drupal 8.8.7

This is a patch release of Drupal 8 and is ready for use on production sites. Learn more about Drupal 8.

If you are upgrading to this release from 8.7.x, read the Drupal 8.8.0 release notes before upgrading to this release.

This is the final normal bugfix release of 8.8.x. Further bugfixes will be available in 8.9.0 and 9.0.0, also released today. Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.x is released.

If you are running Drupal 8.7.x or earlier, you should update to Drupal 8.8.7 immediately in order to have the latest critical bug and security fixes applied. Sites that wish to receive regular bug fixes should plan to update to Drupal 8.9 in the near future and may consider preparing their site for Drupal 9.

If you are starting a new Drupal project, start with 9.0 for forward compatibility with later releases.

Important update information

• Drupal now shows a more user-friendly warning when a site tries to upgrade to a new version without having run required intermediate database updates first.

  If you see 'Unsupported schema version' when attempting to run updates, you should:

  1. Back up your site and codebase.
  2. Locate an older version of the contributed module which contains the updates you missed.
  3. Downgrade the module to that version in your code base, and attempt to run updates again.

  When this error is shown, it will now also prevent any updates from proceeding, so may make a persistent issue on an existing site more obvious.

  Ideally, you should always attempt updates of contributed modules and core on a backup of your site (such as a local development environment) prior to running them on production.

• The Views configuration fixes applied as post-updates in #2846614: Incorrect field name is used in views integration for multi-value base fields are now applied at every Views save in order to resolve an upgrade path issue. The old configurations are now formally deprecated in 9.0.0 and will be removed from 10.0.0. For more information on the changes that introduced this in previous releases, see the related change records:

  • Multi-value base fields in views no longer use an incorrect field name
  • Drupal\node\Plugin\views\field\Path deprecated, Drupal\views\Plugin\views\field\EntityLink now provides this functionality
  • Exposed filters can now limit which operator they expose

• Drupal 9 updates PHPUnit to PHPUnit 8, which introduces backwards compatibility breaks and new deprecations. In order to provide a continuous upgrade path from Drupal 8 (which uses PHPUnit 6 and 7), we've added forward-compatibility shims to provide backwards compatibility and support the new APIs on older PHPUnit versions, and backported them to 8.8.x. Read the change record on the forward-compatibility shims for more information on the methods you can implement in your PHPUnit tests.

• A handful of deprecation errors triggered were not actually classified as deprecation errors, and were being raised as silenced notices instead. E_USER_DEPRECATED were added to each to correct the problem. This means a small number of sites or modules might see deprecation errors in their tests when they did not previously. Only a handful of methods are affected. See #3137713: [D8 only] Update deprecation notices in NodeNewComments constructor and #3138591: [D8 only] Add missing E_USER_DEPRECATED to deprecation notices for the affected APIs.

Dependency update information

• The project composer/installers is no longer pinned in drupal/core-recommended. It may now be upgraded whenever a new version is available, and a Composer-managed site runs composer update. We are releasing this fix on 8.8.x for Composer 2 forward-compatibility and to mitigate against an unusual composer upgrade path problem See #3134648: [backport, needs scheduling] Don't pin the composer/installers version in drupal/core-recommended for background information on this bug, and #3135247: Composer's "prefer-stable" setting cannot be relied on to produce a stable release for the direction we are taking to prevent future such problems.

• Earlier this year, Symfony released an advisory for a security vulnerabilities, CVE-2019-18888 Drupal core was not affected by these vulnerabilities, so back in November, we updated Drupal's lock file to provide only the secure version of Symfony to tarball installations.

  In this release, the version constraint of symfony/http-foundation has been increased to 3.4.35, to ensure Composer-built sites are also secure. Going forward, we may adopt this strategy for other packages where Drupal is not affected by a security issue, or we might add an external dependency that adds constraints for insecure versions of packages.

• Drupal is now using stable releases for behat/mink (1.8.0) and behat/mink-selenium2-driver (1.4.0). While we wouldn't normally do a minor update to dependencies in a patch release, these were previously pinned to development versions because a critical bug affecting Drupal core had not been resolved in any stable release.

  This change will also make it easier to transition sites away from minimum-stability: "dev", which is no longer recommended. (See #3135247: Composer's "prefer-stable" setting cannot be relied on to produce a stable release from the known issues below for more information on our plans to address future issues with minimum-stability.)

• All of Drupal's JavaScript development packages have been updated to the latest secure versions. This does not affect production sites.

Known issues

Search the issue queue for known issues.

• #3135247: Composer's "prefer-stable" setting cannot be relied on to produce a stable release

All changes since 8.8.6

• #3134648 by alexpott, dww, greg.1.anderson, hussainweb, catch, xjm, Mixologic: [backport, needs scheduling] Don't pin the composer/installers version in drupal/core-recommended
• #3118741 by dww, lauriii, alexpott, xjm, nod_, longwave, tedbow, catch: [Security] Update yarn dependencies to fix security issues
• #3143722 by shaal, jungle, xjm: Update symfony/http-foundation to 3.4.35 (a security release)
• #3143339 by mohrerao, Bunty Badgujar, mondrake, xjm, longwave: [backport] Clean up the arguments of calls to WebAssert::titleEquals() and AssertLegacyTrait::assertTitle()
• #3138793 by sja112, mohrerao: Fix "configuration" relevant typos in core
• #3138801 by sja112, ankit.singh: Fix "readily" relevant typos in core
• #3138787 by mohrerao, sja112: Fix "response" relevant typos in core
• #3138792 by sja112, xjm, dww: Fix "compatibility" relevant typos in core
• #3138802 by sja112, kkalashnikov: Fix "snafus" relevant typos in core
• #3138803 by sja112: Fix "strength" relevant typos in core
• #3138799 by sja112, kkalashnikov: Fix "description" relevant typos in core
• #3138786 by sja112, mohrerao: Fix "Protected" relevant typos in core
• #3138785 by sja112, ankit.singh: Fix "Picasso" relevant typos in core
• #3138775 by sja112, mohrerao: Fix "Monoceros" relevant typos in core
• #3138591 by ankit.singh, benjifisher, xjm, mikelutz, andypost: [D8 only] Add missing E_USER_DEPRECATED to deprecation notices
• #3143115 by Ramya Balasubramanian, mrinalini9, atul4drupal, xjm: README.txt file format for Drupal
• #3002820 by daffie, pavnish, dww, sokru, mmjvb: PHP Warning in template_preprocess_update_report(): Invalid argument supplied for foreach()
• #3139439 by Bunty Badgujar, mondrake, xjm, daffie: Replace usages of deprecated AssertLegacyTrait::assertHeader()
• #3139403 by sja112, mondrake, xjm: Replace usages of deprecated AssertLegacyTrait::assertElement(Not)Present()
• #3134308 by quietone, mrinalini9, benjifisher, xjm: Change 'is was' to 'is' in comments
• #3110200 by himanshu_sindhwani, kiamlaluno, tdnshah, xjm: Comments make a reference to filter_process_format(), which no longer exists
• #3100712 by daffie, tim.plunkett, milindk, StevenPatz, xjm, alexpott, dorficus, tedbow, bircher, marcuschristopher, opdavies: Drupal 8.7.10 to 8.8.0 update fails if views have invalid configuration
• #3138731 by jungle, dww: Fix "inheritdoc" typos in core
• #3137713 by mohrerao, jyotimishra123, benjifisher, mikelutz, andypost: Update deprecation notices in NodeNewComments constructor
• #3136302 by Webbeh, bnjmnm, catch, xjm: Replace UPDATE.txt with links to d.o documentation
• Revert "Issue #3062446 by a.qala: duplicate if statements in "MenuLinkContent.php" on line 151 and 156 - Code Improvement in "Custom Menu Links" module"
• Merged 8.8.6.
• #3136668 by dww, dawehner, pavnish, catch, daffie, alexpott, xjm: Invalid system.schema key_value entry causes fatal on updating to 8.8.5
• #3135390 by jungle, munish.kumar, xjm, longwave, mondrake, daffie: Replace assertions involving calls to is_readable() and is_writeable() on files and directories with PHPUnit assertions
• #3123933 by greg.1.anderson, alexpott, longwave, xjm: Determine whether ComposerProjectTemplatesTest is testing the internet, and if it is, avoid that
• #3137268 by benjifisher, mikelutz, quietone, phenaproxima, heddn: Add benjifisher as a sub-system maintainer for migrate
• #3078671 by alexpott, Simon Peacock, greg.1.anderson, vuil, jungle, rodrigoaguilera, sam-elayyoub, mmjvb, karolrybak, catch, longwave: Pin behat/mink and behat/mink-selenium2-driver to use resolvable release
• #3062446 by a.qala: duplicate if statements in "MenuLinkContent.php" on line 151 and 156 - Code Improvement in "Custom Menu Links" module
• #3119733 by Raunak.singh, Suresh Prabhu Parkala, daffie, bertboerland, Kristen Pol, xjm: COPYRIGHT.txt outdated
• #3134472 by jungle, xjm, Kristen Pol: [8.8 only] Fix failure of enabled phpcs rule: Drupal.Files.EndFileNewline in 8.8.x
• #3135747 by alexpott, mondrake, jungle: assertStringContainsString() and related BC layer in 8.8.x does not work as expected
• Revert "Issue #3134648 by alexpott, dww, greg.1.anderson, hussainweb, xjm: Don't pin the composer/installers version in drupal/core-recommended"
• #3134648 by alexpott, dww, greg.1.anderson, hussainweb, xjm: Don't pin the composer/installers version in drupal/core-recommended
• #3101635 by mrinalini9, TylerMarshall, Kristen Pol: Update comments in taxonomy.es6.js to reflect taxonomy and not blocks
• #3116399 by catch, Kristen Pol: Place blocks .module file should not trigger a deprecation
• #3126906 by jungle, longwave, AndyF: MenuLinkContentTest.php is recognized as a binary file by git
• Revert "Issue #3133604 by Berdir, dww: Dependency compatibility check in system doesn't check if version is defined"
• #3133604 by Berdir, dww: Dependency compatibility check in system doesn't check if version is defined
• #3113124 by B2F, Kristen Pol: Incorrect API example about default widget override
• #3134333 by xjm, longwave, ravi.shankar, daffie: Change Drupal\Tests\search\Functional\SearchSimplifyTest and Drupal\Tests\search\Functional\SearchTokenizerTest to kerneltests
• #3087465 by zuhair_ak, tim.plunkett, Kristen Pol: Move hook_views_ui_display_top_links_alter() to views_ui.api.php
• #3126333 by longwave, mondrake, xjm, catch: Replace usage of the optional $canonicalize parameter of assertEquals(), that is deprecated
• #3134475 by Beakerboy, daffie: Avoid directly comparing string to blob in CommentIntegrationTest
• #3121020 by dww, Kristen Pol: Move Update Manager XML test fixtures into a fixtures/release-history directory
• #3110620 by salah1, xjm, kiamlaluno: Documentation for ModuleHandler::invokeAll() says the method uses a PHP function that is not used anymore
• #3082602 by bnjmnm, Kristen Pol, longwave, catch: Remove transform rule from css_disable_transitions_test
• #3126787 by jungle, xjm, mondrake, alexpott, MegaChriz: [D8 only] Add forwards-compatibility shim for assertInternalType() replacements in phpunit 6&7
• #3128761 by Beakerboy, daffie, alexpott, xjm: Duplicate timestamp placeholder in statistics query
• #3094067 by kishor_kolekar, Suresh Prabhu Parkala, jungle, dpi, xjm: Update missing @param and @return documentation and docs typehints for TypedDataInterface
• #3123253 by mondrake, Lal_, prabha1997, longwave, xjm, alexpott, jungle: Remove usage of AssertLegacyTrait::pass() from base test classes
• #3124281 by emyu01: Multiple grammatical errors in docs of BasicAuth class in basic_auth module
• #3111463 followup by dww: Fix line wrapping
• #3063694 by dhirendra.mishra, devoidfury, joachim: class docs for Url should give an overview of how to create one
• #3111463 by dww, benjifisher, xjm: Improve code documentation for \Drupal\update\ProjectSecurityData
• #3074064 by TR: LoggerChannelFactoryInterface documentation references non-existent class
• #3131474 by jungle, mondrake, alexpott: Replace assertions involving calls to array_search() with assertContains()/assertNotContains()
• #3120961 by dww, tedbow: Remove VERSION from update test modules that receive dynamic version numbers in tests
• #2978398 by ilya.no, iyyappan.govind, mcdruid, aleevas, quietone, joachim, alexpott, tvb, catch: UserPasswordResetTest extends PageCacheTagsTestBase unecessarily
• #3132745 by jungle, longwave, xjm, swatichouhan012, daffie: Fix Drupal.Array.Array.LongLineDeclaration coding standard for instances of the $modules test property
• #3100251 by Hardik_Patel_12, longwave: Several code comments have incorrect namespaces for classes or interfaces they reference
• #3020905 by kiamlaluno, johnwebdev: Remove the implementation example from the documentation for ModuleUninstallValidatorInterface::validate()
• #3122547 by dww, Kristen Pol, jungle: Fix duplicate word typos (the the, to to, etc) for test assertions
• #3132287 by jungle, dww, xjm: Fix wrong usages of {@inheritdoc}
• #3120910 by catch, tedbow, longwave, Pascal-, alexpott, Punyasloka: Sites with missing schema information can't update to 8.8.3+ - attempts to run all historical updates
• #3126957 by Suresh Prabhu Parkala, jungle, Neslee Canil Pinto, Kristen Pol, xjm: Add missing curly brackets around @inheritdoc
• #3125763 by quietone, heddn, dww, benjifisher, Lal_, Neslee Canil Pinto, alexpott, mikelutz: Test coverage for hidden dependency on migrate_drupal from node module when only migrate.module is enabled
• #3099528 by andrewmacpherson: Duplicate paragraph in Media Library help
• #3130427 by jungle, longwave, xjm: Fix upstream failing tests involving in oEmbed
• #2992631 by dww, swatichouhan012, tedbow, jungle, xjm: Update report incorrectly recommends security releases for old minors when a security update is needed and a secure version of the old minor is also available
• #3121827 by dww: Documentation follow-up fixes for hook_update_last_removed() from #3098475
• #3084813 by dpi: Fix return typehinting for user_load functions
• #3120901 by longwave, Kristen Pol: Update deprecations from 8.8.4 to 8.8.5
• #3121362 by jungle, Meenakshi.g, dww, xjm, alexpott, tim.plunkett: Fix duplicate word typos (the the, to to, etc.) for code comments
• #3126797 by mondrake, jonathan1055, longwave, Berdir, catch: [D8 only] Add forwards-compatibility shim for assertString(Not)ContainsString()replacements in phpunit 6&7
• #3070745 by AndyF, ravi.shankar, olli, tedbow, samuel.mortenson, droplet, alexpott: Off canvas filling up localStorage's quota, causing errors
• #3126695 by mondrake, jonathan1055, catch, longwave: [D8 only] Add forwards-compatibility shim for assertEqualsCanonicalizing() in phpunit 6&7
• #3098475 by Berdir, catch, Gábor Hojtsy, TravisCarden, dww, xjm, benjifisher, alexpott, larowlan, webchick: Add more strict checking of hook_update_last_removed() and better explanation
• #3074047 by Neslee Canil Pinto, mikelutz, quietone: Update MigrateDestinationInterface::import return type documentation
• #2989745 by plach, jungle, alexpott, Lendude, catch, tim.plunkett: views_update_8500() inlines configuration changes instead of this being done on config save for bc
• #3030989 by Lendude, emyu01, ravi.shankar, nisha_gupta, kaszarobert: Error while trying to bulk delete already deleted nodes