Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Install
To start a new Drupal project with version 9.3.17:To update your site and all dependencies to the latest version of Drupal:
To update your site to this specific release:
Pinning to a specific release may make it more challenging to update your site in future, see composer documentation for managing pinned versions
Using Composer to manage Drupal site dependencies
Downloads
Download tar.gz
19.98 MB
MD5: 53cc8b15eba8bee45caad4b07d5bdd40
SHA-1: 0caf7896f458533b3908f6f9968e494f56864d35
SHA-256: 0288a780b4ae1ec4316a73f867141e834fdf6b0477c6e2583974acd7ff006e16
Download zip
32.3 MB
MD5: 00a690f1b94296b4c413f9ad79172e5b
SHA-1: 59bf0ec1af3937128e18f6df84101483227aeeeb
SHA-256: 60c126249f439d5e3739fb05ab2dd250068b76ed892c834d38f753770cf9cc96
Release notes
This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
- Change in port should be considered a change in origin
The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.
Drupal 9.3.x will receive security coverage until December 2022.
If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.
Important update information
-
Drupal core now requires
guzzlehttp/guzzle6.5.8 or higher (up from 6.5.7).The latest guzzle versions also require
guzzlehttp/psr71.9 or higher (up from 1.8.5), so that package is updated as well.Since the above change to
guzzlehttp/psr7requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.Site owners who do not use
drupal/core-recommendedshould take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates withoutdrupal/core-recommended. -
No changes have been made to the
.htaccess,web.config,robots.txt, or defaultsettings.phpfiles in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
All changes since 9.3.16
- Issue #3291780 by longwave, xjm: guzzlehttp/guzzle 6.5.8 requires guzzlehttp/psr7 ^1.9
- Issue #3285193 by Lendude, xjm: Temporarily skip random test failures that hide real test failures, part 4
- Merge 9.3.16, resolve merge conflicts, and update lockfile and dev versions.
- Issue #3247683 by Wim Leers, lauriii, bnjmnm, Reinmar: Disable CKEditor 5's automatic link decorators (in Drupal filters should be used instead)
- Issue #3273983 by Wim Leers, ifrik, lauriii: Do not assume that plugin supporting also supports in SourceEditingRedundantTags and upgrade path
- Issue #3283795 by alexpott, bircher: ComposerHooksTest is broken on latest DrupalCI PHP container
What’s next?
- Learn how to install Drupal
- Learn how to update Drupal
- Extend Drupal to do more
- Get training
- Check out what others built
Bug fixes
Insecure
