Magento Open Source 2.4.7 release notes

Changes to the behavior of non-generated cache keys:

• Non-generated cache keys for blocks now include prefixes that differ from prefixes for keys that are generated automatically. (Non-generated cache keys are keys that are set through template directive syntax or the setCacheKey or setData methods.)
• Non-generated cache keys for blocks now must contain only letters, digits, hyphens (-), and underscore characters (_).

Limitations on the number of auto-generated coupon codes. Magento Open Source now limits the number of coupon codes that are automatically generated. The default maximum is 250,000. Merchants can use the new Code Quantity Limit configuration option (Stores > Settings:Configuration > Customers > Promotions) to prevent potentially overwhelming the system with many coupons.

Optimization of the default Admin URL generation process. The generation of the default Admin URL has been optimized for increased randomness, which makes generated URLs less predictable.

A new full-page cache configuration setting can help to mitigate the risks associated with the HTTP {BASE-URL}/page_cache/block/esi endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles params size configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles params size). See Configure the Commerce application to use Varnish.

Added Subresource Integrity (SRI) support to comply with PCI 4.0 requirements for verification of script integrity on payment pages. Subresource Integrity (SRI) support provides integrity hashes for all JavaScript assets residing in the local filesystem. The default SRI feature is implemented only on the payment pages for the Admin and storefront areas. However, merchants can extend the default configuration to other pages. See Subresource Integrity in the Commerce PHP Developer Guide.

Changes to Content Security Policy (CSP)—Configuration updates and enhancements to Adobe Commerce Content Security Policies (CSPs) to comply with PCI 4.0 requirements. For details, see Content Security Policies in the Commerce PHP Developer Guide.

• The default CSP configuration for payment pages for Commerce Admin and storefront areas is now restrict mode. For all other pages, the default configuration is report-only mode. In releases prior to 2.4.7, CSP was configured in report-only mode for all pages.

• Added a nonce provider to allow execution of inline scripts in a CSP. The nonce provider facilitates the generation of unique nonce strings for each request. The strings are then attached to the CSP header.

• Added options to configure custom URIs to report CSP violations for the Create Order page in the Admin and the Checkout page in the storefront. You can add the configuration from the Admin or by adding the URI to the config.xml file.

  note note
  NOTE
  Updating the CSP configuration to restrict mode might block existing inline scripts on the payment pages in the Admin and storefront, which causes the following browser error when a page loads: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src. Fix these errors by updating the whitelist configuration to allow required scripts. See Troubleshooting in the Commerce PHP Developer Guide.

Native rate limiting for payment information transmitted through REST and GraphQL APIs. Merchants can now configure rate limiting for the payment information transmitted using REST and GraphQL. This added layer of protection supports prevention of carding attacks and potentially decreases the volume of carding attacks that test many credit card numbers at once. This is a change in the default behavior of an existing REST endpoint. See Rate limiting.

The default behavior of the isEmailAvailable GraphQL query and the (V1/customers/isEmailAvailable) REST endpoint has changed. By default, the APIs now always return true. Merchants can enable the original behavior by setting the Enable Guest Checkout Login option in the Admin to yes, but doing so can expose customer information to unauthenticated users.

RabbitMQ 3.13 support. This release is compatible with the latest version of RabbitMQ 3.13. Compatibility remains with RabbitMQ 3.11 and 3.12, which is supported through August 2024 and December 2024 respectively, but Adobe recommended using Magento Open Source 2.4.7 only with RabbitMQ 3.13.

Composer 2.7.x. Compatibility with Composer 2.2.x remains.

Varnish cache 7.4 support. This release is compatible with the latest version of Varnish Cache 7.4. Compatibility remains with the 6.0.x and 7.2.x versions, but we recommended using Magento Open Source 2.4.7 only with Varnish Cache version 7.4 or version 6.0 LTS.

Elasticsearch 8.11 compatibility

OpenSearch 2.12 and OpenSearch 1.3 support

Redis 7.2

The extjs library has been replaced with the latest version of jsTree.

jquery/fileUpload library has been removed.

The Commerce UPS XML API gateway has been migrated to the new Commerce UPS REST API to support updates that UPS is making to their API security model. (UPS is implementing an OAuth 2.0 security model (bearer tokens) for all APIs.) All previous Commerce UPS XML APIs have been removed from the Magento Open Source 2.4.7 code base.

The Magento Open Source integration with FedEx has been migrated from legacy FedEx WSDL Web Services to the latest FedEx RESTful APIs. FedEx Web Services Tracking, Address Validation, and Validate Postal Codes WSDLS will be retired in May 2024.

Added support for the new USPS Ground Advantage shipping method. This is an out-of-box integration with USPS’s new shipping method, USPS Ground Advantage, which was released July 2023. This new integration can be used to retrieve shipping rates and schedule deliveries and returns through the USPS shipping service. The USPS Ground Advantage shipping method replaces these shipping methods, which were retired when the USPS Ground Advantage shipping method was released:

• USPS Retail Ground
• First-Class Package Service
• Parcel Select Ground

Temando shipping modules have been removed from the core Magento Open Source code base. This feature was deprecated in Magento Open Source 2.4.4.

Enhanced indexer management. The new indexer:set-status command supports the dynamic management of indexer status. Admin users can use this command to change indexer status to suspended, invalid, or valid. This feature is particularly useful for managing system performance during extensive bulk operations, such as product imports or updates, by allowing control over when indexers are automatically triggered by the system’s cron jobs. See Manage the indexers.

Product listing page for complex products with many options. Load time has improved for product listing pages that include complex products with over 100 options. The performance of GraphQL requests to list products by category has also improved.

Sales rule performance improvements. Improved performance of enterprise deployments with many (approximately 100,000) active sales rules. Enterprise deployments that heavily implement promotions often deploy many active cart rules. These types of enterprise deployments running Magento Open Source 2.4.7 will not see any performance degradation related to the number of configured cart price rules during checkout operations.

Faster save operations of store-level configurations for deployments with many stores. Saving configuration settings in deployments with more than 500 stores can be time-consuming. The new Async Config module enables asynchronous configuration save operations by running a cron job that uses a consumer to process the save operation in a message queue. AsyncConfig is disabled by default.

Faster generation of the config cache for large configurations. The bin/magento cache:clean config command now pre-warms the config cache when the config cache is enabled. This reduces the downtime required to generate the config cache for large configurations. Configuration save operations no longer clean the config_scopes cache before writing data to the cache, which also reduces the time that other requests are locked out while config data is being written.

Vaulted PayPal and Pay Later Changes—Logged-in customers who have previously vaulted/stored their PayPal account have the option to pay with:

• Pay Now (without having to log into their PayPal account, the user can pay with their default card)
• Pay with a different funding source
• Pay with a different account
• PayPal Pay Later or PayPal Credit button

3DS support for Google Pay—Included 3DS verification support for the Google Pay non-tokenized cards. See the Braintree documentation for more information.

Vault Apple Pay Payments—Allow logged-in customers to vault/store their Apple Pay payments to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.

Vault Google Pay Payments—Allow logged-in customers to vault/store their Google Pay payments to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.

Vault Venmo Payments—Allow logged-in customers to vault/store their Venmo accounts to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.

Vault ACH Payments—Allow logged-in customers to vault/store their ACH payments to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.

Express Payment buttons at the top of checkout—To encourage a faster checkout experience, we’ve introduced Express Payment options at the beginning of the checkout. Customers can now pay by PayPal, PayPal Pay Later, Apple Pay, and Google Pay Express payments.

Braintree release notes and Support links within the Admin Configuration—Merchants can now directly link from the Commerce Admin to Braintree support and release notes online.

GraphQL support for all Braintree payment methods except Venmo—More configurations are exposed in the GraphQL API. This is particularly useful for headless applications.

Vaulting payments in account area—Logged-in customers can now vault/store new credit/debit cards and PayPal accounts in the Customer account area. Previously, customers could only vault/store when saving their payments for later use when completing a transaction on the checkout, now they can vault new credit/debit cards and PayPal accounts without needing to create a new transaction.

Frictionless Transactions—Frictionless transactions accelerate the payment process by reducing the number of customer clicks/steps to complete an online credit/debit card transaction. Previously (when 3DS was enabled), every customer was 3DS challenged. With the new Frictionless Transactions feature, customers are only challenged for 3DS when the bank requests it. This reduces cart abandonment, increases conversion rates, and leads to more sales.

Dispute webhooks—When a customer disputes a transaction in Braintree, the dispute status is now passed on to Commerce. It is searchable in the Sales > Order grid and attached to each order.

More flexible cart management. The clearCart mutation now clears the contents of a specified shopping cart in a single action. It replaces the clearCustomerCart mutation, which has been deprecated.

Improvements in create cart mutations. The createGuestCart mutation has been added to replace the deprecated createEmptyCart mutation. Previously, if you used createEmptyCart, you could not determine whether the cart was for a guest or logged-in customer.

Order items now include product images. OrderItemInterface exposes product images, which permits images to be associated with ordered products and load more efficiently. GitHub-32369

Expanded support for resolver caching. The following GraphQL query resolvers are now cacheable in the GraphQL Resolver Results cache, which improves performance when queries are submitted with POST requests:

• Magento\CustomerGraphQl\Model\Resolver\Customer::resolve
• Magento\CustomerGraphQl\Model\Resolver\CustomerAddress::resolve
• Magento\CustomerGraphQl\Model\Resolver\IsSubscribed::resolve
• Magento\CatalogGraphQl\Model\Resolver\Product\MediaGallery::resolve

Support for order cancellation. The cancelOrder mutation allows a customer to cancel an order, passing its identifier and a cancellation reason.

• The new order_cancellation_enabled and order_cancellation_reasons.description response fields in the storeConfig
  query support user-initiated order cancellation requests. See Query a store’s order cancellation configuration

Enhanced support for custom attributes. GraphQL custom attribute support has been enhanced by enriching API data to support all attribute types. The GraphQL EAV attributes schema now supports extending customer attributes and customer address objects in the Admin and retrieving them using GraphQL. Specific areas of enhancement include:

• extended/added custom attributes support to specific areas such as customer and customer address
• added caching for custom attributes
• enhanced existing custom attributes support for products

Enhanced GraphQL caching capabilities improve page load speed. Caching capability has been added to these queries, improving the speed of page load time for most PWA pages:

• availableStores
• countries and country
• storeConfig
• currency
• customAttributeMetadata

Improved GraphQL parser performance. GraphQL parser performance has been improved by reducing the number of times the parse method is called per request. It is now called once. Previously, the parser was called at least three times.

Added the quickorder_active field to the storeConfig and availableStores queries. This field indicates whether the quick order feature is enabled.

Added the following fields to the setBillingAddressOnCart and setShippingAddressesOnCart mutations:

• fax
• middlename
• prefix
• suffix