= MediaWiki 1.35 =

MediaWiki 1.35 should mostly work on PHP 8.0/8.1, however it is not
currently actively supported. Testing (on a development wiki!) is
appreciated, and bugs with PHP 8.0/8.1 on MediaWiki 1.35 will be accepted.

It is anticipated that in a later MediaWiki 1.35 point release, we can
declare 1.35 as supporting PHP 8.0/8.1.

PHP 8.0 workboard: https://phabricator.wikimedia.org/tag/php_8.0_support/
PHP 8.1 workboard: https://phabricator.wikimedia.org/tag/php_8.1_support/
PHP 8.2 workboard: https://phabricator.wikimedia.org/tag/php_8.2_support/
PHP 8.3 workboard: https://phabricator.wikimedia.org/tag/php_8.3_support/

== MediaWiki 1.35.12 ==

THIS IS NOT A RELEASE YET

=== Changes since MediaWiki 1.35.11 ===
* Localisation updates.

== MediaWiki 1.35.11 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.10 ===
* Localisation updates.
* (T333990) composer.json: Explicitly pin psr/http-message to 1.0.1.
* (T335203, CVE-2023-29197) SECURITY: Upgrading guzzlehttp/psr7
  (1.9.0 => 1.9.1).
* (T269636) Add Access-Control-Max-Age to $wgAllowedCorsHeaders.
* (T322944) Add Authorization to default $wgAllowedCorsHeaders.
* (T332889, CVE-2023-36675) SECURITY: Fix escaping in BlockLogFormatter.
* (T297917) objectcache: avoid use of ctype_digit() in
  WANObjectCache::adaptiveTTL().
* (T330464) Work around argument corruption bug in XMLReader::open.
* (T313157) IndexPager: Also protect against $offset being 0.
* (T335612, CVE-2023-36674) SECURITY: Move badFile lookup to Linker.

== MediaWiki 1.35.10 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.9 ===
* Localisation updates.
* (T324895) MWCallbackStream: Add explicit $stream property.
* Remove /images .htaccess rules that are no longer relevent.
* Disable php in .htaccess of images directory as a hardening measure.
* (T322583) Include missing message parameter in message.
* Fix phan error when Excimer is enabled.
* (T274966) tests: Make pass on php8.0.
* (T323373) Parser: Fix extractSections() behavior for PHP >= 8.0.
* (T326021) Add matrix: to $wgUrlProtocols.
* api/en.json: api-help-datatype-expiry add missing 'may'.
* (T225218) Wait until the recent changes are updated.
* (T328222) Pass empty string to strlen() if schema is null for
  PostgresDatabase.
* (T317329) OutputPage: Fix undefined ['host'] in ImagePreconnect code.
* (T289926) SpecialRevisionDelete: Set default of '' for wpReason.
* (T155582, T328503) Fix XML dumps for content types with non-string
  getNativeData().
* (T295958, T278847) MediaWiki-Docker: Switch PHP images to PHP7.4.
* (T314099) revisiondelete: Replace dynamic property Status::$itemStatuses.
* (T329198) ParamValidator: Improve paramvalidator-help-multi-max message.
* (T292348) WikiImporter: do not fail if upload entry in dump lacks 'text'
  tag.
* (T329484) API: Fix query+allimages user parameter description.
* (T330529) SpecialEditTags: Set default of '' for wpReason.
* (T330526) htmlform: Handle null from HTMLFormField::getDefault in
  multiselects.
* (T285159, CVE-2023-29141) SECURITY: Do not apply autoblocks to untrusted
  XFF headers.

== MediaWiki 1.35.9 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.8 ===
* Localisation updates.
* (T319000) WebInstaller: Don't try and run trim() on null.
* (T320864) When calling mail(), use an array for headers.
* (T311567) In ManualLogEntry, cast the comment to string.
* (T323082) Upgrading wikimedia/xmp-reader (0.7.0 => 0.8.5).
* Language: Handle ronna and quetta.
* (T304515) LCStoreStaticArray: atomically replace the cache file.
* (T324890, T324891, T324901) Parser: Allow dynamic properties on PHP 8.2.
* (T322637) SECURITY: sqlite should not create DB file world-readable.

== MediaWiki 1.35.8 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.7 ===
* Localisation updates.
* (T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
* (T311559) SpecialListFiles: user parameter isn't always present.
* (T311561) ImageListPager: Don't call htmlspecialchars() on null.
* (T311920) SpecialBlockList: Prevent passing null to trim().
* (T311921) SpecialUserrights: Don't pass null to str_replace.
* (T311570) SpecialWithoutInterwiki: Don't pass null through to
  Title::capitalize().
* (T311574, T311576) SpecialLinkSearch: Don't pass null through to the parser.
* (T312519, T312520) Parser::extensionSubstitution() Don't run substr() on null.
* (T287564) populateInterwiki: Include not null columns iw_api/iw_wikiid.
* (T312302) SpecialRedirect: Don't pass null to explode.
* RemoveInvalidEmails: Fix quoting for postgres.
* (T312678) import: UploadSourceAdapter::stream_read() don't pass null to
  strlen().
* (T312300) SpecialDiff: Don't pass null to explode().
* (T312680) parser: Fix CoreParserFunctions::urlencode() null coalescence $arg.
* (T289926) Handle null passed to wfShorthandToInteger() and Html::element().
* (T289926) Ensure that strlen() does not get passed a (valid) null.
* (T312301) SpecialDiff: Don't pass null to trim().
* Hooks: Use more meaningful name for SkinAfterPortlet hook parameter.
* (T289926) Ensure we don't pass null to mb_strlen.
* (T312305, T311572, T311571, T311578) HtmlForm: Null coalescence in trim()
  calls.
* (T289926) site: Consistently return null from Site::getDomain().
* (T307304, T289879) filebackend,jobqueue: Add signature for
  FilterIterator::accept().
* (T312183) rdbms: Adapt hasOrMadeRecentPrimaryChanges test mock for PHP 8.1.
* Add application/vnd.ms-opentype to MIME list.
* Allow composer/installers plugin in composer.json.
* (T313663) Make HandlerTestTrait compatible with php8.1.
* (T313663) [php8.1] Change override of $wgResourceBasePath for CSP tests.
* Change type hints for BatchRowIterator and NotRecursiveIterator for
  compatibility with PHP 8.1.
* (T313663) [php8] Don't use strlen on potentially null string.
* (T313663) [php8.1] Suppress test warning about providing null.
* (T313663) Parser will use current timestamp instead of null if passed a
  RevisionRecord that does not have a timestamp.
* (T313663) Add explicit null check for $sha in FileBackend [php8.1].
* (T313663) LogFormatter: Cast argument of ctype_digit to string [php8.1].
* (T289879, T289926) Get rid of warnings on PHP 8.1.
* rdbms: fix some PHP 8 warnings in Database/LoadBalancer/LBFactory.
* (T313663) Avoid testing strlen on null in ApiQuerySiteinfo [php 8.1 compat].
* Fix a couple deprecation warnings in the installer under PHP 8.1.
* (T313663) Use default timezone UTC for SpecialWatchlistTest [php 8.1].
* (T314096) Migrate use of ${var}-style string interpolation.
* (T313663, T313662) Make default value for optional args {{PAGESINCAT:..}} be
  '' not null.
* (T314225) SpecialCategories: Null coalescene $par.
* (T314099) User: Allow dynamic properties on PHP 8.2.
* (T314404) SpecialGoToInterwiki: Null coalescene $par.
* (T314397) SpecialBlock: Better handle null in getTargetUserTitle.
* (T314099) phpunit: Fix trivial dynamic property usages in tests.
* (T314405) UploadStash: Check if us_prop is set in the fileMetadata.
* (T314550) SpecialMergeHistory: Set timestamp to '' if no mergepoint.
* (T314551) SpecialMergeHistory: Set defaults for target and dest parameters.
* api: Add rel=nofollow to help examples.
* (T314824) tests: Update parser test after i18n change.
* (T263927) Add autocomplete HTML attribute to common auth form fields.
* (T307613) Validate length of user email on Special:ChangeEmail/
  Special:CreateAccount.
* (T314906, T314907) SpecialBlock: Set defaults for wpPageRestrictions and
  wpNamespaceRestrictions.
* (T315309) ImportStreamSource::newFromURL() Prevent passing null to fwrite.
* (T315892) composer.json: Pin phpunit to 8.5.28.
* (T229092) MigrateActors.php: ignore duplicate creations of actors.
* (T313049) Bump wikimedia/parsoid to v0.12.3.
* (T317750) session: Fix broken SessionTest case due to PHPUnit dependency
  change.
* (T318460) SpecialChangeEmail: Set default for returntoquery.
* (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results
  in an IP range check on Special:Contributions.
* (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes existence
  of hidden users.

== MediaWiki 1.35.7 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.6 ===
* Localisation updates.
* (T289879) Type hints for ArrayAccess.
* (T304783) TemplateParser: avoid warnings when called by NoLocalSettings.
* Rebuilt vendor with composer 2.3.3.
* (T289879) Address some deprecations for PHP 8.1.
* Fix old_name in UserLogoutComplete hook.
* (T286260, T307979) objectcache: normalize $exptime to a TTL in
  APCUBagOStuff/WinCacheBagOStuff.
* MediaSearchWidget should declare an explicit dependency on mediawiki.user
  module.
* (T288423) WikiImporter: Replace deprecated WikiRevision::setText.
* (T309377, CVE-2022-29248, T311384, CVE-2022-27776) Updating guzzlehttp/guzzle
  (6.5.5 => 6.5.8).
* (T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
* (T311272) Call parent constructor of AddSite maintenance script first.
* MediaWiki: Don't eagerly initialize action name.
* (T289926) Avoid passing null to trim() in SkinTemplate.
* (T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
* (T311552) ChangesListSpecialPage: Don't pass null to FormatJson::decode().
* (T311569) FileBackend::isStoragePath() Handle being passed null.
* (T311544) Pass int to ApiUsageException::newWithMessage()'s $httpCode param.
* (T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
* (T281741) ChangeTags: Fix adding CSS classes for hidden tags.
* (T296642) changetags: Fix management of a '0' tag.
* (T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
* (T303033) Handle null in ChangeTags::modifyDisplayQuery.

== MediaWiki 1.35.6 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.5 ===
* (T298261) Fix support for Composer 2.2.
* (T298283) composer.json: Add wikimedia/composer-merge-plugin to allow-plugins.
* Update doctrine/dbal (3.0.0 => 3.1.5).
* (T298564) MemcachedClient: Add support for IPv6.
* (T297543, CVE-2022-28202) SECURITY: properly escape output used within
  galleries and Special:RevisionDelete.
* (T268847) Suppress deprecation warnings from libxml_disable_entity_loader().
* (T283275) Fix PHP 8.0 failure of WikiExporterFactoryTest.
* (T274966) Upgrading wikimedia/html-formatter (1.0.2 => 2.0.1).
* Fix the json schema and the extension processor for Parsoid extension modules.
* (T299696) update.php: Avoid passing null to substr.
* In PHP 8.1 don't throw exceptions from mysqli.
* (T289926) SiteConfiguration: Don't pass null to str_replace().
* (T264735) Fix deprecation warning from CURLPIPE_HTTP1.
* (T260735) Stop using is_resource() where possible.
* (T289879) Apply ReturnTypeWillChange to various implementations of built in
  interfaces.
* (T299312) Implement __serialize/__unserialize for PHP 8.1 support.
* ExtensionRegistry: Add process cache for lazy attributes.
* (T301041) ApiPageSet: Add "missing": true to missing revisions.
* Allow ParsoidModules extension schema to register services.
* (T297708) Allow setting max execution time to several special pages.
* Upgrading wikimedia/object-factory (v2.1.0 => v2.2.0).
* (T302540) composer.json: Add ext-calendar to require.
* (T302540) composer.json: Add ext-simplexml to require-dev.
* (T302540) composer.json: Add various PHP extensions to suggests.
* Upgrading symfony/polyfill-php80 (v1.23.1 => v1.25.0).
* (T303871) Add Title::getId() as an alias for ::getArticleId().
* (T304008) Don't re-check "Move subpages" on Special:MovePage after a warning.
* (T293576) listFiles: Display file name instead of version.
* (T303560) Installer: Check correct PCRE_CONFIG_NEWLINE value.
* wrapOldPasswords: add \n to two output calls.
* (T304993) Make editcontentmodel a part of editpage grant.
* (T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion
  loop if it points to a local interwiki.
* (T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file
  uploads with actor as a condition can result in a DoS.

== MediaWiki 1.35.5 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.4 ===
* (T290697) Add symfony/polyfill-php80.
* IcuCollation: Add some more icu to unicode version mappings.
* ApiBase: Annotate deprecated constants individually.
* PHPVersionCheck: Mark PHP 7.4.0 - 7.4.2 as buggy.
* (T293044) installer: Fix 5th param to sourceFile() in DatabaseUpdater.
* (T291127) Always encode spaces in cookie values as "%20".
* Use LocalFile::getHookRunner instead of LocalFile::hookRunner.
* HistoryBlobStub: add getLocation() to get $mOldId.
* Fix checkStorage.php.
* checkStorage: pass no parameters to WikiRevision::getContent().
* (T292763, CVE-2021-44854) SECURITY: Do not cache private wiki completion
  results.
* (T294316) Revert "Mark ApiClientLogin/ApiLogin as requiring write mode".
* (T250068) resources: Upgrade jQuery from 3.4.1 to 3.6.0.
* (T250068) resources: Upgrade jquery-migrate from 3.1.0 (patched) to 3.3.2
  (patched).
* (T294796) JobQueueRedis: Replace deprecated zSize with zCard.
* (T212428, T267468) Allow populateContentTables to continue when there are
  bad blobs.
* (T295191) ApiQuerySiteinfo: Fix "rightsinfo"/"url" when $wgRightsPage is
  set.
* Update pear/mail_mime to 1.10.11.
* Update deprecated Guzzle Psr7 function calls.
* Tweak error message for missing composer dependencies.
* (T296112) Allow inserting new sections named '0'.
* nukeNS: don't run purgeRedundantText() after every change.
* (T225888) RollbackAction: fix missing pagetitle.
* (T297322, CVE-2021-44858, CVE-2021-44857) SECURITY: Fix permissions checks in
  undo actions.
* (T297574, CVE-2021-45038) SECURITY: Fix permissions check in action=rollback.
* (T34716, T297416) SECURITY: Require 'read' right for most actions.
* (T271037, CVE-2021-44856) SECURITY: Fix use of EditFilterMergedContent hook
  when changing content model.

== MediaWiki 1.35.4 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.3 ===
* (T283394) Mark ApiClientLogin/ApiLogin as requiring write mode.
* (T283273) Make postgres IRC channel point to libera.chat.
* (T289108) ExtensionProcessor: Remove loaderScripts from extension.json
  schemas.
* (T281549) Installer: Fix mediawiki-announce auto subscription code.
* FormatJson: Optimize encode() for supported PHP versions.
* (T290398) renameRestrictions.php: Update protected_titles as well.
* $wgMimeTypeBlacklist - This configuration array now prohibits the RFC 4329
  form of JavaScript, 'application/javascript', as well as previous MIME types.
* (T51097, T290273) resourceloader: Call getStyleFiles from
  FileModule::getFileHashes.
* (T277788) parser: Avoid calling ParserOptions::getOption() too many times.
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full
  table scan.
* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of
  Special:Contributions.

== MediaWiki 1.35.3 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

=== Changes since MediaWiki 1.35.2 ===
* (T259685) SQLite compatibility with ZeroConf VisualEditor was fixed in 1.35.2.
* (T196906, T242751) Fix the test MonologSpiTest::testDefaultChannel.
* (T279964) Parser: Trim trailing whitespace as the last step in pre-save
  transform.
* (T278026) rdbms: Add DB_PRIMARY to replace DB_MASTER.
* (T252853) Update updateSearchIndex.php to 2006+ standards.
* (T276945) Define a batch size in maintenance/manageJobs.php.
* (T276945) Implement JobQueueDB::getAllAbandonedJobs.
* (T269676) authevents: strval() variables passed to status when logging.
* (T280944) $wgIncludejQueryMigrate - This setting allows the jQuery Migrate
  plugin to be disabled. It has been enabled by default since MediaWiki 1.27.
* (T281584) apihelp-query+iwlinks-param-prop: s/interlanguage/interwiki/.
* (T281635) Delete maintenance/cleanupAncientTables.php.
* (T282133) RedisConnectionPool: Suppress phan issue.
* (T281549) WebInstaller: Don't show the announce-l subscribe
  checkbox temporarily.
* (T278266) Fix annoying E_NOTICE about undefined 'alt' index in
  Skin#makeFooterIcon.
* (T264214) UserRightsProxy::addGroup has to be allowed to update the
  old group as well, which is used for granting interwiki rights.
* (T269776, T278266) getFooterIcons should not return empty arrays.
* (T274966) Skip AvroFormatterTest::testSchemaNotAvailable on PHP 8.0.
* phpunit: fail on warnings.
* (T283247) Freenode -> Libera per wikimedia moving from
  freenode to libera.
* (T243124) Make phpunit:unit accept extension*.json to populate the classes.
* (T142663) Add extension.json merge strategy "provide_default".
* (T283540) HookContainer: Fix normalization of callback for static handler.
* (T283464) Fix array order for array_replace_recursive merge strategy.
* (T247223) Optimise MessageCache::isMainCacheable() for the single-message
  case.
* (T278579) Don't send headers on ob_end_clean().
* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging
  pages.

== MediaWiki 1.35.2 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

MediaWiki 1.35.2 supports Composer 2.0. It is recommended to make sure your
libraries are up to date on Composer 1.x, before running Composer 2.x.

While normally running update.php isn't required for point releases,
it is recommended to run it for 1.35.2 so that iwlinks.iwl_prefix is
updated to take 32 characters.

=== Changes since MediaWiki 1.35.1 ===
* (T270450) The confusingly-named User->isLoggedIn() method has been deprecated
  in favour of the method it wraps, User->isRegistered().
* Upgrade pimple/pimple from 3.3.0 to 3.3.1 for PHP 8.0 support.
* Upgrade seld/jsonlint from 1.7.1 to 1.8.3 for PHP 8.0 support.
* Upgrade doctrine/dbal from 2.10.4 to 3.0.0 for PHP 8.0 support.
* (T270734) Fix display of Special:Preferences URL in password reset email.
* (T252774, T271441) resourceloader: Give SkinModule 'features' option an
  extensible default.
* (T271441) Unknown features shouldn't break style output.
* (T264986) Make use of CURLMOPT_MAX_HOST_CONNECTIONS conditional on having
  curl >= 7.30.0.
* DefaultSettings.php: Update $wgPingback documentation.
* Fix docs for LanguageConverter::translate.
* (T272250) Don't rely on implicit string->int cast in comparison.
* (T272327) Exif::isSlong: Cast input to float so PHP 8.0 abs() doesn't whine.
* (T272328) UploadBase: Don't call MimeAnalyzer if mTempPath is null.
* Remove nonfunctional default sampling for WANObjectCache metrics.
* (T258851) Prevent service injection to LoadExtensionSchemaUpdates hook.
* (T270852) Hooks: Map dash character to underscore when generating hook names.
* (T271551, T270145) Fix fetching ipblock-exempt within
  BlockManager::getUserBlock.
* PHPVersionCheck: The PHP Group only supports PHP >= 7.3.0.
* (T248925) Set empty closures in DatabaseTest to fix PHP 8 tests.
* (T34217) rdbms: Remove outdated MySQL 4 references and fix doc URLs.
* (T248925) Special:Contributions reports negative namespace error on PHP 8.
* (T248925) objectcache: Fix non-numeric string check in HashBagOStuff for
  PHP 8.
* (T248925) Fix CacheTime::getCacheExpiry for PHP 8.
* (T259685) Allow REST API POST handlers to opt out of mandatory SQLite locking.
* (T91820, T259685) MWLBFactory: rename magic HTTP header for opting out of
  SQLite write lock.
* (T272326) Fix DeprecationHelperTest on PHP 8.
* Upgrade wikimedia/less.php from 3.0.0 to 3.1.0 for PHP 8.0 support.
* (T236639) OutputPage: Make $wgDebugRedirects work again.
* (T274648) registration: Allow reusing cached metadata between wikis.
* CdnCacheUpdate: Send full URL instead of path to Curl for purge.
* Upgrade monolog/monolog from 1.25.3 to 2.2.0 for PHP 8.0 support.
* FileBackend: Do not use SOCKET_ENOENT on windows.
* (T275441) ApiQueryUserInfo: Allow all uiprops to be requested at once.
* (T275261) Escape wikitext in the title in invalid title error messages.
* (T275242) Extend iwlinks.iwl_prefix to VARBINARY(32) on MySQL.
* (T246594, T270228) PHPVersionCheck: Complain about known-bad versions above
  minimum.
* (T275824) Upgrade wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1 for
  Composer 2.0 support.
* (T269293) Record all used options in metadata.
* Allow usage of Composer 2.0 to install MediaWiki's dependencies.
* (T259872) skins: Call headElement() after getTemplateData() in SkinMustache.
* (T277009, CVE-2021-30158) SECURITY: Allow blocked users to access
  Special:ResetTokens.
* (T272412) Add "Account data" section to user preferences.
* (T268310) Add list of thumbnail urls to LocalFilePurgeThumbnails hook.
* (T277520) registration: Allow specifying immovable namespaces in
  extension.json.
* (T275619) Maintenance::hasOption and Maintenance::getOption now behave as
  documented and are not altered by previous calls to these methods.
* (T254688) Remove page inner join from subquery in SpecialWhatLinksHere.
* (T122124) signup: added help message for security.
* (T278014, CVE-2021-30154) SECURITY: Escape mediastatistics-header-* messages
  on Special:NewFiles.
* (T278058, CVE-2021-30157) SECURITY: Escape rcfilters-filter-* messages on
  ChangesList pages.
* (T277414) HTMLFormField: Use non namespaced class name rather than
  static::class.
* (T268673) maintenance: Don't create SearchUpdate in rebuildtextindex.php
  for page_namespace below 0.
* (T246594, T270228) Mark ParserOptionsTests skipped on PHP 7.4.0-7.4.8.
* (T268230) Switch to new MediaWiki logo by Serhio Magpie.
* (T271735) Expand config-pingback-help, link to privacy policy in
  config-pingback.
* Fix documentation of user-global in $wgRateLimits.
* BackupDumper: Add -o as shortcode for --output.
* (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
* (T270713, CVE-2021-30152) SECURITY: Allow user to only apply protection they
  have right to do so via action=protect.
* (T272386, CVE-2021-30159) SECURITY: Non-admin deleted enwiki page in fast
  double move.
* (T270988, CVE-2021-30155) SECURITY: ContentModelChange: Check that user can
  create pages.
* (T279451, CVE-2021-30458) SECURITY: Parsoid comment fostering allows for
  inserting mostly arbitrary <meta> tags.

== MediaWiki 1.35.1 ==

This is a security and maintenance release of the MediaWiki 1.35 branch.

While normally running update.php isn't required for point releases,
it is recommended to run it for 1.35.1 so that sites.site_language is
updated to take 35 characters.

Watchlist Expiry is no longer considered experimental, but is off by default.
To enable it, set $wgWatchlistExpiry = true; in your LocalSettings.php.

=== Changes since MediaWiki 1.35.0 ===
* (T263929) purgeList.php Fix all-namespaces option to match one used in code.
* (T248719) ParserCache::get - fix wfDeprecated call.
* (T261430) WatchlistExpiryWidget: Move focus to expiry dropdown after hitting
  Tab.
* Preload mediawiki.watchstar.widgets before api request.
* (T261030) ApiEditPage: Show existing watchlist expiry if status is not being
  changed.
* (T264502) Fix PHP 8 compat with strcspn() $length parameter exceeding string.
* (T248925) Remove final modifier on private function.
* (T264683) Remove ipb_anon_only from ipb_address_unique index addition.
* (T261415) Add days left messages to changes-lists' clock icons.
* Fix order of wfDeprecated parameters in ExternalStoreDB::getSlave.
* (T261260) Preload class used in HeaderCallback.
* (T260868, T260009) Normalize WatchedItem expiry field.
* (T264683) Remove doTable check from (Mysql|Sqlite)Updater::indexHasFields.
* (T264534) ApiPageSet: Avoid infinite loop when merging redirects.
* (T196906) Empty Monolog loggers are now real blackholes.
* (T258649) WatchAction: avoid UPDATE when old and new watch period is
  indefinite.
* Parser: Adjust typehint to show that getTitle can return null.
* (T263592) media: Fix case of FlashPixVersion in
  FormatMetadata::makeFormattedData().
* (T265223) BaseTemplate: Guard against passing zero arg to array_merge().
* (T264965) Fix base path handling for MessagePosterModule registration.
* (T252183) Fix Database::getTempTableWrites for multi table DDLs.
* (T182546) Fix switch/case indentation per mediawiki coding conventions.
* Flip Yoda conditionals.
* (T263213) Move SkinTemplate::getFooterLinks() to Skin.
* build: Updating mediawiki/mediawiki-codesniffer to 33.0.0.
* (T267105) Make ImageBuilder::checkMissingImage public.
* Updating guzzlehttp/guzzle (6.5.4 => 6.5.5).
* (T266681) Support new style hook registration on install and update.
* (T266980) Fix unsetting of copyright icon in FooterIcons.
* upload.js: Don't assume that warnings array will include 'code' key.
* upload.js:  Fix typo in upload API.
* (T264333, T190988, T266903) Pass along ignorewarnings param to all
  individual chunks being uploaded.
* (T267558) importTextFiles.php: Replace deprecated WikiRevision:setText().
* (T266418) composer.json: add requirement for composer-plugin-api ^1.1.
* (T261431) Add ARIA attributes to watchlink and its notification.
* (T258877) Change invalid 'Content-Encoding: none' header.
* Fix trailing ; in patch-sites-site_language-35.sql.
* (T248852) wfAssembleUrl: Handle empty query field in URL bits.
* (T268846) Updating wikimedia/testing-access-wrapper (1.0.0 => 2.0.0).
* (T268887) migrateComments: Cast array keys back to string before passing
  to the DB.
* (T266619) Introduce new $wgThumbPath config.
* (T269178) MemcachedClient: Cast Resource to integer.
* (T263925) Use the old HookContainer to set up the post-reset services.
* Change "site cache" to just "cache" in the right-purge message.
* [UploadedFileStreamTest] Skip test with chmod.
* (T269710) Updating composer/semver (1.5.1 => 1.7.2).
* (T269710) Updating mediawiki/mediawiki-codesniffer (33.0.0 => 34.0.0).
* (T260631, T260633), BotPassword::save() now returns a Status object for the
  result rather than a bool. The length of the bot password grants and
  restriction fields are now validated, and an error will be thrown if it
  would be truncated by the database.
* (T265778) Fix English/*nix specific error messages in FSFileBackend.
* (T267543) Split dropping of image.img_user_timestamp.
* [FileTest] Do not assume /tmp exists on windows.
* Clean up temp files correctly after unit tests.
* Skip undo related phpunit tests when diff3 is missing.
* (T269964) rdbms: Remove outer parentheses in insert query for Postgres.
* (T263911) In MWExceptionHandler::report(), catch all throwables.
* (T268894, CVE-2020-35474) SECURITY: Use Html::element in
  ChangeListSpecialPage for sanity.
* (T268917) Use Xml::element in SpecialUserrights for sanity.
* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: Pass escaped html
  to LogFormatter::makePageLink for sanity.
* (T268938) Fixed mixed escaping in Language::translateBlockExpiry.
* (T263911) UserOptionsManager: don't differentiate anons caches.
* (T261260) HeaderCallback: pre-cache request ID.
* Parsoid updated to v0.12.1.
* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log
  entries when MediaWiki:Mainpage uses Special:MyLanguage.
* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions
  and user pages of hidden users and missing users.
* (T270145) Fix condition that can lead to using APCOND_BLOCKED in
  $wgAutopromote to cause an OOM in PHP.

== MediaWiki 1.35.0 ==

=== Changes since MediaWiki 1.35.0-rc.3 ===
* (T261258) Remove checks for ancient ImageMagick versions in BitmapHandler.
* (T260232) Don't include null page ids in query list for category dumps.
* (T260009) Check existing watchitem when saving action=watch.
* (T259055) Correct success messages for action=watch.
* mediawiki.page.ready: Simpler tablesorter/makeCollapsible call.
* mediawiki.page.ready: Fix skin override config flags, wrong way round.
* (T262175, T248512) Remove requirement for ApiWatchlistTrait to be in ApiBase.
* (T259053, T260434) Watchlist: Fix updateWatchLink removing css class when
  action=watch.
* (T261901, T261476) mediawiki.notification: Don't close notif when clicking
  <select> element.
* (T251506) Sanitizer: Truncate IDs to a reasonable length.
* (T259452) Parsoid updated to v0.12.0.
* (T261970) watch.ajax: Add expiry support to watchpage.mw event.
* (T262900) Fix failure of rebuildLocalisationCache.php due to ResourceLoader
  hook.
* (T263014) Hard deprecate File::userCan() with $user=null.
* (T262547) Use localized success message after watching via action=watch.
* (T201491) Fix typo 'Watchlst' in `apihelp-edit-param-watchlistexpiry`.
* (T261081) Installer: consistently reset Language objects.
* (T250449, T250450) Installer: consistently reset Language objects.
* Explicitly wrap some XML calls in libxml_disable_entity_loader().
* (T262934) Ensure dropdown label is always on its own line.
* (T246855) resourceloader: Use a local HookRunner.
* (T263604) Have findBadBlobs.php require Maintenance.php rather than
  cleanupTable.inc.
* (T263606) Set fake time, to avoid flaky tests.
* (T261325) Add FindMissingActors script.
* (T262364) shell: Don't blacklist /run/firejail.
* (T263655) NewPagesPager: Ignore nonexistent namespaces.
* Update specialPageAliases and magicWords for Egyptian Arabic (arz).
* (T261347) ParserOutput: don't throw on bad editsection.
* (T232568, CVE-2020-25813) SpecialUserrights: If a viewer lacks `hideuser`,
  ignore hidden users.
* (T255918, CVE-2020-25812) SECURITY: Unescaped message used in HTML on
  Special:Contributions.
* (T256171, CVE-2020-25815) SECURITY: Unescaped message used in HTML within
  LogEventsList.
* (T258763, CVE-2020-17367, CVE-2020-17368) SECURITY: Prevent invoking
  firejail's --output functionality.
* (T86738, CVE-2020-25814) SECURITY: mediawiki.jqueryMsg: Sanitize URLs and
  'style' attribute.
* (T115888, CVE-2020-25828) SECURITY: mediawiki.js: Escape HTML in
  mw.message( ... ).parse().
* (T260485, CVE-2020-25869) SECURITY: ActorMigration: Load user from the correct
  database.
* (T260485, CVE-2020-25869) SECURITY: ensure actor ID from correct wiki is used.
* Add Finnish special page aliases.
* Fix GuzzleHttpRequest request headers.
* Fix description for pruneFileCache.php.
* emptyUserGroup.php: handle more than 5000 users.
* Make ApiSandbox copyable URL absolute.
* (T261087) Add a link from a deleted page to that page's logs.

== MediaWiki 1.35.0-rc.3 ==

=== Changes since MediaWiki 1.35.0-rc.2 ===
* (T258662) mediawiki.visibleTimeout: Update the nextVisibleTimeoutId value.
* Ensure Parsoid doesn't throw when <ref> is used w/o Cite installed.
* Remove maintenance/createCommonPasswordCdb.php.
* (T260468) Increase "sites.site_global_key" to varbinary(64).
* (T183759) Fix shell edge-cases in Windows.
* (T257879) Drop PHP 7.2 support; require 7.3.19.
* (T251661, CVE-2020-25827) SECURITY: User::pingLimiter: add user-global
  rate limit type.
* (T246991) User: enforce pingLimiter() expiry time.
* (T256831) Rest: Handle Uri constructor exception.
* (T259094) Fix RequestFromGlobalsTest failing in Travis CI.
* (T256831, T261344) Rest: Use try/catch to handle URIs with embedded colon.

== MediaWiki 1.35.0-rc.2 ==

=== Changes since MediaWiki 1.35.0-rc.1 ===
* (T259693) uuid: Fix filenames on Windows.
* Remove Gruntfile.js and package-lock.json from the tarball.
* firejail: Strengthen by copying from Wikimedia's profile.
* (T260059) ResourceLoaderOOUIImageModule: loadOOUIDefinition() may return
  false.
* (T30162, T245387) The installer supports using a Postgres server running
  on a custom port other than 5432.
* (T260201) Support private wikis in Parsoid zero configuration mode.
* Fix bad use of `|=` PHP bit operation where `= … ||` bool is intended.
* (T259212) SpecialBlock: Show error if a block could not be inserted or found.
* (T255842) UserOptionsManager: fix options reset.
* (T258649) WatchAction: avoid unnecessary UPDATEs when expiry is unchanged.
* (T250851) Allow skins to override mediawiki.page.ready initialisation.
* (T250851) mediawiki.page.ready: Allow skins to disable search lazy load.
* (T253135, T255632) Update language in watchlist expiry.
* Use IPset in MWRestrictions::checkIP.
* (T259564) Fix race condition on edit page.
* (T260759) Hide watchlist expiry label in edit form.
* mime: Fix docs of MIME_EXTENSIONS, they're arrays, not space-seperated.
* (T260031) Add application/font-sfnt to MimeMap for ttf files.
* (T259379) WatchedItemStore: Cache single WatchedItems with preexisting expiry.
* Add a maintenance script to create bot passwords.
* (T201269) Add Traditional Chinese zh-hant as fallback for Amis (ami).
* Improve wfParseUrl docs.
* (T251038) Add multi index fields in ImageListPager for unique paginate.
* (T259916) Guard against 'Widget not found' error.

== MediaWiki 1.35.0-rc.1 ==

=== Changes since MediaWiki 1.35.0-rc.0 ===
* (T252136) Fix RecentChanges watchlist filters when WatchlistExpiry is off.
* (T258662) Update time period for watchlist expiry pop-up.
* (T258443) Fix expiry dropdown not getting disabled on edit page.
* (T259398) Add license information for promise-polyfill.
* Remove executable bit from scripts without shebang.
* (T256526) Fix bold of watched items on Special:RecentChangesLinked.
* (T259060) Edit page expiry dropdown should keep state after
  disabling/enabling.
* (T259009) Translate expiry period in pop-up message for watchlist expiry.
* (T258310) Add watchlist clock icon to RecentChanges.
* (T259362) Permit temporary table writes on replica DB connections.
* (T250214) Add UI support in Special:EditWatchlist for watchlist expiry.
* (T72470) Disable wgLegacyJavaScriptGlobals by default.
* (T130906) Add Edge to MediaWiki:Clearyourcache.
* (T257279) Add mediawiki.ui Less variable deprecation note.
* (T249521) Fixed reassignEdits.php to work with anonymous users.
* (T259448) Fix Circular dependency when creating service in
  DBLoadBalancerFactory.
* (T257259) Default to using watchlist expiry of old page when moving pages.

== MediaWiki 1.35.0-rc.0 ==

== Upgrading notes for 1.35 ==
1.35 requires PHP 7.3.19 or above (up from 7.2.9). (T257879)

1.35 has several database changes since 1.34, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).

Don't forget to always back up your database before upgrading!

MediaWiki 1.35 is the next LTS after 1.31, and will be supported for around 3
years.

MediaWiki has a lot of both soft and hard deprecations, and code removed. As
always, make sure your versions of extensions match the MediaWiki version,
and updates may be required to any custom extensions.

See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.

Some specific notes for MediaWiki 1.35 upgrades are below:
* (T259685) When using SQLite as the database backend for MediaWiki,
  Zeroconf (zero-configuration) VisualEditor/Parsoid only works with
  MediaWiki 1.35.2 and above.  It is still recommended to use
  MySQL/MariaDB rather than SQLite when using VisualEditor.

For notes on 1.34.x and older releases, see HISTORY.

=== Configuration changes for system administrators in 1.35 ===

* (T72470) $wgLegacyJavaScriptGlobals is now false by default. This feature
  will be completely removed in a later MediaWiki release.

==== New configuration ====
* $wgDiffEngine — This can be used to specify the difference engine to use,
  rather than MediaWiki choosing the first of $wgExternalDiffEngine, wikidiff2,
  or php that is usable.
* $wgSearchMatchRedirectPreference — This configuration setting controls whether
  users can set a new preference, search-match-redirect, which decides if search
  should redirect them to exact matches is available. By default, this is set to
  false, which maintains the previous behaviour without preference bloat. Change
  your site's default by setting $wgDefaultUserOptions['search-match-redirect'].
* $wgPoolCounterConf['SpecialContributions'] — Per-user concurrency in the use
  of SpecialContributions can now be limited by setting this appropriately.
* $wgPasswordPolicy — PasswordCannotBeSubstringInUsername is a new password
  policy check. Similar to the existing PasswordCannotMatchUsername check, this
  check ensures that a user's (case-insensitive) password cannot be a part of
  their username. e.g. password = MyPass, username = ThisUsersPasswordIsMyPass.
* $wgLogos — This new configuration setting combines the now-deprecated $wgLogo
  and $wgLogoHD settings into a single, associative array. It provides support
  for a new key, 'wordmark', for setting a horizontal wordmark to show next to
  the graphical logo. To do this, set 'wordmark' to an array with 'src' set to
  the path of the wordmark image, and 'width' and 'height' for its dimensions
  in pixels. $wgLogos inherits the existing support provided by its predecessor
  settings: '1x' mapping to the path of the logo as a 135x135px raster image
  (equivalent to $wgLogo), and '1.5x', '2x', and 'svg' operating as before for
  $wgLogoHD. If $wgLogos is unset, $wgLogo and $wgLogoHD values are read for
  temporary backwards compatibility. (T232140)
* $wgWatchlistExpiry — (EXPERIMENTAL) This enables the new watchlist expiry
  feature. The database table (watchlist_expiry) for this is created regardless
  of this setting, but all other aspects of the expiry feature are controlled
  by it. Enabling in production is discouraged for the time being. A future
  MediaWiki 1.35 release will advertise this feature once it is stable.
* $wgWatchlistPurgeRate — This sets the chance of expired watchlist items being
  purged on each page edit. Only has effect if $wgWatchlistExpiry is true.
* $wgWatchlistExpiryMaxDuration — This is the maximum definite relative duration
  for watchlist expiries. Only has effect if $wgWatchlistExpiry is true.
* $wgImgAuthPath – This can be used to override the path prefix used when
  handling img_auth.php requests. (T235357)
* $wgAllowedCorsHeaders — This is a list of headers which can be used in a
  cross-site API request.
* $wgHTTPMaxTimeout and $wgHTTPMaxConnectTimeout — These allow site
  administrators to limit the timeouts used by the HTTP client libraries.
  This only affects callers using HttpRequestFactory and the deprecated
  wrappers in the Http class.
* $wgCdnMaxageStale — This controls the Cache-Control s-maxage header for page
  views when PoolCounter lock contention indicates that a stale cache entry
  should be sent.
* $wgForceHTTPS — This makes the HTTP to HTTPS redirect be unconditional and
  suppresses various hacks needed to support mixed HTTP/HTTPS wikis. We
  recommend this be set to true on pure HTTPS wikis.
* $wgCookieSameSite — This setting allows login cookies to be sent with
  SameSite=None. This is required for cross-site CentralAuth auto-login after
  Chrome 84.
* $wgUseSameSiteLegacyCookies — This adds a compatibility hack to
  SameSite=None cookies for browsers which implemented an incompatible draft
  version of the specification.

==== Changed configuration ====
* $wgResourceLoaderMaxage (T235314) — This configuration array controls the
  max-age for HTTP caching through the Cache-Control header. It has uses the
  "versioned" key for urls that do have a version parameter, and the
  "unversioned" key for urls without a version parameter. The sub keys for
  "client" and "server" are no longer supported in MediaWiki 1.35.
* $wgEnableOpenSearchSuggest — This boolean variable is deprecated and no longer
  used. The OpenSearch API is now always enabled.
* $wgAuthManagerConfig and $wgAuthManagerAutoConfig — These can now use the
  'services' option in provider specifications.
* $wgVirtualRestConfig['modules']['parsoid'] —
  - The defaults have been updated. If you were relying on the default values,
    you may need to update your configuration.
  - The 'URL' parameter, previously allowed for backwards-compatibility, has
    been deprecated. Use 'url' instead.
* $wgXmlDumpSchemaVersion — Default is now set to XML_DUMP_SCHEMA_VERSION_11, so
  dumps use the new dump format per default. Consumers of XML dumps should not
  be affected if they ignore any unknown tags they encounter. Also, the format
  is effectively unchanged for revisions that only contain the main slot. The
  --schema-version option can be used with the dumpBackup.php script to set the
  dump format. (T238921)
* $wgParserConf — This configuration is now deprecated. It has been
  effectively constant since 2008, and is ignored by core code.
  Configure the ParserFactory service in order to customize the Parser used.
* $wgAutoloadAttemptLowercase — This has been deprecated, and the default value
  changed to false.
* $wgAllowImageMoving — This configuration setting is now deprecated. Instead,
  use $wgGroupPermissions; e.g., to revoke sysops' ability to move images use
  $wgGroupPermissions['sysop']['movefile'] = false.
* $wgAllowImageTag — This configuration is now deprecated; future parsers will
  not support direct use of the HTML <img> tag in wikitext.
* $wgUseTwoButtonsSearchForm — This has been deprecated. If you maintain a skin
  that relies on this and wishes to let system administrators change it, you
  should convert it to a config variable specific to your skin. If you're using
  it to configure your wiki, you should check individual skins to see whether
  they have local skin config for the feature and use that.
* $wgPasswordPolicy — The deprecated policy 'PasswordCannotBePopular' has been
  removed. Use PasswordNotInCommonList instead which covers many more passwords.
* Backwards compatibility for using an associative array
  (e.g. [ '127.0.0.1' => 'bad-ip' ]) for $wgProxyList has been removed. This
  was deprecated since 1.30. Please convert these arrays to indexed/sequential
  ones (e.g. [ '127.0.0.1' ]).
* $wgShellRestrictionMethod — This now defaults to 'autodetect', which will
  enable sandboxing for shell commands using firejail, if it's installed. To
  disable restrictions, set it to false.
* $wgLegacyJavaScriptGlobals – This deprecated setting now default to false,
  instead of true, ahead of its planned removal.

==== Removed configuration ====
* $wgSysopEmailBans — This setting, deprecated in 1.34, was removed. To let
  sysops block email access, use $wgGroupPermissions['sysop']['blockemail'].
* $wgDBWindowsAuthentication — This setting had no effect anymore after support
  for SQL Server was removed in 1.34. (T230418)
* $wgProfileOnly — This setting, deprecated in 1.23, was removed. The profiler
  output should instead be configured via $wgProfiler['output'].
* $wgProfileLimit — This setting, deprecated in 1.25, was removed.
  Set $wgProfiler['threshold'] instead.
* $wgDebugTimestamps — This setting was removed. It affected the text output
  produced via $wgDebugComments, if enabled.
* $wgSkipSkin — This setting, deprecated in 1.23, was removed. To disable a
  skin from being shown, use $wgSkipSkins.
* $wgUseSquid, $wgSquidServers, $wgSquidServersNoPurge, and $wgSquidMaxage —
  These, deprecated in 1.34, have been removed. Use $wgUseCdn, $wgCdnServers,
  $wgCdnServersNoPurge, or $wgCdnMaxAge instead.
* $wgDisableCounters — This, deprecated in 1.25, was removed. The feature that
  it controlled was already removed in 1.26, but the variable remained existent
  with a value of `false` for backward-compatibility.
* $wgMaxGeneratedPPNodeCount — This setting was removed. It only affected
  Preprocessor_DOM, which was deprecated in 1.34 and removed in this release.
* $wgFixArabicUnicode and $wgFixMalayalamUnicode — These, deprecated in 1.33,
  were removed. The fixes are now always enabled for their respective languages.
* $wgAllowTitlesInSVG — This, unused and deprecated since 1.34, was removed.
* $wgEnablePartialBlocks — This setting, deprecated when it was added in 1.33,
  was removed. Partial blocks are now always enabled.
* $wgLocalInterwiki — This setting, deprecated in 1.23, has been removed.
* $wgContentHandlerUseDB — This setting, deprecated in 1.34, has been removed.
* $wgMultiContentRevisionSchemaMigrationStage — This setting must no longer
  be set locally. If the migration stage was set to anything other than
  SCHEMA_COMPAT_NEW locally, update.php must be run after removing the setting.
  Usage of the setting in code is deprecated. The setting will be removed
  completely in 1.36.
* $wgEnableRestAPI — This setting is no longer obeyed by MediaWiki core, and
  should not be set set locally. Usage of the setting in code is deprecated; it
  is now set true by default. The setting will be removed completely in 1.36.
* $wgObjectCaches — The 'slaveOnly' option for SqlBagOStuff, deprecated in 1.34,
  was removed. Use 'replicaOnly' instead.

=== New user-facing features in 1.35 ===
* (T204618) Whitelisted the aria-hidden HTML attribute for all elements in
  wikitext.
* (T13456) Special:EditPage, Special:PageHistory, Special:PageInfo, and
  Special:Purge have been created as shortcuts for each action.
  Special:EditPage/Foo redirects to title=foo&action=edit, with PageHistory,
  PageInfo, and Purge corresponding to action= history, info, and purge
  respectively. When linked to, its subpage is used as the target. Otherwise,
  it displays a basic interface to allow the end user to specify the target
  manually.
* (T139221) The generated table of contents is now a navigation landmark role
  for assistive technologies.
* (T245931) interwiki map API doesn't report foreign language if
  $wgInterwikiMagic=false
* The form at ?action=watch has a new dropdown list to support expiry dates for
  watchlist items (if $wgWatchlistExpiry is true).

=== New developer features in 1.35 ===
* A Docker based local development develpoment environment configuration is
  included (T238224) and DEVELOPERS.md has been added with usage documentation
  and links to further help.
* If CSP is enabled, extensions can now add additional sources using the
  ContentSecurityPolicy::addDefaultSource, ::addStyleSrc and ::addScriptSrc
  methods (e.g. $context->getOutput()->getCSP()->addDefaultSrc( 'example.com' ))
* Extensions can now specify classes and namespaces to be autoloaded by the
  test autoloader, by setting the "TestAutoloadNamespaces" and
  "TestAutoloadClasses" properties in extension.json. (T196090)
* (T250977) extension.json now allows "SearchMappings" which maps the canonical
  name of the search engine (used in wgSearchType and wgSearchTypeAlternatives)
  to a specification using the ObjectFactory specification. This allows
  extensions to register Search Engines using namespaced classes.
* Added getters for OutputPage's robot, index and follow policies;
  getRobotPolicy() returns the entire policy as a string in the form
  <index policy>,<follow policy> while getIndexPolicy() and getFollowPolicy()
  return their respective policies as a string.
* The ResourceLoaderSiteModulePages and ResourceLoaderSiteStylesModulePages
  hooks were added to allow changing which wiki pages these modules contain.
* The SkinFactory now allows skins to be specified as an ObjectFactory spec,
  allowing the construction of skins with services injected.
* ContentHandlerFactory for most ContentHandler static methods. It has been
  added to the constructors for many classes to improve SOLID / GRASP.
* FileDeleteForm's constructor now accepts a user as the second parameter.
  Support for not passing a user has also been hard-deprecated and will be
  removed in 1.36.
* The ParserPreSaveTransformComplete hook was added.
* The ParserBeforePreprocess hook was added.
* The ResourceLoaderSkinModule class now has a "legacy" feature that loads
  the stylesheets previously part of the "mediawiki.legacy.shared" and
  "mediawiki.legacy.commonPrint" module.
  Those modules are now deprecated and no longer loaded by skins.
  For skins needing to retain these styles, you will need to load these
  styles via a module using the ResourceLoaderSkinModule class.
  See Vector and Monobook for examples.
* ParserOutput now has methods addExtraCSPStyleSrc, addExtraCSPDefaultSrc
  addExtraCSPScriptSrc for parser tags/functions to be able to add sources
  to the Content Security Policy.
* The HtmlCacheUpdater service was added to unify the logic of purging CDN cache
  and HTML file cache to simplify callers and make them more consistent.
* The MultiHttpClient code will fallover to non-curl if curl_multi* is blocked.
* Preferences which use HTMLTitlesMultiselectField can make use of
  MultiTitleFilter class for saving title text to/from article IDs in user
  preferences.
* OutputPage::addHtmlClasses() was added to allow injecting CSS classes on
  to the <html> element on page load.
* The SkinAddFooterLinks hook is added to allow extensions to add items to skin
  footers. Previously this had to be done via SkinTemplateOutputPageBeforeExec.
  Doing so using that hook is now hard deprecated.
* A new BlockPermissionChecker service was introduced for checking
  block-related permissions.
* The support of 'database' type of extensions has been added to allow 3d party
  databases like Percona be used as storage. See T226857, T253248.
* Three new return parameters have been added to the
  EditPageGetCheckboxesDefinition hook. Handlers of this hook are no longer
  restricted to defining checkboxes. See the documentation of
  EditPage::getCheckboxesDefinition() for more details.
* New flag File::RENDER_TMP was added in order to allow
  File::generateAndSaveThumb and File::trasform to render a thumbnail without
  saving it to the storage.

=== External library changes in 1.35 ===

==== New external libraries ====
* Added wikimedia/ip-utils 1.0.0.
* Added wikimedia/parsoid 0.12.3.
* Added wikimedia/services 2.0.1.
* Added taylorhakes/promise-polyfill v8.1.3.
* Added vuejs v2.6.11.
* Added vuex v3.1.3.
* Added symfony/symfony/polyfill-php80 1.25.0.

===== New development-only external libraries =====
* Added doctrine/dbal 3.1.5.
* Added doctrine/sql-formatter 1.1.0.
* Added pimple/pimple 3.3.1.

==== Changed external libraries ====
* pear/mail_mime was upgraded from 1.10.2 to 1.10.11.
* wikimedia/less.php was upgraded from 1.8.0 to 3.1.0.
* Updated oojs from 3.0.0 to 5.0.0.
* Updated OOUI from 0.35.1 to 0.39.3.
* zordius/lightncandy was upgraded from 0.23.0 to 1.2.5.
* Updated jQuery from v3.3.1 to v3.6.0.
* Updated jQuery Migrate from v3.0.1 to v3.3.2.
* Updated wikimedia/assert from 0.2.2 to 0.5.0.
* Updated pear/net_smtp from 1.8.1 from to 1.9.1.
* Updated psr/log from 1.0.2 to 1.1.3.
* Updated jquery.i18n from 1.0.5 to 1.0.7.
* Updated guzzlehttp/guzzle from 6.3.3 to 6.5.8.
* Updated wikimedia/xmp-reader from 0.6.3 to 0.8.5.
  Fixes error log spam with too-large XMP data, and adds support for GPano tags.
* Updated wikimedia/base-convert from v2.0.0 to v2.0.1.
* Updated composer/semver from 1.5.0 to 1.7.2.
* Updated wikimedia/remex-html from 2.1.0 to 2.2.0.
* Replaced wikimedia/password-blacklist 0.1.4 with wikimedia/common-passwords
  0.2.0.
* Updated wikimedia/composer-merge-plugin from 1.4.1 to 2.0.1.
* Updated wikimedia/html-formatter from 1.0.2 to 2.0.1.
* Updated wikimedia/object-factory from 2.1.0 to 2.2.0.

===== Changed development-only external libraries =====
* Updated symfony/yaml from 3.4.28 to 5.0.5.
* Updated nikic/php-parser from 3.1.5 to 4.4.0.
* Updated php-parallel-lint/php-console-highlighter from v0.3.2 to v0.5.
* Updated php-parallel-lint/php-parallel-lint from v0.9.2 to v1.2.0.
* Updated psy/psysh from 0.9.9 to 0.10.4.
* Updated monolog/monolog from 1.24.0 to 2.2.0.
* Upgrade mediawiki-codesniffer from 28.0.0 to 38.0.0.
* Updated composer/spdx-licenses from 1.5.1 to 1.5.3.
* Updated monolog/monolog from 1.25.2 to 1.25.3.
* Updated qunit from 2.9.1 to 2.10.0.
* Updating wikimedia/testing-access-wrapper from 1.0.0 to 2.0.0.
* Updated seld/jsonlint from 1.7.1 to 1.8.3.

==== Removed external libraries ====
* phpunit/php-invoker (dev-only).
  Removing this unbreaks development on Windows systems, in exchange for losing
  time limits in running unit tests.
* The jquery.getAttrs module was removed.

=== Action API changes in 1.35 ===
* The 'suggest' parameter of action=opensearch has been deprecated.
  The API behaves the same with and without this parameter.
  It was previously used by $wgEnableOpenSearchSuggest to partially
  disable the API if set to false. Specifically, it would deny internal
  frontend requests carrying this parameter, whilst accepting other requests.
* Integer-type parameters are now validated for syntax rather than being
  interpreted in surprising ways. For example, the following will now return a
  badinteger error:
  - "1.9" (formerly interpreted as "1")
  - " 1" (formerly interpreted as "1")
  - "1e1" (formerly interpreted as "1" or "10", depending on the PHP version)
  - "1foobar" (formerly interpreted as "1")
  - "foobar" (formerly intepreted as "0")
  parameters. Ranges should be assumed to be enforced.
* Many user-type parameters now accept a user ID, formatted like "#12345".
* The 'assert' parameter used by all API modules now supports the value 'anon'.
  When specified, the API will return the 'assertanonfailed' error if the user
  is logged in.
* action=edit now supports  the 'baserevid' parameter for edit conflict
  detection, as an alternative to 'basetimestamp'. Note that self-conflicts
  will continue to be ignored if 'basetimestamp' is set, but not if only
  'baserevid' is set.
* A new module was added to change the content model of existing pages.
  Use action=changecontentmodel. Unlike Special:ChangeContentModel, the api
  module does not work for pages that do not already exist.
* If $wgWatchlistExpiry is true, the following API changes are made:
  - action=watch accepts a new 'expiry' parameter analagous to the expiry
    accepted by action=userrights, action=block, etc., except it must be no
    greater than $wgWatchlistExpiryMaxDuration, or an infinity value.
  - action=query&list=watchlistraw returns pages' watchlist expiry dates.
* (T249526) action=login will now return Failed rather than NeedToken on
  session loss.

=== Action API internal changes in 1.35 ===
* The Action API now uses the Wikimedia\ParamValidator library for parameter
  validation, which brings some new features and changes. For the most part
  existing module code should work as it did before, but see subsequent notes
  for changes.
  - The values for all ApiBase PARAM_* constants have changed. Code should have
    been using the constants rather than hard-coding the values.
  - Several ApiBase PARAM_* constants have been deprecated, see the in-class
    documentation for details. Use the equivalent ParamValidator constants
    instead.
  - The value returned for 'upload'-type parameters has changed from
    WebRequestUpload to Psr\Http\Message\UploadedFileInterface.
* Validation of 'user'-type parameters is more flexible. PARAM constants exist
  to specify the type of "user" allowed and to request UserIdentity objects
  rather than name strings. The default is to accept all types (name, IP,
  range, and interwiki) that were formerly accepted.
* Maximum limits are no longer ignored in "internal mode".
* The $paramName to ApiBase::handleParamNormalization() should now include the
  prefix.
* (T245931) meta=siteinfo&siprop=interwikimap no longer reports language or
  extralanglink when $wgInterwikiMagic is false.

=== Languages updated in 1.35 ===
MediaWiki supports over 350 languages. Many localisations are updated regularly.
Below only new and removed languages are listed, as well as changes to languages
because of Phabricator reports.

* The default targets for the ISBN search from Special:BookSources in English
  have been updated for better international suppport. They will now be
  BetterWorldBooks.com, OpenLibrary.org and Worldcat.org.
* (T237672) Changed the Moroccan Arabic language (ary) to the Arabic script.
* (T201269) Added language support for Amis (ami).
* (T248299) Added language support for Inari Sami (smn).
* (T251369) Added language support for Ladin (lld).
* (T251369) Added language support for Seediq (trv), also known as Taroko.
* (T254854) Added language support for Southern Altay (alt).

=== Breaking changes in 1.35 ===
* MediaWiki no longer supports PHP 7.2; use PHP 7.3.19+ (T228346, T257879).
* ResourceLoader::getLessVars(), deprecated in 1.32, was removed.
  Use ResourceLoaderModule::getLessVars() instead.
* The jquery.tabIndex module, deprecated in 1.34, has been removed.
* The mediawiki.RegExp module alias, deprecated in 1.34, was removed.
  Use the mediawiki.util module instead.
* The easy-deflate.inflate module, unused since 1.32, was removed.
* The easy-deflate.deflate module was removed. Use the mediawiki.deflate
  module instead.
* The mediawiki.notify module was removed. The mw.notify() shortcut is now
  available by default, without any dependency.
* (T219604) The "jquery.ui.*" and "jquery.effects.*" module aliases,
  deprecated in 1.34, have been removed. Use "jquery.ui" instead.
* (T235457) The "user.tokens" module has been removed.
  Use "user.options" instead.
* (T251855) The mw.Map#exists method in JavaScript no longer supports checking
  multiple keys. This affects mw.config.exists() and mw.user.tokens.exists().
* The internal variable $constructorOptions for the Parser & SpecialPageFactory,
  exposed only for integration purposes, are now each replaced by a const called
  CONSTRUCTOR_OPTIONS. This was a breaking change made without deprecation.
* ObjectCache::getWANInstance, deprecated in 1.34, was removed.
  Use MediaWikiServices::getMainWANObjectCache instead.
* ObjectCache::newWANCacheFromParams, deprecated in 1.34, was removed.
  Construct WANObjectCache directly instead, or use MediaWikiServices.
* (T231366) The ProfilerOutputDb class and profileinfo.php entry point,
  deprecated in 1.34, was removed.
* SiteConfiguration->localVHosts, deprecated in 1.25, was removed.
  Use $wgLocalVirtualHosts instead.
* The $wgContLanguageCode read-only variable was removed.
  It has been a non-configurable copy of $wgLanguageCode since MW 1.8 (2006).
  Use $wgLanguageCode directly instead.
* ApiQueryUserInfo::getBlockInfo, deprecated in 1.34, was removed. Use
  ApiBlockInfoTrait::getBlockDetails instead.
* Password::equals(), deprecated in 1.33, was removed. Use Password::verify().
* QuickTemplate::setRef(), deprecated in 1.31, was removed. Use set().
* The mediawiki.ui.text module, deprecated in 1.28 and unused, was removed.
* AbstractBlock::mReason, deprecated in 1.34, is no longer public.
* The GetBlockedStatus and UserIsHidden, deprecated in 1.34, has been removed.
  Instead, use the GetUserBlock hook.
* As part of work to replace the Parser, a large number of breaking changes have
  been made, principally in related methods and properties being removed or made
  private:
  - disableCache(), deprecated in 1.28.
  - serializeHalfParsedText() and the helpers unserializeHalfParsedText(),
    isValidHalfParsedText(), and StripState::getSubState() and
    StripState::merge(), all deprecated in 1.31. The helper functions
    LinkHolderArray::mergeForeign() and LinkHolderArray::getSubArray()
    were also removed.
  - getConverterLanguage(), deprecated in 1.32. Use getTargetLanguage() instead.
  - A large set of methods exposed only for historical reasons, deprecated in
    1.34, have now been removed or made private:
    - areSubpagesAllowed()
    - armorLinks()
    - createAssocArgs()
    - doAllQuotes()
    - doDoubleUnderscore()
    - doHeadings()
    - doMagicLinks()
    - formatHeadings()
    - getImageParams()
    - getVariableValue()
    - initialiseVariables()
    - makeKnownLinkHolder()
    - maybeDoSubpageLink()
    - parseLinkParameter()
    - replaceExternalLinks()
    - replaceInternalLinks()
    - replaceInternalLinks2()
    - replaceLinkHoldersText().
    - splitWhitespace()
    - stripAltText()
    - testPreprocess()
    - testPst()
    - testSrvus()
  - incrementIncludeSize(), setTransparentTagHook(), replaceTransparentTags(),
    and $mTransparentTagHooks have been removed without deprecation.
  - The following constants have been made private without deprecation:
    - ::EXT_LINK_ADDR
    - ::EXT_IMAGE_REGEX
    - ::SPACE_NOT_NL
  - The following properties have been removed without deprecation:
    - ::$mDefaultStripList
    - ::$mIncludeCount
    - ::$mRevIdForTs
  - The following properties have been made private without deprecation:
    - ::$mFunctionSynonyms
    - ::$mFunctionTagHooks
    - ::$mStripList
    - ::$mVarCache
    - ::$mImageParams
    - ::$mImageParamsMagicArray
    - ::$mSubstWords
    - ::$mVariables
    - ::$mConf (deprecated in 1.34)
    - ::$mExtLinkBracketedRegex
    - ::$mUrlProtocols
    - ::$mAutonumber
    - ::$mLinkHolders
    - ::$mDefaultSort
    - ::$mTplRedirCache
    - ::$mForceTocPosition
    - ::$mTplDomCache
    - ::$mOutputType
    - ::$mLangLinkLanguages
    - ::$currentRevisionCache
    - ::$mProfiler
    - ::$mLinkRenderer
  - Parser::getTitle() will now throw a TypeError if $mTitle is uninitialized.
    This use pattern was deprecated in 1.34.
  - ContentHandler::makeParserOptions(), deprecated in 1.32, was removed. Use
    WikiPage::makeParserOptions() or ParserOptions::newCanonical() instead.
  - The ParserAfterUnstrip hook, believed to be unused, was removed without
    deprecation.
  - Preprocessor_DOM and related classes, deprecated in 1.34, have been removed.
    Consequently, the related ParserOptions::getMaxGeneratedPPNodeCount() and
    ::setMaxGeneratedPPNodeCount() have been removed without deprecation.
  - The support for the old signature for ParserFactory::__construct, which was
    deprecated in 1.34, has been removed.
  - Parser::getDefaultPreprocessorClass(), deprecated in 1.34, has been removed.
* MediaWikiTestCase::prepareServices(), deprecated in 1.32, has been removed
* The method ContentHandler::getSlotDiffRendererInternal is replaced with
  ContentHandler::getSlotDiffRendererWithOptions. This breaks consumers which
  call parent::getSlotDiffRendererInternal (no instances of which are known).
* TextContent::getHighlightHtml, deprecated since 1.24, has been removed. Use
  TextContent::getHtml instead.
* ExtensionRegistry::load(), deprecated in 1.34, was removed. Instead, use
  ExtensionRegistry::queue().
* MWMessagePack class, deprecated in 1.34, was removed.
* The cdb.php maintenance script was removed. Use the 'cdb' command from the
  wikimedia/cdb library instead.
* User::addNewUserLogEntryAutoCreate, deprecated in 1.27, was removed.
* FileBasedSiteLookup class, deprecated in 1.33, was removed.
* The wfGlobalCacheKey global function, deprecated in 1.30, was removed.
* The APCBagOStuff class was removed. MediaWiki requires PHP 7.2+ (support
  for HHVM was dropped) and these versions of PHP only support apcu. The default
  "apc" entry in $wgObjectCaches now refers to APCUBagOStuff.
* Database::bufferResults(), deprecated in 1.34, has been removed.
* CannotReplaceActiveServiceException, ContainerDisabledException,
  DestructibleService, NoSuchServiceException, SalvageableService,
  ServiceAlreadyDefinedException, ServiceContainer and ServiceDisabledException
  in the global namespace, deprecated in 1.33, were removed. Use the classes in
  the MediaWiki\\Services namespace instead.
* The following methods in the Interwiki class were removed: ::fetch(),
  ::isValidInterwiki(), ::invalidateCache(), and ::getAllPrefixes().
* The UsersMultiselectWidget config 'allowArbitrary' is now false by default. To
  accept arbitrary entries, pass in true for this config.
* OutputPage::parse() and OutputPage::parseInline(), deprecated in 1.32, have
  been removed. Use ::parseAsContent() or ::parseAsInterface(), as
  appropriate.
* WikiPage::selectFields, deprecated in 1.31, was removed. Use ::getQueryInfo.
* The remaining static methods for MagicWord, deprecated in 1.32, were removed.
  These were MagicWord::get(), ::getSubstIDs(), ::getDoubleUnderscoreArray(),
  ::getVariableIDs(), and ::getCacheTTL(). Instead, use MagicWordFactory (via
  MediaWikiServices).
* ApiBase::checkTitleUserPermissions no longer accepts a User as the third
  parameter. Passing a user was deprecated in 1.33.
* Sanitizer::setupAttributeWhitelist() and Sanitizer::attributeWhitelist(),
  deprecated in 1.34, have been removed. They should not have been public.
* Passing a sequential array as the second parameter to
  Sanitizer::validateAttributes() has been deprecated; use an associative
  array where keys are the allowed attributes.
* The $warnCallback parameter to Sanitizer::removeHTMLtags, deprecated since
  its introduction in 1.28, has been removed.
* SpecialRecentChanges::filterByCategories(), deprecated in 1.31, was removed.
* The `ArticleContentViewCustom` hook, deprecated in 1.32, was removed.
* AuthManager::callLegacyAuthPlugin, deprecated in 1.33, was removed.
* wfGetMessageCacheStorage was removed without deprecation.
* Title::moveSubpages, deprecated in 1.34, was removed. Use the MovePage class
  and MovePage::moveSubpages instead.
* Article::doEditContent, deprecated in 1.29, was removed. Instead, use
  WikiPage::doEditContent.
* CommentStore::newKey, deprecated in 1.31, was removed.
* EditPage::$hookError was changed from public to private.
* Title::isValidMoveOperation, ::moveTo, and ::isValidMoveTarget, deprecated
  in 1.25, were removed. Use the MovePage class and its methods instead.
* Title::getUserCaseDBKey(), deprecated in 1.33, was removed. Use ::getDBkey().
* StringUtils::explodeMarkup() was removed without deprecation.
* AjaxResponse methods that were unused have been removed without deprecation:
  - checkLastModified
  - loadFromMemcached
  - storeInMemcached
  - setCacheDuration
  - setVary
* ApiDelete::delete and ::deleteFile, both of which were protected methods,
  have been made private to allow a signature change.
* HistoryPager::revLink, ::curLink, ::lastLink, and ::diffButtons, which had
  no visibilities defined, have been made private to allow signature changes.
* SpecialNewpages::revisionFromRcResult, which previously was protected, has
  been made private to allow a signature change.
* DifferenceEngine::$mOldRev and $mNewRev, deprecated for public access in
  1.32, have been removed.
* DifferenceEngine::revisionDeleteLink, which was previosuly protected, has
  been made private to allow a signature change.
* DifferenceEngine::getParserOutput, which is protected, has had a breaking
  signature change: the second parameter must be a RevisionRecord object,
  rather than a Revision object.
* WikiPage::setLastEdit, which was previously protected, has been made
  private to allow a signature change.
* Skin::getSkinNameMessages() deprecated in 1.34, has been removed.
* Skin::escapeSearchLink() deprecated in 1.34, has been removed, use
  Skin::getSearchLink() instead.
* Skin::shouldPreloadLogo() deprecated in  1.32, has been removed.
* Revision::loadFromId and RevisionStore::loadRevisionFromId have been
  removed.
* OutputPage::parserOptions doesn't accept an $options parameter anymore.
* MessageCache::getParserOptions previously did not have a visibility set.
  It has been made private.
* SpecialUndelete::showDiff previously did not have a visibilty set. It
  hav been made private to allow a signature change.
* The Skin no longer loads the "mediawiki.legacy.shared" or
  "mediawiki.legacy.commonPrint" modules. The legacy shared styles must now
  be loaded by the skin explicitly, either inherited via the
  "mediawiki.skinning.*" modules, or by making your skin's main styles
  module use the ResourceLoaderSkinModule class with the "legacy" attribute.
  See Vector and Monobook for examples.
* Passing an ApiMain to the constructor of ApiResult is no longer supported.
  This was deprecated in 1.25.
* ResourceLoaderWikiModule::invalidateModuleCache has been declared to
  be @internal as part of a signature change. No known uses exist outside
  of MediaWiki core.
* The ArticleAfterFetchContentObject hook, deprecated in 1.32, was removed.
  Use ArticleRevisionViewCustom to control output.
* DatabaseBlock::isValid, deprecated in 1.33, was removed.
* HTMLUserTextField and HTMLUsersMultiselectField previously implied
  required=true when exists=true. Form fields that use exists=true should also
  set required=true if they are required.
* In DatabaseUpdater, the following methods are no longer public: dropTable(),
  modifyTable(), modifyField(), runMaintenance(), copyFile(), appendLine().
  In PostgresUpdater, the following methods are no longer public:
  addPgEnumValue(), addPgIndex(), addPgExtIndex(). This change was made without
  deprecation due to immediate danger of data corruption and loss, see T157651.
  Extensions should instead use dropExtensionTable(),
  modifyExtensionExtensionTable(), modifyExtensionField(), addExtensionUpdate().
  The addExtensionUpdate() method can still be used to access any of the
  protected methods on DatabaseUpdater.
* ResourceLoader no longer provides the (always-true) variables for wgEnableAPI
  and wgEnableWriteAPI; they were deprecated in MediaWiki 1.31 and removed from
  the PHP environment in MediaWiki 1.32.
* The wfSetupSession global function, deprecated in 1.27, was removed. Use the
  persist() method of the right MediaWiki\Session\SessionManager object instead.
* The wfIsHHVM global function, deprecated in 1.34, was removed.
* GenderCache::doTitlesArray no longer accepts string values in its $titles
  array parameter. Use Title objects (or other LinkTarget) instead.
* Unused CommentStore::MAX_COMMENT_LENGTH has been removed.
* User::checkTemporaryPassword() and User::checkPassword(), deprecated in 1.27,
  were removed. Use AuthManager instead.
* All constants and class functions now have explicit visibility modifiers. This
  means, per [[mw:Stable interface policy]], that these should now be considered
  stable. This also helps MW align with PSR 2 and PSR 12. This was done based on
  audits of the corpus of skins and extensions hosted in Gerrit. If you find any
  that you need to be less restrictive (i.e. public or protected), please report
  these so that we can re-evaluate or suggest workarounds.
* BaseTemplate::msgWiki(), deprecated in 1.33, was removed. Use ->msg() or
  ->getMsg() instead.
* QuickTemplate::msgWiki(), deprecated in 1.33, was removed. Use ->msg()
  instead.
* WebInstaller::getErrorBox() and ::getWarningBox(), deprecated in 1.34,
  were removed. Use Html::errorBox() or ::warningBox() instead.
* SpecialVersion::getExtensionCredits() and SpecialVersion::getSkinCredits()
  have become private without deprecation.
* As part of the migration to a new hook system (T240307), the following classes
  now require an additional HookContainer constructor parameter:
    - AuthManager
    - BadFileLookup
    - BlockManager
    - ClassicInterwikiLookup
    - ContentHandlerFactory
    - ContentSecurityPolicy
    - DefaultOptionsManager
    - DerivedPageDataUpdater
    - FullSearchResultWidget
    - HtmlCacheUpdater
    - LanguageFactory
    - LanguageNameUtils
    - LinkRenderer
    - LinkRendererFactory
    - LocalisationCache
    - MagicWordFactory
    - MessageCache
    - NamespaceInfo
    - PageEditStash
    - PageHandlerFactory
    - PageUpdater
    - ParserFactory
    - PermissionManager
    - RevisionStore
    - RevisionStoreFactory
    - Router
    - SearchEngineConfig
    - SearchEngineFactory
    - SearchFormWidget
    - SearchNearMatcher
    - SessionBackend
    - SpecialPageFactory
    - UserNameUtils
    - UserOptionsManager
    - WatchedItemQueryService
    - WatchedItemStore
* The following classes now require setHookContainer() to be called after
  construction:
    - AuthenticationProvider
    - ResourceLoaderModule
    - SearchEngine
* The parameters to ChronologyProtector::getTouched() and
  ILBFactory::getChronologyProtectorTouched() were changed without backwards
  compatibility.
* The deprecated $blacklist parameter to wfIsBadImage() has been removed.
* SpecialBlock::checkUnblockSelf no longer accepts an integer representing
  an user ID as part of ongoing refactoring of SpecialBlock class.
* User::setInternalPassword() and User::setPassword(), deprecated in 1.27, have
  been removed. Use User::changeAuthenticationData() instead.
* User::selectFields(), deprecated in 1.31, has been removed. Use
  User::getQueryInfo() instead.
* The "legacy" serialization type in RESTBagOStuff, deprecated in 1.34,
  has been removed.
* The populateContentModel.php maintenance script was removed. It has
  been replaced by the populateContentTables.php script.
* The findHooks.php maintenance script, for the old hooks system, was removed.
* (T257278) Calling MediaWiki\Shell\Command::restrict() will now overwrite
  any previous restrictions rather than adding to them, making it possible to
  disable the default restrictions.

=== Deprecations in 1.35 ===
* The PHPUnit4And6Compat class, used to provide compatibility with PHPUnit 4, is
  now deprecated. MediaWiki support for PHPUnit 4 ended with the removal of HHVM
  support.
* LockManagerGroup::getDefault() and LockManagerGroup::getAny() are deprecated.
  They seem to be unused. Just use get() directly, and catch any exception.
* AbstractBlock::getPermissionsError and AbstractBlock::getBlockErrorParams are
  deprecated. Use BlockErrorFormatter::getMessage instead.
* The IP class is deprecated. Please instead use the Wikimedia\IPUtils class
  from the new wikimedia/ip-utils library instead. Additionally, the RE_IP_*
  constants are also deprecated. RE_IP_BYTE can be replaced with a class
  constant on the IPUtils class, while the others will eventually be made
  private.
* The following Language methods are deprecated: getFallbackFor,
  getFallbacksFor, getFallbacksIncludingSiteLanguage. Use the corresponding new
  methods on the LanguageFallback class: getFirst, getAll, and
  getAllIncludingSiteLanguage.
* FileJournal::factory is deprecated. Use the constructor directly instead.
* AbstractBlock methods setBlocker(), getBlocker() are deprecated and will
  become internal implementation of DatabaseBlock.
* Title::countRevisionsBetween has been deprecated and moved into RevisionStore.
* FileBackendGroup::singleton() is deprecated. Use MediaWikiServices instead.
* FileBackendGroup::destroySingleton() is deprecated. Test frameworks should
  instead reset MediaWikiServices between test runs.
  (MediaWikiIntegrationTestCase does this automatically.)
* GenderCache::singleton(), deprecated in 1.28, is hard deprecated. Use
  MediaWikiServices::getGenderCache() instead.
* MediaWikiIntegrationTest::setContentLang() has been deprecated. Use
  setMwGlobals( 'wgLanguageCode', 'xxx' ) to set a different site language
  code, or setService( 'ContentLanguage', $myObj ) to set a specific Language
  object. Service resets and $wgContLang will be handled automatically.
* MediaWikiIntegrationTest::assertType() has been deprecated, as part of the
  work to move to PHPUnit 8; PHPUnit's assertInternalType() was deprecated, and
  will be removed in PHPUnit 9. MediaWikiIntegrationTest::assertTypeOrValue(),
  a wrapper for assertType(), has been removed immediately, without deprecation.
* AbstractBlock::getReason is deprecated, since reasons are actually stored as
  CommentStoreComments, and getReason returns a string with no caller control
  over language or formatting. Instead use AbstractBlock::getReasonComment,
  which returns the CommentStoreComment.
* The global function wfGetRusage() is deprecated and will now always call the
  getrusage() function without checking for its existence.
* The properties User::mBlock, User::mBlockedby and User::mHideName are
  deprecated. Instead, use User::getBlock to get the block, then use
  AbstractBlock::getByName or AbstractBlock::getHideName.Use the GetUserBlock
  hook to set, unset or modify a block, including hiding or unhiding a user.
* Directly calling the MergeHistory constructor is deprecated. Instead, use the
  new MergeHistoryFactory class.
* Language::factory() and Language::getParentLanguage() are deprecated, and so
  is directly calling the Language constructor. Use the new LanguageFactory
  class instead.
* Language::classFromCode() is deprecated. There is no reason it should be used
  outside the Language class itself.
* Language::clearCaches() is deprecated. Instead, reset all services and set
  Language::$mLangObjCache = [].
* The following functions from Language class are deprecated in favour of
  respective functions in LanguageConverter:
  - autoConvert
  - autoConvertToAllVariants
  - convert
  - convertTitle
  - convertNamespace
  - hasVariants
  - hasVariant
  - convertHtml
  - convertCategoryKey
  - getVariants
  - getPreferredVariant
  - getURLVariant
  - findVariantLink
  - getExtraHashOptions
  - updateConversionTable
* Language::classFromCode() is hard deprecated and should be removed in 1.36
* Language::getConverter() is deprecated and should be removed in 1.36
* Language::MESSAGES_FALLBACKS, Language::STRICT_FALLBACKS were deprecated.
  Use LanguageFallback::MESSAGES and LanguageFallback::STRICT respectively
* Language::$mLangObjCache is deprecated and should be removed in 1.36. Use
  MediaWikiServices instead to get a LanguageFactory.
* Language::getMessagesFor(), getMessageFor(), and getMessageKeysFor() are
  deprecated. Use LocalisationCache's getItem(), getSubitem(), and
  getSubitemList() methods directly.
* OutputPage::getCSPNonce() is deprecated, use OutputPage::getCSP()->getNonce()
  instead.
* DerivedPageDataUpdater::prepareUpdate accepted as its second parameter an
  optional array of options. Specifying the value of the `oldrevision` key of
  the array to be a Revision object, rather than a RevisionRecord object, is
  hard deprecated. The same applies to the options parameter in
  WikiPage::doEditUpdates.
* Skin::makeI18nUrl() and makeNSUrl() have been deprecated, no longer used.
* Title::countAuthorsBetween and Title::getAuthorsBetween were hard deprecated.
  Use respective methods in RevisionStore instead.
* Remove deprecated SkinCopyrightFooter &$forContent parameter
* The following Language class static variables have been replaced with
  constants and deprecated: $mWeekdayMsgs, $mWeekdayAbbrevMsgs, $mMonthMsgs,
  $mMonthGenMsgs, $mMonthAbbrevMsgs, $mIranianCalendarMonthMsgs,
  $mHebrewCalendarMonthMsgs, $mHebrewCalendarMonthGenMsgs,
  $mHijriCalendarMonthMsgs and $durationIntervals.
* As part of dropping security support for IE 6 and IE 7,
  WebRequest::checkUrlExtension() has been deprecated, and now always returns
  true.
* The following ApiBase::PARAM_* constants have been deprecated in favor of
  equivalent ParamValidator constants: PARAM_DFLT, PARAM_ISMULTI, PARAM_TYPE,
  PARAM_MAX, PARAM_MAX2, PARAM_MIN, PARAM_ALLOW_DUPLICATES, PARAM_DEPRECATED,
  PARAM_REQUIRED, PARAM_SUBMODULE_MAP, PARAM_SUBMODULE_PARAM_PREFIX, PARAM_ALL,
  PARAM_EXTRA_NAMESPACES, PARAM_SENSITIVE, PARAM_DEPRECATED_VALUES,
  PARAM_ISMULTI_LIMIT1, PARAM_ISMULTI_LIMIT2, PARAM_MAX_BYTES, PARAM_MAX_CHARS.
* ApiBase::explodeMultiValue() is deprecated. Use
  ParamValidator::explodeMultiValue() instead.
* ApiBase::parseMultiValue() is deprecated. No replacement is provided;
  generally this sort of thing should be handled by fully validating the
  parameter.
* ApiBase::validateLimit() and ApiBase::validateTimestamp() are deprecated.
  Use ApiParamValidator::validateValue() with an appropriate settings array
  instead.
* ContentHandler (use ContentHandlerFactory):
  - getForTitle
  - getForContent
  - getForModelID
  - getContentModels
  - getAllContentFormats
  - protected $handler (not need anymore)
  - cleanupHandlersCache (not need anymore)
* (T212738) The $wgVersion global is deprecated; instead, use MW_VERSION.
* $wgMemc is deprecated, use MediaWikiServices::getLocalServerObjectCache()
  instead.
* ObjectCache::detectLocalServerCache() is deprecated, instead use
  MediaWikiServices::getLocalServerObjectCache() or
  ObjectCache::makeLocalServerCache().
* ImagePage::getImageLimitsFromOptions() is deprecated. Use static function
  MediaFileTrait::getImageLimitsFromOptions() instead.
* As part of work to replace the Parser, alongside the breaking changes listed
  above, a large number of deprecations changes been made, to simplify the API
  or because they will not be supported in replacement:
  - Parser::doBlockLevels() (and BlockLevelPass class has been marked @internal)
  - Parser::setFunctionTagHook()
  - Parser::attributeStripCallback()
  - Parser::fetchTemplate() - use Parser::fetchTemplateAndTitle() instead.
  - Parser::enableOOUI() - use $parser->getOutput()->enableOOUI() instead.
  - LinkHolderArray has been deprecated for public usage and will be
    internal part of parser.
  - The following parser-related hooks have been deprecated:
    - InternalParseBeforeSanitize
        Use an alternative hook which doesn't expose internal half-parsed state,
        like ParserBeforeInternalParse or ParserAfterTidy
    - ParserFetchTemplate
        Use BeforeParserFetchTemplateAndTitle
    - ParserSectionCreate
        No replacement; <section> tag wrapping will be done by core in future.
    - BeforeParserrenderImageGallery
        No replacement; MediaHandler provides for customizable media rendering
    - ParserBeforeTidy
        Use ParserAfterTidy instead to avoid exposing internal half-parsed state
    - ParserBeforeStrip
        No replacement; stripping is no longer supported.
    - ParserAfterStrip
        No replacement; stripping is no longer supported.
  - The accessor/mutator methods Parser::Options(), Parser::OutputType(), and
    Parser::Title() have been deprecated; use the appropriate Parser::get* or
    Parser::set* methods instead.
  - Parser::firstCallInit() has been deprecated. The parser is initialized
    fully on construction and so ::firstCallInit() no longer has any effect
    when manually invoked.
  - ParserOptions::setAllowExternalImages(), ::setAllowExternalImagesFrom(),
    and ::setEnableImageWhitelist() have been deprecated.  Future parsers
    will not allow per-parser configuration of image filtering; use
    site configuration instead.
  - ParserOptions::getTidy() and ParserOptions::setTidy() have been deprecated.
    These options no longer have any effect.
  - Most methods of MWTidy, except for MWTidy::tidy(), have been deprecated;
    tidiness is always enabled and not configurable.
  - Version 1 of the parserTests file format has been deprecated. You'll need to
    update your parser tests to version 2, which uses Remex tidy on all test
    output by default. Support for parser tests with Remex tidy off will later
    be removed entirely.
  - $wgParser — This global variable, soft deprecated in 1.32, has now been hard
    deprecated. Use MediaWikiServices::getInstance()->getParser() instead.
    (T160811)
* The signature of DefaultPreferencesFactory::__construct has been changed:
  - LanguageConverter $languageConverter has been added.
  and its usage with old arguments is hard deprecated.
* The public usage of the following properties of LanguageConverter have been
  deprecated as there is no reason they should be used outside the
  LanguageConverter class and will be changed from public to private:
  - mLangObj
  - mUcfirst
  - mConvRuleTitle
  - mURLVariant
  - mUserVariant
  - mHeaderVariant
  - mMaxDepth
  - mVarSeparatorPattern
  changed from public to protected:
  - mTables
* The ArticleEditUpdatesDeleteFromRecentchanges hook has been deprecated. Please
  use the RecentChange_save hook or similar instead.
* The ArticleEditUpdates hook has been deprecated. Please
  use the RevisionDataUpdates hook or similar instead.
* The SkinTemplatePreventOtherActiveTabs and SkinTemplateTabAction hooks have
  been hard deprecated. Please use the SkinTemplateNavigation__Universal hook
  instead.
* ResourceLoaderFileModule::compileLessFile() has been deprecated, use
  ResourceLoaderFileModule::compileLessString() instead
* The SquidPurgeClient and SquidPurgeClientPool classes have been deprecated.
  Use MultiHttpClient or HtmlCacheUpdater instead.
* MimeAnalyzer::getExtensionsForType() and ::getTypesForExtensions() were
  deprecated in favor of MimeAnalyzer::getExtensionsFromMimeType() and
  ::getMimeTypesFromExtension(), respectively. The new methods return arrays
  rather than strings.
* Calling Action::factory and Action constructor with WikiPage has been
  hard deprecated. Caller must provide an Article instance.
* ApiTestCase::doLogin, soft deprecated in 1.31, was hard deprecated.
* WebRequest::getLimitOffset is hard deprecated. Instead, use
  ::getLimitOffsetForUser and pass a User object.
* PageArchive::getPreviousRevision is hard deprecated. Instead, use the new
  ::getPreviousRevisionRecord method.
* PageArchive::getArchivedRevision is hard deprecated. Instead, use the new
  ::getArchivedRevisionRecord method.
* PageArchive::undelete is hard deprecated. Instead, use ::undeleteAsUser
  and pass a User object.
* PageArchive::getRevision is hard deprecated.
* EditPage::getBaseRevision was hard deprecated. Instead, use the new
  ::getExpectedParentRevision method.
* The public variable EditPage::$mBaseRevision was hard deprecated.
* FileDeleteForm previously did not accept a user parameter in its constructor,
  instead relying on the global $wgUser. A user parameter has been added,
  and //not// providing a user is deprecated. There are no known callers
  outside of mediawiki core.
* AuthManager::singleton() has been deprecated. Use
  MediaWikiServices::getInstance()->getAuthManager() instead.
* ContribsPager::tryToCreateValidRevision is hard deprecated. Instead, use
  ContribsPager::tryCreatingRevisionRecord.
* The following functions all accept an optional user parameter. Not passing a
  user is hard deprecated, and support for calling them without passing a user
  will be removed in 1.36:
  - Title::getNotificationTimestamp (note however that the method is deprecated
      in its entirely in favor of the new WatchlistNotificationManager service)
  - PatrolLog::record
  - LogEventsList::userCan
  - LogEventsList::userCanBitfield
  - LogEventsList::userCanViewLogType
  - LogPage::addEntry
  - FileDeleteForm::doDelete
  - OldLocalFile::userCan
  - ArchivedFile::userCan
  - File::userCan
* The following functions all accept an optional audience parameter and
  an optional user parameter. If the audience is FOR_THIS_USER and no
  user is passed, they fallback to $wgUser. Not passing a user when
  one is needed is deprecated
  - LogEventsList::getExcludeClause
  - WikiPage::getComment
  - WikiPage::getCreator
  - WikiPage::getUser
  - WikiPage::getUserText
* UploadBase::checkWarnings now accepts a User parameter; not providing a
  user is soft deprecated.
* Article::insertProtectNullRevision and WikiPage::insertProtectNullRevision
  were hard deprecated. Instead, use WikiPage::insertNullProtectionRevision.
* Article::doDeleteArticle, Article::doDeleteArticleReal, and
  WikiPage::doDeleteArticle are all deprecated. Instead, use
  WikiPage::doDeleteArticleReal.
* Article::getComment is deprecated. Instead, use WikiPage::getComment.
* Article::getCreator is deprecated. Instead, use WikiPage::getCreator.
* Article::updateRevisionOn() and ::updateIfNewerOn(), and
  WikiPage::updateIfNewerOn() are deprecated. Instead, use
  WikiPage::updateRevisionOn().
* Article::getUser is deprecated. Instead, use WikiPage::getUser.
* Article::getUserText is deprecated. Instead, use WikiPage::getUserText.
* Article::prepareContentForEdit is hard deprecated. Instead, use
  WikiPage::prepareContentForEdit.
* WikiPage::prepareContentForEdit previously accepted either a Revision or a
  RevisionRecord object as its optional second parameter. Passing a Revision
  is now hard deprecated.
* Article::getUndoContent and WikiPage::getUndoContent are hard deprecated.
  Instead, use ContentHandler::getUndoContent.
* Passing Revision objects to ContentHandler::getUndoContent is hard deprecated.
  Instead, pass the associated Content objects, as well as whether the undo is
  from the current revision.
* Article::doDeleteUpdates and ::doEditUpdates are deprecated. Instead,
  use WikiPage::doDeleteUpdates and ::doEditUpdates.
* WikiPage::doEditUpdates previously accepted a Revision object as its first
  parameter. It now accepts RevisionRecord objects, and passing Revision
  objects is deprecated.
* Article::getRevisionFetched is deprecated. Instead, use the
  fetchRevisionRecord method, which has been converted from protected to
  public.
* LocalFileDeleteBatch was migrated to a new constructor signature with the
  user as the second parameter. Support for the old signature is hard
  deprecated, and once removed the user parameter will be required. At the
  same time, a number of file-deletion related methods were updated
  - File::delete is hard deprecated in favor of the new ::deleteFile
  - LocalFile::delete is hard deprecated in favor of the new ::deleteFile
  - LocalFile::deleteOld is hard deprecated in favor of the new ::deleteOldFile
  - ForeignDBFile::delete is hard deprecated in favor of the new ::deleteFile
* File::recordUpload (along with the respective methods in the LocalFile and
  ForeignDBFile classes) is hard deprecated, and LocalFile::recordUpload2 is
  soft deprecated. Use the new LocalFile::recordUpload3, which has a different
  signature and requires that a User parameter is passed.
* The SpecialPageFactory class was moved from the MediaWiki\Special namespace
  to the MediaWiki\SpecialPage namespace. The old location remains as a
  deprecated alias.
* Title::userCan, ::quickUserCan, and ::getUserPermissionsErrors, which
  were deprecated in 1.33, were hard deprecated. Instead, use
  PermissionManager::userCan, ::quickUserCan, and ::getPermissionErrors.
* All methods of the old SpecialPageFactory, deprecated in 1.32, were hard
  deprecated. Instead, get a SpecialPageFactory from MediaWikiServices and
  use its methods.
* User::updateNewtalk now accepts as its optional third parameter a
  RevisionRecord object; passing a Revision is hard deprecated.
* User::getNewMessageRevisionId and ::getNewMessageLinks were hard deprecated.
* DifferenceEngine::getRevisionHeader now accepts a RevisionRecord as its
  first parameter; passing a Revision is hard deprecated.
* WikiPage::doDeleteUpdates now accepts as its optional third parameter
  a RevisionRecord object; passing a Revision is hard deprecated.
* WikiPage::onArticleEdit now accepts as its optional second parameter
  a RevisionRecord object; passing a Revision is hard deprecated.
* Global $wgUser variable was soft deprecated.
* The Revision class was soft deprecated entirely in 1.31. All methods
  have now been individually hard deprecated:
  - ::__construct - create MutableRevisionRecord objects instead
  - ::newFromId - use RevisionLookup::getRevisionById instead
  - ::newFromTitle - use RevisionLookup::getRevisionByTitle instead
  - ::newFromPageId - use RevisionStore::getRevisionByPageId instead
  - ::newFromArchiveRow - use RevisionFactory::newRevisionFromArchiveRow
  - ::newFromRow - use RevisionStore::newRevisionFromRow instead
  - ::loadFromPageId - use RevisionStore::getRevisionByPageId instead
  - ::loadFromTitle - use RevisionStore::getRevisionByTitle instead
  - ::loadFromTimestamp - use RevisionStore::getRevisionByTimestamp instead
  - ::getQueryInfo - use RevisionStore::getQueryInfo instead
  - ::getArchiveQueryInfo - use RevisionStore::getArchiveQueryInfo instead
  - ::getParentLengths - use RevisionStore::getRevisionSizes instead
  - ::getRevisionRecord - no replacement
  - ::getId - use RevisionRecord::getId instead
  - ::setId - use MutableRevisionRecord::setId instead
  - ::setUserIdAndName - use MutableRevisionRecord::setUser instead
  - ::getTextId - use SlotRecord::getContentAddress for retrieving an actual
      content address, or RevisionRecord::hasSameContent to compare content
  - ::getParentId - use RevisionRecord::getParentId instead
  - ::getSize - use RevisionRecord::getSize instead
  - ::getSha1 - use RevisionRecord::getSha1 instead
  - ::getTitle - use RevisionRecord::getPageAsLinkTarget instead
  - ::setTitle - the method was previously a no-op
  - ::getPage - use RevisionRecord::getPageId instead
  - ::getUser - use RevisionRecord::getUser and then User::getId instead
  - ::getUserText - use RevisionRecord::getUser and then User::getName instead
  - ::getComment - use RevisionRecord::getComment instead
  - ::isMinor - use RevisionRecord::isMinor instead
  - ::isUnpatrolled - use RevisionStore::getRcIdIfUnpatrolled instead
  - ::getRecentChange - use RevisionStore::getRecentChange instead
  - ::isDeleted - use RevisionRecord::isDeleted instead
  - ::getVisibility - use RevisionRecord::getVisibility instead
  - ::getContent - use RevisionRecord::getContent instead
  - ::getSerializedData - use SlotRecord::getContent for retrieving a
      content object, and Content::serialize for the serialized form
  - ::getContentModel - use SlotRecord::getModel instead
  - ::getContentFormat - use SlotRecord::getFormat instead, with a fallback
       to ContentHandler::getDefaultFormat
  - ::getContentHandler - use ContentHandlerFactory::getContentHandler instead
  - ::getTimestamp - use RevisionRecord::getTimestamp instead
  - ::isCurrent - use RevisionRecord::isCurrent instead
  - ::getPrevious - use RevisionLookup::getPreviousRevision instead
  - ::getNext - use RevisionLookup::getNextRevision instead
  - ::getRevisionText - use RevisionRecord::getContent instead
  - ::compressRevisionText - use SqlBlobStore::compressData instead
  - ::decompressRevisionText - use SqlBlobStore::decompressData instead
  - ::insertOn - use RevisionStore::insertRevisionOn instead
  - ::base36Sha1 - use SlotRecord::base36Sha1 instead
  - ::newNullRevision - use RevisionStore::newNullRevision
  - ::userCan - use RevisionRecord::userCanBitfield instead
  - ::userCanBitfield - use RevisionRecord::userCanBitfield instead
  - ::getTimestampFromId - use RevisionStore::getTimestampFromId instead
  - ::countByPageId - use RevisionStore::countRevisionsByPageId instead
  - ::countByTitle - use RevisionStore::countRevisionsByTitle instead
  - ::userWasLastToEdit - use RevisionStore::userWasLastToEdit instead
  - ::newKnownCurrent - use RevisionStore::getKnownCurrentRevision instead
* The Revision method had a few methods that were previously protected and
  have been made private. They were:
  - ::getRevisionStore
  - ::getRevisionLookup
  - ::getRevisionFactory
  - ::getBlobStore
  The $mRecord variable was also changed from protected to private.
* Multiple hooks that include Revision objects were deprecated. The hooks, as
  well as suitable replacements, are noted below:
  - ArticleRevisionUndeleted (hard deprecated, use the RevisionUndeleted hook)
  - ArticleRollbackComplete (hard deprecated, use the RollbackComplete hook)
  - DiffRevisionTools (hard deprecated, use the DiffTools hook)
  - DiffViewHeader (hard deprecated, use the DifferenceEngineViewHeader hook)
  - HistoryRevisionTools (hard deprecated, use the HistoryTools hook)
  - NewRevisionFromEditComplete (hard deprecated, use the
      RevisionFromEditComplete hook).
  - PageContentInsertComplete (hard deprecated, use the PageSaveComplete hook)
  - PageContentSaveComplete (hard deprecated, use the PageSaveComplete hook)
  - RevisionInsertComplete (soft deprecated in 1.31, now hard deprecated)
  - TitleMoveCompleting (hard deprecated, use the PageMoveCompleting hook)
  - TitleMoveComplete (hard deprecated, use the PageMoveComplete hook)
  - UndeleteShowRevision (hard deprecated)
* The following RevisionStore methods were deprecated:
  - ::loadRevisionFromTitle
  - ::loadRevisionFromTimestamp
  - ::loadRevisionFromPageId
  - ::listRevisionSizes
* WikiPage::$mLastRevision was changed from protected to private.
* RecentChange::markPatrolled was deprecated. Use ::doMarkPatrolled instead.
* The JobRunner class has been converted to a service class.
  Direct construction is deprecated, use MediaWikiServices::getJobRunner.
* JobRunner::setLogger has been deprecated, thus using JobRunner as a
  LoggerAwareInterface is deprecated as well. Rely on the logger passed in the
  constructor instead.
* LogEventsList::typeAction accepts an optional right to check against as
  the fourth parameter. Specifying such a right is deprecated.
* SkinTemplate::makeArticleUrlDetails has been deprecated, no longer used.
* Passing a Revision object into CategoryMembershipChange constructor is
  deprecated. Pass a RevisionRecord instead.
* The "mediawiki.legacy.oldshared" module has been deprecated.
  Skins and extensions that are using this should copy its necessary CSS rules
  to their own styles module. CologneBlue and Nostalgia skins serve as examples.
* The "mediawiki.legacy.shared" module has been deprecated.
  Use the "mediawiki.skinning.*" modules, or ResourceLoaderSkinModule instead.
* The following hooks, soft deprecated in 1.24, have been hard deprecated:
  - APIQueryInfoTokens
  - APIQueryRecentChangesTokens
  - APIQueryRevisionsTokens
  - APIQueryUsersTokens
  - ApiTokensGetTokenTypes
* Calling Action::factory and Action constructor with any Page implementations
  other than Article is deprecated.
* Action::page property is deprecated for direct access.
  Use Action::getArticle or Action::getWikiPage instead.
* LESS `.background-image-svg()` mixin from 'mediawiki.mixins.less' is
  deprecated and should be removed in 1.36.
* LESS `.background-image-svg-quick()` mixin from 'mediawiki.mixins.less' is
  deprecated and should be removed in 1.36.
* The following methods were deprecated:
  - Title::getFirstRevision (hard deprecated)
  - Title::getEarliestRevTime
  - WikiPage::getOldestRevision (hard deprecated)
  - Article::getOldestRevision (hard deprecated)
  Use RevisionStore::getFirstRevision instead.
* WikiPage::commitRollback and ::doRollback are declared to be internal
  in preparation for breaking changes. Neither method has any known
  callers outside of MediaWiki core. Both methods modify an array passed
  by reference ($resultDetails) - accessing the Revision objects added to
  that array (using the keys `current` and `target`) is also deprecated.
* The following Linker methods previously accepted Revision objects as
  parameters. They now accept either Revision or RevisionRecord objects.
  Passing a Revision object is hard deprecated.
  - ::revUserLink
  - ::revUserTools
  - ::revComment
  - ::generateRollback
  - ::getRollbackEditCount
  - ::buildRollbackLink
  - ::getRevDeleteLink
* WikiPage::hasDifferencesOutsideMainSlot previously accepted Revision
  objects for its two parameters. It now accepts RevisionRecord objects,
  and passing Revision objects is hard deprecated.
* WikiPage::updateRevisionOn previously accepted Revision objects for its
  second parameter. It now accepts RevisionRecord objects, and passing
  Revision objects is hard deprecated.
* The ParserGetVariableValueVarCache hook has been deprecated.
* When using the ParserGetVariableValueSwitch hook, the following unusual
  uses have been deprecated: modifying the passed $magicWordId or failing to
  cache the returned value in $variableCache.  The related
  MagicWordwgVariableIDs hook has been deprecated and renamed; use
  the GetMagicVariableIDs hook instead.
* The following Parser properties have been deprecated:
  - ::$mTagHooks
  - ::$mFunctionHooks
  - ::$mMarkerIndex
  - ::$mFirstCall
  - ::$mPreprocessor
  - ::$mOutput
  - ::$mStripState
  - ::$mLinkID
  - ::$mIncludeSizes
  - ::$mPPNodeCount
  - ::$mGeneratedPPNodeCount
  - ::$mHighestExpansionDepth
  - ::$mDoubleUnderscores
  - ::$mExpensiveFunctionCount
  - ::$mShowToc
  - ::$mUser
  - ::$mOptions
  - ::$mTitle
  - ::$ot
  - ::$mRevisionObject
  - ::$mRevisionId
  - ::$mRevisionTimestamp
  - ::$mRevisionUser
  - ::$mRevisionSize
  - ::$mInputSize
  - ::$mInParse
* LinksUpdate::getRevision and ::setRevision are hard deprecated in favor
  of the new ::getRevisionRecord and ::setRevisionRecord methods.
* A large number of exposed variables and methods of Article were deprecated as
  part of its planned removal:
  - Article::$mContext is deprecated; use getContext()/setContext() instead.
  - Article::__get(), ::__set() are hard deprecated, use the WikiPage properties
    instead.
  - These Article methods were hard deprecated; use their WikiPage equivalents:
    - ::checkFlags,
    - ::checkTouched,
    - ::clearPreparedEdit,
    - ::commitRollback,
    - ::doDeleteArticleReal,
    - ::doEditContent,
    - ::doPurge,
    - ::doRollback,
    - ::doUpdateRestrictions,
    - ::doViewUpdates,
    - ::exists,
    - ::followRedirect,
    - ::getContentHandler,
    - ::getContentModel,
    - ::getContributors,
    - ::getDeletionUpdates,
    - ::getHiddenCategories,
    - ::getId,
    - ::getLatest,
    - ::getLinksTimestamp,
    - ::getMinorEdit,
    - ::getRedirectTarget,
    - ::getRedirectURL,
    - ::getTimestamp,
    - ::getTouched,
    - ::hasViewableContent,
    - ::insertOn,
    - ::insertRedirect,
    - ::insertRedirectEntry,
    - ::isCountable,
    - ::isRedirect,
    - ::loadFromRow,
    - ::loadPageData,
    - ::lockAndGetLatest,
    - ::makeParserOptions,
    - ::pageDataFromId,
    - ::pageDataFromTitle,
    - ::prepareContentForEdit,
    - ::protectDescription,
    - ::protectDescriptionLog,
    - ::replaceSectionAtRev,
    - ::setTimestamp,
    - ::shouldCheckParserCache,
    - ::supportsSections,
    - ::triggerOpportunisticLinksUpdate,
    - ::updateCategoryCounts, and
    - ::updateRedirectOn.
  - Article::generateReason() was hard deprecated; instead, please use
    WikiPage::getAutoDeleteReason().
  - Article::replaceSectionContent() was hard deprecated, use
    Article::replaceSectionAtRev() instead.
  - Article::getRevision and WikiPage::getRevision were hard deprecated in favor
    of the new WikiPage::getRevisionRecord method.
* A new UserNameUtils service was introduced. The following User methods
  were deprecated in favor of using the new service:
  - isIP
  - isIPRange
  - isValidUserName
  - isUsableName
  - isCreatableName
  - getCanonicalName
* The signature of WikiPage::doDeleteArticleReal was changed to make the user
  the second parameter, and the suppression option the third parameter.
  Previously, the third parameter was unused. Using the old signature is
  hard deprecated.
* ApiQueryRevisions::getRollbackToken, which has been soft deprecated since
  1.24, accepted as its third parameter a Revision object. It now accepts
  a RevisionRecord, and passing a Revision is hard deprecated.
* Passing Article to ParserCache::get() was deprecated
* ParserOptions::newCanonical() with no first parameter, or null as the first
  parameter, which falls back to using global $wgUser, is hard deprecated.
* Parser::fetchCurrentRevisionOfTitle, ::statelessFetchRevision, and
  ::getRevisionObject were hard deprecated in favor of the new
  ::fetchCurrentRevisionRecordOfTitle, ::statelessFetchRevisionRecord,
  and ::getRevisionRecordObject methods respectively.
* ParserOptions::getCurrentRevisionCallback and ::setCurrentRevisionCallback
  were hard deprecated in favor of the new ::getCurrentRevisionRecordCallback
  and ::setCurrentRevisionRecordCallback methods respectively.
* Parser::statelessFetchTemplate returns an array; accessing the Revision
  object returned (via the `revision` key to the array) is deprecated. Instead,
  use `revision-record` to retrieve the equivalent RevisionRecord.
* WikiPage::doEditContent returns an array, and PageUpdater::getStatus returns
  a Status object with an array value. For both of those arrays, accessing the
  Revision object returned (via the `revision` key to the array) is deprecated.
  Instead, use `revision-record` to retrieve the equivalent RevisionRecord.
* Page interface was deprecated. Use Article or WikiPage instead.
* The following DatabaseBlock methods are deprecated because they are no longer
  needed in core: chooseBlock, fromMaster, deleteIfExpired.
* wfGetScriptUrl() was deprecated. The script URL should be configured rather
  than detected. wfScript() can be used to get a configured script URL.
* Action::factory() with null $action argument is hard deprecated
* The following methods of the User class were deprecated: getDefaultOptions,
  getDefaultOption, getOptions, getOption, getBoolOption, getIntOption,
  setOption, listOptionKinds, getOptionKinds, resetOptions. Use corresponding
  methods in UserOptionsLookup or UserOptionsManager service classes instead.
* UserRetrieveNewTalks hook was deprecated without replacement.
* User::getNewtalk and ::setNewtalk were hard deprecated. Use service
  TalkPageNotificationManager instead.
* EditPage::matchSpamRegex and ::matchSummarySpamRegex were hard deprecated in
  favor of the new SpamChecker service.
* Title::getNotificationTimestamp, User::clearNotification, and
  User::clearAllNotifications were deprecated in favor of the new
  WatchlistNotificationManager service.
* SpecialPage::setListed() and SpecialPage::listed() were deprecated. Subclass
  UnlistedSpecialPage to set listed as false, and use SpecialPage::isListed()
  to get the value.
* CategoryPage::getCategoryViewerClass() and ::setCategoryViewerClass() were
  deprecated.
* MWHttpRequest and its subclasses PhpHttpRequest, CurlHttpRequest and
  GuzzleHttpRequest now require the timeout and connectTimeout options to
  always be specified, otherwise a deprecation warning will be raised. Most
  callers should use HttpRequestFactory which always sets these options.
* Linker::normaliseSpecialPage() has been deprecated, instead make use of
  LinkRenderer::normalizeTarget().
* SkinTemplate::getPersonalToolsList() was soft deprecated.
* ChangeTags::truncateTagDescription() has been deprecated.
* The following methods of the User class are deprecated: getGroups,
  getGroupMemberships, getEffectiveGroups, getAutomaticGroups,
  addGroup, removeGroup, getFormerGroups, getAllGroups, getImplicitGroups,
  addAutopromoteOnceGroups. Use the new UserGroupManager service instead.
* The following methods of the UserGroupMembership class were deprecated:
  selectFields, getMembershipsForUser, getMembership, insert, delete,
  newFromRow, initFromRow, purgeExpired.
  Use the new UserGroupManager service instead.
* wfWaitForSlaves() has been hard deprecated. Use LBFactory::waitForReplication
  instead. It was soft deprecated in 1.27.
* BaseTemplate::getAfterPortlet and ::renderAfterPortlet have been deprecated in
  favor of the Skin::getAfterPortlet method. Skin::getAfterPortlet does not wrap
  the result in a div, callers are responsible for that.
  The hook BaseTemplateAfterPortlet, called by both methods has been deprecated
  as well and is replaced by SkinAfterPortlet.
* Autopromote class has been soft deprecated and it's methods moved into
  UserGroupManager.
* SkinTemplateBuildNavUrlsNav_urlsAfterPermalink hook has been deprecated.
  Use SidebarBeforeOutput hook and get the revision id from the OutputPage
  object.
* BaseTemplate::getToolbox() method has been soft deprecated. The toolbox data
  is now available in a sidebar data array which you can get from any class
  that's extending QuickTemplate class. The hook associated with this method,
  BaseTemplateToolbox, has been hard deprecated. To add items to the toolbox,
  use SidebarBeforeOutput hook instead.
* The SkinTemplateOutputPageBeforeExec hook is deprecated.
  The page [[mw:Manual:Hooks/SkinTemplateOutputPageBeforeExec]] and T60137
  for recommendations for alternative approaches based on how developers
  previously used this hook.
* SkinTemplateToolboxEnd hook has been deprecated. Use SidebarBeforeOutput hook
  instead.
* Using Skin::addToBodyAttributes() method to add body attributes has been
  deprecated. Use OutputPageBodyAttributes hook instead.
* Installer::getDBTypes has been hard deprecated in favor of
  InstallerDBSupport::getDatabases
* The hooks BeforeHttpsRedirect, CanIPUseHTTPS and UserRequiresHTTPS were
  deprecated, as part of a long-term plan to remove support for mixed
  HTTP/HTTPS wikis.
* Skin::generateDebugHTML() has been hard deprecated. Call
  MWDebug::getHTMLDebugLog() directly.
* ExternalStoreDB::getSlave(), soft deprecated in 1.34, was hard deprecated.
  Use ExternalStoreDB::getReplica() instead.
* Less variables in mediawiki.ui/variables.less file that don't follow the
  standard variable naming scheme (compare WikimediaUI Base) including
  `@colorGray* variables have been deprecated. New variables are in place and
  aliases have been set. Replace occurrences and use the new variables instead.

=== Other changes in 1.35 ===
* A new maintenance script is added (purgeExpiredWatchlistItems.php) with which
  to delete expired watchlist items. These items will also be deleted during
  wiki editing if $wgWatchlistPurgeRate is > 0. This maintenance script only
  has effect if $wgWatchlistExpiry is true. It is recommended that a cronjob or
  similar be set up to run it at least daily.
* Title::purgeSquid is deprecated. Use MediaWikiServices::getHtmlCacheUpdater.
* SpecialVersion::getExtLicenseFileName() has been deprecated, use
  MediaWiki\ExtensionInfo::getLicenseFileNames() instead.
* SpecialVersion::getExtAuthorsFileName() has been deprecated, use
  MediaWiki\ExtensionInfo::getAuthorsFileName() instead.
* Migration to the new content storage schema is complete, all backwards
  compatibility code and duplication in the database have been removed.
  The old schema was a 1:1 relationship modeled by
  revision.text_id -> text.old_id. The new schema is a n:m relationship,
  revision.rev_id <- slots.slot_revision_id|slots.slot_content_id ->
  content.content_id|content.content_address -> text.old_id. The same applies
  to the archive table.
  The following fields were removed:
  - revision.rev_text_id, replaced by content.content_address
  - revision.rev_content_model, replaced by content.content_model,
    referencing content_models.model_id
  - revision.rev_content_format, replaced by automatic detecting in
    ContentHandler
  - archive.ar_text_id, replaced by content.content_address
  - archive.ar_content_model, replaced by content.content_model,
    referencing content_models.model_id
  - archive.ar_content_format, replaced by automatic detecting in
    ContentHandler
* Migration to normalized storage of edit comments and user names is
  progressing. The following fields were unused and have been removed:
  - revision.rev_comment,
    replaced by rev_comment_id referencing comment.comment_id.
  - revision.rev_user and rev_user_text,
    replaced by rev_actor referencing actor.actor_id.
  Note that archive.ar_user, archive.ar_user_text, and archive.ar_comment
  had already been removed in previous releases.
* The printableversion has been marked as deprecated per T167956.
* (T30162, T245387) The installer supports using a Postgres server running
  on a custom port other than 5432.

== Compatibility ==
MediaWiki 1.35 requires PHP 7.3.19 or later, and the following PHP extensions:

* ctype
* dom
* fileinfo
* iconv
* json
* mbstring
* xml

MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature.

The supported versions are:

* MySQL 5.5.8 or later
* PostgreSQL 9.2 or later
* SQLite 3.8.0 or later

== Online documentation ==
Documentation for both end-users and site administrators is available on
MediaWiki.org, and is covered under the GNU Free Documentation License (except
for pages that explicitly state that their contents are in the public domain):

       https://www.mediawiki.org/wiki/Special:MyLanguage/Documentation

== Mailing list ==
A mailing list is available for MediaWiki user support and discussion:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

A low-traffic announcements-only list is also available:

       https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce

It's highly recommended that you sign up for one of these lists if you're
going to run a public MediaWiki, so you can be notified of security fixes.

== IRC help ==
There's usually someone online in #mediawiki on irc.libera.chat.