Drupal.org

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Remote code execution - SA-CORE-2020-012

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released. You should plan to update to 8.9.x or higher as soon as possible.
• Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Which release do I choose? Security coverage information

No other fixes are included.

• Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
• Sites on 8.8.x or earlier should update immediately to Drupal 8.8.11 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
• Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Remote code execution - SA-CORE-2020-012

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
• Sites on 8.9.x should update immediately to Drupal 8.9.9 instead.
• Sites on 8.8.x or earlier should update immediately to Drupal 8.8.11 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
• Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.

Important update information

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.1.x contains new features, and should be the target for new site development. Drupal 9.0.x will continue to have security support until June 2021. Drupal 8.9.x will continue to have security support until November 2021.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.2 and later.

Important update information

If you are updating from 9.0.x or earlier, also read:

• 9.1.0-alpha1 update information
• 9.1.beta1 update information

Security update required!

This release fixes security vulnerabilities. Sites that installed 9.1.0-alpha1 or 9.1.0-beta1 are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Remote code execution - SA-CORE-2020-012

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Note for users of the Experimental Workspaces module

Existing Drupal 8 sites using the experimental Workspaces module must update to at least Drupal 8.8.2 before updating to Drupal 9. (This is due to a required data integrity fix.) Remember that Workspaces is currently in beta status and is not intended for production.

Upgrading from Drupal 7

Drupal 7 users can continue to migrate to Drupal 8.9, or migrate to 9.0 or 9.1 directly. The upgrade path for multilingual sites is stable in Drupal 8.9, 9.0 and 9.1!

PHP 8 compatibility

Drupal 9.1 core has made numerous internal changes in order to be compatible with PHP 8.0, which is due to be released before the end of November. However, full compatibility with PHP 8 is currently blocked by one set of upstream dependencies that do not have PHP 8 versions available yet: #3180207: Update laminas-diactoros, laminas-escaper and laminas-feed for PHP 8 compatibility

Official Drupal PHP 8.0 compatibility will therefore not be available until Drupal 9.2.0. However, sites wishing to use PHP 8 should be able to do so safely with either of the following site setups:

• For Composer sites, Drupal core should run on PHP 8.0 with
  composer install --ignore-platform-requirements.
• Drupal core sites using a supported 9.1 release tarball (for example, 9.1.0-rc1 or 9.1.0) downloaded from the release page should also run on PHP 8 without any problems.

Composer template changes

The core recommended project templates now explicitly depend on the current minor branch (for example, ^9.1 instead of ^9), in order to make Composer behavior with pre-release milestones more predictable (so that, for example, a site running 9.1.0-beta1 will not be accidentally downgraded to 9.0.x.)

Dependency updates since 9.1.0-beta1

• typo3/phar-stream-wrapper updated from 3.1.5 to 3.1.6 for PHP 8 compatibility.
• Popper.js has been updated from 2.0.6 to 2.5.4.
• Underscore.js has been updated from 1.9.1 to 1.11.0.

Known issues

Search the issue queue for known issues.

All changes since 9.1.0-beta1

• SA-CORE-2020-012 by ufku, mrf, fgm, samuel.mortenson, dww, Heine, mlhess, David_Rothstein, pwolanin, xjm, fgm, stefan.r, dsnopek, rickmanelius, David Strauss, tedbow, alexpott, dww, larowlan, kim.pepper, Wim Leers, quicksketch, mcdruid, Fabianx, effulgentsia, drumm, pandaski, Mixologic
• Issue #3181059 by longwave, lauriii, alexpott, jungle: Update Popper.js to the latest version
• Issue #3182891 by alexpott: The variables_required setting is a tricky name
• Issue #3181057 by longwave, lauriii, jungle, alexpott: Update Underscore.js to the latest version
• Issue #3182959 by xjm: Prevent pre-release milestones from downgrading to earlier releases
• Issue #3175884 by gabesullice, mglaman, juagarc4, catch: JSON:API link keys can collide
• Issue #3179258 by julien, paulocs: Spaces before or after a string searched to be translated returns nothing
• Issue #2996114 by BR0kEN, gabesullice, jungle, ARUN AK, tengoku, Wim Leers, nishantkumar155, lawxen, bbrala, mglaman, Morbus Iff, larowlan, joachim, mxr576: Argument 2 passed to Drupal\jsonapi\Routing\Routes::Drupal\jsonapi\Routing\{closure}() must be an instance of Drupal\jsonapi\ResourceType\ResourceType, NULL given
• Issue #3145005 by longwave, mondrake, cburschka, raman.b, Lal_, dww, xjm: [November 9, 2020] Remove uses of t() in drupalPostForm() calls
• Issue #2404105 by chr.fritsch, jlbellido, penyaskito, alexpott: When a profile installs a block for a theme, it is created for all enabled themes
• Issue #3118591 by alexpott, xjm, chesnut: Datetime-related test failures on PostgreSQL 12
• Issue #268909 by maartenvg, raman.b, paulocs, lyricnz, Abhijith S, webchick, Freso, chx, pameeela: "0" can't be used a path alias, but no error is shown
• Issue #2851394 by GoZ, hgunicamp, oknate, jungle, wolffereast, tameeshb, mmatsoo, ridhimaabrol24, jofitz, swarad07, tanc, shaktik, dimaro, shashikant_chauhan, MerryHamster, quietone, nitesh624, martin_q, boaloysius, gaurav.kapoor, nitvirus, ankithashetty, Munavijayalakshmi, kostyashupenko, leolando.tan, amit.drupal, ravi.shankar, akashkrishnan01, Swapnil_Kotwal, Saviktor, mrinalini9, anmolgoyal74, Venkatesh Rajan.J, shimpy, lomasr, Dinesh18, shubham.prakash, mahtab_alam, markdorison, cilefen, longwave, bleen, xjm, alexpott, gmaltoni: Fix grammar 'a' to 'an' when necessary
• Issue #3176919 by kapilkumar0324, komalk, nitesh624, mherchel: Missing @file documentation in Olivero's node.html.twig
• Issue #3178581 by alexpott, longwave: Remove misspelled words from dictionary that are no longer used
• Issue #2987980 by alexpott, longwave, Lendude, jibran: Refactor UncaughtExceptionTest to not use cUrl
• Issue #3145418 by longwave, paulocs, shetpooja04, Spokje, nikitagupta, mondrake, ravi.shankar, sarvjeetsingh, mrinalini9: [November 9, 2020] Remove uses of t() in assertText() calls
• Issue #2851504 by alexpott, vomiand, Vj, BalajiDS, cilefen, tamasd: "Illegal choice 0 in Book element" when switching the book outline field from anything to "- None - "
• Issue #3112229 by mglaman, johnwebdev, jibran, Wim Leers: FieldItemNormalizer to not flatten if one property and getMainPropertyName is NULL
• Issue #3158651 by paulocs, benjifisher, abhisekmazumdar, himanshu_sindhwani, sarvjeetsingh, mayurjadhav, Vidushi Mehta, janmejaig, thalles, quietone: Sort direction is not hidden when no sort field is selected
• Issue #3139429 by mondrake, rahulrasgon, mohrerao, siddhant.bhosale, paulocs, longwave, jungle, cburschka, munish.kumar: Replace usages of AssertLegacyTrait::assert(No)FieldByXPath, that is deprecated
• Issue #3166450 by mondrake, longwave, snehalgaikwad: Split assertTrue using && into multiple assertions
• Issue #3138746 by jungle, rajandro, sja112, longwave, jameszhang023, quietone, dww: Fix 45 "shouldBeCamelCased" and related typos in core
• Issue #3181173 by longwave, pefferen, JD_1, larowlan: Drupal 8.9.7 breaks Book Settings Form Validation
• Issue #3179875 by greg.1.anderson, Mixologic: Path repositories need to be listed first for Composer 2
• Issue #3181240 by andypost: Upgrade typo3/phar-stream-wrapper 3.1.6

Release type: Security updateBug fixesNew features