drupal 9.4.0

This is a minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backward compatibility and experimental module policies.

Minor releases may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022.

9.2.x and 8.9.x will no longer receive security support, so sites on a Drupal 8 or 9 version earlier than 9.2.x should upgrade to a supported release as soon as possible.

Important update information

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.4 directly. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Changes to site-owner-managed files

• The root .htaccess file now has a section for PHP 8 settings. This brings .htaccess files into alignment with Drupal’s supported PHP version.

  If you have a custom .htaccess file and its PHP settings are working, you can keep using your existing .htaccess file unchanged. If you are upgrading from PHP 7 to PHP 8, adopt the new .htaccess file and adopt the custom settings that you need from your existing .htaccess file PHP 7 section to the new PHP 8 section.

• The theme used when update.php is run and there is no maintenance_theme selected in settings.php has changed:

  1. If Claro is installed, it will be used as the maintenance theme.
  2. If Seven is installed and Claro is not, Seven will be used as the maintenance theme.
  3. If neither Claro nor Seven are installed, the default theme is used.

  Review the change record on the maintenance theme changes for more information.

Platform requirements changes

Minimum supported PHP version increased to PHP 7.4; PHP 8.1 recommended

Drupal 9.4's minimum PHP requirement has been increased from PHP 7.3 to 7.4. Sites on PHP 7.3 may still be installed and updated (with a warning), but their security coverage is not guaranteed unless they update to at least PHP 7.4. For more information, see the PHP requirements handbook page.

PHP 8.1 is now the recommended PHP version to use with Drupal 9.4 and above.

Database drivers moved to their own modules

The core supported database drivers, MySQL, PostgreSQL and SQLite, have been moved to their own modules. The modules are installed when the 9.4.0 update is run. Code that uses core-supplied database classes will continue to work, but these classes are deprecated and will be removed in Drupal 11. Custom and contrib drivers will need to supply a module parameter when encoding database connections as URLs.

See the known issues for known bugs related to this change.

Database JSON support warning

Drupal core will begin warning in the status report if a database connection doesn't support JSON, in preparation for this becoming an installation requirement in Drupal 10. The most common MySQL/MariaDB/Percona databases used with Drupal already had this requirement for Drupal 9.0, so this new warning is likely to appear only for SQLite and PostgreSQL users.

The drupal/core-recommended package now allows patch-level updates

The drupal/core-recommended metapackage now allows patch-level updates for dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package. Site owners should test patch-level updates before deploying them. Instructions for managing dependency updates with the updated drupal/core-recommended metapackage.

Note that egulias/email-validator has a wider constraint due to the name of its most recent supported version, so site owners may wish to add a specific constraint to avoid updates to version 3.3 or higher in the future.

The CKEditor 5 experimental module is nearly (but not quite) stable

CKEditor 4 will be end-of-life in 2023. The CKEditor 5 experimental module will replace CKEditor 4 in Drupal 10. CKEditor 5 differs significantly from CKEditor 4, so we strongly recommend sites and modules begin testing with it now in preparation for Drupal 10's release later this year. Only a few issues remain until the new module can be marked stable, including a critical data loss bug for custom tags when using Full HTML text format, support for inserting externally hosted images, support for Styles Combo (which blocks some contributed projects), and a number of accessibility issues. Most of these are blocked on upstream improvements, and we're working closely with the CKEditor team!

Testing CKEditor 5

Back up your site data and configuration before beginning testing.

1. The automatic content upgrade path: Under Configuration > Content Authoring > Text formats and editors, configure a text format and change its "text editor" setting from "CKEditor" to "CKEditor 5". (This will happen automatically when upgrading to Drupal 10.)

   You will get the equivalent CKEditor 5 configuration created automatically: toolbar, plugin settings, and so on. Messages will appear upon switching that explain what happened and why. Verify that the messages and generated configuration are correct.

2. The editing experience: Verify that the default CKEditor 5 configuration works as you need and expect. For example, the linking experience should be improved, uploading images is much faster, and so on.

3. Your existing content: When you edit existing content with CKEditor 5 and you save it, verify that the resulting markup looks as you expect, and that no data is lost.

Upgrading contributed modules to CKEditor 5

The module can be also used for making modules extending CKEditor 4 to become compatible with CKEditor 5.

• Meta issue of contrib modules being ported: #3207845: [META] Port some initial CKEditor 4 plugin integration modules to CKEditor 5
• Examples of complex CKEditor 4 modules updating to CKEditor 5 compatibility:
  • #3232190: CKEditor 5 readiness
  • #3232052: Drupal 10 & CKEditor 5 readiness

Deprecated modules

The following core modules are deprecated in Drupal 9.4 and will be moved to contributed projects in Drupal 10:

• Color
• Aggregator
• HAL
• The Entity Reference and SimpleTest stubs

Sites will receive warning messages when deprecated modules are in use. Review the deprecated module documentation on the steps to take if your site uses any of these modules.

API changes

• Preprocess functions can no longer take the third $info parameter by reference, this was an undocumented behaviour but is now disallowed.

• Module uninstall validators are now run during configuration import validation. Validators should implement interface \Drupal\Core\Extension\ConfigImportModuleUninstallValidatorInterface to differentiate between a config import validation and a regular module uninstall. (Note: This is a new change since 9.4.0-rc2.)

• ImageStyleStorageInterface now extends ConfigEntityStorageInterface. If you are directly implementing ImageStyleStorageInterface you will need to ensure you also implement methods from ConfigEntityStorageInterface.

• The drupal.elements metadata in CKEditor 5 plugin definitions must now explicitly list which tags are creatable. Previously, any listed tag was assumed to be creatable by the CKEditor 5 module, even if it was only able to create attributes on an already existing tag.

• ​​The JavaScript API for Contextual module has been marked internal (except for the drupalContextualLinkAdded event, which is still public API), and various parts of this will be refactored and/or removed in Drupal 10. Contributed modules should interact with contextual module only via the PHP API.

• The Modernizr.touchevents browser feature detection check has been deprecated. In addition, Modernizr is no longer responsible within Drupal for detecting touch devices and adding the touchevents/no-touchevents classes to the HTML element based on the detection result. The specific functionality of adding classes based on touch device detection is now provided via a core library: core/drupal.touchevents-test. The detection method used is identical to Modernizr's.

  Themes relying on the selector do not need to change, but code calling Modernizr directly should be updated.

Changes to the Standard and Umami Demo profiles

• The Standard profile now uses Olivero as a frontend theme instead of Bartik, and both Standard and the Umami Demo profile use Claro instead of Seven for the administrative theme. The default configurations for Bartik and Seven have been moved to the optional configuration. Standard and Umami now install with default configuration for Olivero and Claro according to core standards.

  This change does not affect existing sites, but does affect new site installation where the new themes will be the defaults.

• Standard profile will no longer enable the Color module when installed.

Backend dependency updates

The following dependencies have been changed or updated since 9.3.

• Sites are able to install Guzzle 7 due to a widening of Drupal core's composer constraints. This allows for more complete PHP 8.1 support. Contributed modules should continue to provide Guzzle 6 support since both the drupal/core-recommended package and tarballs continue to provide Guzzle 6.

  • Site owners who are using drupal/core-recommended and wish to use Guzzle 7 will need to change their site to depend on drupal/core directly. Note that your Composer dependencies will no longer be locked to specific patch or minor release versions after this change, so you will need to take care to avoid accidentally updating dependencies before your site is ready.

    Test thoroughly before deploying an update to Guzzle 7, as some contributed and custom projects may be incompatible with it.

  • Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.

• Drupal 10 will switch its PSR-17 implementation from laminas/laminas-diactoros to Guzzle. It should not be necessary to make any changes unless you are directly referencing Diactoros classes. If your project does depend directly on any Diactoros code (uncommon), you should make sure it is declared as a dependency in your composer.json or change the code to use Guzzle.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

  Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

Backend development dependencies

• Coder has been updated to 8.3.15. This version will automatically set up Drupal coding standards sniffs in PHP_CodeSniffer thanks to a new dependency on dealerdirect/phpcodesniffer-composer-installer.

Frontend dependency updates

Frontend production dependencies

• The Backbone and Underscore core JavaScript dependencies are deprecated and will no longer be provided as public core libraries in Drupal 10. Consequently, the drupal.editor.admin and drupal.filter.filter_html.admin libraries no longer depend on Underscore. Backbone and Underscore will eventually be removed from core, possibly prior to Drupal 10.0.0.

  Modules or themes which depend on these libraries should either refactor their code to remove the dependencies, or treat them as third-party dependencies for the contributed module.

  Most Underscore functionality has simple replacements in modern ES6 JavaScript. Review the change record about the Underscore deprecation for more information on upgrading your code.

  Both these deprecated dependencies have also received patch-level updates: Backbone has been updated from 1.4.0 to 1.4.1, and Underscore has been updated from 1.13.2 to 1.13.3.

• Drupal 10 will drop support for Internet Explorer 11. This includes removing all polyfills in Drupal 10. If you plan to continue supporting Internet Explorer 11 even when used with Drupal 10, your project will have to depend on any required polyfills directly. If you plan to support Internet Explorer 11 only until the end-of-life of Drupal 9, you don’t have to do anything until Drupal 9 is end-of-life.

  For a full list of polyfills being removed, reference the draft Drupal 10 change records for removing Internet Explorer 11 polyfills and removing Drupal's custom <details> fieldset collapse script.

• The latest minor versions of all JavaScript dependencies are now required by core yarn constraints. Additionally, the constraints have been changed to only allow patch-level updates for production dependencies. This allows yarn upgrades to be done easily and safely when there are security issues with the dependencies, without accidentally making disruptive updates to production dependencies.

  The constraints will be deliberately increased as necessary for future updates and future Drupal minor versions.

• Shepherd.js has been updated from 8.3.1 to 9.1.0. According to its release note, there should be no breaking changes that affect our usage.

• SortableJS has been updated from 1.14.0 to 1.15.0. According to its release note, there should be no breaking changes that affect our usage.

• tabbable has been updated from 5.2.1 to 5.3.2. According to its release note, there should be no breaking changes that affect our usage.

• Popper.js has been updated from 2.11.2 to 2.11.5.

Frontend development dependencies

• Node.js is a development dependency for Drupal core. In Drupal 9 and 10, Drupal core's Node.js requirement has been updated from 12.0.0 to 16.0.0. (Information on changes in Node.js 16.) An updated version of Node.js can be installed directly or with nvm. This only affects sites that have installed Drupal core's JavaScript development dependencies with npm or yarn.

• The Chromedriver JavaScript development dependency has been updated from 87.0.0 to 98.0.1.

• Eslint has been updated from 7.32.0 to 8.9.0. core/.eslintrc.passing.json has been updated to reflect the new rules.

• Stylelint has been updated from 13.13.1 to 14.8.2, and minor changes have been made to whitespace and quoting in core CSS. Refer to the change record on the Stylelint 14 update for more information.

• The jsdom development dependency has been updated from 18.1.1 to 19.0.0.

• All of Drupal core’s JavaScript development dependencies have been updated to the latest allowed minor and patch versions to address security issues in those dependencies. This should have minimal impact on contributed or custom code and CI workflows. Core developers should completely remove their core/node_modules directory and re-run yarn install from within the core/ directory.

Changed coding standards

• JavaScript linting now uses eslint-config-airbnb-base instead of eslint-config-airbnb for linting core JavaScript. Anyone who uses core’s ESLint config to lint React or JSX code should add eslint-config-airbnb back to their yarn dev dependencies.

Known issues

• #3285724: [regression] Drupal 9.4 breaks BC of \Drupal\Driver\* overriding core drivers during installation and parsing connection URLs
• #3291147: Successfully applying an update puts the remainder of the request into an unreliable state
• #3290924: [regression] With Drupal 9.4, can no longer call Database::getConnection() from within settings.php due to driver classes not yet in autoloader
• #3290936: Argument #1 ($database) must be of type Drupal\Core\Database\Driver\mysql\Connection, Drupal\mysql\Driver\Database\mysql\Connection given
• #3290992: Recursion tracker doesn't work
• #3294299: Regression in functional test performance with a large number of modules
• #3294695: Drupal 8 BC for database driver namespace fails for replicas

Search the issue queue for known issues.

All changes since Drupal 9.4.0-rc2

• Issue #3285696 by sardara, alexpott, longwave: Legacy random session ID generation is incompatible with symfony/http-foundation v4.4.42
• Issue #3198340 by alexpott, xjm, cilefen, Mile23, mmjvb, catch, longwave, mfb, Mixologic, effulgentsia, larowlan, Warped, quietone, greg.1.anderson: Strict constraints in drupal/core-recommended make it harder for Composer-managed sites to apply their own security updates when a core update is not available
• Issue #3285572 by alexpott, longwave: Update dependencies to latest patch releases for 9.4.x / 9.5.x
• Issue #3265429 by neclimdul, eleonel: Fix array keys in MailManagerTest
• Issue #3277025 by Spokje, longwave: For additional security you should declare the allow-plugins config with a list of packages names that are allowed to run code
• Issue #2430133 by JeroenT, znerol, mgifford: BlockLanguageTest tests non-existing pages
• Issue #3265492 by dww, Spokje, Amber Himes Matz, quietone: Fix inaccuracies in quickedit help topic (after the split from settings_tray)
• Issue #3277148 by rpayanm, andregp, joachim, Farnoosh, Athrylith, Jingting: ResourceResponse should document that the route it is used with must define the _format requirement
• Issue #2392815 by alexpott, pooja saraah, bircher, cilefen, pratik_specbee, catch, fago: Module uninstall validators are not used to validate a config import
• Issue #3283619 by eleonel: Fix a comment typo in common.inc
• Issue #3283599 by eleonel: Fix a typo in Help message on ckeditor5.module
• Issue #3281443 by _shY: Update Taxonomy tests to not use Bartik and Seven
• Issue #3281451 by tinto: Update Ajax FunctionalJavascript test to not use Bartik and Seven
• Issue #3269215 by slucero, dpi: EntityTypeInterface::getKey() is typehinted as possibly returning bool, but never returns true
• Issue #3284970 by alexpott: Reduce complexity in \Drupal\Core\Site\Settings::initialize
• Issue #3280398 by alexpott, mherchel, quietone: Theme's post updates within update.php refer to themes as "module"
• Issue #3285193 by Lendude, xjm: Temporarily skip random test failures that hide real test failures, part 4