Install
To start a new Drupal project with version 10.1.0:
To update your site and all dependencies to the latest version of Drupal:
To update your site to this specific release:
Using Composer to manage Drupal site dependencies
Downloads
Release notes
This is a minor version (feature release) of Drupal 10 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 10.1.x contains new features, and should be the target for new site development. Drupal 10.0.x will continue to have security support until December 2023.
Drupal 9.4.x no longer receives security support. Sites on Drupal 8 or a Drupal 9 version earlier than 9.5.x should upgrade to a supported release as soon as possible.
Important update information
Sites must update to at least Drupal 9.4.4 before upgrading to Drupal 10
Drupal sites running 9.3.x or earlier versions must first update to 9.4.4 or later before updating to Drupal 10. All core updates added before 9.4.0 have been removed. The data upgrade path from CKEditor 4 to CKEditor 5 is not available before Drupal 9.4.4. In general, sites should update to the most recent release of their current major branch before updating to the next major release.
Sites using CKEditor 4 should upgrade to CKEditor 5 in Drupal 9.4 or 9.5 before updating to Drupal 10
Most Drupal sites using CKEditor 4 should upgrade to CKEditor 5. See the recommendations for CKEditor for details. Upgrading from CKEditor 4 to 5 is a manual process. You must review each text format editor condition.
Upgrading from Drupal 6 and 7
Drupal 6 and 7 users can continue to migrate to Drupal 10.1. The migration paths from Drupal 6 and Drupal 7 to Drupal 10 will remain supported throughout Drupal 10's release cycle.
Changes to site-owner-managed files
- The root .htaccess file now unsets the X-Content-Type-Options header before setting it again. This prevents duplicate headers in some configurations of Apache. Site owners should update their .htaccess files with this change to avoid duplicate headers.
- The root .htaccess file now caches all files for one year instead of two weeks. This brings the value in line with industry standards.
- Drupal adds 'Samesite: Lax' as a session cookie attribute by default. This is configurable in default.services.yml and site owners should update their copy of the file to include the section.
- Sites using nginx and php-fpm may need to update their nginx.conf for changes to CSS and JavaScript aggregation.
- The file location for Drupal's asset aggregation system is now configurable. It can be set in settings.php via $settings['file_assets_path']. Existing sites will continue to use the public files location.
- A new setting $settings['sa_core_2023_004_phpinfo_flags'] in default.settings.php has been added to configure the behaviour of admin/reports/status/php.
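A check a site owner could run after updating .htaccess and services.yml, given as an added example that is not part of the release notes or Drupal core: it audits a raw response header block for a duplicated X-Content-Type-Options header and for a session cookie without a SameSite attribute. The function name and the sample headers are constructed for illustration, and the SESS/SSESS cookie-name pattern is an assumption about how Drupal names its session cookies.

```php
<?php
// Added example, not Drupal core code. audit_headers() is a hypothetical name.

/**
 * Returns a list of findings for a raw HTTP response header block.
 */
function audit_headers(string $raw): array {
  $nosniff = [];
  $findings = [];
  foreach (preg_split('/\r\n|\n/', trim($raw)) as $line) {
    if (!str_contains($line, ':')) {
      continue; // Status line or blank line.
    }
    [$name, $value] = array_map('trim', explode(':', $line, 2));
    $name = strtolower($name);
    if ($name === 'x-content-type-options') {
      $nosniff[] = strtolower($value);
    }
    // Assumption: session cookies are named SESS<hex> or SSESS<hex> (HTTPS).
    if ($name === 'set-cookie' && preg_match('/^S?SESS[0-9a-f]+=/i', $value)) {
      $attrs = array_map('trim', explode(';', strtolower($value)));
      if (!array_filter($attrs, fn($a) => str_starts_with($a, 'samesite='))) {
        $findings[] = 'session cookie has no SameSite attribute';
      }
    }
  }
  if (count($nosniff) > 1) {
    // Symptom of an .htaccess that sets the header without unsetting it first.
    $findings[] = 'X-Content-Type-Options sent ' . count($nosniff) . ' times';
  }
  elseif ($nosniff !== ['nosniff']) {
    $findings[] = 'X-Content-Type-Options: nosniff missing';
  }
  return $findings;
}

// Constructed sample headers, not captured from a real site.
$raw = <<<'SAMPLE'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
Set-Cookie: SSESSabc123=xyz; path=/; secure; HttpOnly
SAMPLE;

print_r(audit_headers($raw));
```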
New features
- New permissions for managing custom blocks. Administrators can delegate the management of custom block content to users without granting the 'administer blocks' permission. The permissions allow for control by custom block type and access to block administration pages.
- Block content entities now have a UI for managing revisions. Users with sufficient permissions can view, revert and delete block content revisions.
- Content administrators can be given permission to delete any file, rather than just files they created. An operations field can be added to views on File entities to add a delete button. The view that ships with the File module has been updated to include the operations field. Existing sites need to add the field themselves.
- The timestamp default formatter has a setting "Display as a time difference". This allows the date/time to display as a time difference (e.g. '2 hours 23 minutes ago'). The refresh interval is configurable.
- The CKEditor code block is now configurable, allowing the list of languages that can be input to be changed in the editor configuration. Modules or install profiles that provide default editor configurations may need to update their shipped config.
- A new “Development settings” page at /admin/config/development/settings that contains Twig development settings, as well as the ability to disable various caches. The settings are stored within the state table (as opposed to configuration), so the settings cannot be accidentally committed and uploaded to production environments.
API deprecations and behavior changes
- Some "notice" level user events are now logged at the lower-severity "info" level.
- The paths to manage custom-block types and block content (formerly custom blocks) have changed.
  - /admin/structure/block/block-content/types is now /admin/structure/block-content and available as Block types from the Structure menu.
  - /admin/structure/block/block-content is now /admin/content/block and available from the Blocks tab from the Content menu.
  - /block/{block id} is now /admin/content/block/{block id}
- Drupal now uses the default PHP password_hash() and password_verify() functions in order to store and verify passwords securely. Backwards compatibility is provided by the new phpass module that will be installed on existing sites via an update.
- Passing a string to AddCssCommand is now deprecated; instead, an array of attributes is expected, as for AddJsCommand. CSS files added with Ajax commands are now loaded with loadjs and Ajax commands wait for all CSS files to load before executing the next commands.
- Passing an array value to a database condition without using a compatible operator is no longer supported and will result in an exception.
- The READ COMMITTED transaction isolation level is set by default for new installs on MySQL and equivalent databases such as MariaDB. This level has been recommended for several years and is configurable as before in the database connection settings. No change will be made for existing sites.
- A bug in Drupal's dependency injection container is fixed. The bug could allow certain private services to be accessed by $container->get() depending on code execution order. Custom or contributed module code accessing services in this way would have been fragile before the change, but will now always break. Public services are unaffected.
- Config dependencies now have validation constraints. These are not currently used by Drupal core. They will be used later for validating config entities at the data layer.
- Layout Builder field blocks will now display the user-specified label from the block configuration. Sites should review their existing blocks as this change may impact workflows that relied on the previous behavior.
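The verify-then-upgrade pattern behind the password_hash() change, given as an added example rather than code from Drupal core or the phpass module: a stored legacy hash is checked with its old scheme and replaced by a password_hash() value on the next successful login. legacy_hash() is a stand-in scheme with a made-up "$L$" prefix, not the real phpass algorithm, and all function names are hypothetical.

```php
<?php
// Added example, not Drupal core or phpass module code.

// Stand-in legacy scheme (NOT the real phpass algorithm): iterated salted
// SHA-512, tagged with a made-up "$L$" prefix so it can be recognised.
function legacy_hash(string $password, string $salt): string {
  $h = hash('sha512', $salt . $password, TRUE);
  for ($i = 0; $i < 1024; $i++) {
    $h = hash('sha512', $h . $password, TRUE);
  }
  return '$L$' . $salt . '$' . base64_encode($h);
}

// Verifies a password against either storage format.
function check_password(string $password, string $stored): bool {
  if (str_starts_with($stored, '$L$')) {
    // Layout is $L$<salt>$<digest>; the salt must not contain "$".
    $salt = explode('$', $stored)[2];
    // hash_equals() compares in constant time.
    return hash_equals($stored, legacy_hash($password, $salt));
  }
  return password_verify($password, $stored);
}

// Returns [authenticated, hash to persist]. The hash is only replaced after
// a successful check, because the plain-text password is needed to rehash.
function login(string $password, string $stored): array {
  if (!check_password($password, $stored)) {
    return [FALSE, $stored];
  }
  if (str_starts_with($stored, '$L$') || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
    $stored = password_hash($password, PASSWORD_DEFAULT);
  }
  return [TRUE, $stored];
}

// Constructed sample account with a legacy hash.
$old = legacy_hash('correct horse', 'c0nstructed');
[$ok, $new] = login('correct horse', $old);
var_dump($ok, str_starts_with($new, '$L$'), password_verify('correct horse', $new));

// A wrong password neither authenticates nor changes the stored hash.
[$bad, $unchanged] = login('wrong', $old);
var_dump($bad, $unchanged === $old);
```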
Performance improvements
- Only the CSS or JavaScript aggregate URL is built during the main request. Previously, the content of the aggregate was built and written to disk during the main request, which on complex pages could result in slow page loads. This now happens when the browser requests the CSS or JavaScript file.
- Comments and whitespace are removed from JavaScript files. This results in a significant file size reduction. Sites not using Drupal's aggregation should re-evaluate their aggregation and minification method.
- Responsive images now support lazy loading. Sites using the default responsive image configuration should update their config to include the new setting.
- The update to Symfony 6.3 includes a change to normalizers and denormalizers which should improve performance of JSON:API responses.
New experimental modules
Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.
- Announcements (beta stability)
  This module provides an announcements feed of project news from Drupal.org. The announcements are displayed in the Drupal administrative toolbar to site owners and editors.
  Announcements may include the following items:
  - news about upcoming Drupal features
  - important information for site owners on older Drupal versions
  - information about supporting the Drupal project through Drupal Association programs
- Single Directory Components (beta stability)
  This module allows themes and modules to create “components” consisting of a directory containing a Twig template, YML metadata, and optional JavaScript and CSS files. The JavaScript and CSS are automatically loaded when the component is used. For more information, see Using Single Directory Components.
PHP dependency updates
Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.
Symfony components have been updated to version 6.3.
Additionally, Drupal core’s composer constraints increased to require the latest minor version. This supports forward compatibility and non-disruptive security updates.
PHPUnit has been upgraded from 9.5 to 9.6. Drupal is not yet compatible with PHPUnit 10.
colinodell/psr-testlogger has been added to Drupal core's development dependencies.
Frontend (CSS and JavaScript) production dependency changes
Drupal core's JavaScript dependencies have been updated. The latest minor versions of all JavaScript dependencies are now required by core yarn constraints.
- CKEditor has been updated from 35.4.0 to 38.0.1.
Custom CKEditor plugins may need updating to match API changes in the new version of CKEditor — please check CKEditor 5's v36.x and v37.x update guides.
- The js-cookie library is unused in core after refactoring. js-cookie has therefore been deprecated as a core dependency and there is no replacement. Contributed modules or custom code relying on this library should declare their own dependency on it.
- Drupal uses Prettier instead of Stylelint to format PostCSS output.
Development dependencies
Core Nightwatch tests now include Axe accessibility scans that check common pages and forms for accessibility bugs.
Changed coding standards
- The rule Drupal.Commenting.DocComment.ShortSingleLine has been enabled.
- The following coding standards checks are now used to standardize the format of {@inheritdoc} for API docblocks.
  - SlevomatCodingStandard.Commenting.ForbiddenAnnotations
  - SlevomatCodingStandard.Commenting.ForbiddenComments
- The rule Drupal.NamingConventions.ValidVariableName.LowerCamelName is used for tests only.
Known issues
Search the issue queue for known issues.
All changes since Drupal 10.1.0-rc1
- Issue #3059955 by oknate, Hardik_Patel_12, paulocs, phenaproxima, seanB, NikolaAt, smustgrave, bnjmnm, yogeshmpawar, rensingh99, xjm, chr.fritsch, lauriii, raman.b, Wim Leers, nikunj.shah, AndySipple, harshitthakore, saurabh.tripathi.cs, AaronMcHale, irene_dobbs, alexpott, andrewmacpherson, dorficus, effulgentsia, himanshu_sindhwani, codersukanta, pankaj.singh, tripurari, snehalgaikwad, priyanka.sahni: It is possible to overflow the number of items allowed in Media Library
- Issue #3356929 by Wim Leers, kevinquillen: Provide an upgrade path from "codesnippet" contrib CKEditor 4 plugin to "CodeBlock" core CKEditor 5 plugin
- Issue #3357382 by Robert Ngo, e0ipso, smustgrave: Unable to override library auto-definition to add external CSS & JS
- Issue #3367204 by JeroenT, smustgrave, neclimdul: [CKEditor5] Missing dependency on drupal.ajax
- Issue #3350973 by Spokje, acbramley: [random failure] Curl error thrown for http in JSWebAssertTest
- Issue #3367651 by Ahmad Smhan, MakerTimSWIS: Attached Library set to string instead of array
- Issue #3367433 by Spokje: [random test failure] \Drupal\Tests\ckeditor5\FunctionalJavascript\MediaTest::testViewMode random fail
- Issue #3317378 by Spokje, Wim Leers: [random test failure] Drupal\Tests\media_library\FunctionalJavascript\WidgetViewsTest::testWidgetViews random fail
- Issue #3351638 by swirt, lauriii, larowlan, mgifford, bnjmnm, smustgrave, maggiewachs: Remove truncation of path alias
- Issue #3361465 by Spokje: Remove outdated @todo's pointing to #3135457
- Issue #3360139 by bradjones1: Phpdoc for ResourceTypeRepositoryInterface::get return value is incomplete
- Issue #3356515 by fjgarlin, varun verma, smustgrave: Give users a way to access announcements if toolbar module is disabled
- Issue #3355403 by mglaman: Add "Edit permissions" as local task on role edit form
- Issue #3366722 by Gábor Hojtsy, lauriii: Add Lauri Eskola to Drupal core product managers
- Issue #3309585 by Mingsong, Wim Leers, Chi: CKEditor 5 Style plugin configuration tab does not appear
- Issue #3366481 by cilefen, acbramley, phenaproxima, seanB: OEmbedIframeController returns an HTTP response code that can be cached by forward proxies when it is given illegal parameters
- Issue #3355122 by joachim, dww, D34dMan: ContentTranslationContextualLinksTest should use API calls to set up translation
- Issue #3366081 by Spokje: [random test failure] MediaTest:: testEditableCaption()
- Issue #3366288 by andypost, longwave: Add [#\ReturnTypeWillChange] attribute to TemporaryArrayObjectThrowingExceptions for PHP 8.3 compatibility
- Issue #3346560 by DieterHolvoet, smustgrave: Allow extending StatusMessages class
- Issue #3027705 by claudiu.cristea, Pancho, smustgrave: Allow ?edit[field_xyz] as query parameter in contextual filter
- Issue #3319184 by royalpinto007, bbombachini, sourabhjain, Rassoni, smustgrave, Chi, catch, mstrelan: hook_condition_info_alter is not documented
- Issue #3270647 by P44T, AndyF, Sander Edwards van Muijen, Nitin shrivastava, Albert Volkman, mr.baileys, jshimota01, catch, mpellegrin, poker10, alexpott: PhpMail : broken mail headers in PHP 8.0+ because of LF characters
- Issue #3366633 by Spokje: Uncomment assertions in StyleTest related to https://github.com/ckeditor/ckeditor5/issues/11709
- Issue #3366287 by lauriii, catch, dmurphy1: [regression] Inserting media via the media library modal when paged redirects to the wrong destination
- Issue #3332456 by Spokje, jastraat: [random test failure] MediaTest::testLinkManualDecorator()
- Issue #3365480 by ctrlADel, e0ipso, sharkbaitdc, smustgrave, sarahjean, carolpettirossi: [SDC] Improve error handling during prop validation errors
- Issue #3358402 by totten, lisotton, jensschuppe, larowlan, znerol: [regression] route defaults are now automatically route parameters
- Issue #3048760 by Upchuk, ndobromirov, seanB, hchonov, bkosborne, Berdir: EntityCreateAnyAccessCheck::access() too restrictive
- Issue #3312733 by benjifisher, quietone, longwave, mikelutz, smustgrave: SQL migrations cannot be instantiated if database is not available and Node, Migrate Drupal modules are enabled
- Issue #3354090 by catch, longwave, smustgrave, mas5d2: Better default base path in assets stream wrapper