drupal 10.3.0

This is the final feature release of Drupal 10 and is ready for use on production sites. Learn more about Drupal 10 and the Drupal core release cycle.

This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.

Understanding the new release cycle: Drupal 10, 11, and 12

Sites must update to at least Drupal 10.3.0 (this release) prior to updating to Drupal 11. For information on the upcoming Drupal 11 release, read the Drupal 11.0.0-beta1 release notes.

Once Drupal 11 is released, start new projects on Drupal 11 for the best forward-compatibility with later releases. New features will only be added to upcoming Drupal 11 minor releases. Therefore, we recommend that you prepare existing sites for Drupal 11 this year in order to continue receiving the new features.
More information on the new Drupal core major release schedule.

Drupal 11.0 and 10.3

Drupal 10.3 provides almost the same public API as Drupal 11.0, which will be released in August. The main differences between Drupal 10.3 and 11.0 are dependency changes and the removal of deprecated code. For more information, refer to the Drupal 11.0.0-beta1 release notes.

Drupal 10.3.x and 11.0.x will receive security coverage until June 2025, when Drupal 11.2.0 is released. Drupal 10.2.x security coverage continues until December 2024.

Drupal 11.1 and 10.4

Drupal 10.4 will be a maintenance minor, the first in Drupal history. Maintenance minors receive limited ongoing forward-compatibility and security fixes only. Maintenance minor releases of Drupal 10 will be provided until the release of Drupal 12 in 2026. (More information on the new Drupal core major release schedule.)

Drupal 11.1 and 10.4 will be released in December 2024 and receive security coverage until December 2025.

Older Drupal versions

Drupal 10.1.x security support has ended. Sites on Drupal 8, 9, 10.0, or 10.1 should upgrade to a supported release as soon as possible.

Drupal 7 will reach its final end-of-life on January 5, 2025. No further support extensions will be provided. (Drupal 7 Migration Resource Center.)

Important update information

Backwards-compatibility break for security hardening

For security hardening, a backwards-compatibility break has been introduced in ImageStyleDownloadController. This change may affect modules that provide custom stream wrappers or extend ImageStyleDownloadController. Review the change record for information on how to update your routing entries for this change.

Changes to site-owner-managed files

• The special privileges of user 1 are now part of the SuperUserAccessPolicy and is enabled by default. The special behavior of user 1 can be disabled by setting the parameter security.enable_super_user in the site services.yml file to false.

• The use of the State cache can be controlled using a new setting in settings.php. The setting is $settings['state_cache'] and is set to TRUE to improve performance. Sites may set it to FALSE if any modules are storing large amounts of data or frequently changing data in the State store. In Drupal 11, the setting will be removed and the State cache will be permanently enabled.

Platform requirements changes

• Drupal 10.3 is fully compatible with PHP 8.3. PHP 8.3 is now recommended and may offer performance improvements.

API and behavior changes

• In order to protect users from being unexpectedly logged out, the user logout route is now CSRF-protected. Logout links that are hardcoded as /user/logout will result in a redirection to a confirmation form. Therefore, site users may be surprised when seeing this unexpected confirmation form for the first time. Site owners who have hardcoded /user/logout links can follow the instructions in the change record on the route's new protection to avoid the redirection behavior.

• Drupal now returns render cache items (except for forms) on POST requests. This improves performance of form submissions by allowing other elements of the page to be render cached. This change should be transparent to contributed and custom code. Module developers who implement custom forms should read POST requests are now render-cached,

Experimental module changes

Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.

• The Navigation module provides new administration navigation. It is at beta stability.

Theme system and template changes

• Sticky table headers are now implemented with pure CSS instead of JavaScript.

  Claro's custom implementation of sticky table headers (which was already using pure CSS) has been removed and Claro now relies on the default implementation.

  Themes that heavily customize the sticky tableheaders markup, CSS, or JavaScript may need to update, or may be able to remove overrides if they were implementing a CSS-only solution similar to Claro's.

• update.php will now use the Claro theme instead of the configured maintenance theme, to ensure that updates are run in a consistent environment.

PHP dependency changes

• Twig has been upgraded from 3.5.0 to 3.9.3. If you have custom code that extends Twig, you should read the Twig v3.9.0 changelog as there are new deprecations.

• Drupal core's Composer development dependency has been updated to Composer 2.7.7, which addresses security vulnerabilities. It is recommended that Drupal site owners also update their local Composer versions with composer self-update.

• Numerous other dependencies have received minor- and patch-level updates to the latest versions.

Frontend (CSS and JavaScript) production dependency changes

• CKEditor 5 has been updated from 41.2.0 to 41.3.1.

  If you are updating from 10.2.x or earlier and have the CKEditor font module installed, or another CKEditor extension that has been disrupted by this update, you should consider switching to CKEditor5 Plugin pack for a more up-to-date version of the plugin which is compatible with the CKEditor5 version shipped with Drupal 10.3.

• jQuery Form is removed as an external dependency. It is now forked into core because it is abandoned upstream. It is tagged @internal and should not be used by contributed or custom modules directly.

Known issues

• Drupal core does not currently have an effective way of handling data model updates that are needed in two separate versions of Drupal (for example, Drupal 10.4 and 11.1, or 10.3 and 11.0). The issue to resolve this is: #3108658: Handling update path divergence between 11.x and 10.x

  Until this issue is resolved, issues requiring a data model change may be held to a later release.

• PHP 8.4 compatibility for Drupal 10 and 11 remains under development. 10.4 (or even a later patch release of 10.3) will provide full compatibility with PHP 8.4.

• #3441010: Container compile crash when a service decorates a destructable service

• #3446026: Adding media library openers use autoconfigure and tags in 10.3.x has BC consequences

Search the issue queue for known issues.

All changes since Drupal 10.3.0-rc1

• Issue #3315694 by b_sharpe, vermario, deviantintegral, narendraR: Allow recipe command to write to the container - ensuring that cache does not be cleared after a recipe installs a module
• Issue #3455552 by mstrelan, xjm, quietone: Remove commented-out code in ArgumentDefaultTest referring to php module
• Issue #3421418 by mstrelan, Spokje, xjm, mondrake, longwave, acbramley: Add void return typehints to all test methods
• Issue #3454605 by thejimbirch, pooja_sharma, phenaproxima, the_g_bomb, catch, b_sharpe: Roles should be in their own recipes for composability
• Issue #2874067 by kkalashnikov, Nikolay Shapovalov, quietone, b_sharpe, smustgrave, xjm, benjifisher, MerryHamster, dww: Fix Drupal.Commenting.DocCommentLongArraySyntax coding standard
• Issue #3454212 by nathankg, joachim: Update mentions of #2225961 in comments
• Issue #2684251 by pooja_sharma, sheldonreed3, smustgrave, jehon, Lendude: Global Token Replacements is not working correctly in href
• Issue #3454062 by kim.pepper: Move Recipe\RollbackTest is to the FunctionalTests namespace
• Issue #3453320 by timurtripp: [10.3 regression] CKEditor 5 renamed CSS variable causing CKEditor dialogs to fail to appear above jQuery UI dialogs
• Issue #3454556 by xjm: Require Composer 2.7.7
• Issue #2927141 by Akhil Babu, pooja_sharma, geertvd, smustgrave, JeroenT, larowlan, catch, quietone: Updates to an entity's URL alias do not reflect on the corresponding local tasks
• Issue #3453551 by mstrelan: Fix return type of FormatterInterface::settingsSummary
• Issue #3450567 by kalpanajaiswal, joachim: GenerateTheme::__construct() does not document its parameters
• Issue #3121155 by quietone, lauriii, bnjmnm, tedbow: Add comments about alphabetical sorting in UpdateRegistry and test
• Issue #3452426 by mxr576, kristiaanvandeneynde: Insufficient cacheability information bubbled up by UserAccessControlHandler
• Issue #3450616 by catch, quietone, smustgrave: Optimize test order when --directory is used
• Issue #3453324 by calebtr, catch: core.libraries.yml mis-implements moved_files syntax
• Issue #3453621 by lauriii: Update 'lauriii' last name
• Issue #3192830 by neclimdul: twig_render_template micro optimization
• Issue #3445909 by seanB, smustgrave, alexpott, catch: Add static caching to LayoutTempstoreRepository
• Issue #3449891 by NexusNovaz, manish-31, bbrala: Move to new test path in NodeTest as per todo