Skip to main content

Pantheon release notes

Your destination for staying informed about our latest innovations and product updates.
Subscribe to RSS feed
May 27, 2026

Pantheon will shut down infrastructure running our Front-End Sites offering on October 1st, 2026.

Our intention to replace the Front-End Sites was included in the Beta announcement of newer support for Next.js. As our support for Next.js reached General Availability, Pantheon staff began direct outreach to customers using Front-End Sites.

Please reach out to your Customer Success Manager if you would like assistance moving your site. Or, if you prefer to migrate on your own, you can do so with these steps.

May 26, 2026

Terminus 4.3.0 is now available. This release adds GitHub Enterprise Server (GHES) support for VCS commands, enabling customers using GHES to provision and manage their repositories through Terminus.

Key improvements in this release

  • GHES provisioning command: New vcs:github-host:add command allows provisioning GitHub Enterprise Server hosts for use with Pantheon VCS integrations (#2838)
  • GHES support in VCS commands: Existing VCS commands now accept a --github-host option to target GitHub Enterprise Server instances (#2840)
  • Twig dependency update: Updated the twig templating dependency (#2841)

How to upgrade to Terminus 4.3.0

If you use Homebrew (macOS-only) to manage your Terminus installation, you should upgrade using:

If you installed Terminus directly from the .phar file, you should upgrade using the self:update command:

For more information about this release, visit the GitHub release page.

If you have questions or concerns around Terminus, please use the Terminus issue queue.

May 20, 2026

Pantheon has released version 2.3.2 of the WP SAML Auth WordPress plugin. This security update fixes vulnerabilities in the robrichards/xmlseclibs and onelogin/php-saml dependencies. For more information, see the plugin release notes for details.

Update to 2.3.2 from the WordPress dashboard under Plugins > Installed Plugins, or download it from the WordPress Plugin Repository.

May 20, 2026

The latest version of WordPress, 7.0 (Armstrong), is available on Pantheon as of May 20, 2026.

Action required

Upgrade to WordPress 7.0 right from your Pantheon dashboard or Terminus to access the latest features, fixes, and security enhancements. See related documentation for how to apply core updates.

Highlights

  • AI integration — A new provider-agnostic AI Client and Abilities API let WordPress communicate with generative AI models (Anthropic, Google, OpenAI, or custom), managed from a central Connectors screen in the dashboard.
  • Modernized admin dashboard — A refreshed color scheme, smooth view transitions between screens, and a new Cmd+K / Ctrl+K command palette shortcut accessible from anywhere in the admin.
  • New blocks — Breadcrumbs, Icon, and an enhanced Heading block join the editor, along with lightbox slideshow support in the Gallery block and video backgrounds in Cover blocks.
  • Block-level custom CSS and responsive visibility — Apply custom CSS to individual blocks and show or hide blocks by device type for more granular design control.
  • Font Library — A dedicated font management page for uploading, installing, and managing fonts across block, hybrid, and classic themes.
  • PHP-only block registration — Create blocks entirely server-side without JavaScript, auto-registered with the block API.
  • ...and more

For full details about WordPress 7.0, see the release notes or the WordPress 7.0 Field Guide.

May 20, 2026

Drupal has released a highly critical security update (CVSS 20/25) for Drupal core addressing SA-CORE-2026-004 (CVE-2026-9082). The vulnerability is a SQL injection flaw in Drupal's database abstraction API that only affects sites running on PostgreSQL. Drupal 7 is not affected.

No action is required to protect your Pantheon-hosted sites. Pantheon does not use PostgreSQL, so this vulnerability does not apply to sites hosted on Pantheon. Additionally, as a founding Platform Partner of the Drupal Steward program, Pantheon worked with the Drupal Security Team to implement platform-level mitigations prior to public disclosure.

Recommended update

We still recommend updating to the latest Drupal core patch release to keep your codebase aligned with upstream supported branches.

Patched releases for supported branches:

  • Drupal 11.3.10 and 11.2.12
  • Drupal 10.6.9 and 10.5.10

Emergency patches are also available for end-of-life branches 11.1.x, 10.4.x, 9.5.x, and 8.9.x — see the security advisory for details.

To apply the update, use one-click core updates in the Pantheon dashboard.

May 15, 2026

Terminus 4.2.2 is now available. This release adds object cache and search visibility to site:info, upstream fields to site listing commands, and Node.js dependency update support.

Key improvements in this release

  • Object Cache and Search status in site:info: site:info now shows whether Object Cache (Redis) is enabled and which search index (Elasticsearch, Solr, or both) is active (#2812)
  • Upstream fields in site:list: site:list and org:site:list now support upstream and upstream_label as optional --fields values (#2835)
  • Node.js dependency updates: upstream:updates commands now support Node.js sites for dependency management (#2828)
  • EVCS site creation validation: Site creation for EVCS sites now uses server-side repo name validation for more accurate error messages (#2831)
  • PHP 8.2 fix: Resolved deprecation warnings for dynamic property creation in the Site model (#2813)

How to upgrade to Terminus 4.2.2

If you use Homebrew (macOS-only) to manage your Terminus installation, you should upgrade using:

If you installed Terminus directly from the .phar file, you should upgrade using the self:update command:

For more information about this release, visit the GitHub release page.

If you have questions or concerns around Terminus, please use the Terminus issue queue.

May 15, 2026

We've made it easier to auto-instrument New Relic Browser Agent monitoring on Drupal 10.2+ sites.

Starting in Drupal 10.2, strict Content-Length headers were introduced that broke New Relic's standard Browser Agent auto-injection. You can now re-enable browser monitoring with a single pantheon.yml setting, and Pantheon's platform will handle the injection automatically. Changes take effect within a few minutes.

WordPress sites and Drupal versions prior to 10.2 are unaffected. Browser Agent auto-instrumentation continues to work out of the box for those frameworks.

For full details, visit our documentation page on New Relic.

May 13, 2026

Setting tika_version: 1 in pantheon.yml is now rejected at validation time. Sites with this setting will receive a validation error on their next commit:

Tika 1.18 and 1.21 were removed from the platform on April 28, 2026. Since that date, tika_version: 1 was silently ignored and sites automatically used Tika 3. This change formalizes the rejection so that sites receive a clear error instead of a silent fallback.

Action Required

Update your pantheon.yml to use a supported value:

Or remove the tika_version setting entirely if your site does not use Tika. To explicitly disable Tika, set tika_version: none.

For Tika 3 configuration details, including how to disable OCR, see External Libraries: Apache Tika.