path: root/RELEASE-NOTES-1.31

== MediaWiki 1.31.16 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

This is intended to be the final release of the MediaWiki 1.31 branch,
and as such, 1.31 is now considered End of Life.

=== Changes since MediaWiki 1.31.15 ===
* (T283273) Make postgres IRC channel point to libera.chat.
* (T289108) ExtensionProcessor: Remove loaderScripts from
  extension.json schemas.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in
  Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full
  table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of
  Special:Contributions.

== MediaWiki 1.31.15 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.14 ===
* (T270988) Fixup issues in SpecialChangeContentModel.php.
* (T278026) rdbms: Add DB_PRIMARY to replace DB_MASTER.
* (T276945) Define a batch size in maintenance/manageJobs.php.
* (T276945) Implement JobQueueDB::getAllAbandonedJobs.
* (T281549) WebInstaller: Don't show the announce-l subscribe
  checkbox temporarily.
* (T283247) Freenode -> Libera per wikimedia moving from
  freenode to libera.
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from
  purging pages.

== MediaWiki 1.31.14 ==

This is a maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.13 ===
* Make Title implement IDBAccessObject.

== MediaWiki 1.31.13 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.12 ===
* (T115436) resourceloader: CSSMin::getLocalFileReferences now strips
  anchors.
* Updating php-parallel-lint/php-parallel-lint (0.9.2 => 1.0.0).
* Updating mediawiki/codesniffer (19.1.0 => 19.4.0).
* DefaultSettings.php: Update $wgPingback documentation.
* PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0.
* (T275261) Escape wikitext in the title in invalid title error messages.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access
  Special:ResetTokens.
* pageExist.php: Output trailing newlines.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages
  on ChangesList pages.
* (T277414) HTMLFormField: Use non namespaced class name rather than
  static::class.
* (T268230) Switch to new MediaWiki logo by Serhio Magpie.
* (T271735) Expand config-pingback-help, link to privacy policy in
  config-pingback.
* Fix documentation of user-global in $wgRateLimits.
* BackupDumper: Add -o as shortcode for --output.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-*
  messages on Special:NewFiles.
* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection
  they have right to do so via action=protect.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in
  fast double move.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user
  can create pages.
* (T276843, CVE-2021-20270, CVE-2021-27291) SECURITY:
  SyntaxHighlight_GeSHi: Various lexers have been disabled due to DoS
  vectors.

== MediaWiki 1.31.12 ==

This is a maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.11 ===
* Fixed issues relating to User::isRegistered() not existing in 1.31.

== MediaWiki 1.31.11 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.10 ===
* Fix undefined $wgRedirectOnLogin.
* (T251661, T265313) CentralIdLookup::factoryNonLocal can return null.
* (T263592) media: Fix case of FlashPixVersion in
  FormatMetadata::makeFormattedData().
* (T265223) BaseTemplate: Guard against passing zero arg to array_merge().
* (T266418) composer.json: add requirement for composer-plugin-api ^1.1.
* (T260631, T260633), BotPassword::save() now returns a Status object for the
  result rather than a bool. The length of the bot password grants and
  restriction fields are now validated, and an error will be thrown if it
  would be truncated by the database.
* (T264536, T233012) SectionProfiler: Do not attempt to use null values as arrays.
* (T269178) MemcachedClient: Cast Resource to integer.
* (T268917, CVE-2020-35475) SECURITY: Use Xml::element in SpecialUserrights for
  sanity.
* (T268938, CVE-2020-35479) SECURITY: BlockLogFormatter can output raw html.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries
  when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and
  user pages of hidden users and missing users.

== MediaWiki 1.31.10 ==

This is a maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.9 ===
* Fixed issues relating to backporting of changes for T260485.

== MediaWiki 1.31.9 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.8 ===
* In the web installer, use secure session cookies.
* (T257207) shell: Expand documentation in firejail.profile.
* Added $wgForceHTTPS, which makes the HTTP to HTTPS redirect be unconditional
  and suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We
  recommend this be set to true on pure HTTPS wikis.
* Added $wgCookieSameSite, which allows login cookies to be sent with
  SameSite=None. This is required for cross-site CentralAuth autologin after
  Chrome 84.
* Added $wgUseSameSiteLegacyCookies, which adds a compatibility hack to
  SameSite=None cookies for browsers which implemented an incompatible draft
  version of the specification.
* (T191537) Disable WebResponse setters for post-send processing.
* (T198525) WebReponse: Use values altered in 'WebResponseSetCookie' hook.
* Fix runBatchedQuery.php for no result from select.
* (T130906) Add Edge to MediaWiki:Clearyourcache.
* Use IPset in MWRestrictions::checkIP.
* (T260031) Add application/font-sfnt to MimeMap for ttf files.
* shell: Make ->restrict( RESTRICT_NONE ) actually work.
* (T183759) Fixes shell edge-cases in Windows.
* (T258390) Add CentralIdLookup::factoryNonLocal().
* (T246991) User: Fix pingLimiter() to use makeGlobalKey() for global rate
  limits.
* (T251661, CVE-2020-25827) SECURITY: User::pingLimiter: add user-global rate
  limit type.
* (T246991) User: enforce pingLimiter() expiry time.
* (T260232) don't include null page ids in query list for category dumps.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T263455 T247285) Set EnableJavaScriptTest to true in
  includes/DevelopmentSettings.php.
* (T232568, CVE-2020-25813) SECURITY: Special:UserRights exposes the existence
  of hidden users.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
  firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
  'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
  mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct
  database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.

== MediaWiki 1.31.8 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.7 ===
* (T199809) Don't invalidate BotPasswords if a password reset email is sent.
* (T247017) PasswordReset performance improvements.
* (T250568) Work around change in SimpleXMLElement behavior introduced in PHP
  7.3.17.
* Remove some rotten and out of date documentation.
* (T252311) Improvements to some older SQLite update patches.
* (T240307) Minor fixes to extension.schema.v2.json and extension.schema.v1.json.
* (T199474) Set rc_patrolled to 2 for autopatrolled changes in
  rebuildrecentchanges.php.
* (T229461) Update the change_tag table in rebuildrecentchanges.php.
* (T206476) Call ob_start() before running tests.
* (T234450) Per-user concurrency in SpecialContributions can now be limited by
  setting $wgPoolCounterConf['SpecialContributions'] appropriately.
* (T248947) SECURITY: img_auth.php may leak private extension images into the
  public cache.

== MediaWiki 1.31.7 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.6 ===
* (T193565, T234022) Re-add DB domain sanity checks to LoadBalancer.
* Use proper SemVer comparison in CheckComposerLockUpToDate.
* (T212738) Add the MW_VERSION constant, global $wgVersion is soft deprecated.
* Update comment about PHP versions supported by The PHP Group.
* (T247215) Fix output of RecountCategories::doWork().
* Add check for page existence to view.php maintenance script.
* (T247580) Disable some broken Selenium tests.
* (T236509) SECURITY: Fix HTML escaping in UserGroupMembership::getLink().
* (T246602) SECURITY: jquery.makeCollapsible allows applying event handler to any
  CSS selector.

== MediaWiki 1.31.6 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.5 ===
* (T181658) Do not insert page titles into querycache.qc_value.
* (T206013) Suppress errors when reading invalid XML file properties.
* (T237931) Remove references to pg_attrdef.adsrc in Postgres code.
* Use correct value for 'sslmode' in DatabasePostgres.
* (T232866) Fix support for HTTP/2 in MultiHttpClient.
* (T227461) Stop calling deprecated Redis delete functions.
* (T239561) Mark options as requiring parameters in addSite.php.
* (T239734) Replace deprecated lSize with lLen in Redis code.
* (T192134) SECURITY: Do not allow user scripts on Special:PasswordReset.
* (T239428) ApiEditPage: Test for bad redirect targets.
* (T233342) rdbms: Log debug message traces as 'exception.trace' instead of
  'trace'.
* (T226751) media: Log and fail gracefully on invalid EXIF coordinates.
* (T212067) Work around PHP bug in parse_url.

== MediaWiki 1.31.5 ==

This is a maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.4 ===
* Fix extra newlines in installer.
* Followup T230402, PermissionManager doesn't exist until 1.33, so fix the
  backported patches to use User::isAllowed() instead.

== MediaWiki 1.31.4 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.3 ===
* (T207100) Updated LanguageTr for dotted and dotless I in PHP 7.3.
* The ImgAuthModifyHeaders hook was added to img_auth.php to allow modification
  of headers in private wikis.
* (T230402) SECURITY: Add permission check for suppressed account to
  Special:Redirect.
* Add helper for HTTPFileStreamer header syntax.
* (T118799) Fix XMP parser errors due to trailing nullchar.
* (T233119) Improve documentation for the MinimumPasswordLengthToLogin policy.
* (T202183) Give more specific error messages on Special:Redirect.
* Cache redirects from Special:Redirect.
* (T231386) dispatchUser() should use a 302 http status code.
* (T227662) Split down patch-comment-table.sql and patch-actor-table.sql into
  separate files to help allieviate potential migration problems.
* Make SQLite's patch-add-3d.sql a no-op to prevent clobbering other database
  updates.

== MediaWiki 1.31.3 ==

This is a maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.2 ===
* (T225558) Update installer link to PHP intl.
* (T225496) Detect APC for MainCacheType in CLI installer.
* (T226766) Remove jetbrains/phpstorm-stubs from composer dev dependancies.
* (T202211) Fix SQLite patch-(image|page|template)links-fix-pk.sql column order.

== MediaWiki 1.31.2 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

Required PHP version has been increased from 7.0.0 to 7.0.13.

=== Changes since MediaWiki 1.31.1 ===
* (T204729) WatchedItemStore::countVisitingWatchersMultiple() shouldn't query all
  titles when asked for none.
* (T205967) Fix syntax error typo in postgres database upgrade file.
* (T200254) Add pear/Net_SMTP 1.7.3 to composer dependencies.
* (T206765) Load installer i18n when running update.php.
* (T109121) Remove deprecated pear/mail_mime-decode from composer suggested libraries.
  [Also in the bundled composer /vendor directory.]
* Various PHP 7.2 and 7.3 compatibility fixes:
  * (T200595, T206974) Fix PHP 7.3 warnings of using "continue" in some scenarios instead
    of "break".
    * (T206976, T206977) Also in the bundled LocalisationUpdate and ParserFunctions extensions.
  * (T206979) Fix PHP 7.3 warnings of using "compact()" when some variables may
    not be set.
  * (T215632) FormatMetadata and UploadStash regexes fixed to be PHP 7.3-compatible.
  * Fix PHP warnings "preg_replace(): [...] invalid range in character class.
  * Avoid PHP 7.2 warnings in DBConRefTest about count() on non-Countable.
  * Suppress "Headers already sent" in PHP 7.2 too.
  * (T206476) Output only to stderr in unit tests.
  * (T207112) Add session_write_close() calls to SessionManager tests.
  * oyejorge/less.php replaced with our fork wikimedia/less.php
  * (T209756) Updated wikimedia/ip-set from 1.2.0 to 1.3.0.
  * (T213489) Avoid session double-start in Setup.php.
  * (T206975) Switch to our fork of less.php.
* (T207540) Include IP address in "Login for $1 succeeded" log entry.
* (T201781) Database: Allow selectFieldValues() to accept SQL fragments.
* (T205765) installer: Don't link to the obsolete "Extension Matrix" page.
* (T206013) Update ImportableUploadRevisionImporter for interwiki usernames.
* (T207541) Pass an email address, not a MailAddress, to mail().
* (T207603) SECURITY: User JS may no longer be loaded with mime type text/javascript if
  there is no account associated with the username.
* (T112937, T113042) SECURITY: Do not allow loading pages raw with a text/javascript MIME
  type if non-admins can edit the page.
* (T17491) <ins>/<del> elements can be phrasing or flow.
* (T200827) RemexCompatMunger: Don't call endTag() in case B/b
* (T207088) Upgrade wikimedia/remex-html to 2.0.1.
  [Also in the bundled composer /vendor directory.]
* (T194052) Updated wikimedia/base-convert from 1.0.1 to 2.0.0.
  [Also in the bundled composer /vendor directory.]
* (T199494) Fix notices in maintenance/removeUnusuedAccounts.php.
* Require ext-fileinfo in composer.json, per PHPVersionCheck.
* (T176390) Bundled LocalisationUpdate extension: Handle exceptions from GitHubFetcher.
* (T208255) Completion search should not change the search query.
* (T209870) Fix SQL syntax error in MS-SQL initialisation file for new wikis.
* (T185049) LogFormatter: Fail softer when trying to link an invalid titles.
* (T210998) Properly set $wgLanguageCode in the generated LocalSettings.php
  if --lang is used with the command-line installer (install.php).
* (T211061) ImageListPager: Actor migration for buildQueryConds().
* (T209335) Clarify the default sidebar 'Help' link is about MediaWiki itself.
* Fix addition of ug_expiry column to user_groups table on MSSQL.
* (T204767) Add join conditions to ActiveUsersPager.
* (T210621) User: Bypass repeatable-read when creating an actor_id.
* (T204531) rdbms: reduce LoadBalancer replication log spam.
* (T195525) Fix db error outage page.
* (T208871) The hard-coded Google search form on the database error page was
  removed.
* (T176097) Fix flaky MessageBlobStoreTest assertion failures.
* (T209423) Update required PHP version to 7.0.13.
* (T209885) Prevent populateSearchIndex.php from breaking once actor migration
  has been started.
* (T216968) Return pageid as int in both list=iwbacklinks and list=langbacklinks.
* (T215169) Fix for Database::update() with IGNORE option fails on PostgreSQL.
* (T204423) Backport support for hyphenated DB names in JobQueueGroup.
* (T199474) Fix typo in rebuildrecentchanges.php resulting in rogue flags.
* (T218608) SECURITY: Fix an issue that prevents Extension:OAuth working when
  $wgBlockDisablesLogin is true.
* (T216029) Chrome redirects to Special:BadTitle after editing a section with
  a non-Latin name on a page with non-Latin characters in title.
* (T219728) Added support for new Japanese era name "Reiwa".
* (T25227) SECURITY: action=logout now requires to be posted and have a csrf token.
* Updated cssjanus/cssjanus from 1.2.0 to 1.3.0.
* (T222385) resourceloader: Use AND instead of OR for upsert conds in
  saveFileDependencies().
* (T224374) Fix message parameters so that the message that says SQLite is out of date
  makes sense.
* SpecialPage::checkLoginSecurityLevel() will now preserve POST data when
  reauthenticating.
* FormSpecialPage::execute() will now call checkLoginSecurityLevel() if
  getLoginSecurityLevel() returns non-false.
* (T197279) SECURITY: Fix reauth in Special:ChangeEmail.
* (T208881) SECURITY: blacklist CSS var().
* (T209794) SECURITY: rate-limit and prevent blocked users from changing email.
* (T199540) SECURITY: API: Respect $wgBlockCIDRLimit in action=block.
* (T212118) SECURITY: Fix cache mode for (un)patrolled recent changes query.
* (T222036, T222038) SECURITY: Add permission check for user is permitted to
  view the log type.
* (T221739) SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358.

== MediaWiki 1.31.1 ==

This is a security and maintenance release of the MediaWiki 1.31 branch.

=== Changes since MediaWiki 1.31.0 ===
* (T169545, CVE-2018-0503) SECURITY: $wgRateLimits entry for 'user' overrides
  'newbie'.
* (T194605, CVE-2018-0505) SECURITY: BotPasswords can bypass CentralAuth's
  account lock.
* (T199029, CVE-2018-13258) SECURITY: Tarball was missing .htaccess files.
* (T197229) Bundle Nuke extension, it was accidentally omitted.
* (T193995) Fix undefined patchPath() method call in parser tests.
* (T198687) Fix various selectFields methods to use the string 'NULL', not null.
* Special:BotPasswords now requires reauthentication.
* (T191608, T187638) Add 'logid' parameter to Special:Log.
* (T193829) Indicate when a Bot Password needs reset.
* (T198037) GitInfo: Don't try shelling out if it's disabled.
* (T151415) Log email changes.
* (T197206) Fix performance regression when multiple DB used without caching.
* (T197030) PHPSessionHandler: Suppress headers warnings in initialize().
* (T182377, T196793) Exif: Guard against uncountable tag values.
* (T200861) Fix total breakage of SQLite web upgrade.
* (T200864) Fix pingback over-reporting on non-MySQL databases
* (T202550) Unbreak SpecialListusersHeaderForm and SpecialListusersHeader
  hooks.

=== Changes since MediaWiki 1.31.0-rc.2 ===
* (T195783) Initialize PSR-4 namespaces at same stage as normal autoloader.
* (T196092) Hide MySQL binary/utf-8 charset option in the installer.
* (T196185) Don't allow setting $wgDBmysql5 in the installer.
* (T196125) php-memcached 3.0 (provided with PHP 7.0) is now supported.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+
* (T118683) Fix exception from &$user deref on HHVM in the TitleMoveComplete hook.
* (T196672) The mtime of extension.json files is now able to be zero
* (T180403) Validate $length in padleft/padright parser functions.
* (T143790) Make $wgEmailConfirmToEdit only affect edit actions.

=== Changes since MediaWiki 1.31.0-rc.0 ===
* (T33223) Drop archive.ar_text and ar_flags.
* Add default edit rate limit of 90 edits/minute for all users.
* (T187645) Use codepoint as tiebreaker when getting first-letters in
  IcuCollation.
* (T191947) Don't shell during the installer if shelling out is disabled.
* (T194319) Improve duplicate config setting exception as part of extension
  registration.
* (T195211) Don't require trailing slash in PSR-4 autoloader directory.
* (T186565) Fix PHP Notice from `ob_end_flush()` in `FileRepo::streamFile()`.
* Do not incorrectly hide namespace input field in the installer.
* (T186456) Refactor checks looking for PEAR maik libraries to be clearer.

=== Important pre-upgrade notes for 1.31 ===
* If you're using MySQL, SQLite, or MSSQL, are not using update.php to apply
  schema changes, and cannot have downtime to run migrateArchiveText.php and
  apply patch-drop-ar_text.sql manually, you'll have to apply a default value
  to the ar_text and ar_flags columns of the archive table or make those
  columns nullable before upgrading to MediaWiki 1.31.
  maintenance/archives/patch-nullable-ar_text.sql shows how to do this for MySQL.
* The CologneBlue and Modern skins are no longer bundled with the tarball. You
  will need to remove the wfLoadSkin() calls from your LocalSettings.php or
  download them separately
  (<https://www.mediawiki.org/wiki/Special:SkinDistributor>).

=== Configuration changes in 1.31 ===
* $wgEnableAPI and $wgEnableWriteAPI are now deprecated and will be removed in
  a future version. The API is now considered to be stable, secure and
  essential.
* $wgUsejQueryThree was removed, as it is now the default. This was documented
  as a temporary variable during the migration period, deprecated since 1.29.
* $wgLogoHD has been updated to support svg images and uses $wgLogo where
  possible for fallback images such as png.
* (T44246) $wgFilterLogTypes will no longer ignore 'patrol' when user does not
  have the right to mark things patrolled.
* Wikis that contain imported revisions or CentralAuth global blocks should run
  maintenance/cleanupUsersWithNoId.php.
* The configuration settings $wgResourceLoaderMinifierStatementsOnOwnLine and
  $wgResourceLoaderMinifierMaxLineLength, deprecated since 1.27, were removed.
* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that
  are not using the latest version of the Referrer Policy specification.
* $wgFragmentMode is now set to [ 'legacy', 'html5' ] by default. This is a
  first step of migration to human-readable section IDs that will later result
  in 'html5' being the default mode.
* CACHE_ACCEL now only supports APC(u) or WinCache. XCache support was removed
  as upstream is inactive and has no plans to move to PHP 7.
* The old CategorizedRecentChanges feature, including its related configuration
  option $wgAllowCategorizedRecentChanges, has been removed.
* (T188472) The 'comma' value for $wgArticleCountMethod is no longer supported
  for performance reasons, and installations with this setting will now work as
  if it was configured with 'any'.
* (T185753) MediaWiki now defaults to using RemexHtml to tidy up user input,
  rather than being off by default. If you wish to disable HTML tidying
  entirely, set $wgTidyConfig to null; if you wish to use the old, deprecated
  Tidy external binary, both set $wgTidyConfig to null and $wgUseTidy to true.
* $wgLogAutopatrol now defaults to false instead of true.
* $wgValidateAllHtml was removed and will be ignored.
* $wgScriptExtension, deprecated and ignored since 1.25, was removed. See the
  1.25 release notes for more information.
* $wgUseAjax is now marked as deprecated, just like the deprecated AJAX
  framework that it enables. Some extensions mistakenly used this to check
  whether any AJAX functionality at all should be enabled, further making this
  problematic to retain.
* $wgDBmysql5 is now deprecated, and will be removed in a future version. It
  has been marked as experimental ever since it was introduced.
* Fix $magicWords for the Sanskrit language

=== New features in 1.31 ===
* (T76554) User sub-pages named ….json are now protected in the same way that
  ….js and ….css pages are, so that configuration options can safely be placed
  there.
* Wikimedia\Rdbms\IDatabase->select() and similar methods now support joins
  with parentheses for grouping.
* As a first pass in standardizing dialog boxes across the MediaWiki product,
  Html class now provides helper methods for messageBox, successBox, errorBox
  and warningBox generation.
* (T9240) Imports will now record unknown (and, optionally, known) usernames in
  a format like "iw>Example".
* (T20209) Linker (used on history pages, log pages, and so on) will display
  usernames formed like "iw>Example" as interwiki links, as if by wikitext like
  [[iw:User:Example|iw>Example]].
* (T111605) The 'ImportHandleUnknownUser' hook allows extensions to auto-create
  users during an import.
* Added a hook, ParserOutputPostCacheTransform, to allow extensions to affect
  the ParserOutput::getText() post-cache transformations.
* Added a hook, UploadForm:getInitialPageText, to allow extensions to alter the
  initial page text for file uploads.
* (T181651) The info page for File pages now displays the file's base-16 SHA1
  hash value in the table of basic information.
* Style tags with a 'data-mw-deduplicate' attribute will be deduplicated as a
  ParserOutput::getText() post-cache transformation. This may be disabled by
  passing 'deduplicateStyles' => false to that method.
* The identity of the logged-in or IP "actor" for logged actions is being moved
  into a new actor table, with the rows in tables such as revision and logging
  referring to the actor ID instead of storing the user ID and name/IP in
  every row.
  * This is currently gated by $wgActorTableSchemaMigrationStage. Most wikis
    can set this to MIGRATION_NEW and run maintenance/migrateActors.php as
    soon as any necessary extensions are updated.
  * Most code accessing rows for logged actions from the database should use
    the relevant getQueryInfo() methods to get the information needed to build
    the SQL query. The ActorMigration class may also be used to get feature
    -flagged information needed to access actor-related fields during the
    migration period.
* Added Wikimedia\Rdbms\IDatabase::cancelAtomic(), to roll back an atomic
  section without having to roll back the whole transaction.
* Wikimedia\Rdbms\IDatabase::doAtomicSection(), non-native ::insertSelect(),
  and non-MySQL ::replace() and ::upsert() no longer roll back the whole
  transaction on failure.
* (T189785) Added a monthly heartbeat ping to the pingback feature.
* The CLI installer (maintenance/install.php) learned to detect and include
  extensions. Pass --with-extensions to enable that feature.
* (T184791) rc_patrolled now has three states: "0" for unpatrolled,
  "1" for manually patrolled and "2" for autopatrolled actions.
* Extensions can now set their type to "editor" if they provide an editor or
  enhance the editing experience.
* Extensions can use a PSR-4 autoloader by setting an "AutoloadNamespaces"
  property in extension.json. See the documentation at
  <https://mediawiki.org/wiki/Manual:Extension.json/Schema#AutoloadNamespaces>
  for more details and an example.
* (T19099) Tabs which link to pages that don't exist (like those to uncreated
  discussion pages) now have a tooltip to indicate state, not just colour.

=== External library changes in 1.31 ===
* pear/mail, pear/mail_mime and pear/mail_mime-decode have been moved from
  suggested to required. These packages now must be installed via composer
  and not via PEAR itself.

==== Upgraded external libraries ====
* Updated jquery.chosen from v0.9.14 to v1.8.2.
* Updated composer/spdx-licenses from 1.1.4 to 1.3.0 (development dependency).
* Updated nikic/php-parser from 2.1.0 to 3.1.3 (development dependency).
* Updated wikimedia/ip-set from 1.1.0 to 1.2.0.
* Updated wikimedia/relpath from 2.0.0 to 2.1.1.
* Updated wikimedia/running-stat from 1.1.0 to 1.2.0.
* Updated wikimedia/wrappedstring from 2.2.0 to 2.3.0.
* Updated mediawiki/at-ease from 1.1.0 to 1.2.0.
* Updated wikimedia/php-session-serializer from 1.0.4 to 1.0.6.
* Updated wikimedia/remex-html from 1.0.2 to 1.0.3.
* Updated wikimedia/html-formatter from 1.0.1 to 1.0.2.

==== New external libraries ====
* Added wikimedia/object-factory 1.0.0

==== Removed and replaced external libraries ====
* (T17845) The deprecated 'jquery.badge' module was removed.
* The deprecated 'jquery.autoEllipsis' module was removed. Use the CSS
  text-overflow property instead.
* The deprecated 'jquery.placeholder' module was removed.
* The deprecated 'jquery.appear' module was removed. Use the
  'mediawiki.viewport' module instead.
* mediawiki/at-ease was replaced with wikimedia/at-ease.

=== Bug fixes in 1.31 ===
* (T90902) Non-breaking space in header ID breaks anchor.
* (T189375) CSSMin now allows quoted urls in `url()` syntax to start with a
  space.
* (T2087, T10897, T87753, T174639) Whitespace created by category and language
  links is now stripped rather than leaving blank lines in odd places.
* (T3780) Uploads with UTF-8 names now work on PHP7.1+ on Windows servers.
* (T182366) UploadBase::checkXMLEncodingMissmatch() now works on PHP 7.1+

=== Action API changes in 1.31 ===
* (T185058) The 'name' value to tgprop for action=query&list=tags has been
  removed. It has never made a difference in the output, the name was always
  returned regardless.
* The 'watch' and 'unwatch' parameters for action=move have been removed. They
  were deprecated and also accidentally nonfunctional since 1.17 in 2010. Use
  'watchlist' instead.

=== Action API internal changes in 1.31 ===
* ApiBase::getProfileDBTime, deprecated since 1.25, was removed.
* ApiBase::getModuleProfileName, deprecated since 1.25, was removed.
* ApiBase::getProfileTime, deprecated since 1.25, was removed.

=== Languages updated in 1.31 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.

* (T180052) Mirandese (mwl) now supports gendered NS_USER/NS_USER_TALK.
* (T182305) New language support: Nyungar (nys).
* (T186359) New language support: Siberian Tatar [cебертатар] (sty).
* (T186635) New language support: Guianan Creole (gcr).
* (T186647) New language support: Kumyk [къумукъ] (kum).
* (T187750) New language support: Spanish formal address (es-formal).
* (T187824) New language support: Hungarian formal address (hu-formal).
* (T189127) New language support: Gorontalo (gor).

=== Breaking changes in 1.31 ===
* MessageBlobStore::insertMessageBlob(), deprecated in 1.27, was removed.
* The OutputPage class constructor now requires a context parameter.
  Instantiating without context was deprecated in 1.18.
* The mw.page JavaScript singleton, deprecated in 1.30, was removed.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
  related WikiPage::PURGE_* constants, deprecated in 1.29, were removed.
* The Article::selectFields(), ::onArticleCreate(), ::onArticleDelete(), and
  ::onArticleEdit() methods, deprecated in 1.24, were removed.
* Installer::locateExecutable() and ::locateExecutableInDefaultPaths() were
  removed. Use ExecutableFinder::findInDefaultPaths() instead.
* The deprecated MW_DIFF_VERSION constant was removed.
  DifferenceEngine::MW_DIFF_VERSION should be used instead.
* Due to significant refactoring, method ContribsPager::getUserCond() that had
  no access restriction has been removed.
* The Block class will no longer accept usable-but-missing usernames for
  'byText' or ->setBlocker(). Callers should either ensure the blocker exists
  locally or use a new interwiki-format username like "iw>Example".
* The following methods and constants from the WatchedItem class, which were
  deprecated in 1.27, have been removed:
  * WatchedItem::getTitle()
  * WatchedItem::fromUserTitle()
  * WatchedItem::addWatch()
  * WatchedItem::removeWatch()
  * WatchedItem::isWatched()
  * WatchedItem::duplicateEntries()
  * WatchedItem::IGNORE_USER_RIGHTS
  * WatchedItem::CHECK_USER_RIGHTS
  * WatchedItem::DEPRECATED_USAGE_TIMESTAMP
* The $statementsOnOwnLine parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierStatementsOnOwnLine, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The $maxLineLength parameter of JavaScriptMinifier::minify was removed.
  $wgResourceLoaderMinifierMaxLineLength, the corresponding configuration
  variable, has been deprecated since 1.27 and was removed as well.
* The HtmlFormatter class, deprecated in 1.27, was removed. The namespaced
  HtmlFormatter\HtmlFormatter class should be used instead.
* The driver 'mysql' for MySQL, deprecated in MediaWiki 1.30, has been removed.
  The driver has been deprecated since PHP 5.5 and was removed in PHP 7.0. The
  default driver for MySQL has been 'mysqli' since MediaWiki 1.22.
* The following properties of PreparedEdit were deprecated in 1.21 and have
  been removed:
  * PreparedEdit->newText
  * PreparedEdit->oldText
  * PreparedEdit->pst
* ParserOutput objects which are generated using a non-default value for
  ParserOptions::setWrapOutputClass() can no longer be added to the parser
  cache.
* The following deprecated methods from the OutputPage class have been removed:
  * OutputPage::addExtensionStyle(); deprecated in 1.27
  * OutputPage::getExtStyle(); deprecated in 1.27
  * OutputPage::setETag(); deprecated in 1.28 (obsolete no-op)
  * OutputPage::setSquidMaxage(); deprecated in 1.27
  * OutputPage::readOnlyPage(); deprecated in 1.25
  * OutputPage::rateLimited(); deprecated in 1.25
  * Additionally, the protected OutputPage::$mExtStyles array, only accessed
    through the above and with no known uses, was removed.
* The no-op method Skin::showIPinHeader(), deprecated in 1.27, was removed.
* The following variables and methods in EditPage, deprecated in MediaWiki 1.30,
  were removed:
  * $isCssJsSubpage — use ::isUserConfigPage()
  * $isCssSubpage — use ::isUserCssConfigPage()
  * $isJsSubpage — use ::isUserJsConfigPage()
  * $isWrongCaseCssJsPage – use ::isWrongCaseUserConfigPage()
  * ::getSummaryInput() – use ::getSummaryInputWidget()
  * ::getSummaryInputOOUI() – use ::getSummaryInputWidget()
  * ::getCheckboxes() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
  * ::getCheckboxesOOUI() – use ::getCheckboxesWidget() or
      ::getCheckboxesDefinition()
* ResourceLoaderModule::getPosition(), deprecated in 1.29, has been removed.
* In User, the cookie-related methods which were wrappers for the functions on
  the response object, and were deprecated in 1.27, have been removed:
  * ::setCookie()
  * ::clearCookie()
  * ::setExtendedLoginCookie()
  Note that User::setCookies() remains, and is not deprecated.
* Also in User, some auth-related methods which were deprecated in 1.27 have
  been removed:
  * ::getEditTokenTimestamp() – use MediaWiki\Session\Token::getTimestamp()
  * ::getPasswordFactory() – create a PasswordFactory directly
  * ::passwordChangeInputAttribs()
* The global functions wfProfileIn and wfProfileOut, deprecated in 1.25, have
  been removed.
* SpecialPageFactory::getList(), deprecated in 1.24, has been removed. You can
  use ::getNames() instead.
* OpenSearch::getOpenSearchTemplate(), deprecated in 1.25, has been removed. You
  can use ApiOpenSearch::getOpenSearchTemplate() instead.
* The global function wfBaseConvert, deprecated in 1.27, has been removed. Use
  Wikimedia\base_convert() directly.
* Calling Database::begin() explicitly during an implicit transaction or when
  DBO_TRX is set results in an exception. Calling Database::commit() explicitly
  for an implicit transaction also results in an exception. Previously these
  were logged as errors. The startAtomic() and endAtomic() methods, or
  AtomicSectionUpdate should be used instead.
* The global function wfOutputHandler() was removed, use the its replacement
  MediaWiki\OutputHandler::handle() instead. The global function was only
  sometimes defined. Its replacement is always available via the autoloader.
* ChangeTags::listExtensionActivatedTags and ::listExtensionDefinedTags,
  deprecated in 1.28, have been removed. Use ::listSoftwareActivatedTags() and
  ::listSoftwareDefinedTags() instead.
* Title::getTitleInvalidRegex(), deprecated in 1.25, has been removed. You can
  use MediaWikiTitleCodec::getTitleInvalidRegex() instead.
* HTMLForm & VFormHTMLForm::isVForm(), deprecated in 1.25, have been removed.
* The ProfileSection class, deprecated in 1.25 and unused, has been removed.
* The ResourceLoaderGetLessVars hook, deprecated in 1.30, has been removed. Use
  ResourceLoaderModule::getLessVars() to expose local variables instead of
  global ones.
* As part of work to modernise user-generated content clean-up, a config option
  and some methods related to HTML validity were removed without deprecation.
  The public methods MWTidy::checkErrors() and the path through which it was
  called, TidyDriverBase::validate(), are removed, as are the testing methods
  MediaWikiTestCase::assertValidHtmlSnippet() and ::assertValidHtmlDocument().
  The $wgValidateAllHtml configuration option is removed and will be ignored.
* Execution of external programs using MediaWiki\Shell\Command now applies
  the RESTRICT_DEFAULT Firejail restriction by default.
* The ResourceLoaderModule::getHashMtime() and ::getDefinitionMtime() methods,
  deprecated in 1.26, were removed.
* The deprecated 'mediawiki.widgets.CategorySelector' module alias was removed.
  Use the 'mediawiki.widgets.CategoryMultiselectWidget' module directly.

=== Deprecations in 1.31 ===
* The Revision class was deprecated in favor of RevisionStore, BlobStore, and
  RevisionRecord and its subclasses.
* The global function wfBCP47 is deprecated in favour of LanguageCode::bcp47.
* The global function wfCountDown is now deprecated in favor of
  Maintenance::countDown.
* Several methods for returning lists of fields to select from the database
  have been deprecated in favor of similar methods that also return the tables
  to select from and the join conditions for those tables.
  * Block::selectFields() → Block::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * ArchivedFile::selectFields() → ArchivedFile::getQueryInfo()
  * LocalFile::selectFields() → LocalFile::getQueryInfo()
  * LocalFile::getCacheFields() with a prefix no longer works
  * LocalFile::getLazyCacheFields() with a prefix no longer works
  * OldLocalFile::selectFields() → OldLocalFile::getQueryInfo()
  * RecentChange::selectFields() → RecentChange::getQueryInfo()
  * Revision::userJoinCond() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::selectUserFields() → Revision::getQueryInfo( [ 'user' ] )
  * Revision::pageJoinCond() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectPageFields() → Revision::getQueryInfo( [ 'page' ] )
  * Revision::selectTextFields() → Revision::getQueryInfo( [ 'text' ] )
  * Revision::selectFields() → Revision::getQueryInfo()
  * Revision::selectArchiveFields() → Revision::getArchiveQueryInfo()
  * User::selectFields() → User::getQueryInfo()
  * WikiPage::selectFields() → WikiPage::getQueryInfo()
* Revision::setUserIdAndName() was deprecated.
* Access to TitleValue class properties was deprecated, the relevant getters
  should be used instead.
* DifferenceEngine::getDiffBodyCacheKey() is deprecated. Subclasses should
  override DifferenceEngine::getDiffBodyCacheKeyParams() instead.
* Use of Maintenance::error( $err, $die ) to exit script was deprecated. Use
  Maintenance::fatalError() instead.
* Passing a ParserOptions object to OutputPage::parserOptions() is deprecated.
* The RevisionInsertComplete hook is now deprecated; use instead the hook
  RevisionRecordInserted. RevisionInsertComplete is still called, but the second
  and third parameter will always be null. Hard deprecation is scheduled for 1.32.
* The following methods that get and set ParserOutput state are deprecated.
  Callers should use the new stateless $options parameter to
  ParserOutput::getText() instead.
  * ParserOptions::getEditSection()
  * ParserOptions::setEditSection()
  * ParserOutput::getEditSectionTokens()
  * ParserOutput::setEditSectionTokens()
  * ParserOutput::getTOCEnabled()
  * ParserOutput::setTOCEnabled()
  * OutputPage::enableSectionEditLinks()
  * OutputPage::sectionEditLinksEnabled()
  * The public ParserOutput state fields $mTOCEnabled and $mEditSectionTokens
    are also deprecated.
* License::getLicenses has been deprecated; use License::getLines instead.
* QuickTemplate::setRef() was deprecated in favour of QuickTemplate::set().
  Setting template variables by reference allowed violating the principle of
  data being immutable once added to the skin template. In practice, this method
  was not being used for that. Rather, setRef() existed as memory optimisation
  for PHP 4.
* QuickTemplate::setTranslator() and MediaWikiI18N::set() were deprecated in
  favour of Skin::msg() parameters.
* MediaWikiI18N::translate() was deprecated in favour of Skin::msg() or
  wfMessage().
* Passing false to ParserOptions::setWrapOutputClass() is deprecated. Use the
  'unwrap' transform to ParserOutput::getText() instead.
* \ObjectFactory (no namespace) is deprecated, the namespaced class
  \Wikimedia\ObjectFactory from the wikimedia/object-factory library should be
  used instead.
* CommentStore::newKey is deprecated. Instead, get an instance from
  MediaWikiServices.
* The following CommentStore methods have had their signatures changed to
  introduce a $key parameter, usage of the methods on instances retrieved from
  CommentStore::newKey will remain unchanged but deprecated:
  * CommentStore::getFields
  * CommentStore::getJoin
  * CommentStore::getComment
  * CommentStore::getCommentLegacy
  * CommentStore::insert
  * CommentStore::insertWithTemplate
* The following methods in Title have been renamed, and the old ones are
  deprecated:
  * Title::getSkinFromCssJsSubpage – use ::getSkinFromConfigSubpage
  * Title::isCssOrJsPage – use ::isSiteConfigPage
  * Title::isCssJsSubpage – use ::isUserConfigPage
  * Title::isCssSubpage – use ::isUserCssConfigPage
  * Title::isJsSubpage – use ::isUserJsConfigPage
* The following methods related to caching of half-parsed HTML were deprecated:
  * Parser::serializeHalfParsedText()
  * Parser::unserializeHalfParsedText()
  * Parser::isValidHalfParsedText()
  * StripState::getSubState()
  * StripState::merge()
* The DeferredStringifier class is deprecated, use Message::listParam() instead.
* The type string for the parameter $lang of DateFormatter::getInstance is
  deprecated.
* Wikimedia\Rdbms\SavepointPostgres is deprecated.
* The DO_MAINTENANCE constant is deprecated. RUN_MAINTENANCE_IF_MAIN should be
  used instead.
* The function wfShellWikiCmd() has been deprecated, use
  MediaWiki\Shell::makeScriptCommand().
* In the future, the hooks 'PreferencesFormPreSave' and 'PreferencesGetLegend'
  will be allowed to provide any HTMLForm object rather than PreferencesForm.

=== Other changes in 1.31 ===
* Browser support for Internet Explorer 10 was lowered from Grade A to Grade C.
* Browser support for Opera 12 and older was dropped entirely. Opera 15+
  continues at Grade A.
* Multi-content-revision capability was introduced into the storage layer. See
  <https://mediawiki.org/wiki/Requests_for_comment/Multi-Content_Revisions>.
* The "free" CSS class is now only applied to unbracketed URLs in wikitext.
  Links written using square brackets will get the class "text" not "free".
* RFC 157418: Whitespace is trimmed from wikitext headings, wikitext list items,
  wikitext table captions, wikitext table headings, wikitext table cells. HTML
  headings, HTML list items, HTML table captions, HTML table headings, HTML
  table cells will not have this trimming behavior.

== Compatibility ==
MediaWiki 1.31 requires PHP 7.0.13 or later. Although HHVM 3.18.5 or later is
supported, it is generally advised to use PHP 7.0.13 or later for long term
support. MediaWiki requires that the mbstring, xml, ctype, json, iconv and
fileinfo PHP extensions are loaded to work.

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.

The supported versions are:

* MySQL 5.5.8 or later
* PostgreSQL 9.2 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)

== Upgrading ==
1.31 has several database changes since 1.30, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.

For notes on 1.30.x and older releases, see HISTORY.

== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

       https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==
There's usually someone online in #mediawiki on irc.libera.chat.