Drupal 10.1.0

26 June 2023

Drupal version 10.1.0 is now available (major release).

Upgrading to Drupal 10.1.0

What's New in Drupal 10.1.0

• Sites using CKEditor 4 should upgrade to CKEditor 5 in Drupal 9.4 or 9.5 before updating to Drupal 10
  

• The root .htaccess file now unsets the X-Content-Type-Options header before setting it again. This prevents duplicate headers in some configurations of Apache. Site owners should update their .htaccess files with this change to avoid duplicate headers.
  
• The root .htaccess file now caches all files for one year instead of two weeks. This brings the value in line with industry standards.
  
• Drupal adds 'Samesite: Lax' as a session cookie attribute by default. This is configurable in default.services.yml and site owners should update their copy of the file to include the section.
  
• Sites using nginx and php-fpm may need to update their nginx.conf for changes to CSS and JavaScript aggregation.
  
• The file location for Drupal's asset aggregation system is now configurable. It can be set in settings.php via $settings['file_assets_path']. Existing sites will continue to use the public files location.
  
• A new setting $settings['sa_core_2023_004_phpinfo_flags'] in default.settings.php has been added to configure the behaviour of admin/reports/status/php.
  

• New permissions for managing custom blocks. Administrators can delegate the management of custom block content to users without granting the 'administer blocks' permission. The permissions allow for control by custom block type and access to block administration pages.
  
• Block content entities now have a UI for managing revisions. Users with sufficient permissions can view, revert and delete block content revisions.
  
• Content administrators can be given permission to delete any file, rather than just files they created. An operations field can be added to views on File entities to add a delete button. The view that ships with the File module has been updated to include the operations field. Existing sites need to add themselves.
  
• The timestamp default formatter has a setting "Display as a time difference. This allows the date/time to display as a time difference (e.g. '2 hours 23 minutes ago'). The refresh interval is configurable.
  
• The CKEditor code block is now configurable, allowing the list of languages that can be input to be changed in the editor configuration. Modules or install profiles that provide default editor configurations may need to update their shipped config.
  
• A new “Development settings” page at /admin/config/development/settings that contains Twig development settings, as well as the ability to disable various caches. The settings are stored within the state table (as opposed to configuration), so the settings cannot be accidentally committed and uploaded to production environments.
  

• Announcements (beta)
  
• Single Directory Components (beta)
  

• Some "notice" level user events are now logged at the lower-severity "info" level.
  
• The paths to manage custom-block types and block content (formerly custom blocks) have changed.
  
• /admin/structure/block/block-content/types is now /admin/structure/block-content and available as Block types from the Structure menu.
  
• /admin/structure/block/block-content is now /admin/content/block and available from the Blocks tab from the Content menu.
  
• /block/{block id} is now /admin/content/block/{block id}
  
• Drupal now uses the default PHP password_hash() and password_verify() functions in order to store and verify passwords securely. Backwards compatibility is provided by the new phpass module that will be installed on existing sites via an update.
  
• Passing a string to AddCssCommand is now deprecated, instead an array of attributes is expected like for AddJsCommand. CSS files added with Ajax commands are now loaded with loadjs and Ajax commands wait for all CSS files to load before executing the next commands.
  
• Passing an array value to a database condition without using a compatible operator is no longer supported and will result in an exception.
  
• The READ COMMITTED transaction isolation level is set by default for new installs on MySQL and equivalent databases such as MariaDB. This level has been recommended for several years and is configurable as before in the database connection settings. No change will be made for existing sites.
  
• A bug in Drupal's dependency injection container is fixed. The bug could allow certain private services to be accessed by $container->get() depending on code execution order. Custom or contributed module code accessing services in this way would have been fragile before the change, but will now always break. Public services are unaffected.
  
• Config dependencies now have validation constraints. These are not currently used by Drupal core. They will be used later for validating config entities at the data layer.
  
• Layout Builder field blocks will now display the user-specified label from the block configuration. Sites should review their existing blocks as this change may impact workflows that relied on the previous behavior.
  

• Only the CSS or JavaScript aggregate URL is built during the main request. Before the content of the aggregate was built and written to disk during the main request, which on complex pages could result in slow page loads. This now happens when the browser requests the CSS or JavaScript file.
  
• Comments and whitespace are removed from JavaScript files. This results in a significant file size reduction. Sites not using Drupal's aggregation should re-evaluate their aggregation and minification method.
  
• Responsive images now support lazy loading. Sites using the default responsive image configuration should update their config to include the new setting.
  
• The update to Symfony 6.3 includes a change to normalizers and denormalizers which should improve performance of JSON:API responses.
  

• It is possible to overflow the number of items allowed in Media Library
  
• Provide an upgrade path from "codesnippet" contrib CKEditor 4 plugin to "CodeBlock" core CKEditor 5 plugin
  
• Unable to override library auto-definition to add external CSS & JS
  
• [CKEditor5] Missing dependency on drupal.ajax
  
• [random failure] Curl error thrown for http in JSWebAssertTest
  
• Attached Library set to string instead of array
  
• [random test failure] \Drupal\Tests\ckeditor5\FunctionalJavascript\MediaTest::testViewMode random fail
  
• [random test failure] DrupalTestsmedia_libraryFunctionalJavascriptWidgetViewsTest::testWidgetViews random fail
  
• Remove truncation of path alias
  
• Remove outdated @todo's pointing to #3135457
  
• Phpdoc for ResourceTypeRepositoryInterface::get return value is incomplete
  
• Give users a way to access announcements if toolbar module is disabled
  
• Add "Edit permisisons" as local task on role edit form
  
• Add Lauri Eskola to Drupal core product managers
  
• CKEditor 5 Style plugin configuration tab does not appear
  
• OEmbedIframeController returns an HTTP response code that can be cached by forward proxies when it is given illegal parameters
  
• ContentTranslationContextualLinksTest should use API calls to set up translation
  
• [random test failure] MediaTest:: testEditableCaption()
  
• Add [#\ReturnTypeWillChange] attribute to TemporaryArrayObjectThrowingExceptions for PHP 8.3 compatibility
  
• Allow extending StatusMessages class
  
• Allow ?edit[field_xyz] as query parameter in contextual filter
  
• hook_condition_info_alter is not documented
  
• PhpMail : broken mail headers in PHP 8.0+ because of LF characters
  
• Uncomment assertions in StyleTest related to https://github.com/ckeditor/ckeditor5/issues/11709
  
• [regression] Inserting media via the media library modal when paged redirects to the wrong destination
  
• [random test failure] MediaTest::testLinkManualDecorator()
  
• [SDC] Improve error handling during prop validation errors
  
• [regression] route defaults are now automatically route parameters
  
• EntityCreateAnyAccessCheck::access() too restrictive
  
• SQL migrations cannot be instantiated if database is not available and Node, Migrate Drupal modules are enabled
  
• Better default base path in assets stream wrapper