Backdrop 1.29.3 Release Checklist

[quicksketch]

Release scheduled for January 8, 2025 10am - 4pm PT

Pre-release tasks

• Merge commits (@quicksketch)
• Create the next bugfix milestone (@quicksketch)
• Move all unfinished issues to the next bugfix release milestone (@quicksketch)
• Review all closed issues in milestone: (@jenlampton)
  • Issue titles should include a complete, but very brief summary of the problem.
  • Bug issue titles should start with Fix or Fixed,
  • New feature issue titles should start with Add or Added.
  • Each issue should have accurate labels, especially the "type - " labels.
• Close the milestone (@quicksketch)
• Draft Release notes (@quicksketch)
  • Include a short, descriptive summary of the release, for example:
    • "Security release for Backdrop CMS. This release fixes 1 security vulnerability:"
    • Include a list of SA's for commits to this release
  • Include a section heading **Notes for updating**
    • Note if any changes were made to files outside the core directory, for example:
      • - No changes have been made to the `.htaccess`, `robots.txt` or default `settings.php` files in this release. Updating customized versions of those files is not necessary.
      • See this example for updates to .htaccess
      • See this example or this example for updates to settings.php
    • Note if updates (update.php) needs to be run, for example:
      • Use the text The database update script does **not** need to be run.
      • or **It will be necessary to run the update script** (located at /core/update.php) for this release.
      • Note: you can use this command to see if any install files were changed:
        ls -1 core/modules/*/*.install | while read filename; do echo "$(git log -1 --pretty="format:%ad %f" --date=format:"%F %R" -- $filename)" $filename; done|sort
  • Include a section heading **Changes since version 1.xx.x** are listed below.
    • Navigate to Actions
    • Select the most recent time "Release Notes Generator" has been run.
    • Download the release-notes artifact attached to the generator.
    • Unzip the file, and copy/pate contents into release notes draft.
    • Remove any square brackets in the titles, and move those issues to their own section.
• Draft Security Advisories (assign to stpaultim / klonos / jenlampton herbdool / quicksketch)

Release tasks

• Update bootstrap.inc with version number (@quicksketch)
• Tag for release, and push tag to GitHub (@quicksketch)
• Revert version number back (@quicksketch)
• Create release notes on GitHub, and publish release (assign to jenlampton / herbdool / quicksketch)
• Publish Security Advisories on b.org (assign to stpaultim / klonos / jenlampton / herbdool / quicksketch)
• Mark the release node on b.org as a security release (assign to stpaultim / klonos / jenlampton / herbdool / quicksketch)
• Request a CVE (@jenlampton)
• Update the front page download link on b.org (assign to stpaultim / klonos / jenlampton / herbdool / quicksketch)
• Tweet that a new release is out (assign to stpaultim / jenlampton)
  • Use text like "There is a security release out for #BackdropCMS today, please update when you can. Backdrop core - Critical - Third-party libraries - BACKDROP-SA-CORE-2021-001"

Immediate Post-release tasks

• Update Tugboat @klonos
• Update Composer @herbdool
• Update Docker @Wylbur
• Update Pantheon @herbdool
• Update Platform.sh @herbdool
• Update Amezmo @jenlampton
• Update DrupalForge @izmeez
• Update the Wikipedia articles @klonos
  • https://en.wikipedia.org/w/index.php?title=Template:BackdropCMS_version&action=edit -
    • Auto applied to:
      • https://en.wikipedia.org/wiki/Backdrop_CMS
      • https://en.wikipedia.org/wiki/List_of_content_management_systems

Backdrop's Website updates

• backdropcms.org @jenlampton (or bugfolder)
• beta.backdropcms.org @bugfolder (or jenlampton)
• docs.backdropcms.org @jenlampton (or bugfolder)
• events.backdropcms.org @jenlampton (or bugfolder)
• forum.backdropcms.org @jenlampton (or bugfolder)
• localize.backdropcms.org @jenlampton (or bugfolder)

See Also

• Checklist for 1.28.5 release

[quicksketch]

Release notes draft:

---

Security release for Backdrop CMS. This release fixes 2 security vulnerabilities:

• BACKDROP-SA-CORE-2025-001
• BACKDROP-SA-CORE-2025-002

Notes for updating

• The .htaccess file has been modified with optional changes. Updating this file to match core may help improve compatibility with some web servers. See Issue #6734 for details or just the changed lines in the pull request.
• No changes have been made to the robots.txt or the default settings.php files in this release. Updating customized versions of those files is not necessary.
• It is not necessary to run the update script (located at /core/update.php) for this release.

In addition to the security fixes, this release also includes a number of bug fixes and UX improvements.

UX Improvements

• Expand the "Global settings" fieldset when creating new fields #5345
• Display "Conditions" admin preview in admin UI for "Existing content" block #6780
• Editors should have permission to download and edit own files on new installations #6484

Bug fixes

• Remove deprecated mbstring.http_input and mbstring.http_output from .htaccess #6734
• CKEditor 5 sometimes gets double-binded, duplicate editors #6774
• CKEditor 5 does not display on formatted text fields requiring different text formats #6771
• CKEditor 5 Link modal incorrectly limits the length of URLs #6740
• CKEditor 5 removes whitespace from within <pre> tags #6439
• Contextual menu outline some times not visible (especially on bottom) #6802
• Book and Link PHP 8.3 Test Deprecation Notice #6791
• Custom menu breakpoint makes parent Basis CSS load after the child theme skin CSS #6778
• Mail headers line endings need to be changed to CRLF for PHP 8 #6775
• Call to undefined function block_custom_block_load() #6773
• Warning thrown when importing a new field instance through configuration manager #6766
• PHP Warning: Undefined array key "alt" in theme_icon() #6760
• Self-update detection fails on shared hosting configuration #6759
• Remove the call to node_type_set_defaults() done right before calling node_type_save() #6413
• Views Permission Override for Display not working properly #5919
• MySQL Error in View of modules and themes - MySQL 8.0+ reserved word clash with system table #5795
• Add Apple mimetype files and extensions to accepted mimetypes #6680
• User edit form does not use flood control and allow for password brute force attacks #6452

Documentation updates

• Do not abbreviate Form API as "FAPI" #6793
• Better link for 'utf8mb4' documentation #6792
• Document _color_preview_theme() #6266
• Fix spelling and clean dictionary up #6302
• The code shown for callback_batch_operation() calls a function that Backdrop core does not implement #6634
• Typo in variable name in docblocks in system.api.php file #6273

[quicksketch]

Release is out and marked as a security release: https://github.com/backdrop/backdrop/releases/tag/1.29.3

[quicksketch]

Posted to Bluesky: https://bsky.app/profile/backdropcms.bsky.social/post/3lfbnfgfkyc2g

[findlabnet]

Note: #6680 is required to run the update script.

[quicksketch]

Thank you @findlabnet, I've updated the release notes.

[jenlampton]

I've updated all other backdropcms.org sites to 1.29.3

[laryn]

I've updated the Pantheon upstream.