Drupal 9.4.0-beta 1 was released on 31^st March 2022. The beta release for the next minor (feature) release of Drupal 9. Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Beta releases are not recommended for non-technical users, nor for production websites. More information on beta releases.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010
This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.4.x contains new features, and should be the target for new site development. Drupal 9.3.x will continue to have security support until December 2022. Security support for 9.2.x ends with the release of 9.4.0 on 15^th June, 2022.

Important changes since Drupal 9.4.0-alpha1

The minimum supported PHP version is now set dynamically based on the documented end-of-life date for each PHP version. After a PHP version is no longer supported, there will be warnings about the unsupported PHP version, but this won't prevent running, updating, or installing Drupal. In order to provide sites with the most complete information on which PHP versions are supported and recommended for their current installation, \Drupal::MINIMUM_SUPPORTED_PHP is deprecated and replaced by \Drupal\Core\PhpRequirements::minimumSupportedPhp(). Review the handbook documentation on unsupported PHP versions for more information.

The theme used when update.php is run and there is no maintenance_theme selected in settings.php has changed. If Claro is installed it will be used, if not Seven is used if it is installed. If neither Claro and Seven are installed, the default theme is used. Review the change record on the maintenance theme changes for more information.

The Modernizr.touchevents test has been deprecated. In addition, Modernizr is no longer responsible within Drupal for detecting touch devices and adding the touchevents/no-touchevents classes to the HTML element based on the detection result. The specific functionality of adding classes based on touch device detection is now provided via a core library: core/drupal.touchevents-test. The detection method used is identical to Modernizr's.

Themes relying on the selector do not need to change, but code calling Modernizr directly should be updated.

​​The JavaScript API for Contextual module has been marked internal, and various parts of this will be refactored and/or removed in Drupal 10. Contributed modules should interact with contextual module only via the PHP API.

Color module is deprecated. Review deprecation documentation for more information.

Backend dependencies:

Sites are able to install Guzzle 7 due to a widening of Drupal core's composer constraints. This allows for more complete PHP 8.1 support. Contributed modules should continue to provide Guzzle 6 support since both the drupal/core-recommended package and core tarballs continue to provide Guzzle 6.

Site owners who do not use drupal/core-recommended should take care to ensure they do not accidentally update to Guzzle 7 when running composer updates. In the latest snapshot channel of Composer, it is possible to use:

composer update --with=guzzlehttp/guzzle:^6 -W
You can update to the snapshot channel by re-running composer self-update after updating to the current stable release (2.3.5). You can roll back to a stable version at any time by using composer self-update --rollback.

In current stable releases of Composer, a workaround is to temporarily add a top-level requirement on the exact version of Guzzle you which to install, e.g.:

composer require guzzlehttp/guzzle:6.5.6
composer update
...and then remove the specific guzzle requirement from the top-level composer.json for your project.

Drupal core's pinned Composer dependency versions have been updated for the latest minor and patch releases.

Additionally, Drupal core’s composer constraints have been increased to require the latest minor version for forward compatibility. This ensures that if any composer package that Drupal core depends upon has a security release, the Drupal core security update will be non-disruptive, because if possible no minor version increase will occur for the affected dependency, only a patch version increase.

The following packages have received minor-level updates since alpha1:

egulias/email-validator, from 3.1.2 to 3.2.
laminas/laminas-diactoros, from 2.10.0 to 2.11.0.
twig/twig, from 2.14.13 to 2.15.1.
The composer/xdebug-handler dependency has received a major version update that removes support for PHP versions not supported for Drupal 10.

Frontend dependencies:

CKEditor 5 has been updated from 34.0.0 to 34.1.0, which fixes several bugs affecting Drupal core.

Additionally:

Shepherd.js is updated to 9.1.0.
SortableJS is updated to 1.15.0.
tabbable is updated to 5.3.2.
For all three of these updates, according to the projects' release notes, there should be no breaking changes that affect our usage.

Development dependencies

Coder has been updated to 8.3.15. This version will automatically set up Drupal coding standards sniffs in PHP_CodeSniffer thanks to a new dependency on dealerdirect/phpcodesniffer-composer-installer.

Source: