drupal 10.1.0-alpha1

This is an alpha release for the next minor (feature) release of Drupal 10. Alphas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Alpha releases are not recommended for non-technical users, nor for production websites. More information on alpha releases.

This minor release provides improvements and new functionality. It does not not break backward compatibility (BC) for public APIs.There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.

This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 10.1.x contains new features, and should be the target for new site development. Drupal 10.0.x will continue to have security support until December 2023.

Drupal 9.4.x security support will end on June 21, 2023. Sites on Drupal 8 or a Drupal 9 version earlier than 9.5.x should upgrade to a supported release as soon as possible.

Important update information

Sites must update to at least Drupal 9.4.4 before upgrading to Drupal 10

Drupal sites running 9.3.x or earlier versions must first update to 9.4.4 or later before updating to Drupal 10. All core updates added before 9.4.0 have been removed. The data upgrade path from CKEditor 4 to CKEditor 5 is not available before Drupal 9.4.4. In general, sites should update to the most recent release of their current major branch before updating to the next major release.

Sites using CKEditor 4 should upgrade to CKEditor 5 in Drupal 9.4 or 9.5 before updating to Drupal 10

Most Drupal sites using CKEditor 4 should upgrade to CKEditor 5. See the recommendations for CKEditor for details. Upgrading from CKEditor 4 to 5 is a manual process. You must review each text format editor condition.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 10.1. The migration paths from Drupal 6 and Drupal 7 to Drupal 10 will remain supported throughout Drupal 10's release cycle.

Changes to site-owner-managed files

• The root .htaccess file now unsets the X-Content-Type-Options header before setting it again. This prevents duplicate headers in some configurations of Apache. Site owners should update their .htaccess files with this change to avoid duplicate headers.
• The root .htaccess file now caches all files for one year instead of two weeks. This brings the value in line with industry standards.
• Drupal adds 'Samesite: Lax' as a session cookie attribute by default. This is configurable in default.services.yml and site owners should update their copy of the file to include the section.
• Sites using nginx and php-fpm may need to update their nginx.conf for changes to CSS and JavaScript aggregation.
• The file location for Drupal's asset aggregation system is now configurable. It can be set in settings.php via $settings['file_assets_path']. Existing sites will continue to use the public files location.

New features

• New permissions for managing custom blocks. Administrators can delegate the management of custom block content to users without granting the 'administer blocks' permission. The permissions allow for control by custom block type and access to block administration pages.
• Block content entities now have a UI for managing revisions. Users with sufficient permissions can view, revert and delete block content revisions.
• Content administrators can be given permission to delete any file, rather than just files they created. An operations field can be added to views on File entities to add a delete button. The view that ships with the File module has been updated to include the operations field. Existing sites need to add themselves.
• The timestamp default formatter has a setting "Display as a time difference. This allows the date/time to display as a time difference (e.g. '2 hours 23 minutes ago'). The refresh interval is configurable.
• The CKEditor code block is now configurable, allowing the list of languages that can be input to be changed in the editor configuration. Modules or install profiles that provide default editor configurations may need to update their shipped config.

API deprecations and behavior changes

• Drupal now uses the default PHP password_hash() and password_verify() functions in order to store and verify passwords securely. A new module, Password Compatibility, allows existing users to log in. Read password hashing is changed to learn how this may impact users and when to uninstall the module.
• Some "notice" level user events are now logged at the lower-severity "info" level.
• The paths to manage custom-block types and block content (formerly custom blocks) have changed.
  • /admin/structure/block/block-content/types is now /admin/structure/block-content and available as Block types from the Structure menu.
  • /admin/structure/block/block-content is now /admin/content/block and available from the Blocks tab from the Content menu.
  • /block/{block id} is now /admin/content/block/{block id}
• Passing a string to AddCssCommand is now deprecated, instead an array of attributes is expected like for AddJsCommand. CSS files added with Ajax commands are now loaded with loadjs and Ajax commands wait for all CSS files to load before executing the next commands.
• Passing an array value to a database condition without using a compatible operator is no longer supported and will result in an exception.
• The READ COMMITTED transaction isolation level is set by default for new installs on MySQL and equivalent databases such as MariaDB. This level has been recommended for several years and is configurable as before in the database connection settings. No change will be made for existing sites.
• A bug in Drupal's dependency injection container is fixed. The bug could allow certain private services to be accessed by $container->get() depending on code execution order. Custom or contributed module code accessing services in this way would have been fragile before the change, but will now always break. Public services are unaffected.
• Config dependencies now have validation constraints. These are not currently used by Drupal core. They will be used later for validating config entities at the data layer.

Performance improvements

• Only the CSS or JavaScript aggregate URL is built during the main request. Before the content of the aggregate was built and written to disk during the main request, which on complex pages could result in slow page loads. This now happens when the browser requests the CSS or JavaScript file.
• Comments and whitespace are removed from JavaScript files. This results in a significant file size reduction. Sites not using Drupal's aggregation should re-evaluate their aggregation and minification method.
• Responsive images now support lazy loading. Sites using the default responsive image configuration should update their config to include the new setting.

New experimental modules

Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.

Announcements (beta stability)

This module provides an announcements feed of project news from Drupal.org. The announcements are displayed in the Drupal administrative toolbar to site owners and editors.

Announcements may include the following items:

• news about upcoming Drupal features
• important information for site owners on older Drupal versions
• information about supporting the Drupal project through Drupal Association programs

Single Directory Components (beta stability)

This module allows themes and modules to create “components” consisting of a directory containing a Twig template, YML metadata, and optional JavaScript and CSS files. The JavaScript and CSS are automatically loaded when the component is used. For more information, see Using Single Directory Components.

PHP dependency updates

Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.
Additionally, Drupal core’s composer constraints increased to require the latest minor version. This supports forward compatibility and non-disruptive security updates.
colinodell/psr-testlogger has been added to Drupal core's development dependencies.

Frontend (CSS and JavaScript) production dependency changes

Drupal core's JavaScript dependencies have been updated. The latest minor versions of all JavaScript dependencies are now required by core yarn constraints.

• CKEditor has been updated from 35.4.0 to 37.1.0. Custom CKEditor plugins may need updating to match API changes in the new version of CKEditor — please check CKEditor 5's v36.x and v37.x update guides.
• The js-cookie library is unused in core after refactoring. js-cookie has therefore been deprecated as a core dependency and there is no replacement. Contributed modules or custom code relying on this library should declare their own dependency on it.
• Drupal uses Prettier instead of Stylelint to format PostCSS output.

Development dependencies

Core Nightwatch tests now include Axe accessibility scans that check common pages and forms for accessibility bugs.

Changed coding standards

• The following coding standards checks are now used to standardize the format of {@inheritdoc} for API docblocks.
  • SlevomatCodingStandard.Commenting.ForbiddenAnnotations
  • SlevomatCodingStandard.Commenting.ForbiddenComments
• The rule Drupal.NamingConventions.ValidVariableName.LowerCamelName is used for tests only.

Known issues

Search the issue queue for known issues.