This is a release candidate for the next minor (feature) release of Drupal 10. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.
This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.
This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.
Drupal 10.1.x contains new features, and should be the target for new site development. Drupal 10.0.x will continue to have security support until December 2023.
Drupal 9.4.x security support will end on June 21, 2023. Sites on Drupal 8 or a Drupal 9 version earlier than 9.5.x should upgrade to a supported release as soon as possible.
Important update information
Sites must update to at least Drupal 9.4.4 before upgrading to Drupal 10
Drupal sites running 9.3.x or earlier versions must first update to 9.4.4 or later before updating to Drupal 10. All core updates added before 9.4.0 have been removed. The data upgrade path from CKEditor 4 to CKEditor 5 is not available before Drupal 9.4.4. In general, sites should update to the most recent release of their current major branch before updating to the next major release.
Sites using CKEditor 4 should upgrade to CKEditor 5 in Drupal 9.4 or 9.5 before updating to Drupal 10
Most Drupal sites using CKEditor 4 should upgrade to CKEditor 5. See the recommendations for CKEditor for details. Upgrading from CKEditor 4 to 5 is a manual process. You must review each text format editor condition.
Upgrading from Drupal 6 and 7
Drupal 6 and 7 users can continue to migrate to Drupal 10.1. The migration paths from Drupal 6 and Drupal 7 to Drupal 10 will remain supported throughout Drupal 10's release cycle.
Changes to site-owner-managed files
- The root .htaccess file now unsets the X-Content-Type-Options header before setting it again. This prevents duplicate headers in some configurations of Apache. Site owners should update their .htaccess files with this change to avoid duplicate headers.
- The root .htaccess file now caches all files for one year instead of two weeks. This brings the value in line with industry standards.
- Drupal adds 'Samesite: Lax' as a session cookie attribute by default. This is configurable in default.services.yml and site owners should update their copy of the file to include the section.
- Sites using nginx and php-fpm may need to update their nginx.conf for changes to CSS and JavaScript aggregation.
- The file location for Drupal's asset aggregation system is now configurable. It can be set in settings.php via $settings['file_assets_path']. Existing sites will continue to use the public files location.
- A new setting $settings['sa_core_2023_004_phpinfo_flags'] in default.settings.php has been added to configure the behaviour of admin/reports/status/php.
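An added example (not part of the release notes or of Drupal core): a small Python audit that checks a site's own copies of .htaccess, services.yml and settings.php against the changes listed above. The directive spellings it looks for (a Header unset line, ExpiresDefault A1209600 for two weeks, the cookie_samesite key) are assumptions about how core's shipped files express these changes, and the sample file contents are constructed; compare against the files in your core release.

```python
import re

def active_lines(text):
    """Stripped, non-empty lines with whole-line '#' comments dropped."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def audit_htaccess(text):
    """Findings for the two root .htaccess changes (header unset, cache lifetime)."""
    lines, findings = active_lines(text), []
    pat = r"Header\s+(?:\w+\s+)?%s\s+X-Content-Type-Options"
    unset_at = [i for i, ln in enumerate(lines) if re.match(pat % "unset", ln, re.I)]
    set_at = [i for i, ln in enumerate(lines) if re.match(pat % "set", ln, re.I)]
    if set_at and not (unset_at and unset_at[0] < set_at[0]):
        findings.append("X-Content-Type-Options set without a preceding unset")
    # Assumption: two weeks written in mod_expires seconds syntax, A1209600.
    if any(re.match(r"ExpiresDefault\s+A1209600\b", ln, re.I) for ln in lines):
        findings.append("ExpiresDefault is still two weeks")
    return findings

def audit_services_yml(text):
    """Findings for the session cookie SameSite attribute (key name assumed)."""
    hits = [re.match(r"cookie_samesite:\s*['\"]?(\w+)", ln) for ln in active_lines(text)]
    values = [m.group(1) for m in hits if m]
    if not values:
        return ["cookie_samesite is not configured"]
    if values[-1].lower() not in ("lax", "strict"):
        return ["cookie_samesite is %r, looser than Lax" % values[-1]]
    return []

def settings_overrides(text):
    """Which of the two new settings.php keys the site sets explicitly."""
    names = ("file_assets_path", "sa_core_2023_004_phpinfo_flags")
    pat = r"\$settings\[['\"]%s['\"]\]\s*="
    return {n: any(re.match(pat % n, ln) for ln in active_lines(text)) for n in names}

# Constructed samples: an older .htaccess fragment and its updated form.
OLD_HTACCESS = """
  ExpiresDefault A1209600
  Header always set X-Content-Type-Options nosniff
"""
NEW_HTACCESS = """
  ExpiresDefault "access plus 1 year"
  Header onsuccess unset X-Content-Type-Options
  Header always set X-Content-Type-Options nosniff
"""
# Constructed sample: a services.yml copied before the SameSite section existed.
OLD_SERVICES = "parameters:\n  session.storage.options:\n    gc_maxlifetime: 200000\n"
if __name__ == "__main__":
    print(audit_htaccess(OLD_HTACCESS), audit_services_yml(OLD_SERVICES))
```

An empty findings list means the file already carries the change; settings_overrides only reports whether the optional keys are set, since both have defaults.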
New features
- New permissions for managing custom blocks. Administrators can delegate the management of custom block content to users without granting the 'administer blocks' permission. The permissions allow for control by custom block type and access to block administration pages.
- Block content entities now have a UI for managing revisions. Users with sufficient permissions can view, revert and delete block content revisions.
- Content administrators can be given permission to delete any file, rather than just files they created. An operations field can be added to views on File entities to add a delete button. The view that ships with the File module has been updated to include the operations field. Existing sites need to add it themselves.
- The timestamp default formatter has a setting "Display as a time difference". This allows the date/time to display as a time difference (e.g. '2 hours 23 minutes ago'). The refresh interval is configurable.
- The CKEditor code block is now configurable, allowing the list of languages that can be input to be changed in the editor configuration. Modules or install profiles that provide default editor configurations may need to update their shipped config.
- A new “Development settings” page at /admin/config/development/settings contains Twig development settings, as well as the ability to disable various caches. The settings are stored within the state table (as opposed to configuration), so the settings cannot be accidentally committed and uploaded to production environments.
API deprecations and behavior changes
- Drupal now uses the default PHP password_hash() and password_verify() functions in order to store and verify passwords securely. A new module, Password Compatibility, allows existing users to log in. Read password hashing is changed to learn how this may impact users and when to uninstall the module.
- Some "notice" level user events are now logged at the lower-severity "info" level.
- The paths to manage custom-block types and block content (formerly custom blocks) have changed.
  - /admin/structure/block/block-content/types is now /admin/structure/block-content and available as Block types from the Structure menu.
  - /admin/structure/block/block-content is now /admin/content/block and available from the Blocks tab from the Content menu.
  - /block/{block id} is now /admin/content/block/{block id}
- Passing a string to AddCssCommand is now deprecated; instead, an array of attributes is expected, as for AddJsCommand. CSS files added with Ajax commands are now loaded with loadjs and Ajax commands wait for all CSS files to load before executing the next commands.
- Passing an array value to a database condition without using a compatible operator is no longer supported and will result in an exception.
- The READ COMMITTED transaction isolation level is set by default for new installs on MySQL and equivalent databases such as MariaDB. This level has been recommended for several years and is configurable as before in the database connection settings. No change will be made for existing sites.
- A bug in Drupal's dependency injection container is fixed. The bug could allow certain private services to be accessed by $container->get() depending on code execution order. Custom or contributed module code accessing services in this way would have been fragile before the change, but will now always break. Public services are unaffected.
- Config dependencies now have validation constraints. These are not currently used by Drupal core. They will be used later for validating config entities at the data layer.
- Layout Builder field blocks will now display the user-specified label from the block configuration. Sites should review their existing blocks as this change may impact workflows that relied on the previous behavior.
Performance improvements
- Only the CSS or JavaScript aggregate URL is built during the main request. Previously, the content of the aggregate was built and written to disk during the main request, which on complex pages could result in slow page loads. This now happens when the browser requests the CSS or JavaScript file.
- Comments and whitespace are removed from JavaScript files. This results in a significant file size reduction. Sites not using Drupal's aggregation should re-evaluate their aggregation and minification method.
- Responsive images now support lazy loading. Sites using the default responsive image configuration should update their config to include the new setting.
- The update to Symfony 6.3 includes a change to normalizers and denormalizers which should improve performance of JSON:API responses.
New experimental modules
Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.
- Announcements (beta stability)
  This module provides an announcements feed of project news from Drupal.org. The announcements are displayed in the Drupal administrative toolbar to site owners and editors.
  Announcements may include the following items:
  - news about upcoming Drupal features
  - important information for site owners on older Drupal versions
  - information about supporting the Drupal project through Drupal Association programs
- Single Directory Components (beta stability)
  This module allows themes and modules to create “components” consisting of a directory containing a Twig template, YML metadata, and optional JavaScript and CSS files. The JavaScript and CSS are automatically loaded when the component is used. For more information, see Using Single Directory Components.
PHP dependency updates
Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.
Symfony components have been updated to version 6.3.
PHPUnit has been upgraded from 9.5 to 9.6. Drupal is not yet compatible with PHPUnit 10.
Additionally, Drupal core’s composer constraints increased to require the latest minor version. This supports forward compatibility and non-disruptive security updates.
colinodell/psr-testlogger has been added to Drupal core's development dependencies.
Frontend (CSS and JavaScript) production dependency changes
Drupal core's JavaScript dependencies have been updated. The latest minor versions of all JavaScript dependencies are now required by core yarn constraints.
- CKEditor has been updated from 35.4.0 to 38.0.1.
  Custom CKEditor plugins may need updating to match API changes in the new version of CKEditor. Please check CKEditor 5's v36.x and v37.x update guides.
- The js-cookie library is unused in core after refactoring. js-cookie has therefore been deprecated as a core dependency and there is no replacement. Contributed modules or custom code relying on this library should declare their own dependency on it.
- Drupal uses Prettier instead of Stylelint to format PostCSS output.
Development dependencies
Core Nightwatch tests now include Axe accessibility scans that check common pages and forms for accessibility bugs.
Changed coding standards
- The rule Drupal.Commenting.DocComment.ShortSingleLine has been enabled.
- The following coding standards checks are now used to standardize the format of {@inheritdoc} for API docblocks.
  - SlevomatCodingStandard.Commenting.ForbiddenAnnotations
  - SlevomatCodingStandard.Commenting.ForbiddenComments
- The rule Drupal.NamingConventions.ValidVariableName.LowerCamelName is used for tests only.
Known issues
Search the issue queue for known issues.
All changes since Drupal 10.1.0-beta1
- Issue #3365499 by lauriii, ckrina, bnjmnm: Promote bnjmnm from provisional accessibility topic maintainer to full accessibility topic maintainer
- Issue #3364713 by lauriii, bnjmnm, andy-blum, Dave Reid, cosmicdreams: Claro: Messages can be malformed when JS creates messages and PHP messages already exist
- Issue #3351750 by benjifisher, Rassoni, smustgrave, larowlan, AaronMcHale: Create BC redirects for children of changed paths
- Issue #3361453 by longwave: Update multiple JavaScript dependencies for 10.1
- Issue #3365314 by longwave, smustgrave: Update dependencies for Drupal 10.1
- Issue #3346748 by Lendude, borisson_: Entering a non-numeric value for a start row value in 'Multiple field settings' for a views field leads to a fatal error
- Issue #3354382 by mondrake: [PHPUnit 10] Provide a static viable alternative to $this->prophesize() in data providers
- Issue #3039185 by nord102, yogeshmpawar, swentel, tim.plunkett, manishsaharan, nkoporec, catch, bkosborne: Allow field blocks to display the configuration label when set in Layout Builder
- Issue #3364088 by lauriii, tim.plunkett, anup.singh, olli: Ajax state leaking to Views destination paths
- Issue #3363391 by webchick: Remove webchick from MAINTAINERS.txt
- Issue #3351750 by benjifisher, Rassoni, smustgrave, larowlan, AaronMcHale: Create BC redirects for children of changed paths
- Skip \Drupal\Tests\file\Kernel\Views\RelationshipUserFileDataTest on PostgreSQL
- Skip \Drupal\Tests\file\Kernel\Views\RelationshipNodeFileDataTest on PostgreSQL
- Issue #3363222 by andypost: Update to Symfony 6.3
- Issue #2628230 by Lendude, mohit_aghera, wadmiraal, usrsbn, cilefen, dawehner, nubeli: Adding File Usage "File" relationship results in broken/missing handler
- Issue #3320721 by ranjith_kumar_k_u, martins.bertins, Manibharathi E R, smustgrave, Lendude: The active page number is not showing on the last page(Views Full pager)
- Issue #3363873 by Wim Leers: Stop using `first-uuid` and `second-uuid` in tests: violates config schema
- Issue #3364267 by lauriii, dww, smustgrave: Claro low contrast for buttons in dialog
- Issue #3349293 by Wim Leers, phenaproxima, smustgrave, longwave, bnjmnm, borisson_: Make assertions using ConfigEntityValidationTestBase::assertValidationErrors() clearer
- Issue #2825712 by Utkarsh_33, lauriii, bnjmnm, tstoeckler, idebr, BramDriesen, Lendude, srishtiiee: The allowed values storage setting of list fields should be required
- Issue #3115445 by mherchel, Ratan Priya, jedihe, alexdmccabe, selvakumar-96, Neslee Canil Pinto, catch, joycehutch, gonssal, Daniel Korte, shashank5563, Luke.Leber, SKAUGHT: Add a new clean_unique_id Twig filter for Html::getUniqueId
- Issue #2253257 by Utkarsh_33, bnjmnm, hooroomoo, jhedstrom, Xano, narendraR, chr.fritsch, vsujeetkumar, lauriii, Manuel Garcia, borisson_, andrewmacpherson, swentel, vijaycs85, tim.plunkett, larowlan, Berdir, mgifford, bojanz, jibran, olli, runeasgar, pooja saraah, zvischutz, InternetDevels, yoroy, effulgentsia, pfrenssen, jessebeach: Use a modal for entity delete operation links
- Issue #3361315 by mherchel, smustgrave, bnjmnm, ckrina: Dropbutton quickly shows/hides its menu on pageload causing layout shift
- Issue #3358514 by poker10, mcdruid, smustgrave: Make phpinfo on the admin status report configurable
- Issue #3359494 by bnjmnm, Spokje, lauriii, hooroomoo: Focus is lost on dialog close if the opener is inside a collapsible element
- Issue #3360991 by Wim Leers, borisson_: TypedData instances created by TypedConfigManager::createFromNameAndData() are incomplete
- Issue #3359421 by Anybody, Grevil: (Re-)Add width / height also on fallback image
- Issue #3362569 by Spokje: Update mglaman/phpstan-drupal and make daily "updated deps" QA jobs pass
- Revert "Issue #3359494 by bnjmnm, lauriii, hooroomoo: Focus is lost on dialog close if the opener is inside a collapsible element"
- Issue #3359494 by bnjmnm, lauriii, hooroomoo: Focus is lost on dialog close if the opener is inside a collapsible element
- Issue #3362414 by longwave: Update CKEditor 5 to 38.0.1
- Issue #3348603 by lauriii, joelpittet, Wim Leers, catch, smustgrave, witeksocha: CKEditor 5 resizes images with % width instead of px width (the CKEditor 4 default): breaks image captions *and* is a regression
- Issue #3362306 by Spokje: Skip InstallerExistingConfig[SyncDirectory]MultilingualTest::testConfigSync
- Issue #2823910 by daffie, pwolanin, smustgrave, neclimdul, larowlan, dawehner: DBTNG/EQ condition works inconsistently with arrays
- Issue #3278883 by vhin0210, longwave: TypeError: Argument 1 passed to Drupal\Core\Entity\EntityViewBuilder::view() must implement interface Drupal\Core\Entity\EntityInterface, null given, called in core/modules/node/node.module on line 559
- Issue #3361949 by andypost: Update to Symfony 6.3 RC1
- Issue #3361983 by effulgentsia, smustgrave: Remove psr/http-message from drupal/core-recommended
- Issue #3361730 by Berdir, longwave, DamienMcKenna, borisson_, catch: Rename EntityListBuilder::getQuery() to something less generic
- Issue #3361839 by BramDriesen, mherchel, rpayanm: Accidental use of CSS nesting in misc/dialog/off-canvas/css/details.css
- Issue #3361148 by Spokje: Update mglaman/phpstan-drupal and make daily "updated deps" QA jobs pass
- Issue #3361800 by Wim Leers, neclimdul, smustgrave: Update CKEditor 5 to 38.0.0
- Issue #3358524 by benjifisher, quietone, smustgrave: Users cannot log in if Password Compatibility module is not enabled
- Issue #3360124 by andypost, elber, catch, Spokje: Deprecate ::supportedInterfaceOrClass property on normalizer/denormalizers
- Issue #3357585 by longwave, catch: Pin to egulias/email-validator v4
- Issue #3352204 by longwave, nod_: Update jQuery to 3.7.0
- Issue #3360245 by mherchel, lauriii, longwave: Black bar appears (then disappears) at top of viewport when navigating
- Issue #3354606 by ranjith_kumar_k_u, pascalim, Abhijith S, smustgrave, borisson_: Datetime field name missing from validation error message
- Back to dev.