburschka: Username enumeration via one time login route
• Issue #3325772 by andypost, mondrake: Fix wrong property typehinting in SchemaCheckTrait
• Issue #2810985 by _Archy_, smustgrave, GoZ, joelpittet, csheltonlcm, ayush.khare, Lendude: Remove duplicate condition
• Issue #3213752 by Spokje, bradjones1, quietone, _pratik_, ravi.shankar, rpayanm, bbrala, alexpott, catch: Remove dead code from JsonApiDocumentTopLevelNormalizerTest
• Issue #3259090 by Lendude, mr.york, Pandepoulus: Exposed filter equality check works differently in PHP 8.0
• Back to dev.