Drupal 10.4.4
5 March 2025
Drupal version 10.4.4 is now available (major release).
Upgrading to Drupal 10.4.4
Drupal 10.4.4 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Drupal updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install to test the 10.4.4 upgrade prior to applying it live. Get started managing your Drupal installations with Installatron
What's New in Drupal 10.4.4
Security
- Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
- Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
- Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
- SA-CORE-2024-008
- SA-CORE-2024-007
- SA-CORE-2024-006
- SA-CORE-2024-004
- SA-CORE-2024-003
10.4.4
- Add griffynh as provisional core team facilitator
- Fix documentation for optional params in MessengerInterface
- Extend ViewsBlockBase to merge cache metadata from display handler
- Regression: RssResponseCdata filtering out common HTML tags from RSS feeds
10.4.2
- Firefox retains form_build_id on form reloads, causing old form cache entry to be used and creating weird behavior for the Media Library widget
- Wrong Regular Expression for string comparison in Nightwatch.js assertion
- Twig needs updating for CVE-2025-24374
- Menu APIs provide invalid CSRF tokens
- Remove claudiu.cristea from MAINTAINERS.txt
- Remove chr.fritsch from MAINTAINERS.txt
- Remove dawehner from MAINTAINERS.txt
- run-tests.sh cannot handle unicode in PHPUnit output
- ContentEntityBase::createDuplicate() should reset default revision flag
- Fix handling of unknown file extensions in FileMediaFormatterBase
- Add daily testing with PHP 8.4
- [random test failure] LanguageNegotiationInfoTest::testInfoAlterations
- UserRolesCacheContext can lead to poisoned cache returns for user 1
- RuntimeException: Adding non-existent permissions to a role is not allowed
- Better warning message when variation cache detects an incompatible CacheRedirect
10.4.1
- Add bradjones1 as Serialization subsystem maintainer
- [random test failure] LayoutSectionTest::testLayoutSectionFormatterAccess
- When Batch ID doesn't exist, Drupal should emit a 404
- [random test failure] EditorSecurityTest::testEditorXssFilterOverride
- [random test failure] LayoutBuilderBlocksTest::testBlockPlaceholder failing
- [random test failure] ImageStylesPathAndUrlTest
- Fatal error: Uncaught TypeError: Drupal\Core\Extension\ThemeHandler::addTheme()
- BreadcrumbManager ignores cacheability when no builders apply"
- BreadcrumbManager ignores cacheability when no builders apply
- Ensure invalid items are not written to FastBackend in ChainedFast
- Navigation Top Bar hides entity local tasks even if the user has no access to the bar
- Refactor Claro's dialog stylesheet
- Status report confuses null email with duplicate email
- BlockLibraryController typehints LazyContextRepository, not the interface
- symfony/http-foundation Follow up issue for isAdminPath validator
- Document that invalid IDs are not present in the return array or EntityStorageInterface::loadMultiple
10.4.0
- Update all JavaScript dependencies which cause no changes
- Block visibility settings have summary duplicated in the title
- Bump cspell to 8.16.1
- Remove oEmbed security warning
- The default content importer should handle Layout Builder section data
- [regression] DateHelper::dayOfWeekName() returns untranslated name
- Remove drupalci.yml
- Revisit large numbers of @see in text element docs
- Update lifecycle link for sdc
- Catch potential exception when calling Request::create() in PathBasedBreadcrumbBuilder
- ExtensionMimeTypeGuesser::guessMimeType must support file names with "0" (zero) in the extension parts like foo.0.zip
- Update stylelint* to latest releases
- Update Composer dependencies for 10.4.0
- Use the new equivalent updates API to prevent updates from 10.4.0 to 11.0.0
- Improve the exception message for unsupported entity types in a workspace
- Update CKEditor 5 to 44.0.0
- Replace eslint-plugin-jquery with eslint-plugin-no-jquery
- Access cacheability is not correct when "view own unpublished content" is in use"
- Catch potential exception when calling Request::create() in PathBasedBreadcrumbBuilder"
- Upgrade twig/twig to 3.15.0
- Replace abandoned, not working with latest stylelint, leon0399/stylelint-formatter-gitlab with gitlab-formatters/stylelint-formatter-gitlab
- Backport Hook and LegacyHook Attribute
10.4.0-beta1
- Catch potential exception when calling Request::create() in PathBasedBreadcrumbBuilder
- Access cacheability is not correct when "view own unpublished content" is in use
- Fix bogus mocking in \Drupal\Tests\Core\Update\UpdateRegistryTest
- docs for EntityTypeInterface::getBundleOf() should say entity type *id*
- EntityAccessCheck documentation contains errors
- DefaultExceptionHtmlSubscriber should not clone the request for 400/BadRequestException
- Stop passing E_USER_ERROR to trigger_error() on PHP 8.4
- Improve Dynamic Page Cache header assertions in JSON:API tests
- Fix lifecycle_links for deprecated or obsolete modules
- Use focus-within in hidden.module.css
- Upgrade twig/twig to 3.15.0"
- Upgrade twig/twig to 3.15.0
- symfony/http-foundation commit 32310ff breaks PathValidator
- field:not(:last-child) does not work with layout builder in olivero
- Ensure tests don't run twice
- Update cspell to latest
- Remove the createCopy action from EntityDisplayBase, and make cloneAs compatible with wildcards
- Bump ckeditor 43.1.1 => 43.3.1
- incorrect docs for MenuLinkFieldDefinitions
- hook_requirements() doesn't say that severity is optional, or what the default is
- Fix incorrect message after resetting password
- The PlaceBlock config action breaks when placing a block in an empty region
- Hardcode security coverage EOL dates for Drupal 10.last-1 and 10.last
- Add a trait for forms that want to collect input on behalf of a recipe"
- Add a trait for forms that want to collect input on behalf of a recipe
- upgrade prophecy to 1.20
- Update Composer dependencies for 10.4.0-beta1
- Performance Degraded after update to twig 3.14.2
- TypeError: Cannot assign string to property $_serviceIds of type array in ContentEntityCloneTest::testEntityPropertiesModifications
- RecipeConfigurator::getIncludedRecipe() should statically cache recipe objects to avoid performance problems
- CSS linting (stylelint): npx update-browserslist-db@latest
- Fix usage of str_getcsv() and fgetcsv() for PHP 8.4
- Password and confirm password should be mandatory fields while setting up password using one time link following by email
- RecipeConfigurator::getIncludedRecipe() should statically cache recipe objects to avoid performance problems
- DefaultExceptionHtmlSubscriber should not clone the request for 400/BadRequestException"
- DefaultExceptionHtmlSubscriber should not clone the request for 400/BadRequestException
- Regression: Deprecation of `yaml_parser_class` setting in 10.3 breaks sites < 11.0