drupal 10.1.0-beta1

This is a beta release for the next minor (feature) release of Drupal 10. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This minor release provides improvements and new functionality. It does not not break backward compatibility (BC) for public APIs.There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies.

This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 10.1.x contains new features, and should be the target for new site development. Drupal 10.0.x will continue to have security support until December 2023.

Drupal 9.4.x security support will end on June 21, 2023. Sites on Drupal 8 or a Drupal 9 version earlier than 9.5.x should upgrade to a supported release as soon as possible.

Important update information

Sites must update to at least Drupal 9.4.4 before upgrading to Drupal 10

Drupal sites running 9.3.x or earlier versions must first update to 9.4.4 or later before updating to Drupal 10. All core updates added before 9.4.0 have been removed. The data upgrade path from CKEditor 4 to CKEditor 5 is not available before Drupal 9.4.4. In general, sites should update to the most recent release of their current major branch before updating to the next major release.

Sites using CKEditor 4 should upgrade to CKEditor 5 in Drupal 9.4 or 9.5 before updating to Drupal 10

Most Drupal sites using CKEditor 4 should upgrade to CKEditor 5. See the recommendations for CKEditor for details. Upgrading from CKEditor 4 to 5 is a manual process. You must review each text format editor condition.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 10.1. The migration paths from Drupal 6 and Drupal 7 to Drupal 10 will remain supported throughout Drupal 10's release cycle.

Changes to site-owner-managed files

• The root .htaccess file now unsets the X-Content-Type-Options header before setting it again. This prevents duplicate headers in some configurations of Apache. Site owners should update their .htaccess files with this change to avoid duplicate headers.
• The root .htaccess file now caches all files for one year instead of two weeks. This brings the value in line with industry standards.
• Drupal adds 'Samesite: Lax' as a session cookie attribute by default. This is configurable in default.services.yml and site owners should update their copy of the file to include the section.
• Sites using nginx and php-fpm may need to update their nginx.conf for changes to CSS and JavaScript aggregation.
• The file location for Drupal's asset aggregation system is now configurable. It can be set in settings.php via $settings['file_assets_path']. Existing sites will continue to use the public files location.

New features

• New permissions for managing custom blocks. Administrators can delegate the management of custom block content to users without granting the 'administer blocks' permission. The permissions allow for control by custom block type and access to block administration pages.
• Block content entities now have a UI for managing revisions. Users with sufficient permissions can view, revert and delete block content revisions.
• Content administrators can be given permission to delete any file, rather than just files they created. An operations field can be added to views on File entities to add a delete button. The view that ships with the File module has been updated to include the operations field. Existing sites need to add themselves.
• The timestamp default formatter has a setting "Display as a time difference. This allows the date/time to display as a time difference (e.g. '2 hours 23 minutes ago'). The refresh interval is configurable.
• The CKEditor code block is now configurable, allowing the list of languages that can be input to be changed in the editor configuration. Modules or install profiles that provide default editor configurations may need to update their shipped config.
• A new “Development settings” page at /admin/config/development/settings that contains Twig development settings, as well as the ability to disable various caches. The settings are stored within the state table (as opposed to configuration), so the settings cannot be accidentally committed and uploaded to production environments.

API deprecations and behavior changes

• Drupal now uses the default PHP password_hash() and password_verify() functions in order to store and verify passwords securely. A new module, Password Compatibility, allows existing users to log in. Read password hashing is changed to learn how this may impact users and when to uninstall the module.
• Some "notice" level user events are now logged at the lower-severity "info" level.
• The paths to manage custom-block types and block content (formerly custom blocks) have changed.
  • /admin/structure/block/block-content/types is now /admin/structure/block-content and available as Block types from the Structure menu.
  • /admin/structure/block/block-content is now /admin/content/block and available from the Blocks tab from the Content menu.
  • /block/{block id} is now /admin/content/block/{block id}
• Passing a string to AddCssCommand is now deprecated, instead an array of attributes is expected like for AddJsCommand. CSS files added with Ajax commands are now loaded with loadjs and Ajax commands wait for all CSS files to load before executing the next commands.
• Passing an array value to a database condition without using a compatible operator is no longer supported and will result in an exception.
• The READ COMMITTED transaction isolation level is set by default for new installs on MySQL and equivalent databases such as MariaDB. This level has been recommended for several years and is configurable as before in the database connection settings. No change will be made for existing sites.
• A bug in Drupal's dependency injection container is fixed. The bug could allow certain private services to be accessed by $container->get() depending on code execution order. Custom or contributed module code accessing services in this way would have been fragile before the change, but will now always break. Public services are unaffected.
• Config dependencies now have validation constraints. These are not currently used by Drupal core. They will be used later for validating config entities at the data layer.

Performance improvements

• Only the CSS or JavaScript aggregate URL is built during the main request. Before the content of the aggregate was built and written to disk during the main request, which on complex pages could result in slow page loads. This now happens when the browser requests the CSS or JavaScript file.
• Comments and whitespace are removed from JavaScript files. This results in a significant file size reduction. Sites not using Drupal's aggregation should re-evaluate their aggregation and minification method.
• Responsive images now support lazy loading. Sites using the default responsive image configuration should update their config to include the new setting.
• The update to Symfony 6.3 includes a change to normalizers and denormalizers which should improve performance of JSON:API responses

New experimental modules

Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.

Announcements (beta stability)

This module provides an announcements feed of project news from Drupal.org. The announcements are displayed in the Drupal administrative toolbar to site owners and editors.

Announcements may include the following items:

• news about upcoming Drupal features
• important information for site owners on older Drupal versions
• information about supporting the Drupal project through Drupal Association programs

Single Directory Components (beta stability)

This module allows themes and modules to create “components” consisting of a directory containing a Twig template, YML metadata, and optional JavaScript and CSS files. The JavaScript and CSS are automatically loaded when the component is used. For more information, see Using Single Directory Components.

PHP dependency updates

Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

Symfony components have been updated to version 6.3.

PHPUnit has been upgraded from 9.5 to 9.6. Drupal is not yet compatible with PHPUnit 10.

Additionally, Drupal core’s composer constraints increased to require the latest minor version. This supports forward compatibility and non-disruptive security updates.

colinodell/psr-testlogger has been added to Drupal core's development dependencies.

Frontend (CSS and JavaScript) production dependency changes

Drupal core's JavaScript dependencies have been updated. The latest minor versions of all JavaScript dependencies are now required by core yarn constraints.

• CKEditor has been updated from 35.4.0 to 37.1.0. CKEditor will also likely be updated again before the final release of Drupal 10.1.0 to solve some outstanding bugs and regressions.

  Custom CKEditor plugins may need updating to match API changes in the new version of CKEditor — please check CKEditor 5's v36.x and v37.x update guides.

• The js-cookie library is unused in core after refactoring. js-cookie has therefore been deprecated as a core dependency and there is no replacement. Contributed modules or custom code relying on this library should declare their own dependency on it.
• Drupal uses Prettier instead of Stylelint to format PostCSS output.

Development dependencies

Core Nightwatch tests now include Axe accessibility scans that check common pages and forms for accessibility bugs.

Changed coding standards

• The rule Drupal.Commenting.DocComment.ShortSingleLine has been enabled.
• The following coding standards checks are now used to standardize the format of {@inheritdoc} for API docblocks.
  • SlevomatCodingStandard.Commenting.ForbiddenAnnotations
  • SlevomatCodingStandard.Commenting.ForbiddenComments
• The rule Drupal.NamingConventions.ValidVariableName.LowerCamelName is used for tests only.

Known issues

Search the issue queue for known issues.

All changes since Drupal 10.1.0-alpha1

• Issue #3338328 by Spokje, andypost, longwave, effulgentsia, jungle, catch, smustgrave, Wim Leers: Update to Symfony 6.3
• Issue #3269419 by Gauravvvv, Kaustab_Roy, mherchel: Claro: Boundary of modals are difficult to discern in forced colors
• Issue #3013069 by israelshmueli, Gauravvvv, smustgrave: Locale module is css missing RTL support for collapse state in translation update page
• Issue #3278493 by mglaman, rabbitlair, mherchel, Purencool, dww, benjifisher, lauriii, andy-blum, AdamPS, jwilson3, alexpott, smustgrave, rlahoda, akalata, ckrina, bnjmnm, crasx, mndonx, hbrokmeier, callinmullaney: Make it easier for theme builders to enable Twig debugging and disable render cache
• Issue #3358323 by longwave, rpayanm, smustgrave: Update dependencies for Drupal 10.1
• Issue #3342816 by Utkarsh_33, bnjmnm, lauriii: Adjust hardcoded widths in dialog modals
• Issue #3359065 by Spokje: Fix PHPStan L1 errors "Fix PHPStan L1 errors "Array has 2 duplicate keys with value 'Foo.SOME_KEY'..."
• Issue #2962088 by yogeshmpawar, jvsouto, Rassoni, Prashant.c, bhanuprakashnani, quietone, cilefen, longwave, drumm, smustgrave: Convert drupal.org to example.com in tests
• Issue #3359543 by Spokje: Update mglaman/phpstan-drupal and make daily "updated deps" QA jobs pass
• Issue #3351619 by Gauravvvv, longwave, Spokje, mherchel, smustgrave: Update PostCSS and postcss-preset-env for Drupal 10.1
• Issue #3130107 by stefanos.petrakis, rpayanm, smustgrave, jungle: Extend unit test coverage for LanguageNegotiationContentEntity
• Issue #3358739 by andypost, dww: Update coder to 8.3.18
• Issue #3087950 by Utkarsh_33, swatichouhan012, komalk, Sivaji_Ganesh_Jojodae, Therapychild, Sakthivel M, lauriii, thalles, shalinigaur, kostyashupenko, fhaeberle, amjad1233, sibustephen, pankaj.singh, KondratievaS, pranav.aeer, hooroomoo, ckrina, huzooka: Progress throbber position is incorrect
• Issue #3358328 by alexpott, dww, mglaman: Improve how KernelTestBase manages its persistent key value storage
• Issue #3227354 by JeroenT, bnjmnm, Wim Leers, jungle, VladimirAus, lauriii, RenatoG, nmangold, Gábor Hojtsy, el7cosmos, catch, mandclu, freelock, ckrina, witeksocha, Reinmar: Add support for ckeditor5-autoformat
• Issue #3336535 by lauriii, andypost, longwave: Require Node.js 18 for development in 10.1.x
• Issue #3111550 by Primsi, Berdir, smustgrave: Test that new fields are translatable when re-using existing storage but not translatable when added from the UI
• Issue #3349449 by dww, Gábor Hojtsy: Synchronize core language list with localize.drupal.org
• Issue #3355449 by dww, smustgrave: Document that "Base system" is maintained by the framework managers
• Issue #3060626 by mohit_aghera, ranjith_kumar_k_u, Suresh Prabhu Parkala, aalin, Prem Suthar, cindytwilliams, larowlan, smustgrave, Kristen Pol: OptionsWidgetBase doesn't respect #required_error
• Issue #3338907 by mondrake, longwave, larowlan, daffie, alexpott: Update to PHPUnit 9.6.7
• Issue #3358416 by Spokje, mondrake: Use RandomGeneratorTrait in UnitTestCase and remove direct implementations of randomMachineName and getRandomGenerator
• Issue #3357112 by bnjmnm, hooroomoo, lauriii, smustgrave, ckrina: Reduce reflow on the Home / Back to Site button
• Issue #3358044 by solideogloria, longwave: Fix parameter type hint order in AccessResultReasonInterface and FileListingTest
• Issue #3357825 by Spokje, Eric_A: Update guzzlehttp/psr7 constraint
• Issue #3258433 by daniel_j, smustgrave, tedfordgif, quietone: Clear Caches button should not be part of Performance form
• Issue #3358048 by mglaman, dww, amateescu: Do not use persist tag for keyvalue.memory in KernelTestBase
• Issue #3353658 by mondrake, smustgrave: [PHPUnit 10] Provide a static alternative to randomMachineName() and implement in data providers
• Issue #3351379 by Spokje, mondrake, longwave: Only mock methods defined in interfaces
• Issue #3355604 by joachim, penyaskito, borisson_: ContentTranslationLanguageChangeTest should perform setup tasks using API calls not form submissions
• Issue #3178983 by smustgrave, andypost, quietone, mondrake, alexpott: Clean-up Testing from topic maintainers
• Issue #3267401 by nils.destoop, acbramley, smustgrave: Media library is showing 'is required message' while the user has no access to the field
• Issue #3213745 by AlexGreen, mcdruid, dww, poker10, smustgrave: Add phtml files to the list of potentially malicious extensions
• Issue #3093973 by robindh, Diego_Mow, smustgrave, Grayle: Allow DELETE requests to return a response body
• Issue #2986372 by ranjith_kumar_k_u, robertom, _utsavsharma, smustgrave, penyaskito, catch, larowlan: "Comments per page" setting cannot be configured to "all comments"
• Issue #3351356 by bnjmnm, longwave, dww, jan kellermann, smustgrave: Reduce toolbar user button related browser reflow
• Issue #2272011 by mashermike, quietone, mikeryan, rpayanm: SiteSettingsForm needs to include install.inc
• Issue #3357518 by poker10, DanielVeza: StatisticsLoggingTest does not truncate node_counter
• Issue #3356093 by claudiu.cristea: Code duplication in MediaLibraryUiBuilder::buildMediaLibraryView()
• Issue #3353693 by rckstr_rohan, joachim, smustgrave: the way QueryFactory and Query work with namespaces and classes needs to be documented
• Issue #3259255 by gordon, smustgrave, cilefen, quietone, catch, larowlan: Html::escapeCdataElement() not adding CDATA correctly
• Issue #3344386 by Charlie ChX Negyesi: Add entity to the entity reference label formatter render array
• Issue #3357646 by Spokje: Fix 2 PHPStan L1 errors "Relying on entity queries to check access by default is deprecated..." in the Layout Builder module
• Issue #3357700 by Tim Bozeman: Ensure that all revisions are cleaned up after deleting a workspace
• Issue #2985882 by tim.plunkett, Mirakolous, ravi.shankar, ayush9598, Rajab Natshah, andypost, Anybody, kattekrab, devarch, Freddy Rodriguez, adubovskoy, corneliusd, mradcliffe, longwave, lukasss, Pancho, Graber, dpi, joshf, lordzik, dorianwinterfeld, jacov, kdmdrupal, jlancaster, jborgesr, joarferme, tonytheferg, chrisrockwell, agilman, kducharm, Sam152, scotwith1t, labboy0276, Spokje, jazzfiction, Shrutidkadam, ab2211, Dave Kopecek, segx, alexmoreno, themaurice, the_glitch, NWOM, kwfinken, berliner, design.er, ouissla, zterry95, jamsilver, fonant, Rajendar Reddy, Christopher Riley, BramDriesen, webdrips: Workaround for "Call to a member function getLabel() after enabling layout_builder"
• Issue #3117230 by martijn.cuppens, abhijeet.kumar2107, Gauravvvv, Kristen Pol, alexpott, andrewmacpherson, Chi, idebr: Remove redundant role="article" from html tags
• Issue #3351561 by longwave, smustgrave, catch, xjm, quietone: Allow egulias/email-validator v4
• Issue #3123060 by Spokje, quietone, longwave, ankithashetty, daffie, jungle, xjm: Enable 'Drupal.Commenting.DocComment.ShortSingleLine' coding standard
• Issue #2577909 by martin107, smustgrave, longwave, dawehner: Add type hinting to \Drupal\Component\Utility\Xss
• Issue #2692451 by neclimdul, tedfordgif, smustgrave, mikey_p, larowlan: Xss::filterAdmin() incorrectly filters datetime attribute
• Issue #3129762 by amateescu, adriancid, msuthars, Alexj12: Creating an unpublished entity in a workspace does not set the workspace field on the revision
• Issue #3352043 by andypost, smustgrave: Rename $op operation in hook_node_grants[_alter]() and node_access_grants to $operation
• Issue #3357114 by Spokje: Update mglaman/phpstan-drupal and help make daily "updated deps" QA jobs pass
• Issue #3357247 by Spokje: Update guzzlehttp/psr7
• Issue #3356337 by Spokje, mondrake: Fix incorrect type hint and make daily "updated deps" QA jobs pass
• Issue #3269177 by DieterHolvoet, quietone, smustgrave: Should some TranslatableInterface methods return ContentEntityInterface or TranslatableRevisionableInterface
• Issue #2228799 by pmagunia, mohit_aghera, rpayanm, lalitware, AkashKumar07, quietone, bnjmnm: Change page title "Content language" when Content Translation module is enabled
• Issue #3356482 by fjgarlin, quietone: Add help topic for Announcements Feed module
• Issue #3332872 by Akram Khan, PrabuEla, smustgrave, longwave, joachim: Allow EntityListBuilder::getEntityIds() to easily extend the query
• Issue #3355139 by krystalcode: Method documented to raise error while it actually does not
• Issue #3345272 by Rassoni, elber, Ranjit1032002, Rishabh Vishwakarma, Liam Morland, smustgrave: Fix deprecation documentation for node_revision_load()
• Issue #3354961 by Spokje: Update @todo comment in \Drupal\Core\Routing\UrlGenerator::getRouteStringIdentifier
• Issue #3354951 by Spokje: Update @todo comment in \Drupal\Core\Database\StatementInterface::fetchObject
• Issue #3268833 by quietone, xjm, jungle, ravi.shankar, smustgrave, daffie, Spokje, DanielVeza: Fix method comments in tests for Drupal.Commenting.DocComment.ShortSingleLine
• Issue #3175012 by anagomes, CurriedN, andregp, ptmkenny, longwave, klausi, mglaman, acbramley: Update PHPDoc for DataDefinition
• Issue #3268835 by quietone, smustgrave, ravi.shankar, xjm, borisson_, catch: Fix method comments in non tests for Drupal.Commenting.DocComment.ShortSingleLine
• Issue #3347919 by Spokje: Address @todo-comment linking to closed issue in feed-icon.html.twig
• Back to dev.