= MediaWiki 1.39 =
PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/
PHP 8.4 workboard: https://phabricator.wikimedia.org/tag/php_8.4_support/
== MediaWiki 1.39.13 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.12 ===
* Localisation updates.
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391867) http: Handle accept header with incomplete q.
* Update Pingback address.
* (T393879) objectcache: Cast explicitly to integer.
* (T394989) FormatMetadata::formatFraction: Don't risk passing null to
preg_match.
* (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
* (T396766) ApiQueryRevisionsBase: Cast ctype_digit() param to string.
* (T221560) Remove hyphens from legal search characters for MySQL-based database
searches.
* ParserCache forward-compatibility: anticipate removal of OutputHooks.
* Protect against ParserOutput/CacheTime re-namespacing.
* ParserCache forward-compatibility: anticipate removal of TOCHTML.
* SerializationTestUtils: handle 1.xx_wmf* versions; don't fail immediately.
* AuthManager: Be consistent about the remember flag on autocreate.
* (T397883, T397643) htmlform: fix min/max validations on empty input in
int/float fields.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField
validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
action=feedcontributions.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when invalid
'format' is provided.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login for
reauthentication.
== MediaWiki 1.39.12 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.11 ===
* Localisation updates.
* (T380755) session: Do not set session.use_trans_sid.
* (T382987) $wgDnsBlacklistUrls now defaults to an empty array. See the comment
in the "Configuration changes for system administrators" section.
* (T382484) dumps: Use proc_close() to close proc_open() subprocess.
* (T315202) Account for null values in Exif data.
* (T384879) FormatMetadata: Prevent running preg_match() on null.
* (T384995) specialpage: Improve handling of invalid lang codes on login/signup.
* (T385169) MultiUsernameFilter: Don't try to split ids if they're not a string.
* (T319219) Fix Site::getPath() + MediaWikiSite::getFileUrl() confusion.
* (T385332) feeds: Fix str_replace() deprecation warnings on PHP 8.
* (T379125) exception: Suppress dependency loop exception.
* (T381033) RateLimiter: Fix peek mode.
* (T387130, CVE-2025-32699) SECURITY: Update wikimedia/parsoid to 0.16.5.
* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace error.
* (T387638) RevDelList: Ensure setVisibility always includes itemStatuses in
value if applicable.
* (T388296) ImportImages: Exit with non-zero code if import fails.
* Request: Improve log message when headers already sent.
* (T388066) Avoid trying to load the session user in MW_NO_SESSION endpoints.
* (T388171) HttpError: Cast Message to string.
* (T388255) ApiLogin: Don't break BotPasswords if password or user is blank,
just error.
* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace: Apply same
anti-null fix as 270499b.
* (T387690) upload: Suppress warnings from iconv().
* (T388733) Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert
action.
* (T388924) MagicWord::replace*: Make sure we don't pass null into preg_match/
preg_replace.
* (T390063, T277675) ResourceLoader: update wikimedia/minify to 2.9.0.
* (T368921) ResourceLoader: Set "math=always" before Less.php 5.0 upgrade.
* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1
($haystack).
* In .htaccess deny files, use "Satisfy All".
* (T389028) block: Fix DBS::acquireTarget() race using GET_LOCK().
* permissions: Check cascade protection only if page can exists.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
functions do not correctly enforce suppression restrictions,
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack
enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
HTMLMultiSelectField when sections are used.
== MediaWiki 1.39.11 ==
This is a maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.10 ===
* Localisation updates.
* (T377450) [DatabaseUpdater] Don't interact with updatelog on virtual domains.
* (T377916) specials: Avoid passing null to str_replace().
* (T378006, T372500) AutoLoader: Use require_once rather than require.
* (T378304) GlobalIdGenerator: Update str_getcsv() call for PHP 8.4.
* Upgrade php-session-serializer from 2.0.1 to 3.0.0.
* Upgrade xmp-reader from 0.8.6 to 0.9.2.
* (T372569) installer: Consistently use double quotes when outputting settings.
* (T362829) Correct range error in regexp of formatmetadata.
* (T381068) ButtonAuthenticationRequest: Add AllowDynamicProperties directive.
== MediaWiki 1.39.10 ==
This is a maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.9 ===
* Fix issue related to backport of AbuseFilter patch for T372998.
== Mediawiki 1.39.9 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.8 ===
* Localisation updates.
* (T303007) skins: Fix Skin::buildSidebar to not share cache between skins.
* (T367918) When using the 'runMaintenance' method in a
LoadExtensionSchemaUpdates hook handler, only the script's class name is
required, not its path.
* Clarify that $wgAllowCrossOrigin only applies to REST.
* (T370380) installer: Support MW_SKIP_EXTERNAL_DEPENDENCIES in update.php.
* composer.json: Add 5 more ext- to suggests.
* resources: Fix 404 Not Found for foreign Financial-Times/polyfill-library.
* ResourceLoader: Fix regression of color mapping in Less.php.
* ResourceLoader: Upgrade wikimedia/less.php to 4.4.1.
* SpecialExport: Prevent passing null to strtolower.
== MediaWiki 1.39.8 ==
This is a maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.7 ===
* Localisation updates.
* tests: Skip failing tests on php8.2 (and make pass).
* (T326480) ApiResult: Make array ordering consistent across PHP versions.
* (T352789, T287972) build: Raise TestingAccessWrapper from 2.0.0 to 3.0.0.
* (T326478) tests: Create new classes to hold dynamic properties in auth tests.
* (T326478) tests: Avoid dynamic properties in AuthenticationProvider Test.
* (T326466) Introduce and use DynamicPropertyTestHelper.
* tests: Skip failing tests on php8.3 (and make pass).
* (T352910) tests: Use TestingAccessWrapper::newFromClass in session tests.
* (T326478) tests: Avoid dynamic properties in auth tests.
* (T326479, T361985) StatusValue: Allow passing arbitrary data to augment
result.
* tests: Remove dead code from WikiPageDbTest::assertPreparedEditNotEquals.
* (T326478) tests: Avoid dynamic properties in SessionManagerTest.
* (T361990) Upgrading wikimedia/parsoid (v0.16.3 => v0.16.4).
* (T357760) Use i18n strings for truncated subpage message in SpecialMovePage.
* ArticleTest: Skip testGetOrSetOnNewProperty() if PHP >= 8.2.
* (T361982) Update wikimedia/less.php from 3.1.0 to 3.2.1.
* debug: Update PsySH 0.11.1 -> 0.12.3.
* (T361991) Fix slash-delimited regex from CLI on maintenence/grep.php.
* (T362078) Improve RestAPIAdditionalRouteFiles path expansion.
* (T352695) tests: Only set $dbSetup if setupTestDB() ends without throwing.
* (T302186) Add title cache for Title::newMainPage().
* objectcache: Fix flaky WANObjectCacheTest::testLockTSESlow case.
* (T362272) api: Replace null $httpCode by 0 in ApiBase::dieWithErrorOrDebug.
* (T150647, T216682) Make EncryptedPassword work with Argon2Password.
* (T327220) Special:ApiHelp: Move widths and floats in CSS to media query.
* (T364270) Fix long param names overlapping docs in API help pages.
* MaintenanceRunner.php: Add trailing newline to error message.
* wrapOldPasswords: Improve progress output and decrease batch size.
* (T361367) ApiFeedWatchlist: Fix handling of array parameters.
* (T132418) ResourceLoader: Add 1min grace via stale-while-revalidate
Cache-Control.
* (T366130) EncryptedPassword: Store default parameters as strings.
* Name the PagerTools array entries to allow hooks to unset them.
== MediaWiki 1.39.7 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since 1.39.6 ===
* Localisation updates.
* (T334992) Headings in the license pickers should not be selected.
* (T353929) ActiveUsersPager: Count actions only once.
* composer: Use @php instead of php.
* (T326065) Indent JsonContent using tabs.
* (T354541) authmanager: Improve AuthenticationRequest docs.
* (T355017) Add missing space in Special:RecentChangesLinked.
* (T355003) composer.json Add ext-bcmath and ext-gmp to suggests.
* PHPVersionCheck: Update text to match currently supported upstream PHP
versions (8.1+).
* (T354045) API: mark HTML output as non-cacheable.
* (T355530) filerepo: Fix img_major_mime for files with a non-standard
extensions.
* (T355530) MimeAnalyzer: Add @since to isValidMajorMimeType.
* (T317489, T319202) Mark some parserTests on talk pages Parsoid only on
REL1_39.
* (T350594) Update wikimedia/parsoid to 0.16.3.
* (T352554) ZhConverter: Fix language variant fallback chain.
* (T357668) Parser::getExternalLinkAttribs: Don't set rel attribute to null.
* LockManagerGroupIntegrationTest: Remove test depending on DBLockManager.
* (T357808) LinkRendererTest: Add missing import for LinkTarget.
* (T353305) ApiResetPassword: Allow both user and email parameters to be passed
for reset.
* (T358949) updateCollation: Explicitly cast $scale to int.
* (T359055) api: Improve linking of language codes lists in top level i18n
messages.
* (T359294) Make sure MovePage::isValidFileMove matches UploadBase::getTitle.
* (T230245) Respect $maxConcurrency when queuing async FileOps.
* (T352554) Follow-up "ZhConverter: Fix language variant fallback chain".
* (T292237, T317451) build: Restore Doxygen output for MediaWiki release tags.
* (T324903) HistoryPager: Add #[AllowDynamicProperties].
* (T360850) Update Apache config syntax in .htaccess files.
* (T309714, T354274) mime: Add support for 'font/woff' and 'font/woff2' mime
type.
* (T309714) mime: Make test cases use data provider.
* (T331608) installer: Bear with schema drift caused by running old updater.
* docs: Remove use of $IP from mwdocgen.php.
* (T317451) build: Restore Doxygen output for MediaWiki release tags (take 3).
* docs: Set stable permalink on markdown files.
* (T357019) allow maintenance/deleteBatch.php to accept page ID.
* (T355538, CVE-2024-34507) SECURITY: XSS in edit summary parser.
* (T357760, CVE-2024-34506) SECURITY: Denial of service vector via GET request
to Special:MovePage on pages with thousands of subpages.
== MediaWiki 1.39.6 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since MediaWiki 1.39.5 ===
* Localisation updates.
* Updated symfony/polyfill-php80 from 1.26.0 to 1.28.0.
* Updated symfony/polyfill-php81 from 1.26.0 to 1.28.0.
* (T344912) mail: Encode period (ascii 46) if it appears in encoded email
header.
* Added symfony/polyfill-php82.
* Added symfony/polyfill-php83.
* Updated symfony/yaml from 5.4.10 to 5.4.23.
* (T329609) ApiQueryLanguageinfoTest: Do not pass a float to setFakeTime.
* Updated wikimedia/timestamp from 4.0.0 to 4.1.1.
* tests: Provide coverage for StatusValue::__toString.
* StatusValue: Improve logging/debug output with multibyte characters.
* (T347726, CVE-2023-51704) SECURITY: logging: Fix non-escaped messages
used in rights log.
* Updated wikimedia/parsoid from 0.16.1 to 0.16.2.
* (T229992) LocalisationCache: Preserve fallback source language info.
* (T275085) Fix logging Status objects to 'authevents' channel.
* (T341310) DEVELOPERS.md: mention git clone and WSL.
* (T351758) DEVELOPERS.md: reword WSL instructions to include best practices.
* (T349115) LocalisationCache: Fix a rare case in fallback source language.
* SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null to parameter #1
($string) of type string is deprecated".
* maintenance: Add missing parenthesis to SQL in attachLatest.php.
* (T353472) maintenance: Fix join condition in DeduplicateArchiveRevId.
== MediaWiki 1.39.5 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since MediaWiki 1.39.4 ===
* Localisation updates.
* (T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects
with variants conversion.
* docs: Fix a few typos in MainConfigSchema.
* (T309714) mime: Add support for 'font/sfnt' mime type.
* (T341434) WikiImporter: Improve error message output.
* (T317255) VueComponentParser: Use Zest's getElementsByTagName() rather than
PHP's.
* (T341737) ApiBase: Cast $id to string in filterIDs.
* (T286291, T296188) Merge zh and zh-tw namespace translations back to zh-hans,
zh-hant, zh-hk respectively.
* (T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
* (T237898) installer: Check MariaDB version in updater/installer.
* (T342632) ApiComparePages: Add help url.
* (T326182, T324903) EditPage: Add #[AllowDynamicProperties].
* (T342351) rdbms: Fix postgres db function call.
* (T343675) user: Use {@} to escape annotation when writting about annotation.
* (T343797) LanguageWa: Fix double timezone adjustment.
* (T326454) Update pear/mail to 1.5.1.
* (T343622) docs: Set the <comment> tag back to optional.
* (T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
* (T337463) wdio-mediawiki: await saveScreenshot.
* (T274041) Include core PSR-4 classes in the generated classmap.
* (T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups
will be audited more aggressively.
* doc: Improve description of "type" in extension.schema.v2.json.
* Added PrivilegedGroups attribute for extension.json / skin.json, which lets
you add any new user groups you define to wgPrivilegedGroups (see above).
* HTMLForm: Fix E_NOTICE when hide-if is used with setFormIdentifier.
* (T288624) MultiHttpClient: Unset $this->cmh after closing it.
* (T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
* (T265734) API Help: Note that parameters may be inherited from other context.
* API: Make continue parameter help description more specific.
* (T285545) i18n: Split apihelp for standard dir parameter.
* (T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage
show.
* (T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
* (T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
* (T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
* (T285545) i18n: Split apihelp for parameter action=managetags&operation=.
* (T285545) api: Add message for list=watchlist&wlprop=expiry.
* (T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
* (T342633) api: Add message for action=compare&prop=timestamp.
* API: revids=… does not necessarily return the queried revisions.
* (T326696) user: Truncate option value in UserOptionsManager.
* (T326696) ApiOptions: Give warning if the value is too long.
* API i18n: Add {{PLURAL:}} for byte count messages.
* (T235207) Get correct main page in API call examples.
* doc: Make extension.schema.v2.json a valid JSON schema.
* updateSpecialPages.php: Avoid implicit float conversion on modulo.
* (T347227) ImportReporter: Make callback functions public.
* (T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
* (T204470) Remove feedback messages from RawHtmlMessages.
* (T264765, CVE-2023-45364) SECURITY: Article: Check permissions before
showing link to view deleted revision.
* (T310378) Ensure that installer i18n is loaded by update.php.
* doc: Improve description of type in extension.schema.v1.json.
* (T340217, CVE-2023-45359) SECURITY: Vector 2022: Numerous unescaped
messages leading to potential XSS.
* (T340220, CVE-2023-45361) SECURITY: Vector 2022: vector-intro-page
message is assumed to yield a valid title.
* (T340221, CVE-2023-45360) SECURITY: XSS via
'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
* (T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser
("X intermediate revisions by the same user not shown") ignores
username suppression.
* (T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted
XML file to Special:Upload (non-standard configuration).
== MediaWiki 1.39.4 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since MediaWiki 1.39.3 ===
* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7
(2.4.0 => 2.4.5).
* (T333776) {{ACTIVEUSERS}} wasn't being updated without updateSpecialPages.php.
* (T258860) Prevent LogicCache exception from message cache during IO errors
from memcache.
* (T336868) Improve idempotency of postgres index upgrades.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* A fake MessageLocalizer for use in unit tests.
* (T338114) Title: Add forward alias.
* composer: Add symfony/polyfill-php81 like symfony/polyfill-php80.
* (T330464) Work around argument corruption bug in XMLReader::open.
* Fix frame and frameless rdfa depending on file existing.
* Fixes for the phan upgrade, part 1.
* Fixes for the phan upgrade, part 2.
* (T298571) build: Update mediawiki/mediawiki-phan-config to 0.12.0.
* build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
* (T329214) Pass whether current rev of file exists to
Linker::makeBrokenImageLinkObj.
* (T334659) Handle thumb errors when !$enableLegacyMediaDOM.
* A manualthumb that doesn't exist should be considered a thumb error.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.
== MediaWiki 1.39.3 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since MediaWiki 1.39.2 ===
* Localisation updates.
* (T328477) LinksUpdate: Use DB key for category links table.
* GlobalFunctions: Remove check for MEDIAWIKI constant.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330382) postgres: Make the upgrade ignore dropping indexes that
might not exist.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in
multiselects.
* (T291753) rdbms: escape backslashes in makeConnectionString for PostgreSQL.
* (T325529) Fix total breakage of wgCanonicalServer fallback.
* (T318103) mediawiki.storage: Disable async GC during integration test.
* (T332461, T332397) TempFSFile: Keep the WeakMap alive.
* (T332902) page: fix InvalidArgumentException in SQLPlatform::makeList.
* (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted
XFF headers.
== MediaWiki 1.39.2 ==
This is a maintenance release of the MediaWiki 1.39 branch.
=== Changes since MediaWiki 1.39.1 ===
* Localisation updates.
* (T325872) ChangeTags: Remove table name from condition.
* (T324895) MWCallbackStream: Add explicit $stream property.
* (T297031, T326039) PostgresUpdater: Move setDefault ahead of
changeNullableField.
* (T321319) Produce HTML for invalid JSON.
* (T215466, T326071) MigrateActors: Write to revision table (Follow-up 24115a8).
* (T223027) ReservedUsernames config: Add reserved names from maintenance
scripts.
* (T325000, T324896, T307631) Updated OOUI from v0.44.3 to v0.44.5.
* Remove /images .htaccess rules that are no longer relevant.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* LocalFileTest: use encodeBlob/decodeBlob for img_metadata.
* DatabaseSqlite: fix null blobs.
* rdbms: avoid pg_escape_bytea() call-style deprecation notices.
* (T322278) Improve LocalisationCache post-merge validation check.
* (T324408, T326367) Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* (T322278) Fix the remaining Phan failures on PHP 8.1.
* (T322278, T326367) Respond to some messages from Phan on PHP 8.1.
* Fix phan error when Excimer is enabled.
* (T326021) Add matrix: to $wgUrlProtocols.
* (T314099) stream wrapper: Declare $context class property.
* (T314099) libs\jsminplus: Declare JSNode::$expression.
* (T314096) composer.json: Updated composer/spdx-licenses from 1.5.6 to 1.5.7.
* (T326472) Upgrading cssjanus/cssjanus (v2.1.0 => v2.1.1).
* (T308536) rdbms: Remove deprecation mark for $wgSharedDB.
* (T215466, T326071) installer: Split drop action out of the SQL patch for actor
migration.
* (T322603) SqliteMaintenance.php: Fix fatally broken instanceof check.
* (T326377) rdbms: Use DBConnRef in SelectQueryBuilder.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T328222) Pass empty string to strlen() if schema is null for
PostgresDatabase.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string
getNativeData().
* (T326886) PoolCounterRedis: Fix wrong cast, locks weren't being released.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses
* (T327821) skin: Restore default 'value' attribute in makeSearchButton().
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T329415) Clear the statsd data buffer regardless of StatsdServer config.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text' tag.
* (T330049) UnregisteredLocalFile: Don't call MimeAnalyzer if no path.
* (T324894 TempFSFile: Use a WeakMap for reference tracking if available.
* (T295637) Add no to fallback chain of nb and nn.
== MediaWiki 1.39.1 ==
This is a security and maintenance release of the MediaWiki 1.39 branch.
=== Changes since MediaWiki 1.39.0 ===
* Localisation updates.
* PostgresUpdater: Remove trailing space from 'user_id ' column.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324516) postgres: Fix upgrade for templatelinks primary key.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T324513) uuid\GlobalIdGenerator: Check if getmyuid() exists.
* (T314099) OutputPage: Remove unused dynamic property ParserOptions->isBogus.
* (T314099) api: Remove use of undeclared property in action=comparepages.
* Upgrading wikimedia/xmp-reader (0.8.5 => 0.8.6).
* (T324489) Upgrading wikimedia/parsoid (v0.16.0 => v0.16.1).
* Updated pear/mail (v1.4.1 => v1.5.0).
* Removed wikimedia/dodo (v0.4.0).
* (T324910) On pages using multi-content revisions, the raw content of a
specific slot can be retrieved using the action=raw&slot=<role-name> query
parameters.
* (T322637) SECURITY: sqlite should not create DB file world-readable.
== MediaWiki 1.39.0 ==
=== Changes since MediaWiki 1.39.0-rc.1 ===
* Localisation updates.
* exception: Tolerate no service container when trying DB rollback.
* (T320282) Upgrading wikimedia/xmp-reader (0.8.3 => 0.8.4).
* objectcache: Deprecate WANObjectCache::reap() and ::reapCheckKey().
* (T320864) When calling mail(), use an array for headers.
* Upgrading wikimedia/xmp-reader (0.8.4 => 0.8.5).
* (T321154) Call setFormIdentifier() on LogEventsList form.
* When importing revision with same timestamp as latest revision, treat
it as the new latest.
* (T320726) RandomImageGenerator::getImageSpec: Don't pass a float to mt_rand(),
for PHP 8.1.
* (T298485, T322360) WikiExporter: Avoid calling reload in processing every row.
* (T321551) pager: Fix null used for foreach in Pager::getNavigationBar.
* (T321551) pager: Remove unused AlphabeticPager::getOrderTypeMessages()
support.
* pager: Remove unused PagerNavigationBuilder::setExtra().
* PagerNavigationBuilder: Document that nulls in setLinkQuery() etc. are
allowed.
* (T322335) ApiQueryRevisionsBase: Fix 'rvdiffto' parameter handling on PHP 8.0.
* (T314096) TestFileEditor: Fix string interpolation.
* (T289926) api: Fix minor PHP 8.1 incompatibility in ApiOptions.
* (T322803) SpecialBotPasswords: Don't pass null to trim().
* (T289926) Fix incomplete ITextFormatter mocks.
* Language: Handle ronna and quetta.
* (T72510) rdbms: make SqlitePlatform::tableName() apply double quotes.
* (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0.
* .gitattributes: Ship docker-compose.yml to the tarball.
== MediaWiki 1.39.0-rc.1 ==
=== Changes since MediaWiki 1.39.0-rc.0 ===
* Localisation updates.
* (T318481) composer: Drop symfony/php73-polyfill.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T318307) HTMLFormField::validate(): Update docs to permit all data types
* (T306802) docker: update to latest published images.
* (T318754) WebInstallerOptions::addPersonalizationOptions(): Close fieldset.
* (T227047) Soft-deprecate the remainder of ActorMigration.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
of hidden users.
* (T307278, CVE-2022-41766) SECURITY: On action=rollback the message
"alreadyrolled" can leak revision deleted user name.
* (T319186) .phan/config.php: Update minimum_target_php_version.
* Tests: Explicit cast to int in RandomImageGenerator test (php8 warnings).
* (T319186) .phan/config.php: Update minimum_target_php_version.
* (T310243) Deprecate use of 'wvui-search' package.
* utils: Fix return doc about false/null for UrlUtils::expand.
* (T319000) WebInstaller: Don't try and run trim() on null.
* In the event of preg failure in MagicWordArray throw exception.
* (T318753) Installer: Disable logo dropper for now.
== MediaWiki 1.39.0-rc.0 ==
== Upgrading notes for 1.39 ==
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed per-version upgrade instructions from the
oldest supported upgrading version, MediaWiki 1.31.
Some specific notes for MediaWiki 1.39 upgrades are below:
* (T278139) Drop PHP 7.3 support in MediaWiki 1.39; require 7.4.3 or higher.
For notes on 1.38.x and older releases, see HISTORY.
=== Configuration changes for system administrators in 1.39 ===
* (T382987) The default value of 'http.dnsbl.sorbs.net.' in $wgDnsBlacklistUrls
has been removed. This is because sorbs.net have stopped providing their
services. This means that if you have $wgEnableDnsBlacklist set to true, it
will no longer provide any value unless you add other servers to
$wgDnsBlacklistUrls.
==== New configuration ====
* $wgAutoCreateTempUser – This configures automatic user creation on page save.
* $wgCopyUploadAllowOnWikiDomainConfig – This configures if administrators can
use the MediaWiki:Copyupload-allowed-domains system message to define which
domains can be used with the upload-by-url tool.
* $wgCdnMatchParameterOrder – This can be set to false if MediaWiki is behind a
CDN that re-orders query parameters. This will make the code that matches
request URLs to canonical CDN URLs insensitive to parameter order.
* $wgMultiShardSiteStats – This allows you to split site_stats across multiple
rows. Only useful for very large, heavily edited wikis. (T306589)
* $wgPrivilegedGroups – Users belonging in some of the listed groups will be
audited more aggressively.
==== Changed configuration ====
* $wgInvalidUsernameCharacters – This setting now contains the char '>', which
is now the reserved delimiter for external user names.
* $wgLocalFileRepo – The default serialization method for file meta-data has
been changed to JSON. You can revert it to PHP by setting the property
'useJsonMetadata' to false.
* $wgLBFactoryConf – The 'configCallback' flag can now be set to a callback
function that returns an array with keys to update in $wgLBFactoryConf. This
can be used to update the database configuration on the fly, e.g. to take
replica hosts out of rotation.
* $wgDBservers and $wgLBFactoryConf – The DBO_SSL flag in has been deprecated in
favour of a boolean "ssl" parameter.
* $wgObjectCaches – The 'globalKeyLB' and 'localKeyLB' flags are no longer
supported.
==== Removed configuration ====
* $wgMultiContentRevisionSchemaMigrationStage - This transition flag, deprecated
since MediaWiki 1.35, has been removed; the data migration is over.
* $wgActorTableSchemaMigrationStage - This transition flag has been removed; the
data migration is over.
* $wgWikiFarmSiteDetector – This experimental setting has been removed without
replacement. Use the MW_WIKI_NAME environment variable to specifiy the name of
the site for which to load configuration. Using the WIKI_NAME environment
variable for this purpose is deprecated.
* $wgParserCacheUseJson - The ParserCache now always uses JSON serialization.
Reading old non-JSON cache entries is still supported. The setting had been
deprecated since 1.36.
* $wgAllowJavaUploads - To allow uploads of JAR files, remove application/java
from $wgMimeTypeExclusions.
* $wgMaxRedirects – This broken feature was removed, as it never worked as
intended (T296430).
* $wgElementTiming – This experimental, default-disabled feature has been
removed without replacement.
* $wgPriorityHints and $wgPriorityHintsRatio – The related experimental feature
has been removed without replacement.
* $wgIncludeLegacyJavaScript – This flag has been removed, without loss of any
functionality in this release. Most former "wikibits" functions were removed
after deprecation in previous releases. The remaining functions, such as
importScript, are now available unconditionally.
* $wgLegacySchemaConversion - This unused setting has been removed.
* $wgInterwikiPrefixDisplayTypes - This unused setting has been removed.
* $wgMangleFlashPolicy – This is no longer functional, and is now deprecated.
Users who are somehow still using Flash as a browser extension will be exposed
to CSRF vulnerabilities.
=== New user-facing features in 1.39 ===
* Optional automatic user creation on page save ($wgAutoCreateTempUser)
* Administrators now have the option to delete/undelete the associated "Talk"
page when they are (un)deleting a given page. `deletetalk` and `undeletetalk`
options were added to the 'delete' and 'undelete' action APIs in MW 1.38.
* `{{=}}` is now a wikitext built-in magic word, expanding to `=`. This is
conventionally used as an escape mechanism to allow the use of `=` in
unnamed template arguments. Defining [[Template:=]] to expand to something
other than `=` has been deprecated since 1.36, with affected pages put into
a special tracking category for migration.
* (T284020) Bot passwords are now supported when using the REST API.
=== New developer features in 1.39 ===
* Added optional $size param to SearchResultProvideThumbnail hook.
* SearchResultProvideThumbnail hook interface moved from MediaWiki\Rest\Hook
namespace to MediaWiki\Search\Hook.
* JsonValidateSaveHook has been added to allow extensions to set additional
pre-save validations for specific JSON pages (T313254)
* Added 'PermissionErrorAudit' hook, enabling extensions to audit permission
errors on specfic actions. For instance account registration failed attempts
due to a block (T306018).
=== External library changes in 1.39 ===
==== New external libraries ====
* Added Codex v0.1.1. This replaces the now deprecated wvui library.
* Added symfony/polyfill-php81.
* Added symfony/polyfill-php82.
* Added symfony/polyfill-php83.
===== New development-only external libraries =====
* Updated QUnit from 2.18.0 to 2.18.2.
==== Changed external libraries ====
* Updated jQuery from v3.6.0 to v3.6.1.
* Updated OOUI from v0.43.2 to v0.44.5.
* Updated composer/semver from 3.2.6 to 3.3.2.
* Updated cssjanus/cssjanus fromv2.1.0 to v2.1.1.
* Updated pear/mail from v1.4.1 to v1.5.1.
* Updated symfony/polyfill-php80 from 1.25.0 to 1.28.0.
* Updated symfony/yaml from 5.4.3 to 5.4.23.
* Updated vue/compat from 3.2.23 to 3.2.37.
* Updated wikimedia/base-convert from 2.0.1 to 2.0.2.
* Updated wikimedia/html-formatter from 3.0.1 to 4.0.3.
* Updated wikimedia/ip-set from 3.0.0 to 3.1.0.
* Updated wikimedia/minify from 2.2.6 to 2.3.0.
* Updated wikimedia/php-session-serializer from 2.0.0 to 3.0.0.
* Updated wikimedia/remex-html from 3.0.2 to 3.0.3.
* Updated wikimedia/running-stat from 1.2.1 to 2.1.0.
* Updated wikimedia/scoped-callback from 3.0.0 to 4.0.0.
* Updated wikimedia/services from 2.0.1 to 3.0.0.
* Updated wikimedia/timestamp from 3.0.0 to 4.1.1.
* Updated wikimedia/xmp-reader from 0.8.1 to 0.9.2.
===== Changed development-only external libraries =====
* Updated composer/spdx-licenses from 1.5.5 to 1.5.7.
* Updated doctrine/dbal for PHP < 7.3 from 2.13.6 to 2.13.9.
* Updated doctrine/dbal for PHP >= 7.3 from 3.1.5 to 3.4.2.
* Updated mediawiki/mediawiki-phan-config from 0.11.1 to 0.12.1.
==== Removed external libraries ====
* Removed wikimedia/dodo (v0.4.0).
=== Bug fixes in 1.39 ===
* (T314013) $wgExtraNamespaces no longer overrides canonical namespace names
specified in extension.json files. While this setting can still be used to
rename extension-defined namespaces, system administrators may need to run
namespaceDupes.php after upgrading.
=== Action API changes in 1.39 ===
* New `undeletetalk` parameter on action=undelete that allows you to restore
all revisions of the associated talk page.
=== Languages updated in 1.39 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.
* Actual localization was added for several languages, which were already
in Names.php and even used for a Wikipedia:
** (T313200) Added language support for Rundi (Kirundi, rn).
** (T310976) Added language support for Tumbuka (ChiTumbuka, tum).
** (T314270) Added language support for Kanuri (kr).
* (T313199) Added language support for Sylheti (syl).
* (T311975) Added language support for Ghanaian Pidgin (gpe).
* (T307080) Added language support for Okinawan (ryu).
* (T307887) Added language support for Mooré (mos).
* (T308813) Added language support for Nigerian Pidgin (pcm).
* (T309763) Added language support for Tai Nüa (tdd).
* (T310040) Added language support for Fante (fat).
* (T311034) Added language support for Campidanese Sardinian (sro).
* (T315406) Fix the autonym of the Iñupiaq language to "Iñupiatun".
* (T315677) Removed French fallback from the Fula language (ff).
* (T304920) In Swahili, The "Media" namespace is now "Media", as in English,
and the "File" namespace is now "Faili". The old name of the "File" namespace
was "Picha", and it's kept for backwards compatibility. If you manage a wiki
in Swahili, and you use "Faili:" as a namespace anywhere in wikitext, and
you mean to use it as "Media:", these need to be replaced to "Media:".
* (T309866) Some namespace translations were updated for Kyrgyz (ky). The old
ones are retained as aliases for backwards compatibility.
* (T117845) Started the renaming of the language codes for Serbian from sr-ec
and sr-el to sr-cyrl and sr-latn.
* (T295637) Add no to fallback chain of nb and nn.
=== Breaking changes in 1.39 ===
* Basic non-JavaScript (Grade C) support has been dropped for Internet Explorer
9-10, Firefox 27-38, and Android 4.3-4.4.
* The following methods, deprecated since 1.37, have been removed from IDatabase
- ::fetchObject()
- ::fetchRow()
- ::numRows()
- ::freeResult()
* Title::getDefaultNamespace(), deprecated since 1.37, has been removed.
* The DBPrimaryPos class alias 'DBMasterPos' has been removed.
* The global function wfGetLB(), deprecated since 1.27, has been removed.
* Passing a db to BlockRestrictionStore::loadByBlockId() is no longer supported.
BlockRestrictionStoreFactory should be used to fetch a correct
BlockRestrictionStore instead. This was deprecated since 1.38.
* The global function wfGetCache(), deprecated since 1.32, has been removed. You
can use ObjectCache::getInstance() instead.
* The global function wfGetMainCache(), deprecated since 1.32, has been removed.
You can use ObjectCache::getLocalClusterInstance() instead.
* MovePage::__construct() now requires that all parameters be passed. The
fallback to MediaWikiServices emitted deprecation notices since 1.37.
* WikiPage::doEditContent(), deprecated since 1.32, was removed.
* WikiPage::prepareContentForEdit() now requires a UserIdentity parameter to be
provided. Not providing one has been deprecated since 1.37.
* EventRelayerKafka, deprecated in 1.38, was removed.
* MediaWiki\Logger\Monolog\KafkaHandler, deprecated in 1.38, was removed.
* The "trace" option of SectionProfiler, deprecated in 1.38, was removed.
* The global function wfWikiID(), deprecated since 1.35, has been removed.
* Database::wasKnownStatementRollbackError() was removed. Subclasses should
override isKnownStatementRollbackError() instead.
* Database::wasQueryTimeoutError() was removed. Subclasses should
override isQueryTimeoutError() instead.
* Database::buildSuperlative() has been removed without deprecation.
* The following methods, deprecated in 1.37, have been removed:
- Linker::setStubThreshold(), ::getStubThreshold().
- LinkRendererFactory::createForUser().
- ParserOptions::getStubThreshold(), ::setStubThreshold().
* Changes to ResourceLoader modules:
- The mediawiki.viewport module, deprecated in 1.37 has been
removed. Use IntersectionObserver instead.
* If you manage a wiki in Swahili, and you use "Faili:" as a namespace anywhere,
and you mean to use it as "Media:", replace it with "Media:". See T304920.
* Changes to skins:
- Skin::getCopyrightIcon(), ::getPoweredBy(), deprecated in 1.37 have been
removed.
- Skin::bottomScripts, deprecated in 1.37, now emits deprecation notices.
Skins using SkinTemplate must set bodyOnly as a skin option and
remove lines of code generating html, body and head elements.
- Skin::makeSearchButton and Skin::makeSearchInput were deprecated in 1.38.
Use SkinTemplate methods with the same name or Skin::getTemplateData
instead.
- Styles for the HTML classes `warningbox`, `errorbox` and `successbox` have
been removed in favor of Html class methods.
- The feature `legacy` used inside ResourceLoaderSkinModule,
deprecated in 1.37, will no longer ship any styles.
- Skin::getSkinStylePath, deprecated since 1.36, has been removed.
- Skin::getPortletData has been made private.
- SkinTemplate::getPersonalToolsList(), deprecated in 1.35 has been
removed.
- The following SkinTemplate template data, deprecated in 1.37,
have been removed:
- poweredbyico
- copyrightico
- The following hooks, deprecated in 1.37, have been removed:
- SkinGetPoweredBy: SkinGetPoweredByHook
- The following hooks are deprecated and replaced with
SkinTemplateNavigation::Universal:
- SkinTemplateNavigation::SpecialPage
- SkinTemplateNavigation
- PersonalUrls
- The mediawiki.skinning.content.externallinks module, which was
deprecated in 1.36 has been removed. Skins that still rely on it
will lose the icon styling of external links by type.
* Experimental wiki farm support: Automatic detection of the requested site
within a wiki farm based on the requested domain has been removed.
Use the MW_WIKI_NAME environment variable to specify the name of the site
to load configuration for. Using the WIKI_NAME environment variable for this
purpose is deprecated. This is only relevant if you have been using
$wgWikiFarmSettingsDirectory to load wiki farm config.
* MWExceptionHandler::installHandler was marked @internal and had required
arguments added. This method is intended for use in bootstrap code and is
unused in known extensions.
* MWException::useOutputPage was made private without deprecation.
This method was apparently only public for testing and is unused in known
extensions.
* Calling getId() on a User or UserIdentityValue from the wrong wiki, deprecated
since 1.36, now throws an exception.
* The following methods have been removed from ExtensionRegistry without
deprecation and without replacement. They had been introduced in 1.35 for use
in the testing framework, and were not in use by any known extension:
- exportAutoloadClassesAndNamespaces
- exportTestAutoloadClassesAndNamespaces
* The MWNamespace class, deprecated since 1.34, has been removed. Use the
NamespaceInfo service instead.
* The UnknownContent and UnknownContentHandler class aliases have been removed,
use FallbackContent and FallbackContentHandler instead.
* IResultWrapper::next() now returns void, to match the Iterator interface that
it implements. fetchObject() has the same behavior as next() used to.
* In HTMLForm HTMLAutoCompleteSelectFields, the parameters 'autocomplete' and
'autocomplete-messages', which were deprecated in MediaWiki 1.29, were
removed. Instead, use 'autocomplete-data' and 'autocomplete-data-messages'.
* The global $wgParser, deprecated in 1.32, was removed. Use
MediaWikiServices::getInstance()->getParser() instead.
* ParserOutput::setText will now set the ParserOutput's text to null if
given null. Previously it did nothing if given null.
* The default value for the first argument to the ParserOutput constructor
is now null instead of ''.
* IDatabase::lockTables() and IDatabase::unlockTables(), deprecated since 1.38,
have been removed.
* The $context parameter to `new HTMLForm( … )` and `HTMLForm::factory( … )`
is now required.
* The class alias for revision related classes in namespace MediaWiki\Storage
has been removed. Classes are IncompleteRevisionException,
MutableRevisionRecord, MutableRevisionSlots, RevisionAccessException,
RevisionArchiveRecord, RevisionFactory, RevisionLookup, RevisionRecord,
RevisionSlots, RevisionStore, RevisionStoreRecord, SlotRecord, and
SuppressedDataException.
* Calling getBy() on an AbstractBlock from the wrong wiki, deprecated since
1.38, now throws an exception.
* Passing a MediaWiki\Linker\LinkTarget to EditPage::makeTemplatesOnThisPageList
or TemplatesOnThisPageFormatter::format is no longer supported,
a MediaWiki\Page\PageIdentity is required.
* The deprecated class alias FakeConverter has been removed, use
TrivialLanguageConverter instead.
* The deprecated ApiQueryContributions class alias has been removed, use
ApiQueryUserContribs instead.
* The deprecated MediaWiki\Special\SpecialPageFactory class alias has been
removed, use MediaWiki\SpecialPage\SpecialPageFactory instead.
* The following skin modules, deprecated in 1.37, have been removed:
- mediawiki.skinning.elements
- mediawiki.skinning.content
- mediawiki.toc.styles
- mediawiki.legacy.config
- mediawiki.legacy.shared
- mediawiki.legacy.commonPrint
* FileModule::compileLessFile(), deprecated since 1.35, has been removed. Use
::compileLessString() instead.
* LogFormatter::styleRestricedElement(), deprecated since 1.37, has been
removed. Use ::styleRestrictedElement() instead.
* Title::isNamespaceProtected(), deprecated in 1.34, has been removed.
* ApiStashEdit::parseAndStash(), deprecated in 1.34, has been removed.
* LinkCache::forUpdate(), deprecated in 1.34, has been removed.
* Passing null instead of a NamespaceInfo instance to LinkCache::__construct()
is not supported anymore. It is recommended to request an instance from the
service container.
* ApiQueryBase::showHiddenUsersAddBlockInfo(), deprecated in 1.34, has been
removed. Use ApiQueryBlockInfoTrait instead.
* ApiQueryBase::prefixedTitlePartToKey(), deprecated in 1.35, has been removed.
Use ::parsePrefixedTitlePart() instead.
* ExternalStoreDB::getSlave(), deprecated in 1.34, has been removed. Use
ExternalStoreDB::getReplica() instead.
* ChangesListSpecialPage::checkStructuredFilterUiEnabled() and
SpecialWatchlist::checkStructuredFilterUiEnabled() now support UserIdentity
as the only argument. Passing Config argument was deprecated in 1.34.
* DatabaseUpdater::ifNoActorTable(), deprecated in 1.35, has been removed. Use
::ifTableNotExists() instead.
* MediaWiki\Revision\RevisionStoreFactory::getRevisionStore was documented
to allow passing bool true as a dbDomain, this is no longer possible,
because that is an invalid value for a dbDomain.
* LinkHolderArray::__construct() had its signature changed. The class was marked
internal in 1.35.
* SpecialMute::isTargetBlacklisted(), deprecated in 1.35, has been removed. Use
::isTargetMuted() instead.
* WebRequest::checkUrlExtension(), deprecated in 1.35, has been removed.
* ContentHandler::cleanupHandlersCache(), deprecated in 1.35, has been removed.
* SpecialVersion::getExtAuthorsFileName, deprecated in 1.35, has been removed.
Use MediaWiki\ExtensionInfo::getAuthorsFileName.
* SpecialVersion::getExtLicenseFileName, deprecated in 1.35, has been removed.
Use MediaWiki\ExtensionInfo::getLicenseFileNames.
* CategoryPage::getCategoryViewerClass and ::setCategoryViewerClass, deprecated
in 1.35, have been removed.
* SqlBlobStore::getLegacyEncodingConversionLang(), deprecated in 1.34, has been
removed.
* wfCanIPUseHTTPS(), deprecated in 1.37, has been removed.
* wfGetScriptUrl(), deprecated in 1.35, has been removed.
* The following methods of Database class, are no longer stable to override:
- ::implicitOrderby()
- ::selectSQLText()
- ::bitNot()
- ::bitAnd()
- ::bitOr()
- ::buildConcat()
- ::buildGreatest()
- ::buildLeast()
- ::buildSubstring()
- ::buildStringCast()
- ::buildIntegerCast()
- ::tableName()
- ::addIdentifierQuotes()
- ::buildLike()
- ::limitResult()
- ::unionSupportsOrderAndLimit()
- ::unionQueries()
- ::conditional()
- ::strreplace()
- ::timestamp()
- ::getInfinity()
- ::setTableAliases()
- ::setIndexAliases()
- ::buildGroupConcatField()
* SpecialUnblock::processUnblock(), deprecated in 1.36, has been removed. Use
UnblockUser instead.
* wfLocalFile() and wfFindFile(), deprecated in 1.34, have been removed.
* Maintenance script resetUserTokens.php, deprecated in 1.27, has been removed.
* These methods in Database have been removed without deprecation as they are
not used outside core. Users should override corresponding methods in
SQLPlatform instead:
- Database::doInsert -> SQLPlatform::insertSqlText
- Database::doDropTable -> SQLPlatform::dropTableSqlText
- Database::doRollback -> SQLPlatform::rollbackSqlText
- Database::doSavepoint -> SQLPlatform::savepointSqlText
- Database::doReleaseSavepoint -> SQLPlatform::releaseSavepointSqlText
- Database::doRollbackToSavepoint -> SQLPlatform::rollbackToSavepointSqlText
* The following protected methods of Database class have been removed without
deprecation as they are not used outside core. Users should call
corresponding methods in SQLPlatform:
- Database::makeInsertLists -> SQLPlatform::makeInsertLists
- Database::isFlagInOptions -> SQLPlatform::isFlagInOptions
- Database::normalizeOptions -> SQLPlatform::normalizeOptions
- Database::fieldNameWithAlias -> SQLPlatform::fieldNameWithAlias
- Database::isTransactableQuery -> SQLPlatform::isTransactableQuery
* $wgCanonicalNamespaceNames no longer includes custom namespaces defined using
$wgExtraNamespaces. Extensions should use the NamespaceInfo service instead
of accessing this configuration setting directly.
* The following hook, deprecated in 1.35, has been removed:
- ParserGetVariableValueVarCache: ParserGetVariableValueVarCacheHook
* The $variableCache parameter to the ParserGetVariableValueSwitch hook is
no longer used; non-standard use of this parameter has been deprecated since
1.35.
* These methods have been moved from IDatabase to IMaintainableDatabase:
- IDatabase::fieldExists -> IMaintainableDatabase::fieldExists
- IDatabase::indexExists -> IMaintainableDatabase::indexExists
- IDatabase::tableExists -> IMaintainableDatabase::tableExists
* DBConnRef doesn't accept live connection in constructor anymore.
Only parameters for getting connection should be provided.
* IDatabase::getTopologyRootPrimary() was removed.
* User::blockedBy(), deprecated since 1.38, has been removed.
* User::getBlockId(), deprecated since 1.38, has been removed.
* AlphabeticPager::getOrderTypeMessages(), unused since 1.13, has been removed
without deprecation.
=== Deprecations in 1.39 ===
* PageProps::getInstance(), deprecated since 1.38, emits deprecations warnings.
* The global function wfGetDB() has been deprecated. Use
LoadBalancer::getConnection() instead.
* SpecialRedirectWithAction::__construct without SearchEngineFactory argument
will now emit a deprecation notice.
* Use of the SiteStatsUpdate constructor has been deprecated in favor of
the ::factory() method.
* AuthManager::checkAccountCreatePermissions has been deprecated. Use
AuthManager::authorizeCreateAccount or AuthManager::probablyCanCreateAccount
instead.
* Title::getSelectFields() has been deprecated in favor of
PageStore::newSelectQueryBuilder()
* Title::newFromTitleValue(), deprecated since in 1.34, now emits deprecation
warnings. Use ::newFromLinkTarget() instead.
* ExtensionRegistry::readFromQueue() has been marked @internal. Extensions
should use ExtensionProcessor instead.
* Processor::getExtraAutoloaderPaths() and
ExtensionProcessor::getExtraAutoloaderPaths() have been deprecated, use get
getExtractedAutoloadInfo() instead.
* The following global functions are deprecated in favor of the listed UrlUtils
methods.
- wfExpandUrl -> UrlUtils::expand
- wfGetServerUrl -> UrlUtils::getServer
- wfAssembleUrl -> UrlUtils::assemble
- wfRemoveDotSegments -> UrlUtils::removeDotSegments
- wfUrlProtocols -> UrlUtils::validProtocols
- wfUrlProtocolsWithoutProtRel -> UrlUtils::validAbsoluteProtocols
- wfParseUrl -> UrlUtils::parse
- wfExpandIRI -> UrlUtils::expandIRI
- wfMatchesDomainList -> UrlUtils::matchesDomainList
These methods are exact replacements except that
1) they return null instead of false or empty string on error (where
applicable);
2) UrlUtils::validProtocols does not take a parameter (documentation said not
to pass one to wfUrlProtocols anyway);
3) they use type hints (don't try passing null instead of string, etc.).
* MaintainableDBConnRef is deprecated, use DBConnRef instead.
* Loading DefaultSettings.php is deprecated. To get default values of main
config settings, use MainConfigSchema::listDefaultValues() or
MainConfigSchema::getDefaultValue().
* AbstractContent::getRedirectChain() and
AbstractContent::getUltimateRedirectTarget() are now emitting deprecation
warnings (T296430).
* (T244138) QueryPage::getSQL() is deprecated. Instead QueryPage::getQueryInfo()
should be overridden.
* Calling new JobRunner() directly without $serviceOptions now emits
deprecation warnings. Use MediaWikiServices::getInstance()->getJobRunner()
instead.
* Passing an array of targets to Article::getRedirectHeaderHtml() is
deprecated. Supply a single redirect target instead (T296430).
* The following Less mediawiki.mixins have been deprecated:
- .animation()
- .animation-delay()
- .transform-rotate()
* Skin::getAction is deprecated. Use IContextSource::getActionName instead.
* User::getOption, deprecated since 1.35, now emits deprecation warnings.
Use UserOptionsLookup::getOption instead.
* ILBFactory::forEachLB() is deprecated. Use ::getAllLBs().
* LoadBalancer::forEachOpenConnection() and ::forEachOpenPrimaryConnection()
are deprecated without replacement.
* The following classes were moved from the root namespace to the
MediaWiki\ResourceLoader namespace, the old names becoming deprecated aliases:
ResourceLoader, MessageBlobStore, VueComponentParser.
* The following classes had the "ResourceLoader" prefix stripped while being
moved to the MediaWiki\ResourceLoader namespace, the old names becoming
deprecated aliases: DerivativeResourceLoaderContext,
ResourceLoaderCircularDependencyError, ResourceLoaderClientHtml,
ResourceLoaderCodexModule, ResourceLoaderContext, ResourceLoaderFileModule,
ResourceLoaderFilePath, ResourceLoaderForeignApiModule, ResourceLoaderImage,
ResourceLoaderImageModule, ResourceLoaderLanguageDataModule,
ResourceLoaderLessVarFileModule, ResourceLoaderModule,
ResourceLoaderMwUrlModule, ResourceLoaderOOUIFileModule,
ResourceLoaderOOUIIconPackModule, ResourceLoaderOOUIImageModule,
ResourceLoaderOOUIModule, ResourceLoaderSiteModule,
ResourceLoaderSiteStylesModule, ResourceLoaderSkinModule,
ResourceLoaderStartUpModule, ResourceLoaderUserModule,
ResourceLoaderUserOptionsModule, ResourceLoaderUserStylesModule,
ResourceLoaderWikiModule.
* WANObjectCache::reap() and WANObjectCache::reapCheckKey() have been
deprecated without replacement.
* The following methods in WikiRevision and their interfaces
ImportableUploadRevision and ImportableOldRevision are deprecated:
- ::getUserObj() → ::getUser()
- ::setUserObj() → ::setUsername()
- ::setUserIP() → ::setUsername()
* ObjectCache::addBusyCallback() is deprecated and non-functional.
* MWTimestamp::getHumanTimestamp(), deprecated in 1.26, now emits deprecation
warnings.
* Article::viewRedirect(), deprecated in 1.30, now emits deprecation warnings.
* Parser::getFreshParser() is deprecated, use ParserFactory::getInstance().
* CoreParserFunctions::mwnamespace() is deprecated and emits deprecation
warnings, use CoreParserFunctions::namespace() instead.
* Registering magic variables whose names include a colon is deprecated.
* User::blockedFor(), deprecated in 1.35, now emits deprecation warnings.
* Access to previously public properties AbstractBlock::$mExpiry,
AbstractBlock::$mHideName, AbstractBlock::$mTimestamp, DatabaseBlock::$mAuto,
and DatabaseBlock::$mParentBlockId, deprecated in 1.34, now emits deprecation
warnings.
* Access to previously public properties User::$mBlock, User::$mBlockedby, and
User::$mHideName, deprecated in 1.35, now emits deprecation warnings.
* JobQueueGroup::singleton() and ::destroySingletons(), deprecated in 1.37, now
emit deprecation warnings.
* Title::getNotificationTimestamp(), deprecated in 1.35, now emits deprecation
warnings.
* Global functions wfReadOnly and wfReadOnlyReason, deprecated in 1.38, now
emit deprecation warnings.
* Overriding or calling DifferenceEngine::getDiffBodyCacheKey(), deprecated in
1.31, now emits deprecation warnings.
* Access to previously public property WikiRevision::$fileIsTemp, deprecated in
1.29, now emits deprecation warnings.
* wfQueriesMustScale() has been deprecated and emits deprecation warnings.
* ContextSource::getStats(), RequestContext::getStats(), and
DerivativeContext::getStats(), deprecated in 1.27, now emit deprecation
warnings.
* ManualLogEntry::setTags(), deprecated in 1.33, now emits deprecation warnings.
* WikiRevision::downloadSource(), deprecated in 1.31, now emits deprecation
warnings.
* DifferenceEngine::textDiff(), deprecated in 1.32, now emits deprecation
warnings.
* FormatMetadata::flattenArrayContentLang(), deprecated in 1.36, now emits
deprecation warnings.
* SkinTemplate::getNameSpaceKey(), deprecated in 1.35, now emits deprecation
warnings.
* EnqueueJob::newFromJobsByWiki(), deprecated in 1.33, now emits deprecation
warnings.
* The following methods of the MWGrants class, all deprecated since 1.38,
are now emitting deprecation warnings:
- getValidGrants
- getRightsByGrant
- grantName
- grantNames
- getGrantRights
- grantsAreValid
- getGrantGroups
- getHiddenGrants
- getGrantsLink
- getGrantsWikiText
* DataUpdate::runUpdates(), deprecated in 1.28, now emits deprecation warnings.
* CdnCacheUpdate::newFromTitles(), deprecated in 1.35, now emits deprecation
warnings.
* Instantiating HTMLCacheUpdate class, deprecated in 1.34, now emits deprecation
warnings.
* ISQLPlatform::tableNames() (implemented by IDatabase) is now deprecated.
None of the tableName*() functions should be used by most users;
if you absolutely must use raw SQL, write several tableName() calls instead.
* Language::isWellFormedLanguageTag() has been deprecated in favor of
LanguageCode::isWellFormedLanguageTag().
* The PrevNextNavigationRenderer helper class has been deprecated in favor of
the new PagerNavigationBuilder one.
* The methods IndexPager::getPagingLinks(), IndexPager::getLimitLinks() and
IndexPager::buildPrevNextNavigation() have been deprecated in favor of
IndexPager::getNavigationBuilder().
* Overriding the method IndexPager::makeLink() has been deprecated.
* ActorMigration is deprecated. The temporary table is no longer needed, the
actor table can be directly joined to the revision table, which is simple
enough to not need a helper class. See the methods of ActorMigration for more
specific information on replacements. ActorMigrationBase remains usable for
migrations in extension tables.
=== Other changes in 1.39 ===
* Dynamic default values are now applied before extension registration callbacks
are run. This way, extensions have a complete view of config variables, with
all defaults applied. For example, when the default value of X used to be
static but becomes dynamic, and an extension reads the value of X in the
registration callback, it will now continue to function as expected. In some
cases however, this may cause an undesired change in behavior: if the dynamic
default of setting X depends on the value of setting Y, and an extension
changes Y, the changed value of Y will no longer affect the value of X.
== Compatibility ==
MediaWiki 1.39 requires PHP 7.4.3 or later and the following PHP extensions:
* ctype
* dom
* fileinfo
* iconv
* intl
* json
* mbstring
* xml
MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can
be used instead, but support for them is somewhat less mature.
The supported versions are:
* MariaDB 10.3 or higher
* MySQL 5.7.0 or higher
* PostgreSQL 10 or later
* SQLite 3.8.0 or later
== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):
https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation
== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
A low-traffic announcements-only list is also available:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.
== IRC help ==
There's usually someone online in #mediawiki on irc.libera.chat.
Generated by dwww version 1.15 on Sat Aug 30 13:00:01 CEST 2025.