MediaWiki 1.43.1

11 April 2025

MediaWiki version 1.43.1 is now available (major release).

Upgrading to MediaWiki 1.43.1

What's New in MediaWiki 1.43.1

• LogPager.php: Restriction enforcer functions do not correctly enforce suppression restrictions.
  
• Potential javascript injection attack enabled by Unicode normalization in Action API.
  
• i18n XSS vulnerability in HTMLMultiSelectField when sections are used.
  

• The format of parameters used by the Message class has changed. Instead of arrays in a special format, they are now MessageParam objects. Code that simply called methods like Message::numParam() and didn't look inside the values they return should be unaffected. Code that depended on the formatted params being arrays or accessed their keys will need updates. Example patches: https://gerrit.wikimedia.org/r/q/topic:message-param
  
• ErrorPageError public properties 'msg' and 'title' may now contain any MessageSpecifier object, not just Message.
  
• Reset button functionality suppressReset() and $mShowReset from HTMLForm was removed without replacement.
  
• UserGroupMembership::getGroupName(), deprecated in 1.38, and UserGroupMembership::getGroupMemberName(), deprecated in 1.40, have been removed.
  
• SerializedValueContainer::isUnified(), deprecated in 1.42, has been removed.
  
• Parser::getFreshParser(), deprecated in 1.39, has been removed.
  
• ParserOutput::getLanguageLinks() no longer returns a reference to the internal array.
  
• ConfigFactory::getDefaultInstance(), deprecated since 1.27, has been removed.
  
• wfGetLangObj(), deprecated since 1.41, has been removed in favor of LanguageFactory::getLanguage().
  
• wfRemoveDotSegments(), deprecated in 1.39, has been removed.
  
• IReadableDatabase::getReplicaPos() has been removed without deprecation as it's not used anywhere.
  
• CommentFormatter::formatStringsAsBlock() has been removed without deprecation as it's not used anywhere.
  
• ILoadBalancer::laggedReplicaUsed() has been moved to ILoadBalancerForOwner:: effectively making it internal.
  
• Define DB_MASTER, deprecated since 1.36, has been removed.
  
• ILoadBalancer::DB_MASTER, deprecated since 1.36, has been removed.
  
• Overriding MWException::getHTML(), ::getText(), ::getPageTitle(), and ::reportHTML() in order to display custom exception messages is no longer supported.
  
• In PageHandlerTestTrait, the newRouter() method was renamed to newRouterForPageHandler() to avoid a conflict with a method of the same name in RestTestTrait. Also, PageHandlerTestTrait is no longer marked as "stable to use". It was marked this way by accident, the functionality it provides is specific to certain handlers implemented in MediaWiki core.
  
• MediaWikiIntegrationTestCase::addCoreDBData(), deprecated since 1.41, has been removed.
  
• wfUnpack(), deprecated since 1.42, has been removed in favor of StringUtils::unpack().
  
• UIDGenerator, deprecated since 1.35, has been removed.
  
• TablePager::getBody(), final and deprecated since 1.24, has been removed. Use ::getBodyOutput() or ::getFullOutput() instead.
  
• ImportableUploadRevisionImporter::downloadSource(), deprecated in 1.31, is now private. Its only known external caller was removed in 1.40.
  
• The following methods in the User class have been removed: ( Deprecated in 1.33:,User::isBlockedFrom(),Deprecated in 1.34:,User::isBlocked(),Deprecated in 1.35:,User::addGroup(),User::getAllGroups(),User::getGroups(),User::getGroupMemberships(),User::getImplicitGroups(),User::getOption(),User::removeGroup(),Deprecated in 1.37:,User::isBlockedFromCreateAccount() )
  
• BotPassword::invalidateAllPasswordsForCentralId() and BotPassword::removeAllPasswordsForCentralId(), deprecated in 1.37, have been removed.
  
• Title::getBrokenLinksFrom(), deprecated in 1.42, has been removed.
  
• The $type parameter to Skin::getCopyright(), deprecated in 1.40, has been removed.
  
• The module `mediawiki.icon`, deprecated in 1.42, has been removed.
  
• The `@vue/composition-api` module, a deprecated alias for `vue` since 1.41, has been removed. Use `vue` directly.
  
• SiteConfiguration::extractVar() and ::extractGlobal(), deprecated in 1.41, have been removed.
  
• Skin::footerLink(), deprecated in 1.40, has been removed.
  
• Skin::getAction(), deprecated in 1.39, has been removed.
  
• Skin::makeSearchInput(), deprecated in 1.35, has been removed.
  
• Skin::makeSearchButton(), deprecated in 1.39, has been removed.
  
• SkinTemplate::buildContentNavigationUrls(), deprecated in 1.38, has been removed.
  
• Title::getCdnUrls() and Title::purgeSquid(), deprecated in 1.35, have been removed.
  
• The `mediawiki.pager.tablePager` module, deprecated in 1.38, has been removed in favor of the more generic `mediawiki.pager.styles`.
  
• BagOStuff::setNewPreparedValues(), deprecated in 1.40, has been removed.
  
• Constructing MWHttpRequest objects now requires timeout and connectTimeout to be set; this was deprecated in 1.35.
  
• Hooks that were run from SpecialContributions are now run from the parent, ContributionsSpecialPage. The page passed in is a ContributionsSpecialPage type, and documentation and type comparisons may need to be updated. Affected hooks are: ContributionsBeforeMainOutputHook, ContributionsToolLinksHook, SpecialContributions__getForm__filtersHook.
  
• Hooks that were run from ContribsPager are now run from the parent, ContributionsPager. If a pager is passed in, it is a ContributionsPager type, and documentation and type comparisons may need to be updated. Affected hooks are: ContribsPager__reallyDoQueryHook, ContribsPager__getQueryInfoHook, ContributionsLineEndingHook, SpecialContributions__formatRow__flagsHook.
  
• Hooks that were run from DeletedContribsPager are now run from the parent, ContributionsPager. If a pager is passed in, it is a ContributionsPager type, and documentation and type comparisons may need to be updated. Affected hooks are: DeletedContribsPager__reallyDoQueryHook and DeletedContributionsLineEndingHook.
  
• The public method ContributionsSpecialPage::getUserLinks has been made protected. Although not marked @internal, the method was public to be called from SpecialDeletedContributions (call now removed), and was not called from anywhere else.
  
• DatabaseBlock::purgeExpired, deprecated since 1.38, has been removed.
  
• AbstractBlock::getPermissionsError, deprecated since 1.35, has been removed.
  
• IDatabase::namedLocksEnqueue() has been removed without deprecation.
  
• IDatabase::getTopologyRole() has been removed without deprecation.
  
• IDatabase::getTopologyBasedServerId() has been removed without deprecation. Use IDatabase::getServerName() instead.
  
• IReadableDatabase::wasReadOnlyError() has been removed without deprecation. Use IDatabase::isReadOnly() instead.
  
• IReadableDatabase::wasDeadlock() has been removed without deprecation.
  
• ILoadBalancer::getWriterIndex() has been removed without deprecation. Use ServerInfo::WRITER_INDEX constant instead.
  
• MaintainableDBConnRef, deprecated since 1.39, has been removed.
  
• ILoadBalancer::reuseConnection(), deprecated since 1.39, has been removed.
  
• The $domain parameter to ILoadBalancer::getReadOnlyReason(), deprecated in 1.40, has been removed.
  
• WikiPage::doDeleteArticleBatched, hard deprecated since 1.37, has been removed.
  
• SpecialEmailUser::submit, deprecated since 1.41, has been removed.
  
• SpecialEmailUser::validateTarget, deprecated since 1.41, has been removed.
  
• SpecialEmailUser::getPermissionsError, deprecated since 1.41 has been removed.
  
• SpecialBlock::getTargetAndType, deprecated since 1.36, has been removed.
  
• ApiQueryBlockInfoTrait::addBlockInfoToQuery(), deprecated since 1.42, has been removed.
  
• Linker::makeExternalLink() has been deprecated in favor of LinkRenderer::makeExternalLink(), which has a improved API to help phan's SecurityCheckPlugin provide more accurate checks for escaping issues.
  
• Linker::makeHeadline(), Linker::generateTOC(), Linker::tocIndent(), Linker::tocUnindent(), Linker::tocLine(), Linker::tocLineEnd(), and Linker::tocList(), deprecated in 1.42, have been removed.
  
• Linker::formatComment(), Linker::formatLinksInComment(), Linker::commentBlock(), and Linker::revComment(), deprecated in 1.38, have been removed.
  
• UserCache::singleton(), deprecated in 1.43, now emits deprecation warnings. Use MediaWikiServices::getInstance()->getUserCache() instead.
  
• DummyLinker has been removed. The former DummyLinker parameter to the 'ImageBeforeProduceHTML' hook is now null.
  
• The following methods of IDatabase have been moved to internal interface IDatabaseForOwner without deprecation. These methods are internal and shouldn't be used outside of rdbms library: ( ::pendingWriteCallers(),::flushSession(),::lastDoneWrites(),::setTransactionListener(),::serverIsReadOnly(),::getPrimaryPos(),::pendingWriteQueryDuration(),::writesOrCallbacksPending(),::writesPending(),::primaryPosWait() )
  
• IMaintainableDatabase::listViews(), deprecated since 1.42, has been removed.
  
• IMaintainableDatabase::truncate(), deprecated since 1.42, has been removed.
  
• IMaintainableDatabase::textFieldSize() was removed without deprecation.
  
• ReplicatedBagOStuff, deprecated since 1.42, has been removed.
  
• The 'replicaOnly' option to SqlBagOStuff has been removed without deprecation. It existed for internal use by SqlBagOStuff only.
  
• Support for WinCache as local server cache has been removed, because WinCache is not available for supported versions of PHP. The WinCacheBagOStuff class has been removed. Use MediaWikiServices::getLocalServerObjectCache() instead, or the CACHE_ACCEL type instead, which automatically selects APCu when available.
  
• The "wincache" cache type (e.g. to ObjectCache::getInstance, and in "wg*CacheType" configuration) remains supported as an alias for CACHE_ACCEL.
  
• LockManager::sha1Base16Absolute(), has been removed without deprecation.
  
• The "options" parameter to User::createNew() and the $data parameter to UserOptionsManager::loadUserOptions() were removed.
  
• `.list-style-image()` mixin from mediawiki.mixins.less, deprecated since 1.38, has been removed.
  
• `.background-image()` mixin from mediawiki.mixins.less, deprecated since 1.38, has been removed.
  
• IDatabase::nextSequenceValue(), deprecated since 1.30, was removed.
  
• $wgAPIRequestLog was removed without deprecation. Use "api" and "api-request" $wgDebugLogGroups channels or SPI instead.
  
• The setStats() method in MediaWiki\Rest\Router now expects a StatsFactory rather than a StatsdDataFactoryInterface. The method has been marked @internal and should not be called by extensions.
  
• All `@width-breakpoint-*` Less variables have been removed. Use `@min-width-breakpoint-*`/`@max-width-breakpoint-*` instead.
  
• The MessageContent class, deprecated since 1.38, is now removed. This also means that the Message::content() method is also removed.
  
• The following ParserOption methods, deprecated since 1.35, were removed: - ::setAllowExternalImages() - ::setAllowExternalImagesFrom() - ::setEnableImageWhitelist()
  
• Sanitizer::removeHTMLtags(), deprecated since 1.38, has been removed.
  
• OutputPage::getCSPNonce(), deprecated since 1.35, has been removed.
  
• UserMailer::rfc822Phrase(), deprecated since 1.38, has been removed.
  
• QueryPage::getSQL(), deprecated since 1.39, has been removed. The replacement QueryPage::getQueryInfo() is now abstract.
  
• update-keys.sql was removed. It is not recommended to install MediaWiki by manually sourcing SQL files, but if you are doing this, run `update.php --initial` instead of sourcing update-keys.sql.
  
• MediaWikiVersionFetcher, deprecated since 1.42 has been removed.
  
• Support for using Skin::addToBodyAttributes() method, which was deprecated in 1.35, has been removed. Use OutputPageBodyAttributesHook instead.
  
• Skins since 1.39 have not supported rendering content outside the body tag. The bodyOnly=false option has now been removed, meaning this is no longer supported.
  
• CentralIdLookup::factoryNonLocal(), deprecated since 1.37, has been removed.
  
• CryptHKDF and MWCryptHKDF were removed without deprecation, in part because no past or present use could be found. hash_hkdf() can be used instead of HKDF(). While generate() and generateHex() have no direct replacement, random_bytes() and MWCryptRand::generateHex() can be used instead.
  

• Localisation updates.
  
• exception: Convert E_STRICT errors to E_USER_NOTICE.
  
• session: Do not set session.use_trans_sid.
  
• $wgDnsBlacklistUrls now defaults to an empty array. See the comment in the "Configuration changes for system administrators" section.
  
• MimeMap: add gltf and glb mime types.
  
• MimeAnalyzer: detect magic number for gltf binary.
  
• Commit swagger-ui's NOTICE.
  
• dumps: Use proc_close() to close proc_open() subprocess.
  
• MWExceptionHandler: Add error suppression to constant( 'E_STRICT' ).
  
• FormatMetadata: Prevent running preg_match() on null.
  
• specialpage: Improve handling of invalid lang codes on login/signup.
  
• resourceloader: Fix hash computation for virtual files with versionFilePath.
  
• MultiUsernameFilter: Don't try to split ids if they're not a string.
  
• parser: Gracefully handle invalid ParsoidRenderID keys.
  
• rest: Return a 400 for invalid render IDs.
  
• installer: Simplify the information box.
  
• installer: Fix conflation between warning and info messages.
  
• language: Use fallback chain to create NumberFormatter.
  
• installer: Restore success messages.
  
• installer: Restore "complete" success message.
  
• feeds: Fix str_replace() deprecation warnings on PHP 8.
  
• Revert "maintenance: Use DatabaseSqlite for type-hinting instead of DBConnRef".
  
• Add explanation text for "Allow emails from brand-new users".
  
• ExternalLinks: fix mailto: links reversal.
  
• RateLimiter: Fix peek mode.
  
• initEditCount: Join from user to actor to revision.
  
• SECURITY: Update wikimedia/parsoid to 0.20.2.
  
• Sanitizer::normalizeWhitespace warn on preg_replace error.
  
• RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable.
  
• ImportImages: Exit with non-zero code if import fails.
  
• Request: Improve log message when headers already sent.
  
• REST page metadata endpoints: handle supressed data gracefully.
  
• Avoid trying to load the session user in MW_NO_SESSION endpoints.
  
• HttpError: Cast Message to string.
  
• permissions: Avoid potential infinite loop if BlockDisablesLogin = true.
  
• ApiLogin: Don't break BotPasswords if password or user is blank, just error.
  
• MagicWord::replace*: Make sure we don't pass null into preg_match/preg_replace.
  
• Html: Fix "substr(): Passing null to parameter #1 ($string) of type string is deprecated".
  
• Sanitizer::normalizeSectionNameWhitespace: Apply same anti-null fix as 270499b.
  
• upload: Suppress warnings from iconv().
  
• Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
  
• Fix GREATEST usage in site_stats.
  
• SECURITY: Apply proper restrictions on file revert action.
  
• SECURITY: PermissionManager: Differentiate between cascading protection of file content and file pages.
  
• ResourceLoader: update wikimedia/minify from 2.8.0 to 2.8.1.
  
• Upgrading pear/net_url2 (v2.2.2 => v2.2.3).
  
• ResourceLoader: update wikimedia/minify to 2.9.0.
  
• FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1 ($haystack).
  
• Parameterize ChangeTags::buildTagFilterSelector to support various tag sets.
  
• ChangeTags: Optimize label and description parsing.
  
• In .htaccess deny files, use "Satisfy All".
  
• REST: Remove unused setUseParserCache() as potential footgun.
  
• block: Fix DBS::acquireTarget() race using GET_LOCK().
  
• LanguageConverter: Only set mTablesLoaded once they're really loaded.
  
• RestrictionStore: Remove short-circuit mode when fetching cascading sources.
  

• It is now necessary that the OpenSSL PHP extension is installed.
  
• update.php updates the Linter database table with two migration scripts that can take a long time to run: with the provided settings, each migration script update roughly 500 rows per second. If at all possible, it is highly recommended to let update.php run these migration scripts.
  
• If this is deemed too long a maintenance operation (depending on the number of rows in the Linter database table), it is possible, for a upgrade from 1.40 onwards, to run the migration scripts before updating the MediaWiki and extensions files to 1.43. Set $wgLinterWriteNamespaceColumnStage and $wgLinterWriteTagAndTemplateColumnsStage to true, and run the extensions/Linter/maintenance/migrateNamespace.php and extensions/Linter/maintenance/migrateTagTemplate.php migration scripts before proceeding with any other code update. When upgrading from a version <= 1.39, a multi-step update is necessary to be able to run the migration scripts independently from update.php: first update to 1.42, then proceed as indicated.
  

• Use PHP 8.3 in MediaWiki-Docker
  
• Misaligned label margins on Special:MathStatus
  
• \overbrace rendered below (not above) in MathML and client-side Mathjax
  
• Math Popup not working in newer version of Popup-Extension
  
• This page is using the deprecated ResourceLoader module "mediawiki.Uri" on page load
  
• Preview has wrong location in MathML mode
  
• Preview not working with MathML rendering
  
• vertical space between multline equations is ignored
  
• mediawiki_function_names math functions eat the following paren in native MML mode
  
• Audit SUL3 shared-domain i18n messages for XSS
  
• PHP Deprecated: Creation of dynamic property MediaWiki\\Auth\\ButtonAuthenticationRequest::$skipReset is deprecated at AuthenticationRequest.php:182
  
• Define AbuseFilter consequence to display a CAPTCHA
  
• On private wikis the ellipsis should not appear above 720px (wikitech, office, translate wiki)
  
• When using the 'runMaintenance' method in a LoadExtensionSchemaUpdates hook handler, only the script's class name is required, not its path. (T367918)
  
• QueryPage::recache() (used by the updateSpecialPages.php maintenance script) no longer attempts to ignore database errors. (T278543)
  
• Class aliases to support the old PHPUnit 4 style un-namespaced `PHPUnit_` classes (such as PHPUnit_Framework_Error) have been removed.
  
• [Temporary accounts] If $wgAutoCreateTempUser is enabled, then MediaWiki will create a temporary account and log the user in for unsuccessful edit attempts and null edits, in addition to edits that change content. This is a change from the previous paradigm, where temporary accounts were created only for successful edits. This change is done to support better logging support and moderation, to ensure that hooks run in a pre-save context have a user object to associate log entries and other actions with.
  
• Several entries have been removed from the default list of interwikis used when installing new wikis. This does not affect existing wikis.
  
• User auto-creations are now performed as the target user instead of anonymous IP user.
  
• [Temporary accounts] T359043 Temporary accounts for anonymous edits are enabled in DevelopmentSettings.php. To disable the feature, set `$wgAutoCreateTempUser['enabled'] = false;` in LocalSettings.php
  
• Corrected the interpretation of empty arrays in extension configuration when the default value is null. Previously, an empty array specified by the administrator would transform into the default null value. It now appropriately retains its empty array state.
  
• Exempted "deletedhistory", "deletedtext", and "viewsuppressed" rights from namespace protection ($wgNamespaceProtection) since that's only meant to prevent write actions.
  
• Image captions are no longer trimmed.
  
• 'SpecialPasswordResetOnSubmit' hook handlers can now receive both the username and the email provided by the user, instead of only one of them.
  
• Searchindex now uses utf8mb4, si_page is marked as PK and si_title can handle longer title values.
  

• $wgBlockTargetMigrationStage, which was introduced in 1.42, is now deprecated and has no effect.
  

• $wgParserEnableLegacyHeadingDOM - Defaults to `true`, can be set to `false` to enable new, more accessible HTML markup for wikitext headings. Note that each skin must also use the 'supportsMwHeading' option to allow it. More information: https://www.mediawiki.org/wiki/Heading_HTML_changes In a future release the new markup will become the default, and later this option will be removed.
  
• $wgEnableProtectionIndicators - Defaults to false, setting it to true shows a lock icon indicator on protected pages.
  
• $wgSortedCategories - Defaults to false, setting it to true will sort the categories shown on article pages. This is an experimental setting; its future will depend on community adoption and feedback on the phab task is welcome.
  
• $wgAllowRawHtmlCopyrightMessages - Defaults to true, can be set to false to disable the use of the localisation messages 'copyright' and 'history_copyright' and the hook 'SkinCopyrightFooter', which have been deprecated in this release. This helps protect your wiki against attacks by a rogue administrator account and will become the default in the future.
  
• $wgParserEnableUserLanguage - Defaults to false, can be set to true to let {{USERLANGUAGE}} magic word return the user's language, instead of the page language. Beware that accessing the user language may reduce the efficiency of the parser cache.
  

• $wgPageLinksSchemaMigrationStage – (T299947) This temporary setting, which controls the database schema migration for the page links table, is now set by default to write to both old and new data and read from the new data.
  
• $wgFooterIcons – (T256190) The default "Powered by MediaWiki" button icon has been updated to an SVG icon, and the footer icons are now wrapped as buttons in HTML, rather than faking it within the icons themselves. You should adjust any footer icons you provide or over-ride to match.
  
• The "error-json" channel, configurable via $wgDebugLogGroups, has been removed. For structured logging, use the "error" channel directly instead. Since MediaWiki 1.25, structured logging is supported via Monolog for all channels, including the "error" channel. For silenced errors, you use the "silenced-error" channel added in MediaWiki 1.42. (T193472)
  
• $wgResourceLoaderUseObjectCacheForDeps - (T343492) This is now enabled by default. This means ResourceLoader writes information to the MainStash instead of a core database table, which can be set to a separate database via $wgMainStash. If you find issues, please drop a comment on T343492. It is now deprecated and will be removed in MediaWiki 1.44.
  

• $wgSessionInsecureSecrets has been removed since OpenSSL is now a required PHP extension.
  
• $wgTemplateLinksSchemaMigrationStage has been removed.
  
• $wgSamplingStatsdClient has been removed. It was introduced in MW 1.28 for use in the Wikibase extension, but never used. The new StatsFactory service should be used for new instrumentations, which already supports sampling. Beware that sampling is generally not needed even at scale, and that sampling does not significantly reduce runtime overhead, thus making it slow to instrument very hot code even with built-in sampling.
  
• The 'writeapi' userright, which controlled access to some API modules, has been removed.
  
• The variables $wgLinterWriteTagAndTemplateColumnsStage, $wgLinterUserInterfaceTagAndTemplateStage, $wgLinterWriteNamespaceColumnStage, and $wgLinterUseNamespaceColumnStage have been removed. The namespace, tag and template column of the Linter database table are now written and used. The existing data from the Linter database is migrated to the new columns by extensions/Linter/maintenance/migrateNamespace.php and extensions/Linter/maintenance/migrateTagTemplate.php, which are both called by the update script (T367207).
  

• Support reading XMP and EXIF from WebP files
  
• Wiki's with $wgAllowExternalImages enabled now detect urls with AVIF, SVG and WebP images.
  
• Special:TalkPage is a new special page that will redirect to the associated talk namespace page, e.g. Special:TalkPage/Foo redirects to Talk:Foo; Special:TalkPage/Project:Foo goes to Project talk:Foo. This allows for links by templates and tools without having to parse what namespaces are valid and have associated talk pages.
  
• New preference: "Send password reset emails only when both email address and username are provided."
  
• Added new magic word {{USERLANGUAGE}} which returns the language code of the interface set by the user.
  
• Special:NamespaceInfo is a new special page that displays a list of namespaces available on the wiki, their descriptions and configuration.
  

• StatusValue class gained new method getMessages(): MessageSpecifier[], allowing the errors to be inspected and displayed more easily, for example:
  
• The MessageValue class can now be used instead of Message in most places (in methods that accept the MessageSpecifier interface). This allows using localisation messages in code that doesn't know the user's language, such as many hooks, without relying on global state. To convert between them, use MessageValue::newFromSpecifier() and Message::newFromSpecifier().
  
• The REST API framework now supports defining redirects in route definition files. See MediaWiki\Rest\Handler\RedirectHandler for details.
  
• Skins can enable the 'supportsMwHeading' option for new, more accessible HTML markup for wikitext headings. MediaWiki's own styles and scripts have been updated to support it, but your skin may also need updates. More information: https://www.mediawiki.org/wiki/Heading_HTML_changes A future release will emit deprecation warnings for skins with 'supportsMwHeading' set to false.
  
• The AuthPreserveQueryParams hook was added.
  
• New `Language::formatDurationBetweenTimestamps()` function added which takes two timestamps and a precision in order to calculate a more accurate text representation of duration.
  
• Added an interactive mode to the install.php maintenance script.
  
• The ResourceLoaderModifyEmbeddedSourceUrls hook was added.
  
• The AuthManagerFilterProviders hook was added.
  
• The AuthManagerVerifyAuthentication hook was added.
  
• The OutputPageRenderCategoryLink hook was added, as a replacement for the deprecated OutputPageMakeCategoryLinks hook.
  
• PreAuthenticationProvider, PrimaryAuthenticationProvider, and SecondaryAuthenticationProvider now receive a `canAlwaysAutocreate` flag in the options of the `testUserForCreation` invocation. This flag is true when the session provider is exempt from autocreate user permissions checks.
  
• The CentralIdLookup service gained the isOwned() method, which can be used to check if a local username is reserved for a central user, even if a local user account does not exist yet. This can be used by extensions to look up information about the central user.
  
• A Jest-based test suite has been introduced for testing front-end code such as Vue components. Tests can be run via `npm run jest`, and test files live in `tests/jest/`. See https://www.mediawiki.org/wiki/Jest for more information.
  
• The SpreadAnyEditBlock hook was added.
  
• The ConditionalDefaultOptionsAddCondition hook was added.