Release notes/1.40


MediaWiki 1.40[edit]

MediaWiki 1.40.2[edit]

This is a security and maintenance release of the MediaWiki 1.40 branch.

Changes since MediaWiki 1.40.1[edit]

  • Localisation updates.
  • Updated symfony/polyfill-php80 from 1.27.0 to 1.28.0.
  • Updated symfony/polyfill-php81 from 1.27.0 to 1.28.0.
  • (T344912) mail: Encode period (ascii 46) if it appears in encoded email header.
  • Added symfony/polyfill-php82.
  • Added symfony/polyfill-php83.
  • Updated symfony/yaml from 5.4.17 to 5.4.23.
  • Updated wikimedia/timestamp from 4.1.0 to 4.1.1.
  • tests: Provide coverage for StatusValue::__toString.
  • StatusValue: Improve logging/debug output with multibyte characters.
  • (T347726, CVE-2023-PENDING) SECURITY: logging: Fix non-escaped messages used in rights log.
  • Updated wikimedia/parsoid from 0.17.0 to 0.17.1.
  • (T229992) LocalisationCache: Preserve fallback source language info.
  • (T340840) Title: Check local fallbacks for system message.
  • (T346332) Installer: Make Minerva works correctly for $wgDefaultSkin.
  • specials: Use options-messages on Special:RevisionDelete.
  • Fix use of buildComparison() in uppercaseTitlesForUnicodeTransition.php.
  • (T275085) Fix logging Status objects to 'authevents' channel.
  • (T341310) mention git clone and WSL.
  • (T351758) reword WSL instructions to include best practices.
  • (T350615) PoolCounterConnectionManager: Add support for ipv6.
  • ParsoidCachePrewarmJob::newSpec() now requires a PageRecord as the second parameter instead of a page ID.
  • (T341123) ParsoidCachePrewarmJob: enable deduplication.
  • (T349115) LocalisationCache: Fix a rare case in fallback source language.
  • (T351848) language: Avoid multiple signs in Language::userAdjust.
  • SwiftFileBackend: Fix "PHP Deprecated: strlen(): Passing null to parameter #1 ($string) of type string is deprecated".
  • maintenance: Add missing parenthesis to SQL in attachLatest.php.
  • (T321234) Make MagicWordArray not fail on old revs with broken UTF-8.
  • thumb: Fix "PHP Deprecated: strlen(): Passing null to parameter".
  • (T327007) htmlform: Correct validation for file input field.

MediaWiki 1.40.1[edit]

This is a security and maintenance release of the MediaWiki 1.40 branch.

Changes since MediaWiki 1.40.0[edit]

  • Localisation updates.
  • (task T333050, CVE-2023-45363) SECURITY: Fix infinite loop for self-redirects with variants conversion.
  • docs: Fix a few typos in MainConfigSchema.
  • (task T290464) Add DiscussionTools bundling to release notes.
  • (task T309714) mime: Add support for 'font/sfnt' MIME type.
  • (task T341434) WikiImporter: Improve error message output.
  • (task T341737) ApiBase: Cast $id to string in filterIDs.
  • (task T286291, task T296188) Merge zh and zh-tw namespace translations back to zh-hans, zh-hant, zh-hk respectively.
  • (task T337875) WRStats: Round up SequenceSpec::hardExpiry to the nearest integer.
  • (task T237898) installer: Check MariaDB version in updater/installer.
  • (task T342632) ApiComparePages: Add help url.
  • (task T326182, task T324903) EditPage: Add #[AllowDynamicProperties].
  • (task T342351) rdbms: Fix postgres db function call.
  • (task T343675) user: Use {@} to escape annotation when writting about annotation.
  • (task T343797) LanguageWa: Fix double timezone adjustment.
  • (task T343669) skins: Avoid function call on array.
  • (task T326454) Update pear/mail to 1.5.1.
  • (task T343622) docs: Set the <comment> tag back to optional.
  • (task T330528) Upgrade wikimedia/html-formatter from 3.0.1 to 4.0.3.
  • Updated jQuery from v3.6.1 to v3.7.1.
  • (task T337463) wdio-mediawiki: await saveScreenshot.
  • (task T208477) $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.
  • doc: Improve description of "type" in extension.schema.v2.json.
  • Added PrivilegedGroups attribute for extension.json / skin.json, which lets you add any new user groups you define to wgPrivilegedGroups (see above).
  • (task T288624) MultiHttpClient: Unset $this->cmh after closing it.
  • (task T345039) Do not run SkinAfterBottomScripts hook twice unconditionally.
  • (task T265734) API Help: Note that parameters may be inherited from other context.
  • (task T285545) i18n: Split apihelp for standard dir parameter.
  • (task T285545) i18n: Split apihelp for redirects/linkshere/transcludedin/fileusage show.
  • (task T285545) i18n: Split apihelp for parameter list=deletedrevs&drprop=.
  • (task T285545) i18n: Split apihelp for parameter list=allpages&apprexpiry=.
  • (task T285545) i18n: Split apihelp for parameter action=opensearch&redirects=.
  • (task T285545) i18n: Split apihelp for parameter action=managetags&operation=.
  • (task T285545) api: Add message for list=watchlist&wlprop=expiry.
  • (task T334011) ApiComparePages: expose 'difftype' param if wikidiff2 is installed.
  • (task T342633) api: Add message for action=compare&prop=timestamp.
  • API: revids=… does not necessarily return the queried revisions.
  • (task T235207) Get correct main page in API call examples.
  • doc: Make extension.schema.v2.json a valid JSON schema.
  • (task T326696) Add since tag to UserOptionsManager::MAX_BYTES_OPTION_VALUE.
  • (T310378) Ensure that installer i18n is loaded by update.php.
  • updateSpecialPages.php: Avoid implicit float conversion on modulo.
  • (task T347227) ImportReporter: Make callback functions public.
  • (task T346898) importDump: Unconditionally call $importer->setUsernamePrefix().
  • (T204470) Remove feedback messages from RawHtmlMessages.
  • (T127268) MainConfigSchema: Update doc for "ResourceLoader: Default File modules to mobile and desktop targets".
  • (T264765, CVE-2023-45364) SECURITY: Article: Check permissions before showing link to view deleted revision.
  • doc: Improve description of type in extension.schema.v1.json.
  • (task T340217, CVE-2023-45359) SECURITY: Vector 2022: Numerous unescaped messages leading to potential XSS.
  • (task T340220, CVE-2023-45361) SECURITY: Vector 2022: vector-intro-page message is assumed to yield a valid title.
  • (task T340221, CVE-2023-45360) SECURITY: XSS via 'youhavenewmessagesmanyusers' and 'youhavenewmessages' messages.
  • (task T341529, CVE-2023-45362) SECURITY: diff-multi-sameuser ("X intermediate revisions by the same user not shown") ignores username suppression.
  • (task T341565, CVE-2023-3550) SECURITY: Stored XSS when uploading crafted XML file to Special:Upload (non standard configuration).

MediaWiki 1.40.0[edit]

Changes since MediaWiki 1.40.0-rc.0[edit]

  • Localisation updates.
  • (task T330464) Work around argument corruption bug in XMLReader::open.
  • build: Updating mediawiki/mediawiki-phan-config to 0.12.1.
  • Fix frame and frameless rdfa depending on file existing.
  • (task T329214) Pass whether current rev of file exists to Linker::makeBrokenImageLinkObj.
  • (task T334659) Handle thumb errors when !$enableLegacyMediaDOM.
  • A manualthumb that doesn't exist should be considered a thumb error.
  • (task T313157) IndexPager: Also protect against $offset being 0.
  • (task T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

MediaWiki 1.40.0-rc.0[edit]

Upgrading notes for 1.40[edit]

Don't forget to always back up your database before upgrading!

See the file UPGRADE for more detailed per-version upgrade instructions from the oldest supported upgrading version, MediaWiki 1.35.

Some specific notes for MediaWiki 1.40 upgrades are below:

  • Maintenance scripts should now be executed using maintenance/run.php, e.g. maintenance/run.php update not maintenance/update.php as before.
  • Five extensions have now been bundled with MediaWiki:
    • The DiscussionTools extension, which provides a forum-like editing experience for wikitext-based discussion pages.
    • The Echo extension, which provides a system of user notifications.
    • The Linter extension, which warns about use of deprecated wikitext.
    • The LoginNotify extension, which warns users about failed attempted logins.
    • The Thanks extension, which lets users thank editors for edits.
  • The Renameuser extension has been moved to MediaWiki core. It is now possible to rename users without installing an extension. The extension had already been bundled with MediaWiki since 1.18.

For notes on 1.39.x and older releases, see HISTORY.

Configuration changes for system administrators in 1.40[edit]

  • When computing PBKDF2 password hashes, MediaWiki now detects and uses OpenSSL support if available, unless $wgPasswordConfig['pbkdf2']['class'] is set in LocalSettings.php. OpenSSL is more efficient, so if that setting is present, you should remove it (or set it to 'Pbkdf2PasswordUsingOpenSSL' if possible). If users get an internal error when trying to log in, you can try setting it to 'Pbkdf2PasswordUsingHashExtension'. In particular, this would be necessary if existing PBKDF2 password hashes were computed using a hash algorithm other than "sha512" or "sha256" (the current and prior defaults).
  • You should configure your webserver to return the http header 'X-Content-Type-Options: nosniff' for the /images directory. This will instruct browsers to not apply content sniffing when accessing the files. MediaWiki before 1.40 shipped with a content sniffer which disallowed potentially dangerous files at upload time, but this protection has now been removed in favor of this 'X-Content-Type-Options: nosniff' header and the installer will return a warning when it is not in place.
  • Support for MW_USE_LEGACY_DEFAULT_SETTINGS has been removed, setting this constant will not have any effect. Use of MW_USE_LEGACY_DEFAULT_SETTINGS had been deprecated since 1.39.

New configuration[edit]

  • $wgThumbnailNamespaces - This setting lets you define the namespaces for which image thumbnails (or a placeholder in the absence of a thumbnail) will be displayed on Special:Search.
  • $wgResourceLoaderClientPreferences – This experimental flag lets you enable client-side preferences for logged-out users.
  • $wgExternalLinksSchemaMigrationStage – This temporary flag lets you control the migration stage for the new schema for the external links database table. Ignore it unless you have a large wiki farm with complex migration needs.
  • $wgCommentTempTableSchemaMigrationStage – This temporary flag lets you control the migration stage for the temporary comment database table, from revision. Ignore it unless you have a large wiki farm with complex migration needs.
  • $wgSpecialContributeSkinsEnabled – This setting lets you list skins on which Special:Contribute is available, for where others don't work for the feature.
  • $wgPrivilegedGroups – Users belonging in some of the listed groups will be audited more aggressively.

Changed configuration[edit]

  • $wgPasswordPolicies – This setting, which controls what makes for a valid password for wiki accounts, has been adjusted to raise the minimal password length from 1 to 8 characters. The initial limit of 1 has been in place since MediaWiki 1.26. If you wish to allow shorter passwords, you can over-ride it in your LocalSettings following the guidance on
  • (task T254045) New accounts can no longer use an equals sign (=) in their usernames because of issues it causes in wikitext syntax. This can be adjusted by changing the value of $wgInvalidUsernameCharacters .
  • (task T314318) $wgParserEnableLegacyMediaDOM – This setting has been changed, so the alternative modern HTML structure for media is now the default. You can disable it for now by over-riding this back to `true` in LocalSettings, but this configuration will be removed in future versions of MediaWiki. For more details, see the documentation at:
  • $wgWatchlistExpiryMaxDuration – This setting, which controls the maximum allowed duration for users to set their temporary watchlist entries for expiry if that feature is enabled, has been increased from 6 months to 1 year.

Removed configuration[edit]

  • $wgShellboxUrl – This setting, deprecated in 1.37, has now been removed; use $wgShellboxUrls instead.
  • $wgMainWANCache and $wgWANObjectCaches – These never-used settings have been removed. To inject WANObjectCache parameters, use $wgWANObjectCache instead. These variables were introduced for multi-DC wiki farms to add a separate memcached proxy for cross-DC relaying of purges but never used because WANObjectCache works based on route prefixes, which can be transparently handled by the main memcached proxy.
  • $wgParserTestFiles – This setting, deprecated in 1.30, has now been removed; extensions can place their parser test files in `tests/parser` instead.
  • (task T231412) $wgAutoloadAttemptLowercase – This setting, deprecated in 1.35, no longer has any effect. If you run into difficulties, fix the names of miscased local files.
  • (task T309787) $wgVerifyMimeTypeIE – This setting, to provide extra security checks for very old versions of Internet Explorer clients, was removed. These user agents aren't used in practice, and haven't been served JavaScript content for years.

New user-facing features in 1.40[edit]

  • Special:Search can now show thumbnails for results for titles outside NS_FILE. This is controlled via the new onSearchResultProvideThumbnail hook.
  • A new preference ('search-thumbnail-extra-namespaces') to allow users to control whether to show more thumbnails (per $wgThumbnailNamespaces )
  • (task T324910) On pages using multi-content revisions, the raw content of a specific slot can be retrieved using the action=raw&slot=<role-name> query parameters.
  • (task T313804) The preferences page now provides a search bar to find preferences, regardless of the tab on which they appear.

New developer features in 1.40[edit]

  • The MediaWiki-Docker development environment is now configured to run on PHP 8.1 by default, up from PHP 7.4 now that that's EOL.
  • Vue development mode is enabled by default in DevelopmentSettings.php
  • (task T277618) The @noVarDump annotation from the DebugInfoTrait tool can now be added to references to stop them from being expanded when their object is passed to var_dump(), to make its use for debugging more feasible.
  • The ApiSandbox will now by default request responses in the latest API format, rather than the original format. Users can set `formatversion` to a different value if needed.
  • A new hook, GetBlockErrorMessageKeyHook, allows extensions' block error messages to be received and displayed by BlockErrorFormatter.
  • A new hook, SpecialCreateAccountBenefits, lets extensions and local code set custom content on the signup page about the benefits of using an account.
  • (task T321412) A new 'PageUndeleteComplete' hook has been added for more thorough information about a page post restoration than the 'PageUndelete' hook passes. This provides similar functionality to the 'PageDeleteComplete' hook.
  • The Linker::specialLink() method can now link to a Special page's with a sub-page or action parameter set, e.g. Special:Contributions/JohnDoe.
  • The PHPUnit entrypoints (tests/phpunit/phpunit.php and vendor/bin/phpunit) now check if composer dependencies are up-to-date, like update.php, using CheckComposerLockUpToDate. To disable this check, use MW_SKIP_EXTERNAL_DEPENDENCIES=1 environment flag when running PHPUnit.
  • ManualLogEntry::setForceBotFlag() has been added to allow the forcing of the bot flag for log entries which are inserted to the recent changes.

External library changes in 1.40[edit]

New external libraries[edit]

New development-only external libraries[edit]

Changed external libraries[edit]

Changed development-only external libraries[edit]

Removed external libraries[edit]

  • jquery.throttle-debounce, deprecated since MediaWiki 1.33.
  • WVUI, deprecated since MediaWiki 1.39.

Action API changes in 1.40[edit]

  • New `cancreateaccount` parameter on action=query&meta=userinfo that allows you to check if the user can create an account. Some of the errors that have previously been returned by action=query&list=users&usprop=cancreate are now returned here.

Languages updated in 1.40[edit]

MediaWiki supports over 400 languages. Many localisations are updated regularly. Below only new and removed languages are listed, as well as changes to languages because of Phabricator reports.

Breaking changes in 1.40[edit]

  • OutputPage::enableClientCache no longer accepts a parameter, nor does it return the current value. It simply sets the OutputPage::mEnableClientCache to true. Use OutputPage::disableClientCache to disable client side caching instead.
  • ResourceLoader::makeMessageSetScript, unused since 1.26, has been removed without deprecation.
  • Changes to skins:
    • The internal protected method Skin::getFooterLinks() was removed. It had no known usages. Different from SkinTemplate::getFooterLinks.
    • The internal public method Skin::getSiteFooterLinks() was removed. It had no known usages.
  • The 'oojs-router' module has been removed without deprecation in favour of the 'mediawiki.router' wrapper module.
  • BagOStuff::makeKeyInternal(), deprecated for public use in 1.36, is now a protected method of MediumSpecificBagOStuff.
  • WANObjectCache::reap() and WANObjectCache::reapCheckKey(), deprecated since 1.39, have been removed.
  • The EnqueueJob class, unused since 1.31, has been removed without deprecation.
  • JobQueueGroup::singleton() and ::destroySingletons(), deprecated since 1.37, have been removed.
  • JobRunner no longer supports manually calling the constructor, use MediaWikiServices::getInstance()->getJobRunner() instead.
  • JobRunner::setLogger, deprecated since 1.35, has been removed.
  • ContextSource::getStats, deprecated since 1.27, has been removed.
  • The following public properties of Parser, deprecated in 1.35, have been made private: Parser::$mLinkId, Parser::$mIncludeSizes, Parser::$mDoubleUnderscore, Parser::$mShowToc, Parser::$mRevisionId, Parser::$mRevisionTimestamp, Parser::$mRevisionUser, Parser::$mRevisionSize, Parser::$mInputSize, Parser::$mInParse, Parser::$mFirstCall, Parser::$mGeneratedPPNodeCount
  • The MWGrants class, deprecated since 1.38, has been removed.
  • PageProps::getInstance(), deprecated since 1.38, has been removed.
  • Global functions wfReadOnly and wfReadOnlyReason, deprecated since 1.38, have been removed.
  • Global function wfQueriesMustScale, deprecated since 1.39, has been removed.
  • Global function wfLogProfilingData, deprecated since 1.38, has been removed.
  • The HTMLCacheUpdate class, deprecated since 1.34, has been removed.
  • Linker::normaliseSpecialPage(), deprecated since 1.35, has been removed.
  • MWTimestamp::getHumanTimestamp(), deprecated since 1.26, has been removed.
  • Collation::singleton() and ::factory(), deprecated since 1.37, have been removed.
  • SpecialVersion::listToText() and SpecialVersion::arrayToString() have become private or internal without deprecation.
  • The 'ParserTestFiles' key in the schema for extension.json has been removed. This was deprecated in 1.30 and the corresponding $wgParserTestFiles configuration variable has also been removed in this release. Extensions can put parser test files in their `tests/parser` directory to have them automatically run.
  • DBLockManager, MySqlLockManager, and PostgreSqlLockManager have been removed without deprecation.
  • MediaWikiTestCaseTrait::checkPHPExtension() has been removed without deprecation. Use PHPUnit @requires annotations instead.
  • EditPage::getCopywarn(), deprecated since 1.38, has been removed.
  • EditPage::getCopyrightWarning() now requires a MessageLocalizer parameter. Use of other parameter types or omitting it was deprecated since 1.38.
  • Action constructor now requires Article and IContextSource parameters. Use of other parameter types or omitting them was deprecated since 1.35.
  • Article::viewRedirect(), deprecated since 1.30, has been removed.
  • Title::getNotificationTimestamp(), deprecated since 1.35, has been removed.
  • WikiRevision::$fileIsTemp property, deprecated since 1.29, has been removed.
  • Use of CommentStore::insertWithTempTable() with 'img_description' is no longer supported, it was deprecated since 1.32. Use CommentStore::insert() instead.
  • Return values in the parameter $pageLang of the PageContentLanguage hook with other types than a Language object, deprecated since 1.33 & emitting warnings since 1.38, now throws an exception.
  • FormatMetadata::flattenArrayContentLang(), deprecated since 1.36, has been removed.
  • WikiRevision::downloadSource() and ::importUpload(), deprecated since 1.31, have been removed.
  • DataUpdate::runUpdates(), deprecated since 1.28, has been removed.
  • CdnCacheUpdate::newFromTitles(), deprecated since 1.35, has been removed.
  • HtmlFileCacheUpdate::newFromTitles(), deprecated since 1.37, has been removed.
  • BaseTemplate::renderAfterPortlet() and ::getAfterPortlet(), has been removed. Use the corresponding methods in Skin class.
  • DifferenceEngine::textDiff(), deprecated since 1.32, has been removed.
  • Skin::getSearchPageTitle() and Skin::setSearchPageTitle(), deprecated since 1.38, have been removed.
  • DifferenceEngine::getDiffBodyCacheKey(), deprecated since 1.31, has been removed.
  • ForeignDBViaLBRepo::getMasterDB(), LocalRepo::getMasterDB(), and JobQueueDB::getMasterDB(), deprecated since 1.37, have been removed.
  • Clarified that the InitializeArticleMaybeRedirect hook should not change its $article parameter; the behavior when doing so was previously undocumented.
  • IDatabase::ping()'s $rtt parameter was removed without deprecation.
  • IDatabase::setBigSelects(), unused, was removed without deprecation.
  • IDatabase::attributesFromType(), unused, was removed without deprecation.
  • IMaintainableDatabase::deadlockLoop() was removed without deprecation.
  • DatabasePostgres::remappedTableName(), deprecated since 1.37, has been removed.
  • ILBFactory::getChronologyProtectorClientId and ::commitAll, unused, were removed without deprecation.
  • LoadBalancer::haveIndex() and ::isNonZeroLoad(), deprecated in 1.34, have been removed.
  • LoadBalancer::getLazyConnectionRef(), deprecated in 1.38, has been removed.
  • ILBFactory::forEachLB(), deprecated in 1.39, has been removed.
  • LoadBalancer::getTransactionRoundStage and ::commitAll, unused, were removed without deprecation.
  • ILoadBalancer::getLaggedReplicaMode, unused, was removed without deprecation. Use ILBFactory::laggedReplicaUsed() instead.
  • Optional parameters of ILoadBalancer::waitForPrimaryPos(), $pos and $timeout have been removed without deprecation as they are unused.
  • LoadMonitorMysql was removed without deprecation. Use LoadMonitor instead.
  • IDatabase::selectDB(), deprecated since 1.32, has been removed. Use IDatabase::selectDomain() instead.
  • The following deprecated hooks have been removed:
    • BaseTemplateAfterPortlet, deprecated in 1.35
    • BeforeParserFetchTemplateAndtitle, deprecated in 1.36
    • BeforeParserrenderImageGallery, deprecated in 1.35
    • InternalParseBeforeSanitize, deprecated in 1.35
    • LinksUpdateConstructed, deprecated in 1.38
    • LinksUpdateAfterInsert, deprecated in 1.38
    • ParserSectionCreate, deprecated in 1.35
    • ResourceLoaderTestModules, deprecated in 1.33
    • SpecialMuteSubmit, deprecated in 1.35
    • UserLoadFromDatabase, deprecated in 1.37
    • UserSetCookies, deprecated in 1.27
  • RemexDriver::__construct() now only accepts a ServiceOptions instance as the only argument. Passing an array was deprecated since 1.36.
  • TidyDriverBase::supportsValidate(), deprecated since 1.36, has been removed.
  • RevDelList::reloadFromMaster(), deprecated since 1.37, has been removed.
  • ExternalStoreDB::getMaster(), deprecated since 1.37, has been removed.
  • DeletePage::deletionWasScheduled(), deprecated since 1.38, has been removed.
  • The SearchResultProvideThumbnailHook (which was unstable) and now no longer used, has been removed. Use SearchResultProvideThumbnailHook in the search namespace: MediaWiki\Search\Hook\SearchResultProvideThumbnailHook.
  • Command::cgroup(), deprecated since 1.36, has been removed.
  • When running tests, the serialize_precision INI setting is now set to -1 (current PHP default) instead of 17. Extension tests may need to be adjusted accordingly; string representations of floating-point numbers in serialized or JSON-encoded data may change.
  • WikiRevision::$sha1base36 is now private.
  • IcuCollation::getUnicodeVersionForICU() was removed without deprecation.
  • LinkFilter::supportsIDN() was removed without deprecation.
  • The ability to pass null for the errorData parameter of HttpException and LocalizedHttpException was removed without deprecation.
  • ApiQueryExtLinksUsage::getProtocolPrefix() and ::prepareProtocols() have been moved to LinkFilter with the same name.
  • .box-sizing() Less mixin, deprecated since 1.37, has been removed. Use CSS box-sizing now.
  • MimeAnalyzer::getIEMimeTypes() and IEContentAnalyzer were removed.
  • Language::commafy and mw.language.commafy, deprecated since 1.36, has been removed.
  • BagOStuff::decr(), deprecated since 1.28, has been removed.
  • BagOStuff::incr(), deprecated since 1.28, has been removed.

Deprecations in 1.40[edit]

  • Changes to skins:
    • The public Skin::footerLink is deprecated. Use SkinComponentMenuLink::getTemplateData instead. It now emits deprecation warnings.
    • The protected Skin::lastModified is deprecated, and marked for @internal use and now emits deprecation warnings.
  • Manipulating $wgHooks after initialization is deprecated. HookContainer::register() or HookContainer::scopedRegister() should be used instead. During initialization, SettingsBuilder::registerHookHandlers can be used. For backwards compatibility, $wgHooks is replaced by a fake array that calls methods on HookContainer. $wgHooks can still be used as a configuration variable, only dynamic manipulation is deprecated.
  • ParserOptions::{get,set}ExternalLinkTarget() and ParserOptions::{get,set}MaxTemplateDepth() have been deprecated and marked for @internal use only.
  • ParserOutput::getCategories() has been deprecated; use ::getCategoryNames() and ::getCategorySortKey() instead.
  • ParserOutput::{get,set}TOCHTML() has been deprecated; use ::{get,set}TOCData() instead.
  • TransactionProfiler::setSilenced() is deprecated. Use TransactionProfiler::silenceForScope() instead.
  • The following methods in the Title class, deprecated since 1.37, emits deprecations warnings:
    • ::areCascadeProtectionSourcesLoaded()
    • ::areRestrictionsCascading()
    • ::areRestrictionsLoaded()
    • ::getAllRestrictions()
    • ::getCascadeProtectionSources()
    • ::getFilteredRestrictionTypes()
    • ::getRestrictionExpiry()
    • ::getRestrictionTypes()
    • ::getRestrictions()
    • ::isCascadeProtected()
    • ::isProtected()
    • ::isSemiProtected()
    • ::loadRestrictionsFromRows()
  • The class Pbkdf2Password was renamed to Pbkdf2PasswordUsingHashExtension, and the old name is now deprecated.
  • WikiPage::factory(), ::newFromID() and ::newFromRow, deprecated in 1.36, now emit deprecation warnings.
  • Manually constructing a LinkBatch object, deprecated in 1.35, now emits deprecation warnings. Use LinkBatchFactory instead.
  • Calling MediaWikiSite::getFileUrl() without a $path argument is deprecated. If you need the "generic" full file path, with $1 not replaced by anything, call $site->getPath( MediaWikiSite::PATH_FILE ) directly.
  • In SessionConsistentConnectionManager, the methods getReadConnectionRef() and getWriteConnectionRef() are deprecated; the ConnectionManager methods they override had been deprecated already.
  • Database::wasErrorReissuable() is deprecated.
  • MimeAnalyzer::isPHPImageType was not used and will now emit deprecation warnings.
  • GenericArrayObject, originally developed for Wikibase and SiteList, has been deprecated. Use built-in ArrayObject directly instead.
  • Parser::getFunctionLang() has been deprecated; use Parser::getTargetLanguage() instead.
  • MagicWordArray::getVariableRegex(), deprecated in 1.36, now emits deprecation warnings.
  • AbstractBlock::getId() now emits deprecation warnings in case of cross-wiki access. This use was deprecated in 1.38.
  • CommentStore::getStore, deprecated in 1.31, now emits deprecation warnings.
  • BacklinkCache::get(), ::getLinks() and ::getCascadeProtectedLinks(), deprecated in 1.37, now emit deprecation warnings.
  • LanguageConverterFactory::isTitleConversionDisabled(), deprecated in 1.36, now emits deprecation warnings.
  • Language::getFileName(), ::getMessagesFileName() and ::getJsonMessagesFileName(), deprecated in 1.34, now emit deprecation warnings.
  • Language::getLocalisationCache(), deprecated in 1.34, also Language::getMessagesFor(), ::getMessageFor() and ::getMessageKeysFor(), deprecated in 1.35, now emit deprecation warnings.
  • User::incEditCount(), deprecated in 1.37, now emits deprecation warnings.
  • User::idFromName(), deprecated in 1.37, now emits deprecation warnings.
  • The ability to override and use User::$mRights, deprecated in 1.34, now emits deprecation warnings.
  • IndexPager::getHookContainer is deprecated and emits deprecation warnings. Inject a HookContainer instead.
  • User::getGroupPermissions(), ::getGroupsWithPermission() and ::groupHasPermission(), deprecated in 1.34, now emit deprecation warnings.
  • PermissionManager::getGroupPermissions(), ::getGroupsWithPermission() and ::groupHasPermission(), deprecated in 1.36, now emit deprecation warnings.
  • Global function wfShowingResults is deprecated and emits deprecation warnings.
  • UserGroupMembership::getGroupMemberName is deprecated, the deprecation of UserGroupMembership::getGroupName in 1.38 missed a release note. Use Language::getGroupMemberName or ::getGroupName instead.
  • AbstractBlock::getPermissionsError(), deprecated in 1.35, now emits deprecation warnings.
  • SearchEngine::getNearMatcher() and ::getDefaultMatcher() have been deprecated in favor of MediaWikiServices::getInstance()->getTitleMatcher().
  • SearchNearMatcher class has been deprecated in 1.40 in favor of TitleMatcher.
  • The following functions are deprecated: User::isBlockedGlobally and User::getGlobalBlock. Use User::getBlock instead.
  • The UserIsBlockedGlobally hook is deprecated. Use GetUserBlock hook instead.
  • The SystemBlock type global-block is deprecated. GlobalBlocks are now added into CompositeBlocks via the GetUserBlock hook.
  • Language::isWellFormedLanguageTag(), deprecated in 1.39, now emits deprecation notices. Please use LanguageCode::isWellFormedLanguageTag() instead.
  • Language::fetchLanguageNames() and ::fetchLanguageName(), deprecated in 1.34, now emit deprecation warnings.
  • Language::getFallbackFor(), ::getFallbacksIncludingSiteLanguage() and ::getFallbacksFor(), deprecated in 1.35, now emit deprecation warnings.
  • Language::isSupportedLanguage(), ::isValidCode(), ::isValidBuiltInCode() and ::isKnownLanguageTag(), deprecated in 1.34, now emit deprecation warnings.
  • Language::getConverter(), ::autoConvert(), ::autoConvertToAllVariants(), ::convert(), ::convertNamespace(), ::convertHtml(), ::convertCategoryKey(), ::getVariants(), ::hasVariants(), ::hasVariant(), ::getDefaultVariant(), ::getURLVariant(), ::getExtraHashOptions(), ::getConvRuleTitle(), deprecated in 1.35, now emit deprecation warnings.
  • Language::factory() and ::getParentLanguage(), deprecated in 1.35, now emit deprecation warnings.
  • Executing maintenance scripts directly is deprecated. The maintenance/run.php entry point should be used instead.
  • MWHttpRequest::factory, deprecated in 1.34, now emits deprecation warnings.
  • Job::factory is deprecated, use JobFactory::newJob instead.
  • Http::request(), ::get(), ::post(), ::userAgent() and ::isValidURI(), deprecated in 1.34, now emit deprecation warnings.
  • Title.js's confusingly-named getName() and getNameText() methods, for using media files' pages, have been renamed to getFileNameWithoutExtension() and getFileNameTextWithoutExtension() respectively. The old names are deprecated.
  • Command::whitelistPaths() should now emit deprecation warnings. Make use of Command::allowPaths/disallowPaths() instead.
  • When manually creating an HTMLFormField (i.e. not via HTMLForm::factory), it is deprecated to not include the "parent" field as one of the parameters.
  • The MWException class is deprecated. Use native exceptions, either directly or as base classes.
  • SelectQueryBuilder::lockForUpdate() is deprecated. Use ::forUpdate() with ::fetchRowCount() or ::acquireRowLocks() instead.
  • ArticleUndelete hook is deprecated. Use PageUndeleteComplete hook instead.
  • The global function wfReportTime() is now deprecated.
  • PrevNextNavigationRenderer, deprecated in 1.39, now emits deprecation warnings.
  • PagerNavigationBuilder::setMakeLinkCallback(), deprecated in 1.39, now emits deprecation warnings.
  • IndexPager::getPagingLinks(), IndexPager::getLimitLinks() and IndexPager::buildPrevNextNavigation(), deprecated in 1.39, now emit deprecation warnings.
  • Overriding the method IndexPager::makeLink(), deprecated in 1.39, now emits deprecation warnings.
  • The following class names were namespaced (and, for the special pages, also renamed), and the old class names are now deprecated:
    • MostimagesPage -> MediaWiki\Specials\SpecialMostImages
    • MovePageForm -> MediaWiki\Specials\SpecialMovePage
    • UserrightsPage -> MediaWiki\Specials\SpecialUserRights
    • WantedFilesPage -> MediaWiki\Specials\SpecialWantedFiles
    • WantedPagesPage -> MediaWiki\Specials\SpecialWantedPages
    • DerivativeRequest -> MediaWiki\Request\DerivativeRequest
    • FauxRequest -> MediaWiki\Request\FauxRequest
    • FauxRequestUpload -> MediaWiki\Request\FauxRequestUpload
    • PathRouter -> MediaWiki\Request\PathRouter
    • WebRequestUpload -> MediaWiki\Request\WebRequestUpload
    • HeaderCallback -> MediaWiki\Request\HeaderCallback
    • FauxResponse -> MediaWiki\Request\FauxResponse
    • WebResponse -> MediaWiki\Request\WebResponse
    • ForeignResourceManager -> MediaWiki\ResourceLoader\ForeignResourceManager
    • DummyLinker -> MediaWiki\Linker\DummyLinker
    • Linker -> MediaWiki\Linker\Linker
    • PageProps -> MediaWiki\Page\PageProps
    • MagicWord -> MediaWiki\Parser\MagicWord
    • MagicWordArray -> MediaWiki\Parser\MagicWordArray
    • MagicWordFactory -> MediaWiki\Parser\MagicWordFactory
    • RawMessage -> MediaWiki\Language\RawMessage
    • ActorMigration -> MediaWiki\User\ActorMigration
    • ActorMigrationBase -> MediaWiki\User\ActorMigrationBase
    • CategoriesRdf -> MediaWiki\Category\CategoriesRdf
    • Category -> MediaWiki\Category\Category
    • CategoryViewer -> MediaWiki\Category\CategoryViewer
    • TrackingCategories -> MediaWiki\Category\TrackingCategories
    • EditPage -> MediaWiki\EditPage\EditPage
    • TemplatesOnThisPageFormatter -> MediaWiki\EditPage\TemplatesOnThisPageFormatter
    • ContentSecurityPolicy -> MediaWiki\Request\ContentSecurityPolicy
    • FormOptions -> MediaWiki\Html\FormOptions
    • Html -> MediaWiki\Html\Html
    • HtmlHelper -> MediaWiki\Html\HtmlHelper
    • TemplateParser -> MediaWiki\Html\TemplateParser
    • FormOptions -> MediaWiki\Html\FormOptions
    • WikiMap -> MediaWiki\WikiMap\WikiMap
    • WikiReference -> MediaWiki\WikiMap\WikiReference
    • MediaWiki\BadFileLookup -> MediaWiki\Page\File\BadFileLookup
    • FileDeleteForm -> MediaWiki\Page\File\FileDeleteForm
    • MergeHistory -> MediaWiki\Page\MergeHistory
    • MovePage -> MediaWiki\Page\MovePage
    • ProtectionForm -> MediaWiki\Page\ProtectionForm
    • LinkFilter -> MediaWiki\ExternalLinks\LinkFilter
    • TitleArray -> MediaWiki\Title\TitleArray
    • TitleArrayFromResult -> MediaWiki\Title\TitleArrayFromResult
    • TitleFactory -> MediaWiki\Title\TitleFactory
    • Title -> MediaWiki\Title\Title
    • ForkController -> MediaWiki\Maintenance\ForkController
    • OrderedStreamingForkController -> MediaWiki\Maintenance\OrderedStreamingForkController
    • AtomFeed -> MediaWiki\Feed\AtomFeed
    • ChannelFeed -> MediaWiki\Feed\ChannelFeed
    • FeedItem -> MediaWiki\Feed\FeedItem
    • FeedUtils -> MediaWiki\Feed\FeedUtils
    • RSSFeed -> MediaWiki\Feed\RSSFeed
    • DeprecatedGlobal -> MediaWiki\StubObject\DeprecatedGlobal
    • StubGlobalUser -> MediaWiki\StubObject\StubGlobalUser
    • StubObject -> MediaWiki\StubObject\StubObject
    • StubUserLang -> MediaWiki\StubObject\StubUserLang
  • ContentHandler::getParserOutputForIndexing() and ::getDataForSearchIndex() now take an optional RevisionRecord parameter.
  • The SearchDataForIndex hook is deprecated in favor of SearchDataForIndex2
  • IDatabase::lastQuery and IReadableDatabase::lastQuery are deprecated without without replacement.

Other changes in 1.40[edit]

  • Calling RecentChange::doMarkPatrolled() with $auto = true has no effect and logs a warning. Since 1.31, it would mark the change as manually patrolled, but would not log it as such in patrol log and would still require 'autopatrol' right (not 'patrol'). Generally, whether a change should become autopatrolled, is usually determined before it's inserted in the database.
  • In versions of MediaWiki before 1.39, the table of contents location was marked internally with <mw:toc>...</mw:toc>; in version 1.39 this was changed to an empty tag <mw:tocplace />. In 1.40 this has been changed a final time to use an empty <meta> tag for future Parsoid compatibility (see Parser::TOC_PLACEHOLDER). This may affect you if stale content is left in the ParserCache or if your skin did manual ToC replacement without using the recommended Parser::replaceTableOfContentsMarker() function.
  • Skins can now choose which Codex theme should be loaded by setting the SkinCodexThemes attribute in their skin.json file.
  • The parser test framework has been updated, and the 'pst', 'ill', 'cat' and 'showflags' options have slight differences in their output. These options are not much used outside core, but third parties may need to update parser tests.
  • (task T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.


MediaWiki 1.40 requires PHP 7.4.3 or later and the following PHP extensions:

  • ctype
  • dom
  • fileinfo
  • iconv
  • intl
  • json
  • mbstring
  • xml

MariaDB is the recommended database software. MySQL, PostgreSQL, or SQLite can be used instead, but support for them is somewhat less mature.

The supported versions are:

  • MariaDB 10.3 or higher
  • MySQL 5.7.0 or higher
  • PostgreSQL 10 or later
  • SQLite 3.8.0 or later

Online documentation[edit]

Documentation for both end-users and site administrators is available on, and is covered under the GNU Free Documentation License (except for pages that explicitly state that their contents are in the public domain):

Mailing list[edit]

A mailing list is available for MediaWiki user support and discussion:

A low-traffic announcements-only list is also available:

It's highly recommended that you sign up for one of these lists if you're going to run a public MediaWiki, so you can be notified of security fixes.

IRC help[edit]

There's usually someone online in #mediawiki on