| Version | Change log |
| Drupal 11.2.8 Nov 13, 2025 | This release fixes security vulnerabilities. |
| Drupal 11.2.7 Nov 6, 2025 | This release fixes a regression in Drupal 11.2.6 which caused an unintended backwards compatibility break with the webform module. There are no other changes compared to 11.2.6. |
| Drupal 11.2.5 Oct 3, 2025 |
All changes since 11.2.4: Issue #3522754 by hfernandes, catch, joaopauloc.dev, alexpott: Access to systemAdminMenuBlockPage is denied if it contains links using the url attribute Issue #3549023 by joachim, ishani patel: remove obsolete comment about issue 2513094 Issue #3532771 by jepster_, quietone, smustgrave, xjm, dcam, poker10: Misleading method parameter comment for Issue #3537413 by codebymikey, smustgrave, quietone: Add codebymikey as a subsystem maintainer for the Basic Auth module Issue #3541862 by avpaderno, smustgrave: The output shown for example code is wrong Issue #3408607 by larowlan, poker10, smustgrave, akhil babu, ghost of drupal past, chhavi.sharma, luismagr: Document that EntityAccessControlHandler::checkFieldAccess returns AccessResultAllowed by default Issue #3489026 by phenaproxima, ajinkya45: Document InputCollectorInterface Issue #3544005 by benjifisher, nicxvan, luismagr: hook_field_type_category_info_alter should not be in group field_purge Issue #3052479 by hart0554, longwave, andregp, catch, alexpott, pflora, asad_ahmed, smustgrave, dcam, abhijith s, pooja saraah, aarti zikre, ravi.shankar, xjm: ShortcutSetForm ID element description is wrong and misleads users Issue #3543939 by penyaskito, grimreaper, catch: SDC `ComponentRenderTest` is error-prone Issue #2334319 by joelpittet, berdir, fabianx, thenchev, calebtr, xjm, slashrsm, dawehner, andypost, alexpott, lauriii, webflo, duaelfr, godotislate, acbramley, wim leers, manuel garcia, quietone: {% trans %} does not support render array and MarkupInterface valued expressions Issue #3537382 by jurgenhaas, smustgrave: Link attributes in top bar are lost for featured links Issue #3542967 by dcam, smustgrave, mondrake: Bad test in LinkNotExistingInternalConstraintValidatorTest Issue #3269890 by prudloff, smustgrave, catch, shalini_jha, alexpott, oily: #date_year_range is not validated server-side Issue #3539537 by drunken monkey: Deprecation warning in DefaultPluginManager::__construct() is too |
| Drupal 11.2.1 Jun 26, 2025 |
All changes since Drupal 11.2.0: Issue #3340142 by mstrelan, quietone, xjm: Convert testJail() to use expectException Issue #3525174 by benjifisher, smustgrave, greggles, catch, larowlan, mcdruid: Clean up unserialize() in the config system Issue #3494354 by catch, mstrelan, acbramley, smustgrave: AssetResolver::getJsAssets cache id doesn't consider attached settings, leads to ajax issues Issue #2987548 by alexpott, johnv, euphoric_mv, HbtTundar, cilefen, xjm, samlerner, pratip.ghosh, jrochate, alezu: LogicException: The database connection is not serializable Issue #3530730 by catch: Remove catch as maintainer of the 'path' and 'taxonomy' modules Issue #3531412 by alexpott, xjm, nicxvan, catch, longwave: New constants in DrupalCoreThemeRegistry are private but they are accessed with static:: Issue #3521884 by nigelcunningham, nod_, smustgrave, catch: tableresponsive.js causes huge page load time for extensions page Issue #3531044 by godotislate, nicxvan, zigazou: Unknown fieldViewsDataHelper method called from deprecated datetime_type_field_views_data_helper function Issue #2866619 by acbramley, kksandr, shabana.navas, hkirsman: Don't use link in message after node save if user doesn't have permissions Issue #3414173 by joelpittet, anybody, nicxvan: Add support for minified external CSS libraries Issue #1822440 by mohit_aghera, acbramley, smustgrave, dawehner, ezra-g, catch: "Content access" filter should check for node_grants implementations before adding node access grant queries Issue #3109284 by prudloff: locale_translation queue loop Issue #2776661 by brandonlira, ameymudras, er.pushpinderrana, quietone, joachim: incorrect uses of isRebuilding() in inline docs in processForm() Issue #3525031 by mondrake, andypost: [CI] Run PHPStan job on PHP 8.4 Issue #3530843 by catch, mondrake: Adjust performance test job for new phpunit discovery |
| Drupal 11.2.0 Jun 19, 2025 |
All changes since Drupal 11.2.0-rc2: Issue #3514262 by berdir, smustgrave, xjm, quietone: entity_browser_entity_form_field_widget_third_party_settings_form hooks can no longer return NULL Issue #3530363 by catch, smustgrave: Add @group #slow to some additional tests Issue #3526397 by catch: Split PackageInstallTest into two Issue #3497431 by mondrake, catch, larowlan, godotislate, jonathan1055, fjgarlin, xjm: Deprecate TestDiscovery test file scanning, use PHPUnit API instead Issue #3497647 by prudloff, xjm, quietone: StringDatabaseStorage::deleteStrings() does not work Issue #3529714 by mstrelan, xjm, smustgrave, acbramley: Add return types to EntityDefinitionTestTrait Issue #3476224 by pwolanin, heddn, bbrala, tstoeckler: JSON:API assumes entity reference field's main property must be the entity ID Issue #2473093 by acbramley, xjm: Node access default grant behavior is not clear Issue #3497431 by mondrake, catch, larowlan, godotislate, fjgarlin: Deprecate TestDiscovery test file scanning, use PHPUnit API instead |
| Drupal 11.1.8 Jun 12, 2025 |
All changes since Drupal 11.2.0-beta1: Issue #3526142 by mondrake, xjm: Update PHPStan to 2.1.17 Issue #3529504 by acbramley, cmlara, nicxvan: Fix phpstan errors in UpdatePathTestTrait Issue #3528998 by grimreaper, larowlan, pdureau, xjm, wim leers, catch, penyaskito: Follow-up: SDC `enum` props should have translatable labels: use `meta:enum` Issue #3527142 by andypost, catch, longwave, xjm: Update Composer and development dependencies for 11.2.0 Issue #3522406 by quietone, longwave, klausi, bbrala: Update Coder to 8.3.30 Issue #3523018 by godotislate, longwave, quietone, xjm, catch, salmonek, smustgrave: Update CKEditor 5 to 45.2.0 Issue #3528680 by godotislate, xjm, longwave: Update to Symfony 7.3.0 Issue #3523705 by amateescu, rkoller, poker10: InvalidComponentException when workspaces ui is installed Issue #3518273 by bbrala, wim leers, phenaproxima: The ConfigExists validation constraint should support dynamic type expressions Issue #3493070 by penyaskito, griffynh, wim leers, longwave, pdureau, effulgentsia, xjm, phenaproxima, mradcliffe, danielveza, lauriii, catch: SDC `enum` props should have translatable labels: use `meta:enum` Issue #3526266 by mherchel, finnsky, andy-blum: Navigation top bar should utilize Drupal.displace() Issue #3527518 by phenaproxima, tim.plunkett: Package Manager's direct-write mode still tries to check for rsync Issue #3527314 by amateescu: Stop creating a "Stage" workspace by default on module installation Issue #3519766 by amateescu: WorkspacesHtmlEntityFormController builds entity forms twice Issue #3429849 by longwave, andypost, spokje: Make doctrine/lexer:^3.0 compatible with DrupalComponentAnnotationDoctrine Issue #3521953 by tom konda, smustgrave, quietone: Existence check for JavaScript object and it's property across multi-lines can replace with optional chaining Issue #3526180 by mherchel, godotislate: Regression: Drupal.displace() not working on new Navigation module in 11.2 Issue #3523078 by sd9121, longwave, |
| Drupal 11.1.7 May 9, 2025 |
Issue #3161212 by joseph.olstad, acbramley, asubit, eduardo morales alberti, sandeepsingh199, berdir, catch: Node add/edit gives a Call to a member function getAccountName() on null when author is NULL Issue #3511434 by juandhr, [email protected], sivaji_ganesh_jojodae, alberto56, quietone, ghost of drupal past, quadrexdev: There are leftover references in comments to long ago renamed ListDefinitionInterface Issue #3512835 by nicxvan: [11.1.x] Add BC stubs for Hook ordering Issue #3511186 by grimreaper: Media Library currentSelection not reset properly Issue #3518952 by avpaderno, prabha1997, smustgrave: Fix grammar in FormattableMarkup::placeholderFormat() comments Issue #3411185 by govind_giri_goswami, brandonlira, santhosh@21, rodrigoaguilera, joachim, smustgrave, borisson_: docs for return values from various EntityDisplayRepositoryInterface() are unclear Revert "Issue #3478408 by jaydev bhatt, quietone, goonerw: Fix errors in update-countries.sh" Issue #3478408 by jaydev bhatt, quietone, goonerw: Fix errors in update-countries.sh Issue #3521438 by mstrelan: Bump php-tuf/composer-stager to 2.0.1 Issue #3424720 by vidorado, douggreen, immaculatexavier, smustgrave, uri_frazier: LanguageNegotiationUrl unnecessarily adds domain to outbound URL's Issue #3511566 by prudloff, smustgrave: Remove srcdoc attributes in Xss::filter() Issue #3518967 by quadrexdev, joachim: incorrect @return docs for ElementInfoManagerInterface::getInfo() Issue #2586483 by brandonlira, snehi, anil280988, rakesh.gectcr, David_Rothstein, jhodgdon, trobey, alexpott: Update documentation for project versions in DrupalCoreExtensionInfoParserInterface::parse Issue #3200162 by brandonlira, ksenzee, ultimike, larowlan, cecelias, xjm: Improve documentation for Graph component Issue #3498468 by nexusnovaz, avpaderno, wombatbuddy, poker10: The example code given for FormattableMarkup::placeholderFormat() contains typos and syntax errors Issue #3516253 by lostcarpark, mradcliffe, rachel_norfol |
| Drupal 11.1.5 Mar 20, 2025 |
Issue #3508733 by gábor hojtsy, griffynh: Add griffynh as provisional core team facilitator Issue #3498326 by rinku jacob 13, rkoller, smustgrave, ckrina: Focus outline has a too low color contrast and uses a different green than Claro Issue #3487014 by liam morland, nod_, smustgrave, quietone: Fix documentation for optional params in MessengerInterface Issue #3493858 by vidorado, xavier.masson, smustgrave: Extend ViewsBlockBase to merge cache metadata from display handler Issue #3496485 by annmarysruthy, wombatbuddy, thejimbirch, smustgrave: example recipe.yml has incorrect comment above "actions" section Issue #3490948 by rowrowrowrow, bbrala: Change hardcoded entity key 'uid' to getKey in ResourceTestBase Issue #3508028 by markconroy: Offer to become maintainer of Stable9 Merged 11.1.3. Issue #3499275 by acbramley: Remove --quiet from updatedb in Validatable config job Issue #3501237 by nikolay shapovalov, nicxvan: Improve HookCollectorPass test Issue #3056698 by mondrake, quietone: Sqlite Connection::createConnectionOptionsFromUrl should not convert relative paths to full Issue #3497758 by nicxvan, oily, alexpott, cilefen, catch, longwave, wlofgren, dries, wim leers, smustgrave: Regression: RssResponseCdata filtering out common HTML tags from RSS feeds Issue #3469116 by prashant.c, pameeela, kostask, shalini_jha, sagarmohite0031, benjifisher, mrdalesmith, smustgrave, kristiaanvandeneynde, quietone, b_sharpe, nod_: Logout confirmation form shows inappropriate confirmation description Issue #3504265 by finnsky, ksenzee, smustgrave: Yarn watch task broken Issue #3096570 by recrit, raman.b, ameymudras, ranjith_kumar_k_u, Oscaner, smustgrave, peterwcm, pameeela: Redirect correct language page after node save Issue #2927338 by berdir, anmolgoyal74, swatichouhan012, smustgrave, alexpott, gábor hojtsy: Ensure config entity langcode property does not change when installing, adding or editing a language Issue #3503190 by phenaproxima, thejimbirch: Allow recipe |
| Drupal 11.1.4 Mar 6, 2025 |
Issue #3508733 by gábor hojtsy, griffynh: Add griffynh as provisional core team facilitator Issue #3498326 by rinku jacob 13, rkoller, smustgrave, ckrina: Focus outline has a too low color contrast and uses a different green than Claro Issue #3487014 by liam morland, nod_, smustgrave, quietone: Fix documentation for optional params in MessengerInterface Issue #3493858 by vidorado, xavier.masson, smustgrave: Extend ViewsBlockBase to merge cache metadata from display handler Issue #3496485 by annmarysruthy, wombatbuddy, thejimbirch, smustgrave: example recipe.yml has incorrect comment above "actions" section Issue #3490948 by rowrowrowrow, bbrala: Change hardcoded entity key 'uid' to getKey in ResourceTestBase Issue #3508028 by markconroy: Offer to become maintainer of Stable9 Merged 11.1.3. Issue #3499275 by acbramley: Remove --quiet from updatedb in Validatable config job Issue #3501237 by nikolay shapovalov, nicxvan: Improve HookCollectorPass test Issue #3056698 by mondrake, quietone: Sqlite Connection::createConnectionOptionsFromUrl should not convert relative paths to full Issue #3497758 by nicxvan, oily, alexpott, cilefen, catch, longwave, wlofgren, dries, wim leers, smustgrave: Regression: RssResponseCdata filtering out common HTML tags from RSS feeds Issue #3469116 by prashant.c, pameeela, kostask, shalini_jha, sagarmohite0031, benjifisher, mrdalesmith, smustgrave, kristiaanvandeneynde, quietone, b_sharpe, nod_: Logout confirmation form shows inappropriate confirmation description Issue #3504265 by finnsky, ksenzee, smustgrave: Yarn watch task broken Issue #3096570 by recrit, raman.b, ameymudras, ranjith_kumar_k_u, Oscaner, smustgrave, peterwcm, pameeela: Redirect correct language page after node save Issue #2927338 by berdir, anmolgoyal74, swatichouhan012, smustgrave, alexpott, gábor hojtsy: Ensure config entity langcode property does not change when installing, adding or editing a language Issue #3503190 by phenaproxima, thejimbirch: Allow recipe |
| Drupal 11.1.3 Feb 20, 2025 |
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements: Drupal core - Critical - Cross-Site Scripting - SA-CORE-2025-001 Drupal core - Moderately critical - Access Bypass - SA-CORE-2025-002 Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-003 No other fixes are included. Drupal 11.1.x will receive security coverage until December 2025 when Drupal 11.3.0 is released. Sites on Drupal 11.0.x should update immediately to Drupal 11.0.12. Sites on Drupal 10.4.x should update immediately to Drupal 10.4.3. Sites on Drupal 10.3.x should update immediately to Drupal 10.3.13. Drupal 10.2.x and below are end-of-life and do not receive security coverage. |
