This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
- Change in port should be considered a change in origin
The Security Team believes it is unlikely Drupal core or contributed modules are affected, but this release updates the dependency as a security hardening.
Drupal 9.4.x will receive security coverage until June 2023.
If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.4.0 release notes before upgrading to this release.
Important update information
- Drupal core now requires guzzlehttp/guzzle 6.5.8 or higher (up from 6.5.7), or 7.4.5 or higher (up from 7.4.4).
- The latest guzzle versions also require guzzlehttp/psr7 1.9 or higher (up from 1.8.5), so that package is updated as well.
- Since the above change to guzzlehttp/psr7 requires a minor-level package update, sites will not be able to update the dependency themselves as outlined in this week's PSA.
- Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. Review the instructions for managing Guzzle updates without drupal/core-recommended.
- No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so updating custom versions of those files is not necessary if your site is already on the previous release.
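A check for the dependency minimums listed above, as an added example rather than Drupal's own tooling: it reads the contents of a composer.lock and reports whether guzzlehttp/guzzle and guzzlehttp/psr7 meet the versions this release requires. The function names and the sample lock contents are constructed for illustration.

```python
import json

# Minimum versions stated in these release notes, keyed by package and major branch.
MINIMUMS = {
    "guzzlehttp/guzzle": {6: (6, 5, 8), 7: (7, 4, 5)},
    "guzzlehttp/psr7": {1: (1, 9, 0)},
}

def parse_version(raw):
    """Turn a composer.lock version such as 'v6.5.7' or '1.9' into an int tuple."""
    core = raw.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_lock(lock_text):
    """Return {package: (installed_version, verdict)} for the packages above."""
    lock = json.loads(lock_text)
    installed = {
        pkg["name"].lower(): pkg["version"]
        for section in ("packages", "packages-dev")
        for pkg in lock.get(section) or []
    }
    report = {}
    for name, branches in MINIMUMS.items():
        raw = installed.get(name)
        if raw is None:
            report[name] = (None, "not installed")
            continue
        try:
            version = parse_version(raw)
        except ValueError:  # e.g. 'dev-master' cannot be compared numerically
            report[name] = (raw, "unparseable version, check manually")
            continue
        minimum = branches.get(version[0])
        if minimum is None:
            report[name] = (raw, "branch not covered by these release notes")
        elif version >= minimum:
            report[name] = (raw, "ok")
        else:
            report[name] = (raw, "below " + ".".join(map(str, minimum)))
    return report

# Constructed sample lock contents (not taken from a real site).
SAMPLE_LOCK = ('{"packages": [{"name": "guzzlehttp/guzzle", "version": "6.5.7"},'
               ' {"name": "guzzlehttp/psr7", "version": "1.9.0"}], "packages-dev": []}')

if __name__ == "__main__":
    for package, (found, verdict) in audit_lock(SAMPLE_LOCK).items():
        print(f"{package}: {found} -> {verdict}")
```

On a real site, pass the text of the project's composer.lock to audit_lock() instead of the sample string.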
All changes since 9.4.0
- Issue #3291780 by longwave, xjm: guzzlehttp/guzzle 6.5.8 requires guzzlehttp/psr7 ^1.9
- Issue #1645328 by Liam Morland, darvanen, shravan sonkar, andregp, mandar.harkare, jhedstrom, sun: Add test to ensure fieldset allows any non-empty-string #title
- Issue #3145738 by andrewmacpherson, quietone, Mile23, mmjvb: Incorrect composer update instructions for Drupal core metapackages
- Issue #3283235 by TR: Fix a comment typo in FileFieldWidgetTest
- Issue #3283794 by mondrake, longwave: Fix 'should return {type} but return statement is missing' PHPStan L0 errors in test code
- Issue #3164699 by jungle, ravi.shankar, andregp, kishor_kolekar, sulfikar_s, ankithashetty, paulocs, Abhijith S, WagnerMelo, quietone: Fix or ignore 15 words used in Help Topics
- Issue #3291265 by Spokje: \Drupal\Tests\forum\Functional\ForumNodeAccessTest doesn't use tracker module
- Issue #3280033 by hmendes, rajandro, dpi, Ayesh: PHP 8.2 compatibility: ${} string interpolation deprecated
- Issue #3283498 by Mile23, alexpott: Scaffold ReplaceOp::copyScaffold() throws an error for empty files
- Issue #3257600 by tstoeckler, rpayanm: SettingsTrayBlockFormTest needlessly overrides getTestThemes
- Issue #2747273 by quietone, mayurjadhav, talhaparacha: Example given on FormBuilder::submitForm API Page is not working
- Issue #2430379 by quietone, znerol, larowlan: Add explicit test for session based language negotiation
- Issue #3268244 by Spokje, xjm, Wim Leers: [random test failure] Un-skip and fix QuickEditIntegrationTest::testArticleNode()