[Security-news] Drupal 8 end-of-life on November 2, 2021 (four months from now) - PSA-2021-2021-06-29

security-news at drupal.org security-news at drupal.org
Tue Jun 29 23:22:54 UTC 2021 

View online: https://www.drupal.org/psa-2021-2021-06-29

Version: 8.9.x-dev
Date: 2021-June-29
Description: 
*Drupal 8 will reach its end-of-life on November 2, 2021*, before the release
of Drupal 9.3.0, due to Symfony 3's end-of-life [1]. If you are using Drupal
8, *you must upgrade to Drupal 9.2 before November to keep your site secure*.
(Drupal 9.1 security coverage ends shortly after the Drupal 8 end-of-life, so
updating to 9.2 directly is best.)

There is no vendor extended support program for Drupal 8.

Solution: 
.... How do I upgrade my Drupal 8 site to Drupal 9?

The Drupal 8 to Drupal 9 upgrade process is much easier than previous
major-version upgrades. There are many automated tools available to assist
with the upgrade. Learn more about upgrading your Drupal 8 site to Drupal 9
[2].

.. What if a module I need doesn't have a Drupal 9 release?

Many modules can be upgraded automatically. Check the module's issue queue
for an issue created by "Project Update Bot".

   1) If the "Project Update Bot" issue is not yet marked "Reviewed and Tested
      by the Community" ("RTBC"), review and test whether the module works for
      you on Drupal 9 with that patch applied to its code.
       * If the issue is set to "Needs review" and your testing does not
         encounter any problems, you can mark the issue RTBC, along with a
         comment explaining what you tested and how.
       * Otherwise, if it does not work or causes bugs that didn't happen
         before, mark the issue "Needs work" explaining what did not work with
         the Drupal 9 patch.

   2) If the existing issue is /already/ "Reviewed & Tested by the Community",
      test it yourself, and comment on the issue reporting what testing you
      did. Consider using the maintainer's contact form to reach out to them
      asking them to make a Drupal 9 release.
       
   3) If you have maintained contributed projects before and the patch has 
been
      RTBC for at least two weeks, consider taking over maintenance of the
      module [3]. Otherwise, if you work with an organization that provides
      Drupal services, ask that organization to consider taking over
      maintenance of the module.

If you cannot find anyone to maintain the module, try using the patch
directly with composer [4].

The Drupal Association will also be taking additional steps to help with the
creation of Drupal-9-compatible releases in the coming months.

.... What about Drupal 7?

Drupal 7 will still have community-based security coverage until November 28,
2022 [5]. The paid Drupal 7 Vendor Extended Support program [6] will continue
until November 2025.


[1] https://symfony.com/releases/3.4
[2]
https://www.drupal.org/docs/upgrading-drupal/how-to-prepare-your-drupal-7-or-8-site-for-drupal-9/upgrading-a-drupal-8-site
[3]
https://www.drupal.org/docs/develop/managing-a-drupalorg-theme-module-or-distribution-project/maintainership/taking-over
[4]
https://www.drupal.org/docs/upgrading-drupal/upgrading-from-drupal-8-to-drupal-9-or-later#s-installing-drupal-8-only-contributedmodule-with-drupal-9-patch
[5] https://www.drupal.org/psa-2020-06-24
[6] https://www.drupal.org/project/d7es

More information about the Security-news mailing list