drupal 9.4.7

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 9.4.x will receive security coverage until June 2023 when Drupal 10.1.0 is released.
• Sites on 9.3.x or earlier should update immediately to Drupal 9.3.22 instead of this release (but update to 9.4 or higher soon).
• Versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage.
• Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

• Drupal 9.4 core now requires twig/twig 2.15.3 or higher (up from 2.15.0).

• This release includes a change to default.services.yml. It adds a twig.config.allowed_file_extensions configuration setting to restrict file types that may be loaded with Twig for security. Site owners should make a copy of their default.services.yml prior to updating to ensure any custom modifications are retained.

  Following this release, by default, Twig may load the following file types:

  • .css
  • .html
  • .js
  • .svg
  • .twig

  If your site, module, or theme must load additional file types via Twig, consult the documentation for twig.config.allowed_file_extensions in default.services.yml.