drupal 9.5.0

This is the final minor version (feature release) of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9 and the Drupal core release cycle.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backward compatibility and experimental module policies.

Minor releases may include string changes and additions. Translators can review the latest translation status on localize.drupal.org.

Drupal 9.5 is the final minor release of the 9.x series. It will be supported until November 2023. It provides almost the same public API as Drupal 10.0 aside from deprecated code and dependency changes. For more information on the Drupal 10 release, read the Drupal 10.0.0 release notes.

Existing Drupal 9 sites will get the smoothest upgrade experience by updating to Drupal 9.5 prior to updating to Drupal 10. This ensures the smallest necessary changes to upgrade to Drupal 10.

If you are starting a new Drupal project, start with Drupal 10.0 for forward compatibility with later releases.

Regardless of which version you choose now, new features will only be added to upcoming Drupal 10 minor releases, so you should prepare your site for Drupal 10 this year in order to continue receiving the new features in Drupal 10.1 and 10.2.

9.3.x will no longer receive security support, so sites on a Drupal 8 or Drupal 9 version earlier than 9.4.x should upgrade to a supported release as soon as possible.

Important update information

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading from Drupal 8 to Drupal 9.

Upgrading from Drupal 6 and 7

Drupal 6 and 7 users can continue to migrate to Drupal 9.5. The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Recommended but optional: upgrade to CKEditor 5

If you already upgraded to CKEditor 5 while on Drupal 9.4, you can ignore this.

Sites that do this at a time of their choosing while on Drupal 9.5.x will have a smoother update to Drupal 10.

Most Drupal sites that are still using CKEditor 4 should upgrade to CKEditor 5 — see the recommendations for CKEditor for details.

Upgrading from CKEditor 4 to 5 is a manual process, because it requires human supervision.

Changes to site-owner-managed files

• Improved performance for Apache serving gzipped JavaScript and CSS aggregates to browsers. Sites should update their .htaccess files to take advantage of this performance improvement.

• yarn.lock and package.json are now blocked by Drupal's default web server configuration, sites should update any copies of .htaccess or web.config to incorporate the changes.

• It is no longer necessary or recommended to configure fast 404s in settings.php.

• The default robots.txt file has been updated to disallow indexing of oEmbed media links.

• A new developer feature to show debug markup for render caching has been added, this can be configured from services.yml and is disabled by default. Sites should ensure that their site-specific services.yml includes the new section.

• For forward-compatibility with a deprecation in 10.1.x, a change has been made to the assertion handling defaults in example.settings.local.php. Site owners can update their settings.local.php to maintain consistency and forward-compatibility.

Platform requirements changes

Drupal recommends that sites on PHP 8.1 use at least PHP 8.1.6.

• PHP 8.1.6 is now recommended. PHP 8.0 remains fully supported, but PHP 7.4 is end of life and no longer receives security fixes.

• For more information on supported PHP versions, see the PHP requirements handbook page.

• Drupal 9.5 and its dependencies do not have full support for PHP 8.2. For PHP 8.2 support, update to Drupal 10.

Deprecated modules

The following core modules are deprecated in Drupal 9.5.0 and will be moved to contributed projects in Drupal 10:

• CKEditor 4
• Color
• Quick Edit
• RDF

This is in addition to the modules already deprecated in Drupal 9.4 (Aggregator and HAL).

Sites will receive warning messages when deprecated modules are in use. Review the deprecated module documentation on the steps to take if your site uses any of these modules.

Deprecated themes

The following core themes are deprecated in Drupal 9.5.0 and will be moved to contributed projects in Drupal 10:

• Bartik
• Classy
• Seven

Sites will receive warning messages when deprecated themes are in use. Review the deprecated theme documentation on the steps to take if your site uses any of these themes.

Backend dependency updates

The following dependencies have been changed or updated since 9.4.

Backend development dependencies

• Symfony has been updated to the latest patch release of Symfony 4.4.

• Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

• Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

• egulias/email-validator has received a major-version update to 3.2.1 (from version 2, which is end-of-life).

Frontend (CSS and JavaScript) production dependency changes

• The core/jquery.farbtastic library has been deprecated.
  The Color module relies on the Farbtastic library, and that module is deprecated in Drupal 9.5 and removed in Drupal 10. This library is not otherwise used in core, so it is also deprecated in Drupal 9.5.0 for removal in Drupal 10.0.0.

• CKEditor 5 has been updated to the latest 35.4.0 release. This update has a minor breaking change that could affect the development of certain contributed or custom CKEditor 5 integrations. For more information read the CKEditor 5 35.4.0 release notes.

• Shepherd.js has been updated from 9.1.0 to 9.1.1.

• PopperJS and the associated core library have been deprecated. It has also been updated from version 2.11.5 to 2.11.6.

• tabbable has been updated from 5.2.2 to 5.2.3.

• jQuery has been updated from 3.6.0 to 3.6.1.

• The public Drupal library for Underscore has been deprecated. The internal version has been updated from 1.13.3 to 1.13.4

Frontend development dependencies

• The JavaScript chromedriver package has been removed. If you were running Nightwatch tests locally, you may need to start Chromedriver manually.

• The JavaScript raw-loader package has been removed as it is no longer required by Drupal’s build process.

• Drupal core's JavaScript development dependencies have been updated to the latest minor and patch versions. Core developers should completely remove their node_modules directory and re-run yarn install from within the core/ directory.

• cspell has been updated from version 5 to 6. This results in some slight changes to the dictionary for core development.

Changed coding standards

The following coding standards checks have been enabled in core:

• Drupal.Array.Array.ArrayClosingIndentation
  Drupal.Array.Array.ArrayIndentation
  Drupal.Commenting.FunctionComment.MissingReturnType

• All YAML files are linted for correct indentation.

Known issues

Search the issue queue for known issues.

• #3327856: Performance regression introduced by container serialization solution
• #3328256: Not working with Drupal 9.5 and 10

All changes since Drupal 9.5.0-rc2

• Revert "Issue #2568889 by smustgrave, berenddeboer, Lendude, Anandhi Karnan, ckaotik, boromino, diaodiallo, Yago Elias, yashingole, Abhijith S, Amber Himes Matz, dawehner, Scott Weston: Views exposed text filter set to required shows an empty error and form error on page load"
• Issue #3327115 by Eric_A, alexpott, xjm, longwave, pandaski: .htaccess rules broken since yarn.lock got added
• Issue #3326896 by longwave, lauriii, Wim Leers, effulgentsia, catch, xjm: Update CKEditor 5 to 35.4.0
• Issue #3326874 by longwave, xjm: Update to jQuery 3.6.2
• Issue #2828724 by Spokje, alexpott, ravi.shankar, Lal_, malcomio, ElusiveMind, smaz, yogeshmpawar, ridhimaabrol24, semiaddict, piggito, f.mazeikis, tvhung, tatarbj, ranjith_kumar_k_u, vijaycs85, baikho, Jelle_S, kleinmp, bbrala, Mike_info, David_Rothstein, pwolanin, cburschka: Username enumeration via one time login route
• Issue #3325772 by andypost, mondrake: Fix wrong property typehinting in SchemaCheckTrait
• Issue #2810985 by _Archy_, smustgrave, GoZ, joelpittet, csheltonlcm, ayush.khare, Lendude: Remove duplicate condition
• Issue #3213752 by Spokje, bradjones1, quietone, _pratik_, ravi.shankar, rpayanm, bbrala, alexpott, catch: Remove dead code from JsonApiDocumentTopLevelNormalizerTest
• Issue #3259090 by Lendude, mr.york, Pandepoulus: Exposed filter equality check works differently in PHP 8.0