| Version | Change log |
| Drupal 11.1.3 Feb 20, 2025 |
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements: Drupal core - Critical - Cross-Site Scripting - SA-CORE-2025-001 Drupal core - Moderately critical - Access Bypass - SA-CORE-2025-002 Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-003 No other fixes are included. Drupal 11.1.x will receive security coverage until December 2025 when Drupal 11.3.0 is released. Sites on Drupal 11.0.x should update immediately to Drupal 11.0.12. Sites on Drupal 10.4.x should update immediately to Drupal 10.4.3. Sites on Drupal 10.3.x should update immediately to Drupal 10.3.13. Drupal 10.2.x and below are end-of-life and do not receive security coverage. |
| Drupal 11.1.2 Feb 7, 2025 |
All changes in this release: Issue #3495881 by godotislate, bkosborne, catch, kushagra.goyal: Firefox retains form_build_id on form reloads, causing old form cache entry to be used and creating weird behavior for the Media Library widget Issue #3503556 by tom konda: Wrong Regular Expression for string comparison in Nightwatch.js assertion Issue #3503195 by alexpott, longwave, loopy1492: Twig needs updating for CVE-2025-24374 Issue #3486797 by alecsmrekar, shalini_jha, smustgrave, amateescu: Updating path alias language in workspace does not work Issue #3502466 by alexpott, borisson_: Fix reference to core_field_views_data() Issue #3493410 by plopesc, catch, smustgrave: Consider a more substantial shortcuts placeholder Issue #3502487 by lauriii, oily, ckrina: Make the menu link form less verbose Issue #3485174 by fago, arthur_lorenz, alexpott, smustgrave: Menu APIs provide invalid CSRF tokens Issue #3502427 by alexpott, smustgrave: Fix references to DrupalTestsKernelTestBase Issue #3501059 by claudiu.cristea: Remove claudiu.cristea from MAINTAINERS.txt Issue #3501361 by chr.fritsch: Remove chr.fritsch from MAINTAINERS.txt Issue #3501210 by dawehner: Remove dawehner from MAINTAINERS.txt Issue #3489179 by godotislate, ghost of drupal past: Referring the same entity multiple times breaks _referringItem Issue #3462700 by niklan, richardgaunt, smustgrave, pdureau: Update ComponentValidator to always include the component ID Issue #3488293 by oily, maneesha binish, plopesc, m4olivei, pameeela: Help link always appears in navigation Issue #3367556 by vensires, danchadwick, detroz, g089h515r806, groendijk: SDC components CSS & JS generated wrong url in windows / XAMPP Issue #2886800 by jonathanshaw, claudiu.cristea, quietone, hctom, geek-merlin, larowlan, sam152, joachim, smustgrave: EntityAccessControlHandler::createAccess() returns false positive cache hits because it ignores context Issue #3500774 by kul.pratap, benjifisher: Fix errors in SourcePluginBase doc block Issue |
| Drupal 11.1.0 Dec 19, 2024 |
This is a a feature minor release of Drupal 11 and is ready for use on production sites. Learn more about Drupal 11 and the Drupal core release cycle. This minor release provides improvements and new functionality. It does not break backward compatibility (BC) for public APIs. There may be changes in internal APIs and experimental modules. If so, contributed and custom modules and themes may need updating. This is according to Drupal core's backward compatibility and experimental module policies. This release may include string changes and additions. Translators can review the latest translation status on localize.drupal.org. Drupal 11.1.x will receive security support until December 2025. Drupal 11.0.x will continue to receive security support until June 2025. 11.1.0 tag has been moved: Due to a packaging issue the 11.1.0 tag has been moved and recreated. This will not affect anything unless you fetched tags between Friday December 13th 2024 and Monday December 16th 2024. Changes to site-owner-managed files A directive has been added to the default .htaccess file that attaches the correct image/webp header for webp images when the MIME Apache module is enabled. This is needed for sites hosted on Apache web servers running on operating systems that do not support the webp image MIME type. These sites should update their .htaccess files to take advantage of this improvement. The sid_length and sid_bits_per_character configuration options are no longer supported in PHP 8.4 or Symfony 7.2, so they have been removed from default.services.yml. Sites should remove these settings from any services.yml files. The "Access the Content blocks overview page" permission is no longer required to create blocks. This means that roles that have "Create new content block" permission for a given block type will be able to create these blocks when they could not in previous releases. Site owners should audit their Block Content permissions to ensure that block creat |
| Drupal 11.0.9 Nov 23, 2024 |
All changes since 11.0.7: Issue #3487031 by larowlan, alexpott, themodularlab, ericgsmith, longwave, spokje: Performance Degraded after update to twig 3.14.2 Merged 11.0.8. Issue #3477324 by andypost, alexpott: Fix usage of str_getcsv() and fgetcsv() for PHP 8.4 Issue #3488179 by phenaproxima, thejimbirch: RecipeConfigurator::getIncludedRecipe() should statically cache recipe objects to avoid performance problems Issue #3487482 by amateescu, catch, benjifisher, ekes, finn lewis, fabianx, larowlan: Creating a published moderated entity in a workspace shouldn't make it published in Live Issue #3480293 by gapple: ConfigTarget::__construct() documentation references incorrect ToConfig enum name Issue #3483931 by mondrake: [CI] Use testdox and colors in tests spawned by run-tests.sh |
| Drupal 11.0.8 Nov 21, 2024 |
All changes in this release: Issue #3486195 by longwave, alexpott, dmundra: An update to symfony/http-foundation plus a trailing space took down the views UI Issue #3485956 by mradcliffe, jan kellermann, gillesbailleux, raphaelbertrand, cilefen, larowlan: Recursion limit exceeded with Twig v3.14.1 when editing a node or a block |
| Drupal 11.0.7 Nov 14, 2024 |
All changes in this release: Issue #3486195 by longwave, alexpott, dmundra: An update to symfony/http-foundation plus a trailing space took down the views UI Issue #3485956 by mradcliffe, jan kellermann, gillesbailleux, raphaelbertrand, cilefen, larowlan: Recursion limit exceeded with Twig v3.14.1 when editing a node or a block |
| Drupal 11.0.6 Nov 8, 2024 |
All changes in this release: Issue #3482062 by quietone, phenaproxima: Remove phenaproxima as a Migrate subsystem maintainer Issue #3483515 by megakeegman, mlncn: D7 node_revision table is referred to as node_revisions Issue #3481418 by tomdearden, longwave: Typo in error message when MySQL socket connection fails Issue #3477346 by mondrake, smustgrave, larowlan: ExtensionMimeTypeGuesser::guessMimeType returns less accurate MIME type when file extensions have multiple parts Issue #3463111 by sanket.tale, jaydeep_patel, yujiman85, sheetal.pathak, rachel_norfolk, sagarmohite0031, rduterte, binssss, smustgrave: Spacing issue between Checkbox label and button Issue #3344765 by lauriii, nayana_mvr, kleiton_rodrigues, smustgrave: Inconsistencies in system-status-counter RTL styles Issue #2479449 by sudiptadas19, smustgrave, akashkumar07, rithesh bk, rpayanm, pradhumanjain2311, tstoeckler, mrinalini9, tatisilva, larowlan, andypost, dawehner, xjm, yesct: contact_menu_local_tasks_alter() should check whether ['tabs'][0] is set Issue #3477613 by quietone: Add doc block for $modules in tests Issue #3475753 by quietone: Use install/uninstall in layout builder expose all field Issue #3469607 by murz, drumm, mcdruid, greggles: Nightwatch tests from submodules do not run in Gitlab CI because of missing option to follow symlinks Issue #3473999 by mondrake, smustgrave, catch: Ajax-enabled image effect forms do not update to the latest ajax processed configuration Issue #3319601 by pooja_sharma, sunlix, bkosborne, quietone, smustgrave, longwave, lendude: Media image thumbnail incorrectly ends up as NULL when it should be an empty string Issue #3479857 by amateescu: User login and password reset forms should be workspace-safe Issue #1427838 by sukr_s, smustgrave, quietone, tim.plunkett, alexpott: password_confirm children do not pick up #states or #attributes Issue #3478166 by quietone, smustgrave, mstrelan: Add MissingParamType for form, form_state and form_id Issue #3458215 by finns |
| Drupal 11.0.5 Oct 4, 2024 |
Important changes in this release: Webpack is updated to version 5.95.0 to incorporate a security release which does not affect Drupal core. This update introduces a change to the supported browser list, which allows more modern CSS to be produced, notably the :dir pseudo class. Drupal core has required all browser versions to support :dir since December 2023, so this is applying what was already an existing policy. All changes in this release: Issue #3457781 by catch, longwave, senscybersecurity, cmlara, cilefen, poker10, greggles, alexpott, ericgsmith, xjm: Maintenance pages leak sensitive environment information Issue #3456699 by nicoschi, joelpittet, doxigo: The dotfiles are ignored when copied over in Starterkit Issue #3477805 by spokje, longwave: Update Webpack to 5.95.0 Issue #3477373 by finnsky, bbrala, longwave: Fix "Not passing an instance of "TwigFunction" when creating a function of type "FunctionExpression" is deprecated." Issue #3477374 by finnsky, longwave, bbrala: Fix "The "tag" constructor argument of the "DrupalCoreTemplateTwigNodeTrans" class is deprecated and ignored" Issue #3474692 by longwave, foxtrotcharlie, bbrala: Fix "TwigNodexpressionFilterExpression" deprecation introduced in twig/twig 3.12.0 Issue #3457168 by raphaelbertrand, gauravvvv, bbrala, longwave: Since twig/twig 3.9: error with "twig_escape_filter" function usage in /core/lib/Drupal/Core/Template/TwigExtension.php Issue #3470641 by bbrala, catch, mstrelan, cmlara, nicoloye: gitlab artifact caching doesn't work due to differences with project ID and build directories Issue #3458565 by nishtha.pradhan, sadamafridi, joachim, smustgrave, vinmayiswamy, rodrigoaguilera, dksdev01, bibliophileaxe, devjuarez: TablesInterface::addField() doesn't document that $field can contain relationships Issue #3302833 by akhil babu, b_sharpe, alexpott, oily, smustgrave: Improve PluginNotFound exception to include possible |
| Drupal 11.0.4 Sep 12, 2024 | This release reverts #3471741: Fix null $cid in CacheCollector classes, released in 11.0.3, which conflicted with Menu Trail by Path, Entity Manager and Gin Toolbar modules. |
| Drupal 11.0.3 Sep 12, 2024 | This release reverts #3471741: Fix null $cid in CacheCollector classes, released in 10.3.4, which conflicted with Menu Trail by Path, Entity Manager and Gin Toolbar modules. |
