drupal 10.0.0-alpha6

This is an alpha release for the next major version of Drupal. This alpha release is intended for module or theme authors to test whether their code is compatible with recent significant changes in Drupal 10.0.x. Drupal 10 alpha releases should not be used in production. No upgrade path will be provided between Drupal 10 alpha releases, nor to Drupal 10.0.0-beta1.

This release fixes security vulnerabilities present in 10.0.0-alpha5. Sites are urged to update immediately after reading the notes below and the security announcements:

• Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Many breaking changes will be added before Drupal 10.0.0-beta1

Drupal 10 alphas do not include all the breaking changes that will be included in 10.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more APIs that are (or that will be) deprecated in Drupal 9, including several core modules and themes that will be moved to contributed projects. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 10 compatibility of modules, themes, and sites.

Specific, highly disruptive changes that are not complete in 10.0.0-alpha5:

1. CKEditor 4 will be removed from Drupal 10 core, and content created with CKEditor 4 might not work in CKEditor 5 because of upstream changes. You must either install the CKEditor 4 module in contrib (which will receive security fixes until Drupal 9's end-of-life in 2023), or update your site and content to CKEditor 5. There is a beta-stability CKEditor 5 module available for testing in Drupal 9 and 10.

2. Various core modules and themes will be moved to contributed projects.

3. Numerous JavaScript libraries and APIs will be removed, including the JavaScript build step.

There will be many other specific updates and deprecated API removals beyond this list. For more information on 10.0.x development, see #3118143: [meta] Release Drupal 10 on December 14, 2022.

The 10.0.x branch also includes all the latest commits that will be backported to 9.5.x and earlier branches. 10.0.x will be nearly identical to 9.5.x except for the following:

1. Deprecated code will be removed, including entire deprecated modules.
2. Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 9.5.x branch.

Important update information

This alpha includes many changes that are also included in Drupal 9.4.0. For additional changes from Drupal 9, review the release notes of the previous alpha releases:

1. Drupal 10.0.0-alpha1
2. Drupal 10.0.0-alpha2
3. Drupal 10.0.0-alpha3
4. Drupal 10.0.0-alpha4
5. Drupal 10.0.0-alpha5

Platform requirement changes

Composer 2.3.5 is required

Drupal 10 will require Composer version 2.3.5 or higher. Core developers must update to at least Composer 2.3.5 to work on Drupal core, and site owners may also receive a warning or error about older Composer versions in the future.

Composer plugin authorization change

Composer 2.2 introduced a new security feature that requires Composer projects to authorize plugins. This change means that Composer commands to install and update Drupal projects will fail unless either the required plugins are authorized in the project configuration or the user manually replies "y" to a prompt to authorize the plugin. The prompt can break continuous integration and deployment workflows, so it is recommended that projects authorize core's required plugins (and projects using development dependencies should authorize development plugins).

This release configures drupal/recommended-project to authorize core's required and development plugins by default. Existing projects may also need to update their configuration to authorize these plugins. For more information, review Composer 2.2+ authorized plugins.

Support removed for old versions of UC browser

Drupal has removed explicit support for older versions of UC browser that relied on a forked version of Chrome. Newer versions of the browser that rely on WebView should be unaffected.

CKEditor 5 API changes

The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag. (Note that this change is also available in Drupal 9.4.0.)

Dependency updates

• Drupal 10 now requires Symfony 6.1, and all Symfony components have been updated to 6.1.2.

• guzzlehttp/guzzle 7.4.5 and guzzlehttp/psr7 2.4.0 are now required to address two upstream security advisories:

  1. CVE-2022-31090
  2. CVE-2022-31091

• Psr/Log has been updated to version 3. All the methods that are on \Psr\Log\LoggerInterface have stricter typehints. Contrib and custom modules that provide logger implementations will need to be updated for Drupal 10.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases and, where appropriate, constraints have been increased to require the latest minor versions.

  The composer/xdebug-handler and sebastian/type dependencies have received major version updates that remove support for PHP versions not supported by Drupal 10.

• Chalk has been removed as a JavaScript development dependency.

Known issues

Search the issue queue for known issues.

All changes since Drupal 10.0.0-alpha5

• Issue #3294205 by shaal, NickDickinsonWilde, Spokje, alexpott, xjm, larowlan, longwave: Composer v2.2 prompts to authorize another plugin when stability=dev
• Issue #3294076 by longwave: Remove unused ExceptionTestSiteSubscriber
• Issue #3225381 by mikelutz, jrockowitz, yivanov, Spokje, larowlan, longwave, parkh, AdamPS, gcb: PHP Notice logged when switching "Configuration type" in single configuration export screen
• Issue #3112290 by Spokje, mondrake, mpdonadio, daffie, andypost, Kristen Pol, quietone, mallezie, alexpott: Replace REQUEST_TIME in procedural code
• Issue #3266274 by Spokje, nod_, xjm, lauriii: Remove chalk as a dependency
• Issue #3293952 by Spokje, longwave: Remove unneeded TextFormatElementFormTest::getUrl() and AssertContentTrait::getUrl()
• Issue #3293284 by catch: Throw an exception when Router::generate() is called
• Issue #3248078 by uri_frazier, antojose, alisonjo315, rootwork: Update 8.x specific documentation URLs
• Issue #3215870 by catch, effulgentsia, Gábor Hojtsy, xjm, andypost, longwave, freelock, Mixologic, phenaproxima, ressa: Require Composer 2.3.5 for developing Drupal 10 core
• Issue #3291729 by mherchel, andy-blum: Refactor Olivero styles to use new --drupal-displace variables and ensure that toolbar/buttons are always visible
• Issue #3259671 by alexpott, _KASH_, Lendude: Slow query in titleQuery Vid.php
• Issue #3284912 by mherchel, javi-er: Abstract and refactor Olivero's text color styles with new "text-color" custom properties
• Issue #3255749 by Spokje, alexpott, shaal, longwave, cilefen, AaronMcHale, benjifisher, Mile23: Composer v2.2 prompts to authorize pluginsile
• Issue #3284420 by longwave, Gábor Hojtsy, Spokje: Remove Composer 1 specific code paths from Drupal 10
• Issue #3291303 by Spokje: "Wierd" assertion in \Drupal\Tests
  iews\Functional\Wizard\BasicTest
• Issue #3031492 by longwave, tedbow, Spokje: Remove @todo in InlineBlockEntityOperations constructor
• Issue #3291295 by Ishani Patel, Webbeh: Incorrect ckeditor5.plugin.media_media schema label
• Issue #3292850 by tim.plunkett, chrisfromredfin, leslieg, xjm: Add Project Browser intitative to MAINTAINERS.txt
• Issue #3264145 by ankithashetty, yogeshmpawar, ravi.shankar, mrinalini9, neclimdul, mondrake, longwave, daffie: Fixing missing use statement in ConfigOverrider test class
• Issue #3285667 by andregp, ankithashetty, quietone, longwave: Remove duplicate test from source\d7\NodeTest::providerSource
• Issue #3239935 by mondrake, alexpott, andypost, daffie: Refactor ToolkitGdTest
• Issue #3270831 by Wim Leers, bnjmnm, xjm, catch: Make the CKEditor 4 → 5 upgrade path work even when the CKEditor 4 module is removed
• Issue #2896993 by cburschka, andypost, mxr576, jedihe: Decorated services crash on serialization
• Issue #3173031 by Spokje, andypost, mondrake: Clean-up \Drupal\system\Plugin\ImageToolkit\GDToolkit when core require php 8.0
• Issue #3293297 by catch: Remove bc layer in Drupal\Core\Theme\Registry::__construct()
• Issue #3292428 by Spokje: Remove inadvertedly committed core/modules/quickedit/tests/src/Functional/CKEditor5/CKEditor5QuickEditLibraryTest.php.orig
• Issue #3291830 by webflo: Fix PSR4 path for database driver
• Issue #3293215 by longwave: Remove remnants of Simpletest UI
• Issue #3293075 by longwave: Remove deprecated code from ModuleHandlerInterface
• Issue #3293051 by Spokje, longwave: \Drupal\Core\Composer\Composer::preAutoloadDump contains duplicate if statement
• Issue #3291208 by mondrake, longwave: Remove stray ignore deprecation patterns
• Issue #3270556 by quietone: Handle NULL for max_filesize_per_file in d6\FieldInstanceSettings::convertSizeUnit
• Issue #3070747 by immaculatexavier, herved, alexpott, yoruvo: Profile paths are not updated after moving them to other directories
• Issue #3293114 by uri_frazier, mikelutz, Spokje: Fix var tag on recent commit
• Issue #3278122 by andregp, mondrake, Spokje, daffie: Since symfony/routing 6.1: The "Symfony\Component\Routing\Matcher\UrlMatcher::handleRouteRequirements()" method will have a new "array $routeParameters" argument in version 7.0, not defining it is deprecated
• Issue #3271057 by Wim Leers, xjm, lauriii: Move Media Library CKEditor 4 integrations from Media into CKEditor
• Issue #3293077 by longwave: Enforce TrustedCallbackInterface in #date_date_callbacks
• Issue #3076684 by Spokje, andypost, longwave, paulocs, Mile23, KapilV, greg.1.anderson: Remove deprecated vendor cleanup scripts
• Issue #3284010 by _shY, mherchel, Abhijith S: "Create content" link within Olivero's "Getting started" page doesn't account for base directory
• Issue #3086931 by longwave, zrpnr, Spokje: Remove unused postcss.config.js
• Issue #3291317 by immaculatexavier, mherchel, Janner, longwave: Views Mini Pager's next button labeled "Previous" for screen readers in Olivero
• Issue #3292992 by Spokje: [#3280589] broke HEAD on 10.0.x and 10.1.x
• Issue #3280589 by Spokje, longwave, Mile23: Deprecate Composer Vendor Cleanup Scripts
• Issue #3153956 by clayfreeman, Spokje, andypost, longwave: Remove code related to "context from configuration" that was deprecated in Drupal 9
• Issue #3292730 by mondrake: Update to Symfony 6.1.2
• Issue #2987089 by askibinski, andypost, alexpott: Remove views.module's direct use of the _serviceId property
• Issue #3291283 by nod_, jsutta, longwave, cilefen, alexpott, Gabbia998, ptomulik: Restore missing backbone-min.js.map
• Issue #3292626 by Spokje, dww: Remove core/modules/ckeditor5/css/quickedit.css
• Issue #3153852 by clayfreeman, catch: Both component and core versions of ContextAwarePluginBase need updated deprecation documentation
• Revert "Issue #3238501 by kostyashupenko, Spokje, mherchel, nod_, longwave, lauriii, bnjmnm: Remove Internet Explorer 11 polyfills"
• Issue #3238501 by kostyashupenko, Spokje, mherchel, nod_, longwave, lauriii, bnjmnm: Remove Internet Explorer 11 polyfills
• Issue #3290808 by longwave, catch, Spokje, dww, Lendude: Remove workspaces special casing from system_requirements() and fix versions/docs
• Issue #3291780 by longwave, xjm, Spokje: guzzlehttp/guzzle 7.4.5 requires guzzlehttp/psr7 ^2.3 which breaks HEAD
• Issue #3285230 by xjm, benjifisher, phenaproxima, mikelutz, quietone: Migrate's DownloadFunctionalTest:: testExceptionThrow() is failing on guzzlehttp/psr7 2.3.0
• Issue #3291877 by alexpott, longwave: Fix \Drupal\FunctionalTests\Installer\InstallerTestBase tests to not test drupal.org
• Issue #3291893 by Spokje, alexpott: Stub release for 10.1.x breaks 10.0.x tests in HEAD
• Issue #3267314 by quietone, danflanagan8: Handle migration tests for removing tracker
• Revert "Issue #3267314 by quietone, danflanagan8: Handle migration tests for removing tracker"
• Issue #3267314 by quietone, danflanagan8: Handle migration tests for removing tracker
• Issue #1645328 by Liam Morland, darvanen, shravan sonkar, andregp, mandar.harkare, jhedstrom, sun: Add test to ensure fieldset allows any non-empty-string #title
• Issue #3254966 by mallezie, Taran2L, mglaman, mondrake, longwave: PHPStan error LinkItemTest
• Issue #3145738 by andrewmacpherson, quietone, Mile23, mmjvb: Incorrect composer update instructions for Drupal core metapackages
• Issue #3283235 by TR: Fix a comment typo in FileFieldWidgetTest
• Issue #3164699 by jungle, ravi.shankar, andregp, kishor_kolekar, sulfikar_s, ankithashetty, paulocs, Abhijith S, WagnerMelo, quietone: Fix or ignore 15 words used in Help Topics
• Issue #3291265 by Spokje: \Drupal\Testsorum\Functional\ForumNodeAccessTest doesn't use tracker module
• Issue #3276187 by mondrake, catch: Since symfony/routing 6.1: Construction of "Symfony\Component\Routing\Exception\MissingMandatoryParametersException" with an exception message is deprecated, provide the route name and an array of missing parameters instead
• Issue #3280033 by hmendes, rajandro, dpi, Ayesh: PHP 8.2 compatibility: ${} string interpolation deprecated
• Issue #3283498 by Mile23, alexpott: Scaffold ReplaceOp::copyScaffold() throws an error for empty files
• Issue #3291018 by Spokje, Wim Leers: Move \Drupal\Tests\ckeditor5\Functional\CKEditor5QuickEditLibraryTest to the quickedit namespace/directory
• Issue #3272779 by mondrake, longwave, alexpott: [Symfony 6.1] Replace deprecationListenerTrait with PHPUnitBridge ignoreFile
• Issue #3291047 by Wim Leers, Spokje: Move Quick Edit-specific styling of CKEditor 4 & 5 into Quick Edit module
• Issue #3285131 by andregp, daffie, catch, longwave: Fix constructor deprecation in Drupal\Core\Theme\Registry::__construct()
• Issue #2733675 by smccabe, murilohp, andregp, Johnny Santos, ankithashetty, mglaman, jonathanshaw, daffie, alexpott, catch, froboy: Warning when mysql is not set to READ-COMMITTED
• Issue #3257600 by tstoeckler, rpayanm: SettingsTrayBlockFormTest needlessly overrides getTestThemes
• Issue #2747273 by quietone, mayurjadhav, talhaparacha: Example given on FormBuilder::submitForm API Page is not working
• Issue #3267258 by Spokje, dww, andregp, Wim Leers, mstrelan, catch: Remove Quick Edit support from editor.module
• Issue #3268244 by Spokje, xjm, Wim Leers: [random test failure] Un-skip and fix QuickEditIntegrationTest::testArticleNode()
• Issue #3264633 by mstrelan, Spokje, dww, larowlan, catch, tim.plunkett, bbrala, xjm: Remove \Drupal\layout_builder\QuickEditIntegration and refactor it so that quickedit contrib provides the integration with layout builder
• Issue #3283794 by mondrake, longwave: Fix 'should return {type} but return statement is missing' PHPStan L0 errors in test code
• Issue #2430379 by quietone, znerol, larowlan: Add explicit test for session based language negotiation
• Issue #3265429 by neclimdul, eleonel: Fix array keys in MailManagerTest
• Issue #3277025 by Spokje, longwave: For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code
• Issue #3281535 by mondrake, daffie: Fix 'Access to an undefined property' PHPStan L0 errors in test code
• Issue #2430133 by JeroenT, znerol, mgifford: BlockLanguageTest tests non-existing pages
• Issue #3285503 by quietone, longwave: Remove deprecated code in constructors
• Issue #3265492 by dww, Spokje, Amber Himes Matz, quietone: Fix inaccuracies in quickedit help topic (after the split from settings_tray)
• Issue #3277148 by rpayanm, andregp, joachim, Farnoosh, Athrylith, Jingting: ResourceResponse should document that the route it is used with must define the _format requirement
• Issue #3257485 by TR, daffie: Constructor of Drupal\Core\Test\TestDiscovery called with 3 parameters and the constructor only takes 2 in TestDiscoveryTest
• Issue #3198340 by alexpott, xjm, Mile23, cilefen, mmjvb, catch, Mixologic, effulgentsia, mfb, longwave, larowlan, greg.1.anderson, Warped, quietone: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available
• Issue #2392815 by alexpott, pooja saraah, bircher, cilefen, pratik_specbee, catch, fago: Module uninstall validators are not used to validate a config import
• Issue #3283619 by eleonel: Fix a comment typo in common.inc
• Issue #3283599 by eleonel: Fix a typo in Help message on ckeditor5.module
• Issue #3281443 by _shY: Update Taxonomy tests to not use Bartik and Seven
• Issue #3281451 by tinto: Update Ajax FunctionalJavascript test to not use Bartik and Seven
• Issue #3285136 by catch, andregp, longwave: Remove a couple of constructor bc layers
• Issue #3284761 by longwave: Remove deprecated code in the update system
• Issue #3284970 by alexpott: Reduce complexity in \Drupal\Core\Site\Settings::initialize
• Issue #3269215 by slucero, dpi: EntityTypeInterface::getKey() is typehinted as possibly returning bool, but never returns true
• Issue #3281175 by neclimdul: PhpUnitCliTest fails outside of CI
• Issue #3284760 by longwave: Remove deprecated \Drupal\FunctionalTests\Image\ToolkitTestBase
• Issue #3284759 by longwave: Remove deprecated BcTimestampNormalizerUnixTestTrait
• Issue #3280398 by alexpott, mherchel, quietone: Theme's post updates within update.php refer to themes as "module"
• Issue #3285193 by Lendude, xjm: Temporarily skip random test failures that hide real test failures, part 4
• Revert "Issue #3269141 by longwave, sharayurajput, andypost: Alias deprecated Drupal\Core\StringTranslation\TranslationWrapper to TranslatableMarkup"
• Issue #3269141 by longwave, sharayurajput, andypost: Alias deprecated Drupal\Core\StringTranslation\TranslationWrapper to TranslatableMarkup
• Issue #3285061 by mondrake, mallezie, alexpott: Prevent installation of phpstan/phpstan >=1.7
• SA-CORE-2022-011 by GHaddon, JeroenT, yivanov, Heine, longwave, DamienMcKenna, mlhess, cilefen, xjm, benjifisher
• Issue #3276108 by jasonfelix, mherchel, zenimagine, lauriii: Allow the RSS Feed block's title to be customized by user
• Issue #3251384 by mherchel, xjm, catch, ckrina, longwave, andy-blum, droplet, lauriii, bnjm: Remove support for UC Browser
• Issue #3281438 by tinto, deviantintegral, catch: Update CKEditorTest to not use Bartik and Seven
• Issue #3101620 by gapple, longwave, catch: Remove IE conditional comments support in Drupal 10
• Issue #3272447 by alexpott, Spokje, catch, xjm: Update to PSR/log v3
• Issue #3275864 by Spokje, mondrake, catch: Update to Symfony 6.1.1
• Issue #3284502 by effulgentsia, alexpott: [regression] Drupal 9.4 breaks BC via incorrect autoloading of \Drupal\Driver\* overrides of core db drivers
• Issue #3274937 by nod_, woldtwerk, Dom., Wim Leers: Get CKEditor 5 to work in (modal) dialogs