This is a beta release for the next major version of Drupal. Drupal 9 beta releases are intended for site owners and module or theme authors to test compatibility and upgrade paths for Drupal 9.0. Beta releases are not intended for production.
This release fixes security vulnerabilities present in 9.0.0-beta1. Sites are urged to upgrade immediately after reading the security announcement and notes below:
- Symfony CVE-2020-5275: All "access_control" rules are required when a firewall uses the unanimous strategy
- Symfony CVE-2020-5274: Fix Exception message escaping rendered by ErrorHandler
- Symfony CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header
- minimist CVE-2020-7598 (development dependency)
Note that Drupal 8 is not affected by the Symfony vulnerabilities above.
Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 9 compatibility of modules, themes, and sites. For more information on 9.0.x development, see #3007300: [META] Release Drupal 9 on June 3 2020.
The 9.0.x branch also includes all the latest commits that will be backported to 8.9.x and earlier branches. 9.0.x and 8.9.x have the same APIs and features. The key changes in 9.0.x are:
- Deprecated code will be removed.
- Dependencies will be updated to new major versions as appropriate.
- Platform requirements (supported PHP and database versions) will be increased.
For all other changes, refer to the 8.9.x branch.Important update information
Symfony components have been updated from version 4.4.5 to version 4.4.7, and 4.4.7 is now required http-foundation. Other Symfony components will be updated with a 4.4.7 version requirement in a future release.
Drupal core themes, Bartik, Claro, Seven and Umami no longer depend on Stable. Prior to this change, these themes were also refactored to no longer depend on Classy. Now, all these themes set base theme: false. All templates and CSS not overridden in these themes will be inherited directly from core.
- #3123558 by alexpott, xjm, tedbow: Update Symfony to 4.4.7
- #3120494 by longwave, jungle: Bump minimist from ^1.2.0 to ^1.2.2
- #3121827 by dww: Documentation follow-up fixes for hook_update_last_removed() from #3098475
- #3122742 by alexpott: Fix PHP 5 tests on 8.7.x
- #3113992 by dww, tedbow, xjm, Meenakshi.g, benjifisher, kualee, tim.plunkett, webchick, AaronMcHale, ckrina, shaal, mandclu, klonos, lauriii, Gábor Hojtsy, worldlinemine, alexpott: The 'Update' page has no idea that some updates are incompatible
- #3104015 by alexpott, TravisCarden, xjm, longwave, Spokje, catch, fgm, Berdir, tedbow, Bruno Vincent: Replace ZendFramework/* dependencies with their Laminas equivalents
- #3115223 by bnjmnm, lauriii, tedbow, xjm, alexpott: Remove Stable as a base theme of core themes
- #3113403 by Beakerboy, neelam_wadhwani, daffie, alexpott: Make Drupal\Core\Database\Query\Condition driver overridable
- #3087562 by jhodgdon, Amber Himes Matz: Convert datetime, datetime_range, field, field_ui, link, options, telephone, text modules hook_help() to topic(s)
- #3041926 by jhodgdon, vadim.hirbu, anmolgoyal74, shwetaneelsharma, Amber Himes Matz, benjifisher, BramDriesen: Convert automated_cron, ban, dblog, syslog, system, update, and user module hook_help() to topic(s)
- #3121229 by alexpott: Hotfix cruft from alpha experimental module removal