Drupal’s next major release will rest on third-party PHP dependencies.
Dries Buytaert, Drupal creator, confirmed on a blog post that they’re planning the release of Drupal 9 before Symfony ceases to support Symfony 3 in November 2021. At that point, Symfony 3 will no longer receive security fixes.
Ideal for any type of website, Drupal is an open source content management system (CMS) with an extensive library of extensions and modules to power up its functionality. It has a huge community of users and developers, making it one of the most widely used CMS. There are about 1.7 million live websites using Drupal as of this writing.
The CMS is notable for its sophisticated, enterprise-level of security, making governments (such as whitehouse.gov) chose to host their websites on Drupal. Based on a recent report, Drupal is the most secured platform compared to the other leading CMS platforms.
The driving factor in that discussion is security support for Drupal 8’s third party dependencies (e.g. Symfony, Twig, Guzzle, jQuery, etc). Our top priority is to ensure that all users are using supported versions of these components so that all Drupal sites remain secure.
So instead of adding features to Drupal 8, Buytaert said they are considering upgrading to Symfony 4 and releasing it as Drupal 9.
Nothing has been decided yet, but the current thinking is that we have to move Drupal to Symfony 4 or later, release that as Drupal 9, and allow enough time for everyone to upgrade to Drupal 9 by November 2021.
The initial plan did not take into account the other third-party components yet. However, Buytaert stated that they have already worked out the ways to make Drupal upgrades easy to ensure a smooth transition from version 8 to version 9. Furthermore, the founder is keen to upgrade Drupal’s already remarkable security program.
While nothing is set in stone yet, Buytaert is asking the Drupal community to join the discussion and share inputs to help them sew up the roadmap to Drupal 9.