drupal 9.4.5

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:

• CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process

Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.

CKEditor 4 is not affected, so sites where only the stable CKEditor module is enabled (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.

Drupal 9.4.x will receive security coverage until June 2023.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.4.0 release notes before upgrading to this release.

Important update information

• Drupal 9.4.4 removed the 'replace' section from core's composer.json for core modules. However, the 'replace' information for core components was accidentally removed at the same time, which resulted in Composer warnings. The 'replace' information for core components has been restored, which should resolve these warnings.

• CKEditor 5 has been updated from 34.1.0 to 35.0.1 for a security update. This update also introduces backwards compatibility breaks from CKEditor 35.0.0. Therefore, maintainers of CKEditor 5 integrations should review the CKEditor 35.0.0 release notes.

• symfony/http-foundation has been updated to 6.1.3 to resolve a bug with destructable services.

Known issues

• #3285724: [regression] Drupal 9.4 breaks BC of \Drupal\Driver\* overriding core drivers during installation and parsing connection URLs
• #3290924: [regression] With Drupal 9.4, can no longer call Database::getConnection() from within settings.php due to driver classes not yet in autoloader
• #3290936: Argument #1 ($database) must be of type Drupal\Core\Database\Driver\mysql\Connection, Drupal\mysql\Driver\Database\mysql\Connection given
• #3294299: Regression in functional test performance with a large number of modules
• #3294695: Drupal 8 BC for database driver namespace fails for replicas

Search the issue queue for known issues.

All changes since 9.4.4

• Issue #3301495 by lauriii, nod_: Update CKEditor 5 to 35.0.1
• Issue #3116405 by Spokje, Mile23, Hardik_Patel_12, jofitz, Sahana _N, andypost, alexpott, fgm: Warnings generated when using an optimized autoload file with Composer 1.10 / Composer 2
• Issue #3300773 by bradjones1, xjm, catch, andypost, Spokje: Fix failed test on `symfony/http-foundation` 4.4.44/6.1.3 and later
• Issue #3242538 by danflanagan8, mounir_abid, cilefen, DigitalFrontiersMedia, super_romeo, smustgrave: Term creation fail with php 8 when override_selector = TRUE
• Issue #3056652 by yogeshmpawar, mashermike, aalin, ranjith_kumar_k_u: Link options attributes removed on save