wiki.techinc.nl/RELEASE-NOTES-1.43

= MediaWiki 1.43 =

PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/
PHP 8.4 workboard: https://phabricator.wikimedia.org/tag/php_8.4_support/

== MediaWiki 1.43.4 ==

THIS IS NOT A RELEASE YET

=== Changes since MediaWiki 1.43.3 ===
* Localisation updates.
* Rest: Move ModuleConfigurationException into correct folder.
* Cache: Move MessageCache hook interfaces into correct folder.
* uppercaseTitlesForUnicodeTransition: Add missing return.
* installer: Always check return of IDatabase::fieldInfo in postgres.
* autoload: Expand Autoloader::CORE_NAMESPACES.
* (T378163) mediawiki.page.ready: Fix undefined mw.user during temp user logout.
* (T375530) Define and store MediaWiki REST API ‘page’ endpoint responses as
  JSON schemas.
* (T376603) REST: JSON schema definitions for additional response bodies.
* (T399672) mime: Add mime types for *.less.
* (T391180) docs: Add link to CORS setting for REST API.
* (T388729) Parser: Handle regex failure in extractBody method.
* (T399064) Parser::extractBody: Use possessive matcher and once-only
  subpattern.
* (T399793) PermissionManager: Fix missingPermissionError() not returning early
  when $short is true.
* rdbms: Fix GTID style detection for MySQL servers.
* ParserCacheSerializationTestCases: back port ParserOutput changes from 1.45.
* ParserCacheSerializationTestCases: distinguish empty ToC from missing ToC.
* Fix attachLatest --regenerate-all creating invalid SQL command.
* diff: Avoid Phan warning with some Wikidiff2 versions.
* (T327439) ParserOutput: Prepare to allow JsonCodec serialization of TOCData.
* media: Remove pass-by-ref in Exif::exifGPStoNumber.
* (T386208) Exif: Handle malformed gps tags.
* i18n: Add Special:MyLanguage to mediawiki.org links.
* (T380423) Show user a human readable message when $wgLocaltimezone is set to
  an invalid timezone.
* maintenance: Fix sql for touched-only option of refreshLinks script.
* (T393028) ImagePage: Remove PNG previews line for native SVG rendering.
* (T374042) PostgresUpdater: Fix typo in sites_group index renaming instruction.
* (T401088) maintenance: Fix paging in findMissingFiles.php.
* (T401570) rdbms: Fix read-only detection for MariaDB 12.
* (T400881) filerepo: Improve identification of ForeignAPIRepo requests.
* (T397900) Don't use RequestContext in CommentParserFactory construction.
* (T402037) config: Change Reauthenticate Time Default.
* WebPHandler: Read all of the VP8L canvas height.
* (T264389, T161647) Make Content JsonCodecable.
* maintenance: Fix SQL range for moveToExternal.
* Use JsonCodec to serialize SelserContext.
* Forward-compat data for SelserContext w/ JSON-encoded Content.
* (T372444, T404230) DeletedContribsPager: Use the UserIdentity object instead
  of the raw target string.

== MediaWiki 1.43.3 ==

This is a maintenance release of the MediaWiki 1.43 branch.

=== Changes since MediaWiki 1.43.2 ===
* Localisation updates.
* Fix test failures related to 1.43.2.
* (T398269) Fixup vendor issues related to symfony/polyfill-php.

== Mediawiki 1.43.2 ==

This is a security and maintenance release of the MediaWiki 1.43 branch.

=== Changes since MediaWiki 1.43.1 ===
* Localisation updates.
* (T388708) Diffs: avoid getContentHandler on null error.
* filebackend: Avoid passing null to FileBackend::normalizeContainerPath.
* (T390001) UploadBase: makeWarningsSerializable() should accept MessageParam
  objects.
* tests: Add test cases for UploadFromChunks.
* (T382086) swagger-ui: Add licenses of packages used by Swagger UI bundle.
* (T392086) specials: Fix PHP Warning on Special:PasswordReset for crafted
  input.
* (T386175, CVE-2025-32072) SECURITY: Escape newpage message in FeedUtils.
* (T391179) installer: fix MySQL create user permissions check.
* (T391169) INSTALL: Document requirement for bcmath/gmp on 32-bit systems.
* (T389260) language: Avoid warning when 'namespaceGenderAliases' is null.
* (T391867) http: Handle accept header with incomplete q.
* Update Pingback address.
* (T387684) filerepo: No exception on redirect without width in
  ThumbnailEntryPoint.
* (T393879) objectcache: Cast explicitly to integer.
* tests: Use GLOB_BRACE in JsonSchemaAssertionTraitTest.
* tests: Fix casing of MediaWiki in @covers.
* (T394989) FormatMetadata::formatFraction: Don't risk passing null to
  preg_match.
* (T374314) Link mw.Uri migration guide in docs and log warnings.
* (T395214) title: Reset cached Title objects between tests.
* (T395214) phpunit: Remove superfluous Title::clearCaches() calls.
* (T221560) Remove hyphens from legal search characters for MySQL-based database
  searches.
* (T393628) Use anonymous user when creating named account from temp account.
* (T71997, T382963) Update RfC links to bypass redirect.
* (T351055) Improve BrokenRedirects display.
* (T382963) Sync up core repo with Parsoid.
* (T382963) Update wikimedia/parsoid to 0.20.3.
* (T395834) Treat File::getShortDesc() as possibly unsafe HTML.
* tests: Match deprecation message under php8.4 in DeprecationHelperTest.
* (T379445) debug: Migrate E_USER_ERROR to throw Error in DeprecationHelper.
* (T221560) Setup: Switch vendor error from echo+E_USER_ERROR to echo+exit.
* Setup: Update error message for composer dependencies check.
* (T381341, T379445) widget: Remove outdated try/catch wrapper from
  SpinnerWidget.
* (T379445) phpunit: Remove unused trigger_error from TestLogger.
* (T356451) logger: Make log() methods return void.
* (T328921, T359868) Drop PHP 7.4/8.0 support from master (forward-port from MW
  1.42).
* Drop a few phan PhanImpossibleTypeComparison suppressions now we've dropped
  PHP 7.4.
* Clean up resource type and phan suppression in postgres code.
* structure tests: allow PHP 8.1 syntax and autoload enums.
* rdbms: fix table prefixing in "FOR UPDATE" clause generation in Postgres.
* (T388406) RefreshLinksJob: Check hastext before comparing HTML.
* (T397521) Api: Fix permission checks in action=compare.
* (T397883, T397643) htmlform: fix min/max validations on empty input in
  int/float fields.
* specials: SpecialTalkPage: Use config from request context.
* (T380456) exception: Avoid service container init in exception handler.
* (T387408) exception: Skip use of HookRunner when not autoloaded.
* (T397470) Remove feature flagged Swagger UI based Special:RestSandbox.
* (T391343, CVE-2025-6589) SECURITY: BlockList: Hide rows containing suppressed
  users.
* (T392746, CVE-2025-6590) SECURITY: Escape usernames in HTMLUserTextField
  validation errors.
* (T392276, CVE-2025-6591) SECURITY: API: Escape i18n messages in
  action=feedcontributions.
* (T396230, T31856, CVE-2025-6593) SECURITY: fix IP leak to unverified email.
* (T395063, CVE-2025-6594) SECURITY: apisandbox: Fix reflected XSS when invalid
  'format' is provided.
* (T389009, CVE-2025-6597) SECURITY: Do not treat autocreation as login for
  reauthentication.
* (T389010, CVE-2025-6926) SECURITY: Allow extensions to supress the reauth
  flag on login.
* (T397595, CVE-2025-6927) SECURITY: Fix autoblocks visibility when
  bl_deleted=1.
* (T397595, CVE-2025-6927) SECURITY: Fix leak of hidden usernames via autoblocks
  of those users.

== MediaWiki 1.43.1 ==

This is a security and maintenance release of the MediaWiki 1.43 branch.

=== Changes since MediaWiki 1.43.0 ===
* Localisation updates.
* (T375707) exception: Convert E_STRICT errors to E_USER_NOTICE.
* (T380755) session: Do not set session.use_trans_sid.
* (T382987) $wgDnsBlacklistUrls now defaults to an empty array. See the comment
  in the "Configuration changes for system administrators" section.
* (T383037) MimeMap: add gltf and glb mime types.
* (T383037) MimeAnalyzer: detect magic number for gltf binary.
* Commit swagger-ui's NOTICE.
* (T382484) dumps: Use proc_close() to close proc_open() subprocess.
* (T375707) MWExceptionHandler: Add error suppression to constant( 'E_STRICT' ).
* (T384879) FormatMetadata: Prevent running preg_match() on null.
* (T384995) specialpage: Improve handling of invalid lang codes on login/signup.
* (T385055) resourceloader: Fix hash computation for virtual files with
  versionFilePath.
* (T385169) MultiUsernameFilter: Don't try to split ids if they're not a string.
* (T385567) parser: Gracefully handle invalid ParsoidRenderID keys.
* (T385568) rest: Return a 400 for invalid render IDs.
* (T383646) installer: Simplify the information box.
* (T384524) installer: Fix conflation between warning and info messages.
* (T376711) language: Use fallback chain to create NumberFormatter.
* (T384524) installer: Restore success messages.
* (T384524) installer: Restore "complete" success message.
* (T385332) feeds: Fix str_replace() deprecation warnings on PHP 8.
* (T386891) Revert "maintenance: Use DatabaseSqlite for type-hinting instead of
  DBConnRef".
* (T381205) Add explanation text for "Allow emails from brand-new users".
* (T380880) ExternalLinks: fix mailto: links reversal.
* (T381033) RateLimiter: Fix peek mode.
* initEditCount: Join from user to actor to revision.
* (T387130,CVE-2025-32699) SECURITY: Update wikimedia/parsoid to 0.20.2.
* (T385519) Sanitizer::normalizeWhitespace warn on preg_replace error.
* (T387638) RevDelList: Ensure setVisibility always includes itemStatuses in
  value if applicable.
* (T388296) ImportImages: Exit with non-zero code if import fails.
* Request: Improve log message when headers already sent.
* (T386368, T387397) REST page metadata endpoints: handle supressed data
  gracefully.
* (T388066) Avoid trying to load the session user in MW_NO_SESSION endpoints.
* (T388171) HttpError: Cast Message to string.
* (T384197) permissions: Avoid potential infinite loop if BlockDisablesLogin =
  true.
* (T388255) ApiLogin: Don't break BotPasswords if password or user is blank,
  just error.
* (T388924) MagicWord::replace*: Make sure we don't pass null into preg_match/
  preg_replace.
* (T388944) Html: Fix "substr(): Passing null to parameter #1 ($string) of type
  string is deprecated".
* (T388728, T385519) Sanitizer::normalizeSectionNameWhitespace: Apply same
  anti-null fix as 270499b.
* (T387690) upload: Suppress warnings from iconv().
* (T388733) Sanitizer::normalizeWhitespace: simplify redundant preg_replace.
* (T315573) Fix GREATEST usage in site_stats.
* (T304474, CVE-2025-32696) SECURITY: Apply proper restrictions on file revert
  action.
* (T24521, T62109, T140010, CVE-2025-32697) SECURITY: PermissionManager:
  Differentiate between cascading protection of file content and file pages.
* (T387507) ResourceLoader: update wikimedia/minify from 2.8.0 to 2.8.1.
* (T388273, T388335) Upgrading pear/net_url2 (v2.2.2 => v2.2.3).
* (T390063, T277675) ResourceLoader: update wikimedia/minify to 2.9.0.
* (T384851) FileBackend: PHP Deprecated: strrpos(): Passing null to parameter #1
  ($haystack).
* (T378622) Parameterize ChangeTags::buildTagFilterSelector to support various
  tag sets.
* (T344352) ChangeTags: Optimize label and description parsing.
* In .htaccess deny files, use "Satisfy All".
* (T322672, T387478) REST: Remove unused setUseParserCache() as potential
  footgun.
* (T389028) block: Fix DBS::acquireTarget() race using GET_LOCK().
* (T388807) LanguageConverter: Only set mTablesLoaded once they're really
  loaded.
* RestrictionStore: Remove short-circuit mode when fetching cascading sources.
* (T385958, CVE-2025-32698) SECURITY: LogPager.php: Restriction enforcer
  functions do not correctly enforce suppression restrictions.
* (T387130, CVE-2025-32699) SECURITY: Potential javascript injection attack
  enabled by Unicode normalization in Action API.
* (T358689, CVE-2025-3469) SECURITY: i18n XSS vulnerability in
  HTMLMultiSelectField when sections are used.

== MediaWiki 1.43.0 ==

=== Changes since MediaWiki 1.43.0-rc.0 ===
* (T381728) Use PHP 8.3 in MediaWiki-Docker
* (T382375) Misaligned label margins on Special:MathStatus
* (T382196) \overbrace rendered below (not above) in MathML and client-side
  Mathjax
* (T381310) Math Popup not working in newer version of Popup-Extension
* (T380079) This page is using the deprecated ResourceLoader module
  "mediawiki.Uri" on page load
* (T381311) Preview has wrong location in MathML mode
* (T381046) Preview not working with MathML rendering
* (T381102) <math>\left(a\right)'</math> in MathML and MathJax renders
  with one prime symbol too much
* (T380184) <math>\operatorname{vec}</math> crashes with native MathML
* (T380654) vertical space between multline equations is ignored
* (T375274) mediawiki_function_names math functions eat the following paren in
  native MML mode
* (T373732) Audit SUL3 shared-domain i18n messages for XSS
* (T381068) PHP Deprecated: Creation of dynamic property
  MediaWiki\\Auth\\ButtonAuthenticationRequest::$skipReset is deprecated
  at AuthenticationRequest.php:182
* (T20110) Define AbuseFilter consequence to display a CAPTCHA
* (T332743) On private wikis the ellipsis should not appear above 720px
  (wikitech, office, translate wiki)

== MediaWiki 1.43.0-PRERELEASE ==

== Upgrading notes for 1.43 ==
Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the
oldest supported upgrading version, MediaWiki 1.35.

Some specific notes for MediaWiki 1.43 upgrades are below:

* It is now necessary that the OpenSSL PHP extension is installed.
* update.php updates the Linter database table with two migration scripts that
  can take a long time to run: with the provided settings, each migration
  script update roughly 500 rows per second. If at all possible, it is
  highly recommended to let update.php run these migration scripts.

  If this is deemed too long a maintenance operation (depending on the number
  of rows in the Linter database table), it is possible, for a upgrade from
  1.40 onwards, to run the migration scripts before updating the MediaWiki
  and extensions files to 1.43. Set $wgLinterWriteNamespaceColumnStage and
  $wgLinterWriteTagAndTemplateColumnsStage to true, and run the
  extensions/Linter/maintenance/migrateNamespace.php and
  extensions/Linter/maintenance/migrateTagTemplate.php migration scripts
  before proceeding with any other code update.
  When upgrading from a version <= 1.39, a multi-step update is necessary to
  be able to run the migration scripts independently from update.php: first
  update to 1.42, then proceed as indicated.

For notes on 1.42.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.43 ===

* $wgBlockTargetMigrationStage, which was introduced in 1.42, is now deprecated
  and has no effect.
* (T382987) The default value of 'http.dnsbl.sorbs.net.' in $wgDnsBlacklistUrls
  has been removed. This is because sorbs.net have stopped providing their
  services. This means that if you have $wgEnableDnsBlacklist set to true, it
  will no longer provide any value unless you add other servers to
  $wgDnsBlacklistUrls.

==== New configuration ====

* (T13555) $wgParserEnableLegacyHeadingDOM - Defaults to `true`, can be set to
  `false` to enable new, more accessible HTML markup for wikitext headings.
  Note that each skin must also use the 'supportsMwHeading' option to allow it.
  More information: https://www.mediawiki.org/wiki/Heading_HTML_changes
  In a future release the new markup will become the default,
  and later this option will be removed.
* (T12347) $wgEnableProtectionIndicators - Defaults to false, setting it to true
  shows a lock icon indicator on protected pages.
* (T373480) $wgSortedCategories - Defaults to false, setting it to true will
  sort the categories shown on article pages.  This is an experimental setting;
  its future will depend on community adoption and feedback on the phab task
  is welcome.
* (T45646) $wgAllowRawHtmlCopyrightMessages - Defaults to true, can be set to
  false to disable the use of the localisation messages 'copyright' and
  'history_copyright' and the hook 'SkinCopyrightFooter', which have been
  deprecated in this release. This helps protect your wiki against attacks by
  a rogue administrator account and will become the default in the future.
* (T4085) $wgParserEnableUserLanguage - Defaults to false, can be set to
  true to let {{USERLANGUAGE}} magic word return the user's language,
  instead of the page language. Beware that accessing the user language may
  reduce the efficiency of the parser cache.

==== Changed configuration ====

* wgPageLinksSchemaMigrationStage – (T299947) This temporary setting, which
  controls the database schema migration for the page links table, is now set
  by default to write to both old and new data and read from the new data.
* wgFooterIcons – (T256190) The default "Powered by MediaWiki" button icon has
  been updated to an SVG icon, and the footer icons are now wrapped as buttons
  in HTML, rather than faking it within the icons themselves. You should adjust
  any footer icons you provide or over-ride to match.
* The "error-json" channel, configurable via $wgDebugLogGroups, has been
  removed. For structured logging, use the "error" channel directly instead.
  Since MediaWiki 1.25, structured logging is supported via Monolog for all
  channels, including the "error" channel. For silenced errors, you use the
  "silenced-error" channel added in MediaWiki 1.42. (T193472)
* wgResourceLoaderUseObjectCacheForDeps - (T343492) This is now enabled by
  default. This means ResourceLoader writes information to the MainStash
  instead of a core database table, which can be set to a separate database
  via wgMainStash. If you find issues, please drop a comment on T343492.
  It is now deprecated and will be removed in MediaWiki 1.44.

==== Removed configuration ====

* wgSessionInsecureSecrets has been removed since OpenSSL is now a required
  PHP extension.
* $wgTemplateLinksSchemaMigrationStage has been removed.
* $wgSamplingStatsdClient has been removed. It was introduced in MW 1.28 for
  use in the Wikibase extension, but never used. The new StatsFactory service
  should be used for new instrumentations, which already supports sampling.
  Beware that sampling is generally not needed even at scale, and that sampling
  does not significantly reduce runtime overhead, thus making it slow to
  instrument very hot code even with built-in sampling.
* (T294397) The 'writeapi' userright, which controlled access to some API
  modules, has been removed.
* (T331883) The variables $wgLinterWriteTagAndTemplateColumnsStage,
  $wgLinterUserInterfaceTagAndTemplateStage, $wgLinterWriteNamespaceColumnStage,
  and $wgLinterUseNamespaceColumnStage have been removed. The namespace,
  tag and template column of the Linter database table are now written and used.
  The existing data from the Linter database is migrated to the new columns
  by extensions/Linter/maintenance/migrateNamespace.php and
  extensions/Linter/maintenance/migrateTagTemplate.php, which are both called
  by the update script (T367207).

=== New user-facing features in 1.43 ===

* (T338341) Support reading XMP and EXIF from WebP files
* (T365636) Wiki's with wgAllowExternalImages enabled now detect urls
  with AVIF, SVG and WebP images.
* (T242346) Special:TalkPage is a new special page that will redirect to the
  associated talk namespace page, e.g. [[Special:TalkPage/Foo]] redirects to
  [[Talk:Foo]]; [[Special:TalkPage/Project:Foo]] goes to [[Project talk:Foo]].
  This allows for links by templates and tools without having to parse what
  namespaces are valid and have associated talk pages.
* New preference: "Send password reset emails only when both email address
  and username are provided."
* (T4085) Added new magic word {{USERLANGUAGE}} which returns the language code
  of the interface set by the user.
* (T263513) Special:NamespaceInfo is a new special page that displays a list
  of namespaces available on the wiki, their descriptions and configuration.

=== New developer features in 1.43 ===

* StatusValue class gained new method getMessages(): MessageSpecifier[],
  allowing the errors to be inspected and displayed more easily, for example:
    foreach ( $status->getMessages() as $msg ) {
      if ( $msg->getKey() !== 'ignored-message' ) {
        $this->getOutput()->addWikiMsg( $msg );
      }
    }
* (T358779) The MessageValue class can now be used instead of Message in most
  places (in methods that accept the MessageSpecifier interface). This allows
  using localisation messages in code that doesn't know the user's language,
  such as many hooks, without relying on global state. To convert between them,
  use MessageValue::newFromSpecifier() and Message::newFromSpecifier().
* The REST API framework now supports defining redirects in route definition
  files. See MediaWiki\Rest\Handler\RedirectHandler for details.
* (T13555) Skins can enable the 'supportsMwHeading' option for new, more
  accessible HTML markup for wikitext headings. MediaWiki's own styles and
  scripts have been updated to support it, but your skin may also need updates.
  More information: https://www.mediawiki.org/wiki/Heading_HTML_changes
  A future release will emit deprecation warnings for skins with
  'supportsMwHeading' set to false.
* The AuthPreserveQueryParams hook was added.
* (T219397) New `Language::formatDurationBetweenTimestamps()` function added
  which takes two timestamps and a precision in order to calculate a more
  accurate text representation of duration.
* Added an interactive mode to the install.php maintenance script.
* The ResourceLoaderModifyEmbeddedSourceUrls hook was added.
* The AuthManagerFilterProviders hook was added.
* The AuthManagerVerifyAuthentication hook was added.
* The OutputPageRenderCategoryLink hook was added, as a replacement for the
  deprecated OutputPageMakeCategoryLinks hook.
* PreAuthenticationProvider, PrimaryAuthenticationProvider, and
  SecondaryAuthenticationProvider now receive a `canAlwaysAutocreate` flag in
  the options of the `testUserForCreation` invocation. This flag is true when
  the session provider is exempt from autocreate user permissions checks.
* The CentralIdLookup service gained the isOwned() method, which can be used
  to check if a local username is reserved for a central user, even if a local
  user account does not exist yet. This can be used by extensions to look
  up information about the central user.
* (T251790) A Jest-based test suite has been introduced for testing front-end
  code such as Vue components. Tests can be run via `npm run jest`, and test
  files live in `tests/jest/`. See https://www.mediawiki.org/wiki/Jest
  for more information.
* The SpreadAnyEditBlock hook was added.
* The ConditionalDefaultOptionsAddCondition hook was added.

=== External library changes in 1.43 ===

* The OOjs Router library has been merged into core and will be archived
  upstream.

===== New development-only external libraries =====

* (T251790) Some development-only external libraries have been added for the new
  testing tools for front-end Vue components:
  * Added jest and jest-environment-jsdom at v29.7.0.
  * Added @vue/test-utils v2.4.6.
  * Added @vue/vue3-jest v29.2.6.
  * Added @babel/preset-env v7.25.4.
  * Added pinia v2.0.16 (already available via ResourceLoader).
  * Added @pinia/testing v0.0.12.
  * Codex, already available via ResourceLoader, now has the npm versions, i.e.
    @wikimedia/codex and @wikimedia/codex-icons, also installed for testing.

==== Changed external libraries ====

* Updated codex, codex-design-tokens and codex-icons
  from v1.3.6 to v1.14.0.
* Updated composer/semver from 3.4.0 to 3.4.3.
* Updated guzzlehttp/guzzle from 7.7.1 to 7.9.2.
* Updated jquery.i18n from 1.0.7 to 1.0.10.
* Updated justinrainbow/json-schema from 5.2.13 to 5.3.0.
* Updated pear/mail from 1.6.0 to 2.0.0.
* Updated pear/net_smtp from 1.11.1 to 1.12.1.
* Updated mck89/peast from v1.16.2 to 1.16.3.
* Updated monolog/monolog from 2.9.2 to 2.9.3.
* Updated symfony/yaml from 5.4.35 to 5.4.45.
* Updated OOUI from v0.49.1 to v0.51.2.
* Updated wikimedia/at-ease from 2.1.0 to 3.0.0.
* Updated wikimedia/json-codec from 3.0.1 to 3.0.3.
* Updated wikimedia/less.php from 4.2.1 to 5.1.2.
* Updated wikimedia/minify from 2.7.0 to 2.9.0.
* Updated wikimedia/normalized-exception from 1.0.1 to 2.0.0.
* Updated wikimedia/php-session-serializer from 2.0.1 to 3.0.0.
* Updated wikimedia/purtle from 1.0.8 to 2.0.0.
* Updated wikimedia/relpath from 4.0.0 to 4.0.1.
* Updated wikimedia/remex-html from 4.1.0 to 4.1.1.
* Updated wikimedia/request-timeout from 1.2.0 to 2.0.0.
* Updated wikimedia/scoped-callback from 4.0.0 to 5.0.0.
* Updated wikimedia/services from 3.0.0 to 4.0.0.
* Updated wikimedia/shellbox from 4.0.2 to 4.1.1.
* Updated wikimedia/xmp-reader from 0.9.1 to 0.9.4.
* Updated vue from 3.3.9 to 3.4.27.
* Updated symfony/polyfill-php80 from 1.29.0 to 1.31.0.
* Updated symfony/polyfill-php81 from 1.29.0 to 1.31.0.
* Updated symfony/polyfill-php82 from 1.29.0 to 1.31.0.
* Updated symfony/polyfill-php83 from 1.29.0 to 1.31.0.

===== Changed development-only external libraries =====

* Updated doctrine/dbal from 3.7.2 to 3.8.4.
* Updated eslint-config-wikimedia from 0.26.0 to 0.27.0.
* Updated mediawiki/mediawiki-codesniffer from 43.0.0 to 45.0.0.
* Updated phpunit/phpunit from 9.6.16 to 9.6.19.
* Updated seld/jsonlint from 1.10.1 to 1.10.2.

=== Bug fixes in 1.43 ===

* When using the 'runMaintenance' method in a LoadExtensionSchemaUpdates hook
  handler, only the script's class name is required, not its path. (T367918)
* QueryPage::recache() (used by the updateSpecialPages.php maintenance script)
  no longer attempts to ignore database errors. (T278543)

=== Action API changes in 1.43 ===

* APIQueryUserInfo now returns null in the field registrationdate for users
  created before December 2005 (their registration date was not recorded).

=== Languages updated in 1.43 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.

* (T375891) Updated the autonym for Kadazan Dusun (dtp)
* (T357853) Added unidirectional script conversion for Meitei to Bengali script.
* (T367377) Updated the autonym for Tai Nuea (tdd)
* (T375947) Updated the autonym for Komering (kge)
* (T354937, T362041) Added language support for Minnan (Traditional Han script)
  (nan-hant).
* (T290657) Added language support for Levantine Arabic (apc).
* (T364291) Added language support for Musi, also known as Palembang (mui).
* (T364737) Added language support for Haryanvi (bgc).
* (T365365) Added language support for Chakma (ccp).
* (T367991) Added language support for Iban (iba).
* (T367688) Added language support for Interslavic (Latin) (isv-latn).
* (T375360) Added language support for Interslavic (Cyrillic) (isv-cyrl).
* (T370123) Added language support for Nupe (nup).
* (T371051) Added language support for Saint Lucian Creole (acf).
* (T354937, T370987) Added language support for Minnan (Pe̍h-ōe-jī)
  (nan-latn-pehoeji).
* (T354937, T369899) Added language support for Minnan (Tâi-lô)
  (nan-latn-tailo).
* (T375052) Added language support for Tigre (tig).
* (T375999) Added language support for Luba-Lulua (lua).
* (T376248) Added language support for Duala (dua).
* (T375377) Added language support for Southern Ndebele (nr).
  This is done experimentally, with only a Names.php entry and
  namespace translations, before we have actual localized strings.
  For details, see https://www.mediawiki.org/wiki/Future_of_Language_Incubation.
* (T356144) Deprecated the Kanuri language (kr) and replaced it
  with Central Kanuri (knc). The language code kr is kept for
  backwards compatibility and falls back to knc.

=== Breaking changes in 1.43 ===

* (T358779) The format of parameters used by the Message class has changed.
  Instead of arrays in a special format, they are now MessageParam objects.
  Code that simply called methods like Message::numParam() and didn't look
  inside the values they return should be unaffected. Code that depended on
  the formatted params being arrays or accessed their keys will need updates.
  Example patches: https://gerrit.wikimedia.org/r/q/topic:message-param
* ErrorPageError public properties 'msg' and 'title' may now contain
  any MessageSpecifier object, not just Message.
* Reset button functionality suppressReset() and $mShowReset from HTMLForm
  was removed without replacement.
* UserGroupMembership::getGroupName(), deprecated in 1.38, and
  UserGroupMembership::getGroupMemberName(), deprecated in 1.40, have
  been removed.
* SerializedValueContainer::isUnified(), deprecated in 1.42, has been
  removed.
* Parser::getFreshParser(), deprecated in 1.39, has been removed.
* ParserOutput::getLanguageLinks() no longer returns a reference to the
  internal array.
* ConfigFactory::getDefaultInstance(), deprecated since 1.27, has been
  removed.
* wfGetLangObj(), deprecated since 1.41, has been removed in favor of
  LanguageFactory::getLanguage().
* wfRemoveDotSegments(), deprecated in 1.39, has been removed.
* IReadableDatabase::getReplicaPos() has been removed without deprecation
  as it's not used anywhere.
* CommentFormatter::formatStringsAsBlock() has been removed without deprecation
  as it's not used anywhere.
* ILoadBalancer::laggedReplicaUsed() has been moved to ILoadBalancerForOwner::
  effectively making it internal.
* Define DB_MASTER, deprecated since 1.36, has been removed.
* ILoadBalancer::DB_MASTER, deprecated since 1.36, has been removed.
* Overriding MWException::getHTML(), ::getText(), ::getPageTitle(), and
  ::reportHTML() in order to display custom exception messages is no
  longer supported.
* In PageHandlerTestTrait, the newRouter() method was renamed to
  newRouterForPageHandler() to avoid a conflict with a method of the same
  name in RestTestTrait. Also, PageHandlerTestTrait is no longer marked as
  "stable to use". It was marked this way by accident, the functionality it
  provides is specific to certain handlers implemented in MediaWiki core.
* MediaWikiIntegrationTestCase::addCoreDBData(), deprecated since 1.41, has
  been removed.
* wfUnpack(), deprecated since 1.42, has been removed in favor of
  StringUtils::unpack().
* UIDGenerator, deprecated since 1.35, has been removed.
* TablePager::getBody(), final and deprecated since 1.24, has been removed.
  Use ::getBodyOutput() or ::getFullOutput() instead.
* ImportableUploadRevisionImporter::downloadSource(), deprecated in 1.31, is now
  private. Its only known external caller was removed in 1.40.
* The following methods in the User class have been removed:
  * Deprecated in 1.33:
    * User::isBlockedFrom()
  * Deprecated in 1.34:
    * User::isBlocked()
  * Deprecated in 1.35:
    * User::addGroup()
    * User::getAllGroups()
    * User::getGroups()
    * User::getGroupMemberships()
    * User::getImplicitGroups()
    * User::getOption()
    * User::removeGroup()
  * Deprecated in 1.37:
    * User::isBlockedFromCreateAccount()
* BotPassword::invalidateAllPasswordsForCentralId() and
  BotPassword::removeAllPasswordsForCentralId(), deprecated in 1.37,
  have been removed.
* Title::getBrokenLinksFrom(), deprecated in 1.42, has been removed.
* The $type parameter to Skin::getCopyright(), deprecated in 1.40, has been
  removed.
* The module `mediawiki.icon`, deprecated in 1.42, has been removed.
* The `@vue/composition-api` module, a deprecated alias for `vue` since 1.41,
  has been removed. Use `vue` directly.
* SiteConfiguration::extractVar() and ::extractGlobal(), deprecated in 1.41,
  have been removed.
* Skin::footerLink(), deprecated in 1.40, has been removed.
* Skin::getAction(), deprecated in 1.39, has been removed.
* Skin::makeSearchInput(), deprecated in 1.35, has been removed.
* Skin::makeSearchButton(), deprecated in 1.39, has been removed.
* SkinTemplate::buildContentNavigationUrls(), deprecated in 1.38,
  has been removed.
* Title::getCdnUrls() and Title::purgeSquid(), deprecated in 1.35, have been
  removed.
* The `mediawiki.pager.tablePager` module, deprecated in 1.38, has been
  removed in favor of the more generic `mediawiki.pager.styles`.
* BagOStuff::setNewPreparedValues(), deprecated in 1.40, has been removed.
* Constructing MWHttpRequest objects now requires timeout and connectTimeout to
  be set; this was deprecated in 1.35.
* Hooks that were run from SpecialContributions are now run from the parent,
  ContributionsSpecialPage. The page passed in is a ContributionsSpecialPage
  type, and documentation and type comparisons may need to be updated. Affected
  hooks are: ContributionsBeforeMainOutputHook, ContributionsToolLinksHook,
  SpecialContributions__getForm__filtersHook.
* Hooks that were run from ContribsPager are now run from the parent,
  ContributionsPager. If a pager is passed in, it is a ContributionsPager type,
  and documentation and type comparisons may need to be updated. Affected
  hooks are: ContribsPager__reallyDoQueryHook, ContribsPager__getQueryInfoHook,
  ContributionsLineEndingHook, SpecialContributions__formatRow__flagsHook.
* Hooks that were run from DeletedContribsPager are now run from the parent,
  ContributionsPager. If a pager is passed in, it is a ContributionsPager type,
  and documentation and type comparisons may need to be updated. Affected
  hooks are: DeletedContribsPager__reallyDoQueryHook and
  DeletedContributionsLineEndingHook.
* The public method ContributionsSpecialPage::getUserLinks has been made
  protected. Although not marked @internal, the method was public to be called
  from SpecialDeletedContributions (call now removed), and was not called from
  anywhere else.
* DatabaseBlock::purgeExpired, deprecated since 1.38, has been removed.
* AbstractBlock::getPermissionsError, deprecated since 1.35, has been removed.
* IDatabase::namedLocksEnqueue() has been removed without deprecation.
* IDatabase::getTopologyRole() has been removed without deprecation.
* IDatabase::getTopologyBasedServerId() has been removed without deprecation.
  Use IDatabase::getServerName() instead.
* IReadableDatabase::wasReadOnlyError() has been removed without deprecation.
  Use IDatabase::isReadOnly() instead.
* IReadableDatabase::wasDeadlock() has been removed without deprecation.
* ILoadBalancer::getWriterIndex() has been removed without deprecation.
  Use ServerInfo::WRITER_INDEX constant instead.
* MaintainableDBConnRef, deprecated since 1.39, has been removed.
* ILoadBalancer::reuseConnection(), deprecated since 1.39, has been removed.
* The $domain parameter to ILoadBalancer::getReadOnlyReason(), deprecated in
  1.40, has been removed.
* WikiPage::doDeleteArticleBatched, hard deprecated since 1.37, has been
  removed.
* SpecialEmailUser::submit, deprecated since 1.41, has been removed.
* SpecialEmailUser::validateTarget, deprecated since 1.41, has been removed.
* SpecialEmailUser::getPermissionsError, deprecated since 1.41 has been
  removed.
* SpecialBlock::getTargetAndType, deprecated since 1.36, has been removed.
* ApiQueryBlockInfoTrait::addBlockInfoToQuery(), deprecated since 1.42, has been
  removed.
* Linker::makeExternalLink() has been deprecated in favor of
  LinkRenderer::makeExternalLink(), which has a improved API to help phan's
  SecurityCheckPlugin provide more accurate checks for escaping issues.
* Linker::makeHeadline(), Linker::generateTOC(), Linker::tocIndent(),
  Linker::tocUnindent(), Linker::tocLine(), Linker::tocLineEnd(), and
  Linker::tocList(), deprecated in 1.42, have been removed.
* Linker::formatComment(), Linker::formatLinksInComment(),
  Linker::commentBlock(), and Linker::revComment(), deprecated in 1.38,
  have been removed.
* UserCache::singleton(), deprecated in 1.43, now emits deprecation warnings.
  Use MediaWikiServices::getInstance()->getUserCache() instead.
* DummyLinker has been removed. The former DummyLinker parameter
  to the 'ImageBeforeProduceHTML' hook is now null.
* The following methods of IDatabase have been moved to internal interface
  IDatabaseForOwner without deprecation. These methods are internal and
  shouldn't be used outside of rdbms library:
  - ::pendingWriteCallers()
  - ::flushSession()
  - ::lastDoneWrites()
  - ::setTransactionListener()
  - ::serverIsReadOnly()
  - ::getPrimaryPos()
  - ::pendingWriteQueryDuration()
  - ::writesOrCallbacksPending()
  - ::writesPending()
  - ::primaryPosWait()
* IMaintainableDatabase::listViews(), deprecated since 1.42, has been removed.
* IMaintainableDatabase::truncate(), deprecated since 1.42, has been removed.
* IMaintainableDatabase::textFieldSize() was removed without deprecation.
* ReplicatedBagOStuff, deprecated since 1.42, has been removed.
* The 'replicaOnly' option to SqlBagOStuff has been removed without deprecation.
  It existed for internal use by SqlBagOStuff only.
* Support for WinCache as local server cache has been removed, because WinCache
  is not available for supported versions of PHP. The WinCacheBagOStuff class
  has been removed. Use MediaWikiServices::getLocalServerObjectCache() instead,
  or the CACHE_ACCEL type instead, which automatically selects APCu when
  available.
  The "wincache" cache type (e.g. to ObjectCache::getInstance, and in
  "wg*CacheType" configuration) remains supported as an alias for CACHE_ACCEL.
* LockManager::sha1Base16Absolute(), has been removed without deprecation.
* The "options" parameter to User::createNew() and the $data parameter to
  UserOptionsManager::loadUserOptions() were removed.
* `.list-style-image()` mixin from mediawiki.mixins.less, deprecated since 1.38,
  has been removed.
* `.background-image()` mixin from mediawiki.mixins.less, deprecated since 1.38,
  has been removed.
* IDatabase::nextSequenceValue(), deprecated since 1.30, was removed.
* $wgAPIRequestLog was removed without deprecation. Use "api" and "api-request"
  wgDebugLogGroups channels or SPI instead.
* The setStats() method in MediaWiki\Rest\Router now expects a StatsFactory
  rather than a StatsdDataFactoryInterface. The method has been marked @internal
  and should not be called by extensions.
* All `@width-breakpoint-*` Less variables have been removed. Use
  `@min-width-breakpoint-*`/`@max-width-breakpoint-*` instead.
* The MessageContent class, deprecated since 1.38, is now removed. This also
  means that the Message::content() method is also removed.
* The following ParserOption methods, deprecated since 1.35, were removed:
  - ::setAllowExternalImages()
  - ::setAllowExternalImagesFrom()
  - ::setEnableImageWhitelist()
* Sanitizer::removeHTMLtags(), deprecated since 1.38, has been removed.
* OutputPage::getCSPNonce(), deprecated since 1.35, has been removed.
* UserMailer::rfc822Phrase(), deprecated since 1.38, has been removed.
* QueryPage::getSQL(), deprecated since 1.39, has been removed. The replacement
  QueryPage::getQueryInfo() is now abstract.
* update-keys.sql was removed. It is not recommended to install MediaWiki by
  manually sourcing SQL files, but if you are doing this, run
  `update.php --initial` instead of sourcing update-keys.sql.
* MediaWikiVersionFetcher, deprecated since 1.42 has been removed.
* Support for using Skin::addToBodyAttributes() method, which was deprecated
  in 1.35, has been removed. Use OutputPageBodyAttributesHook instead.
* Skins since 1.39 have not supported rendering content outside the body tag.
The bodyOnly=false option has now been removed, meaning this is no longer
supported.
* CentralIdLookup::factoryNonLocal(), deprecated since 1.37, has been removed.
* CryptHKDF and MWCryptHKDF were removed without deprecation, in part because no
  past or present use could be found. hash_hkdf() can be used instead of HKDF().
  While generate() and generateHex() have no direct replacement, random_bytes()
  and MWCryptRand::generateHex() can be used instead.

=== Deprecations in 1.43 ===

* The methods StatusValue::getErrors() and StatusValue::getErrorsByType(),
  as well as Status::getErrorsArray() and Status::getWarningsArray(), have
  been deprecated in favor of new method StatusValue::getMessages().
* PermissionManager::getPermissionErrors() has been deprecated in favor
  of getPermissionStatus().
* PermissionStatus::toLegacyErrorArray() is deprecated with no replacement.
* PermissionsError properties $errors and $permission are deprecated.
  To display the error, throw it or use ->report().
* (T166010) All PHP code in MediaWiki is slowly being moved to be in a class
  namespace as appropriate, so that we can use PSR-4 auto-loading, which will
  speed up general code loading of MediaWiki. The old global namespace class
  names are being left behind as deprecated aliases.

  In this release of MediaWiki, 2236 classes now have a namespace and 509 do
  not yet (81% done, up from 69% in MediaWiki 1.42.0). The following have newly
  been moved:
  - MediaWiki\Api:
    - ApiAMCreateAccount
    - ApiAcquireTempUserName
    - ApiAuthManagerHelper
    - ApiBase
    - ApiBlock
    - ApiBlockInfoTrait
    - ApiCSPReport
    - ApiChangeAuthenticationData
    - ApiChangeContentModel
    - ApiCheckToken
    - ApiClearHasMsg
    - ApiClientLogin
    - ApiComparePages
    - ApiContinuationManager
    - ApiCreateTempUserTrait
    - ApiDelete
    - ApiDisabled
    - ApiEditPage
    - ApiEmailUser
    - ApiErrorFormatter
    - ApiErrorFormatter_BackCompat
    - ApiExpandTemplates
    - ApiFeedContributions
    - ApiFeedRecentChanges
    - ApiFeedWatchlist
    - ApiFileRevert
    - ApiFormatBase
    - ApiFormatFeedWrapper
    - ApiFormatJson
    - ApiFormatNone
    - ApiFormatPhp
    - ApiFormatRaw
    - ApiFormatXml
    - ApiFormatXmlRsd
    - ApiHelp
    - ApiHelpParamValueMessage
    - ApiImageRotate
    - ApiImport
    - ApiImportReporter
    - ApiLinkAccount
    - ApiLogin
    - ApiLogout
    - ApiMain
    - ApiManageTags
    - ApiMergeHistory
    - ApiMessage
    - ApiMessageTrait
    - ApiModuleManager
    - ApiMove
    - ApiOpenSearch
    - ApiOpenSearchFormatJson
    - ApiOptions
    - ApiOptionsBase
    - ApiPageSet
    - ApiParamInfo
    - ApiParse
    - ApiPatrol
    - ApiProtect
    - ApiPurge
    - ApiQuery
    - ApiQueryAllCategories
    - ApiQueryAllDeletedRevisions
    - ApiQueryAllImages
    - ApiQueryAllLinks
    - ApiQueryAllMessages
    - ApiQueryAllPages
    - ApiQueryAllRevisions
    - ApiQueryAllUsers
    - ApiQueryAuthManagerInfo
    - ApiQueryBacklinks
    - ApiQueryBacklinksprop
    - ApiQueryBase
    - ApiQueryBlockInfoTrait
    - ApiQueryBlocks
    - ApiQueryCategories
    - ApiQueryCategoryInfo
    - ApiQueryCategoryMembers
    - ApiQueryContributors
    - ApiQueryDeletedRevisions
    - ApiQueryDeletedrevs
    - ApiQueryDisabled
    - ApiQueryDuplicateFiles
    - ApiQueryExtLinksUsage
    - ApiQueryExternalLinks
    - ApiQueryFileRepoInfo
    - ApiQueryFilearchive
    - ApiQueryGeneratorBase
    - ApiQueryIWBacklinks
    - ApiQueryIWLinks
    - ApiQueryImageInfo
    - ApiQueryImages
    - ApiQueryInfo
    - ApiQueryLangBacklinks
    - ApiQueryLangLinks
    - ApiQueryLanguageinfo
    - ApiQueryLinks
    - ApiQueryLogEvents
    - ApiQueryMyStashedFiles
    - ApiQueryPagePropNames
    - ApiQueryPageProps
    - ApiQueryPagesWithProp
    - ApiQueryPrefixSearch
    - ApiQueryProtectedTitles
    - ApiQueryQueryPage
    - ApiQueryRandom
    - ApiQueryRecentChanges
    - ApiQueryRevisions
    - ApiQueryRevisionsBase
    - ApiQuerySearch
    - ApiQuerySiteinfo
    - ApiQueryStashImageInfo
    - ApiQueryTags
    - ApiQueryTokens
    - ApiQueryUserContribs
    - ApiQueryUserInfo
    - ApiQueryUsers
    - ApiQueryWatchlist
    - ApiQueryWatchlistRaw
    - ApiRawMessage
    - ApiRemoveAuthenticationData
    - ApiResetPassword
    - ApiResult
    - ApiRevisionDelete
    - ApiRollback
    - ApiRsd
    - ApiSerializable
    - ApiSetNotificationTimestamp
    - ApiSetPageLanguage
    - ApiStashEdit
    - ApiTag
    - ApiUnblock
    - ApiUndelete
    - ApiUpload
    - ApiUsageException
    - ApiUserrights
    - ApiValidatePassword
    - ApiWatch
    - ApiWatchlistTrait
    - IApiMessage
    - SearchApi
  - MediaWiki\Content:
    - AbstractContent
    - CodeContentHandler
    - Content
    - ContentHandler
    - ContentModelChange
    - CssContent
    - CssContentHandler
    - FallbackContent
    - FallbackContentHandler
    - FileContentHandler
    - JavaScriptContent
    - JavaScriptContentHandler
    - JsonContent
    - JsonContentHandler
    - TextContent
    - TextContentHandler
    - WikitextContent
    - WikitextContentHandler
    - WikiTextStructure
  - MediaWiki\Debug:
    - DeprecationHelper
    - MWDebug
  - MediaWiki\Deferred:
    - RefreshSecondaryDataUpdate
  - MediaWiki\FileBackend:
    - FileBackendGroup – FIXME: Should this be in Wikimedia\FileBackend instead?
  - MediaWiki\Json:
    - FormatJson
  - MediaWiki\Language:
    - Language
    - LanguageCode
    - ILanguageConverter
    - LanguageConverter
    - ConverterRule
    - ReplacementArray
  - MediaWiki\Maintenance:
    - BackupDumper
    - Benchmarker
    - DeleteLocalPasswords
    - FakeMaintenance
    - LoggedUpdateMaintenance
    - MWDoxygenFilter
    - Maintenance
    - SchemaMaintenance
    - SevenZipStream
    - TextPassDumper
  - MediaWiki\Parser:
    - BlockLevelPass
    - CacheTime
    - CoreMagicVariables
    - CoreParserFunctions
    - CoreTagHooks
    - DateFormatter
    - DateFormatterFactory
    - LinkHolderArray
    - MWTidy
    - PPCustomFrame_Hash
    - PPDPart_Hash
    - PPDStackElement_Hash
    - PPDStack_Hash
    - PPFrame
    - PPFrame_Hash
    - PPNode
    - PPNode_Hash_Array
    - PPNode_Hash_Attr
    - PPNode_Hash_Text
    - PPNode_Hash_Tree
    - PPTemplateFrame_Hash
    - ParserCache
    - ParserFactory
    - ParserOptions
    - Preprocessor
    - Preprocessor_Hash
    - StripState
  - MediaWiki\RCFeed:
    - FormattedRCFeed
    - IRCColourfulRCFeedFormatter
    - JSONRCFeedFormatter
    - MachineReadableRCFeedFormatter
    - RCFeed
    - RCFeedFormatter
    - RedisPubSubFeedEngine
    - UDPRCFeedEngine
    - XMLRCFeedFormatter
  - MediaWiki\RenameUser:
    - RenameUserJob
  - MediaWiki\Registration:
    - ExtensionDependencyError
    - ExtensionJsonValidationError
    - ExtensionJsonValidator
    - ExtensionProcessor
    - ExtensionRegistry
    - MissingExtensionException
    - Processor
    - VersionChecker
  - MediaWiki\RevisionList:
    - RevisionItem
    - RevisionItemBase
    - RevisionList
    - RevisionListBase
  - MediaWiki\Watchlist:
    - ActivityUpdateJob
    - ClearUserWatchlistJob
    - ClearWatchlistNotificationsJob
    - NoWriteWatchedItemStore
    - WatchedItem
    - WatchedItemQueryService
    - WatchedItemQueryServiceExtension
    - WatchedItemStore
    - WatchedItemStoreInterface
    - WatchlistExpiryJob
  - MediaWiki\Xml:
    - Xml
    - XmlSelect
  - Wikimedia\FileBackend:
    - FSFileBackend
    - FSFileBackendDirList
    - FSFileBackendFileList
    - FSFileBackendList
    - FileBackend
    - FileBackendError
    - FileBackendMultiWrite
    - FileBackendStore
    - FileBackendStoreShardDirIterator
    - FileBackendStoreShardFileIterator
    - FileBackendStoreShardListIterator
    - FileOpBatch
    - HTTPFileStreamer
    - MemoryFileBackend
    - SwiftFileBackend
    - SwiftFileBackendDirList
    - SwiftFileBackendFileList
    - SwiftFileBackendList
    - Wikimedia\FileBackend\FileOps:
      - CopyFileOp
      - CreateFileOp
      - DeleteFileOp
      - DescribeFileOp
      - FileOp
      - FileStatePredicates
      - MoveFileOp
      - NullFileOp
      - StoreFileOp
    - Wikimedia\FileBackend\FileOpHandle:
      - FSFileOpHandle
      - SwiftFileOpHandle
      - FileBackendStoreOpHandle
    - Wikimedia\FileBackend\FSFile:
      - FSFile
      - TempFSFile
      - TempFSFileFactory
  - Wikimedia\Http:
    - MultiHttpClient
  - Wikimedia\Message:
    - MessageSpecifier
  - Wikimedia\Mime:
    - MSCompoundFileReader
    - MimeAnalyzer
    - XmlTypeCheck
  - Wikimedia\ObjectCache:
    - APCUBagOStuff
    - BagOStuff
    - CachedBagOStuff
    - EmptyBagOStuff
    - HashBagOStuff
    - IStoreKeyEncoder
    - MediumSpecificBagOStuff
    - MemcachedBagOStuff
    - MemcachedPeclBagOStuff
    - MemcachedPhpBagOStuff
    - MultiWriteBagOStuff
    - RESTBagOStuff
    - RedisBagOStuff
    - WANObjectCache
    - WinCacheBagOStuff
    - RedisConnectionPool
    - RedisConnRef
  - Wikimedia\Rdbms:
    - DBAccessObjectUtils
    - IDBAccessObject
  - Wikimedia\Stats:
    - BufferingStatsdDataFactory
    - IBufferingStatsdDataFactory
    - NullStatsdDataFactory
    - PrefixingStatsdDataFactoryProxy
    - SamplingStatsdClient
    - StatsdAwareInterface
* MessageCache::get() with $language other than Language or null is
  deprecated and emits deprecation warnings. For high-level access,
  use wfMessage() or RequestContext::msg() instead.
* Manually constructing a Language object, deprecated in 1.35, now emits
  deprecation warnings. Use LanguageFactory instead.
* MediaWiki\Languages\Data\Names::$names is deprecated.
* SearchEngineConfig::getConfig() has been deprecated, use DI with
  ServiceOptions to inject the required options.
* ObjectCache::isDatabaseId() and ::getLocalClusterInstance() have been
  deprecated. Use their equivalents in ObjectCacheFactory.
* Using the "post" source in parameter declarations returned from
  Handler::getParamSettings() is deprecated, use "body" instead.
* ISQLPlatform::tableNamesN() is now deprecated.
* The implementation in SQLPlatform of ISQLPlatform::tableNames(), deprecated in
  MediaWiki 1.39, now emits deprecation warnings.
* Title::getTitleProtection(), deprecated in 1.37, now emits warnings. You can
  use RestrictionStore::getCreateProtection() instead.
* Title::loadRestrictions(), deprecated in 1.37, now emits warnings.
* Title::flushRestrictions(), deprecated in 1.37, now emits warnings.
* Title::getPageViewLanguage(), deprecated in 1.42, now emits warnings.
* wfUrlProtocols(), deprecated in 1.39, now emits warnings.
* wfGetServerUrl(), deprecated in 1.39, now emits warnings.
* wfExpandIRI(), deprecated in 1.39, now emits warnings.
* The following methods, previously deprecated, now emit deprecation warnings:
  - ContentHandler::getDefaultModelFor(), deprecated since 1.33
  - ContentHandler::getAllContentFormats(), deprecated since 1.35
  - ContentHandler::getContentModels(), deprecated since 1.35
  - ContentHandler::getForContent(), deprecated since 1.35
  - ContentHandler::getForModelID(), deprecated since 1.35
  - ContentHandler::getContentText(), deprecated since 1.37
* Passing a Message argument to OutputPage::setPageTitle(), which was
  deprecated in 1.41, now emits warnings.
* OutputPage::showFatalError() is deprecated, use showErrorPage() instead.
* OutputPage::showPermissionsErrorPage() is deprecated,
  use showPermissionStatus() instead.
* OutputPage::formatPermissionsErrorMessage(), deprecated since 1.36,
  now emits deprecation warnings. Use formatPermissionStatus() instead.
* OutputPage::setCategoryLinks() has been deprecated and emits deprecation
  warnings.  Use ::addCategoryLinks() instead.
* OutputPage::setLanguageLinks() has been deprecated; use ::addLanguageLinks()
  instead.
* Passing 'index' to OutputPage::setIndexPolicy() and
  OutputPage::setRobotPolicy() after previously passing 'noindex' has
  been deprecated; in a future release OutputPage will behave like
  ParserOutput::setIndexPolicy(), where 'noindex' takes precedence
  over 'index'.
* (T375975) Language::embedBidi() has been deprecated; use <bdi> HTML tag
  instead.
* (T375975) Language::getDirMark() has been deprecated; use <bdi> HTML tag
  instead.
* (T375975) Language::getDirMarkEntity() has been hard deprecated; use
  <bdi> HTML tag instead.
* (T375975) The unused third parameter of Language::specialList is removed as
  the method isolates the title unconditionally from the details.
* LoadBalancer::getConnectionRef(), deprecated since 1.39, now emits deprecation
  warnings. Use ::getConnection() instead.
* DBAccessObjectUtils::getDBOptions() is deprecated, use
  SelectQueryBuilder::recency() instead.
* IDatabase::lockForUpdate is deprecated, use
  SelectQueryBuilder::acquireRowLocks instead.
* ILBFactory::flushReplicaSnapshots() is deprecated no longer needed.
* wfGetUrlUtils() is deprecated; instead, get a UrlUtils from services.
* DerivedPageDataUpdater::getPreparedEdit(), provided for back-compatibility, is
  now deprecated; use the getters directly, instead.
* AuthManager::forcePrimaryAuthenticationProviders(), provided for back-
  compatibility, is now deprecated.
* WikiPage::hasDifferencesOutsideMainSlot(), provided as a stop-gap before
  refactoring to support MCR, is now deprecated.
* ChangesList::getTimestamp() has been deprecated; use ::revDateLink() instead.
* RecentChange::doMarkPatrolled() is deprecated, use
  RecentChange::markPatrolled() instead.
* LogFormatter::newFromRow() and LogFormatter::newFromEntry(), deprecated since
  1.42, now emit deprecation warnings.
* LinksUpdate::getAddedLinks(), ::getRemovedLinks(), deprecated since 1.38, now
  emit deprecation warnings.
* TitleLinksTable::getTitleArray(), deprecated since 1.38, now emits deprecation
  warnings.
* SiteConfig::variants() has been deprecated; use ::variantsFor().
* ObjectCache::$instances and ::getInstance() have been deprecated; instead, use
  ObjectCacheFactory::getInstance().
* WANObjectCache::clearLastError() and BagOStuff::clearLastError have been hard
  deprecated, use ::watchErrors() together with ::getLastErrors() instead.
* BagOStuff::getSegmentationSize() and ::getSegmentedValueMaxSize() no longer
  have any usage. The subclass' method in MediumSpecificBagOStuff overrides also
  have no usage as well.
* ApiBase::errorArrayToStatus() is deprecated with no replacement.
* ApiTestCase::setExpectedApiException() has been deprecated; instead, use
  ::expectApiErrorCode() to test error codes instead of messages.
* ApiPageSet::getTitles(), ApiPageSet::getGoodTitles(),
  ApiPageSet::getMissingTitles(), ApiPageSet::getGoodAndMissingTitles(),
  ApiPageSet::getRedirectTitles() and ApiPageSet::getSpecialTitles, deprecated
  since 1.37, now emit deprecation warnings.
* QueryPage::setDBLoadBalancer() and ::getDBLoadBalancer() have been deprecated,
  use QueryPage::setDatabaseProvider() or ::getDatabaseProvider() instead.
* User::isBlockedGlobally(), deprecated since 1.40, now emits deprecation
  warnings.
* User::isBlockedFromEmailuser() and User::canSendEmail(), deprecated since
  1.41, now emit deprecation warnings.
* wfMergeErrorArrays() has been deprecated.
* wfArrayDiff2() has been deprecated.
* User::whoIs() and User::whoIsReal(), have been deprecated.
* UserCache class and MediaWikiServices::getUserCache(), have been deprecated.
* JsonUnserializable and related classes have been renamed to JsonDeserializable
  to make it clearer that they're related to converting serialized content back
  into JSON, rather than stating that things are not representable in JSON. The
  previous class names have been left behind as deprecated aliases:
   - JsonUnserializable -> JsonDeserializable
   - JsonUnserializableTrait -> JsonDeserializableTrait
   - JsonUnserializer -> JsonDeserializer
  Additionally, JsonCodec's unserialize() and unserializeArray() methods have
  also been renamed to deserialize() and deserializeArray(), with the old names
  deprecated.
* In the REST framework, the the BodyValidator interface and all functionality
  related to it are deprecated. They have been replaced by
  Handler::getBodyParamSettings() and Handler::parseBodyData(). The following
  interfaces, classes, and methods are affected:
  - interface BodyValidator
  - class JsonBodyValidator
  - class NullValidator
  - function Handler::getBodyValidator
  - function Validator::validateBody
* StatusValue will emit deprecation warnings when an error is given as
  a MessageSpecifier combined with a parameters array, which is usually
  a mistake, as the parameters have always been ignored.
* In StatusValue::replaceMessage(), ::hasMessage() and ::hasMessagesExcept()
  passing MessageSpecifier or MessageValue as $source has been deprecated.
* PageArchive::undeleteAsUser, deprecated since 1.35, now emits deprecation
  warnings.
* DatabaseBlock::getQueryInfo() and DatabaseBlock::getRangeCond() are
  deprecated and emit deprecation warnings. Use the equivalent methods in
  DatabaseBlockStore.
* DatabaseBlockStore::getReadStage() and ::getWriteStage() are deprecated.
  Use the new schema unconditionally.
* UserOptionsManager::resetOptions(), ::listOptionKinds and ::getOptionKinds are
  deprecated and will emit deprecation warnings. Use the corresponding methods
  in PreferencesFactory and UserOptionsManager::resetOptionsByName().
* The `i18n-all-lists-margins` and `interface-message-box` module of SkinModule
  are deprecated. The former has been merged into the `elements` module, the
  latter has no required replacement. See JavaScript console for instructions.
* ParsoidOutputAccess and all of its methods have been deprecated.  Use
  ParserOutputAccess with ParserOptions::setUseParsoid() instead.
* ParserOutput::addJsConfigVars(), deprecated since 1.38, now emits deprecation
  warnings. Use ParserOutput::setJsConfigVar() instead.
* The following methods of ParserOutput, most of which used to return an
  array by reference, have been deprecated.  Use the
  ParserOutput::getLinkList(...) method with an appropriate link type
  instead:
  * ParserOutput::getFileSearchOptions() - ParserOutputLinkTypes::MEDIA
  * ParserOutput::getImages()            - ParserOutputLinkTypes::MEDIA
  * ParserOutput::getInterwikiLinks()    - ParserOutputLinkTypes::INTERWIKI
  * ParserOutput::getLanguageLinks()     - ParserOutputLinkTypes::LANGUAGE
  * ParserOutput::getLinks()             - ParserOutputLinkTypes::LOCAL
  * ParserOutput::getLinksSpecial()      - ParserOutputLinkTypes::SPECIAL
  * ParserOutput::getTemplates()         - ParserOutputLinkTypes::TEMPLATE
  * ParserOutput::getTemplateIds()       - ParserOutputLinkTypes::TEMPLATE
* ParserOutput::setLanguageLinks(null) now emits deprecation warnings.  Use
  an empty array as an argument, not `null`.
* ParserOutput::setPageProperty() now emits deprecation warnings when called
  with non-string values, which has been deprecated since 1.42.
* Use of the reference to the internal array returned by
  ParserOutput::getExternalLinks() has been deprecated.  In a future release
  it will return a copy of the array.
* To support a future change allowing serializing of MessageValue objects
  as JSON, the methods MessageValue::objectParams(), Message::objectParams()
  and Message::objectParam() are deprecated. The UserGroupMembershipParam
  class and the ParamType::OBJECT constant are likewise deprecated.
* Passing null or boolean values as message parameters, which are converted
  to strings "" and "1", is deprecated.
* The Less mixin .column-break-after-avoid() is deprecated. Use just the
  CSS rule `break-after: avoid-column;` instead now.
* The Less mixins .horizontal-gradient and .vertical-gradient are deprecated.
  Use CSS rule linear-gradient directly.
* The following method are deprecated; instead call the appropriate
  constructor method in PageRestHelperFactory with the appropriate
  initialization arguments:
  * HtmlOutputRendererHelper::init()
  * HtmlMessageOutputHelper::init()
  * HtmlInputTransformHelper::init()
  Similarly, calling the constructor method in PageRestHelperFactory
  without the appropriate initialization arguments is now deprecated.
* Calling HtmlToContentTransform::setMetrics() and
  HtmlInputTransformHelper::setMetrics() with a StatsdDataFactoryInterface
  is deprecated and emits warnings. Pass a StatsFactory instead.
* HTMLForm methods getPreText, setPreText, addPreText, getPostText,
  setPostText, addPostText, getHeaderText, setHeaderText, addHeaderText,
  getFooterText, setFooterText and addFooterText, deprecated since 1.38, now
  emit deprecation warnings.
* FormSpecialPage methods preText and postText, deprecated since 1.38, now
  emit deprecation warnings.
* EditPage::internalAttemptSave() is deprecated as part of cleaning up how
  edits are saved, see T157658 for details.
* The MessageCache::get hook, deprecated since 1.41, now emits deprecation
  warnings.
* Twelve deprecated properties of OutputPage now will emit warnings; their
  relevant getters or setters should be used instead:
  * mCategoryLinks       - getCategoryLinks() and setCategoryLinks()
  * mCategories          - getCategories()
  * mIndicators          - getIndicators() and setIndicators()
  * mHeadItems           - getHeadItemsArray(), hasHeadItem(), addHeadItem(),
                           and addHeadItems()
  * mModules             - getModules() and addModules()
  * mModuleStyles        - getModuleStyles() and addModuleStyles()
  * mJsConfigVars        - getJsConfigVars() and addJsConfigVars()
  * mTemplateIds         - getTemplateIds()
  - mEnableClientCache   - Set with enableClientCache() and disableClientCache()
  - mNewSectionLink      - Get with showNewSectionLink()
  - mHideNewSectionLink  - Set with forceHideNewSectionLink()
  - mNoGallery           - getNoGallery()
* The following methods from the OutputPage class were deprecated; use
  corresponding methods on the ParserOutput returned from
  OutputPage::getMetadata() instead. (For example, instead of
  $output->setIndexPolicy() use $output->getMetadata()->setIndexPolicy().)
   - ::getIndexPolicy()
   - ::setIndexPolicy()  (setting 'index' after 'noindex' is deprecated)
   - ::getPreventClickjacking()
   - ::setPreventClickjacking()
* The hook OutputPageMakeCategoryLinks is deprecated. Use the new hook
  OutputPageRenderCategoryLink instead.
* mw.cookie.getCrossSite() has been deprecated due to the removal of
  $wgUseSameSiteLegacyCookies in MW 1.42. Use mw.cookie.get().
* The 'help' key in HTMLForm descriptors is deprecated. Use the 'help-raw'
  key instead.
* ImageGalleryBase::setWidths() and ::setHeights() will now emit a deprecation
  warning if they are called without ImageGalleryBase::setParser() having been
  called.  Please set the parser appropriately when using the image gallery.
* (T45646) The localisation messages 'copyright' and 'history_copyright' are
  deprecated in favor of 'copyright-footer' and 'copyright-footer-history'.
  The new messages are parsed as wikitext instead of being treated as raw HTML.
* (T45646) The hook 'SkinCopyrightFooter' is deprecated in favor of
  'SkinCopyrightFooterMessage'. The new hook allows specifying copyright
  messages that are parsed as wikitext instead of being treated as raw HTML.
* (T374314) The 'mw.Uri' module has been deprecated in favour of the browser-
  native URL interface, which is now provided in all supported user agents. For
  details, see <https://developer.mozilla.org/en-US/docs/Web/API/URL>.
* The parameter $default in WebRequest::getRawVal() is deprecated. Use ??
  instead.
* SpecialBlock::processForm(), SpecialBlock::parseExpiryInput() and
  SpecialBlock::canBlockEmail(), deprecated since 1.36, and
  SpecialBlock::getSuggestedDurations(), deprecated since 1.42, now emit
  deprecation warnings.
* The following soft deprecated Skin methods will now emit warnings:
  - Skin::makeSpecialUrl (use SkinComponentUtils::makeSpecialUrl instead)
  - Skin::makeSpecialUrlSubpage (use SkinComponentUtils::makeSpecialUrlSubpage
    instead)
* The SkinFactory::getSkinNames deprecated in 1.37 now emits warnings,
   use getInstalledSkins instead.

=== Other changes in 1.43 ===

* Class aliases to support the old PHPUnit 4 style un-namespaced `PHPUnit_`
  classes (such as PHPUnit_Framework_Error) have been removed.
* [Temporary accounts] If $wgAutoCreateTempUser is enabled, then MediaWiki
  will create a temporary account and log the user in for unsuccessful edit
  attempts and null edits, in addition to edits that change content. This is
  a change from the previous paradigm, where temporary accounts were created
  only for successful edits. This change is done to support better logging
  support and moderation, to ensure that hooks run in a pre-save context have
  a user object to associate log entries and other actions with.
* Several entries have been removed from the default list of interwikis used
  when installing new wikis. This does not affect existing wikis.
* User auto-creations are now performed as the target user instead of
  anonymous IP user.
* [Temporary accounts] T359043 Temporary accounts for anonymous edits are
  enabled in DevelopmentSettings.php. To disable the feature, set
  `$wgAutoCreateTempUser['enabled'] = false;` in LocalSettings.php
* Corrected the interpretation of empty arrays in extension configuration when
  the default value is null. Previously, an empty array specified by the
  administrator would transform into the default null value. It now
  appropriately retains its empty array state.
* (T362536) Exempted "deletedhistory", "deletedtext", and "viewsuppressed"
  rights from namespace protection ($wgNamespaceProtection) since that's
  only meant to prevent write actions.
* Image captions are no longer trimmed.
* 'SpecialPasswordResetOnSubmit' hook handlers can now receive both the
  username and the email provided by the user, instead of only one of them.
* (T231827, T249976) Searchindex now uses utf8mb4,
  si_page is marked as PK and si_title can handle longer title values.

== Compatibility ==

MediaWiki 1.43 requires PHP 8.1.0 or later and the following PHP extensions:

* ctype
* dom
* fileinfo
* iconv
* intl
* json
* mbstring
* openssl
* xml

MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can
be used instead, but support for them is somewhat less mature.

The supported versions are:

* MariaDB 10.3 or higher
* MySQL 5.7.0 or higher
* PostgreSQL 10 or later
* SQLite 3.8.0 or later

== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

  <https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation>

== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:

  <https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/>

A low-traffic announcements-only list is also available:

  <https://lists.wikimedia.org/postorius/lists/mediawiki-announce.lists.wikimedia.org/>

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==
There's usually someone online in #mediawiki on irc.libera.chat.