Apply `AC-3022.patch` to continue offering DHL as a shipping carrier
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply `AC-3022.patch` at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as shipping carrier Knowledge Base article for information about downloading and installing the patch.
Security patch available
Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, 2.4.0-p1) provides. Patch 2.4.0.1 (Composer package 2.4.0-p1) is a security patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, 2.4.0. All hot fixes that were applied to the 2.4.0 release are included in this security patch. (A hot fix provides a fix to a released version that addresses a specific problem or bug.)
For general information about security patches, see Introducing the New Security Patch Release. For instructions on downloading and applying security patches (including patch 2.3.5-p2), see Quick start on-premises installation. Security patches include security bug fixes only, not the additional security enhancements that are included in the full patch.
Other release information
Although code for these features is bundled with quarterly releases, several of these projects (for example, B2B, Page Builder, and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in the separate, project-specific release information that is available in the documentation for each project.
Highlights
Look for the following highlights in this release.
Substantial security enhancements
This release includes over 15 security fixes and platform security improvements. All security fixes have been backported to 2.4.0-p1 and 2.3.6.
Over 15 security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities
No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP allowlisting, two-factor authentication, use of a VPN, the use of a unique location rather than `/admin`, and good password hygiene. See Security Updates Available for Magento for a discussion of these fixed issues.
Additional security enhancements
Security improvements for this release include:
- CAPTCHA protection has been added to the following product areas:
  - Place Order storefront page and REST and GraphQL endpoints
  - Payment-related REST and GraphQL endpoints.

  CAPTCHA protection for these additional pages is disabled by default. It can be enabled on the Admin in the same way that other pages covered by CAPTCHA are. This protection has been added as an anti-brute force mechanism to protect stores against carding attacks. See CAPTCHA.
- Support for the SameSite attribute for cookies. To support the Google Chrome enforcement of the new cookie classification system, the application classes that handle cookies have been updated to support the `SameSite` cookie attribute. This attribute is set to `Lax` by default but can be explicitly overridden.
- Enhanced Security Scan Tool. Adobe has partnered with Sanguine Security, a leader in preventing digital skimming, to integrate their database of over 8700 threat signatures into the Security Scan Tool. This partnership will enable merchants to get real-time insights into the security status of their site through proactive detection of malware and reduction of false positives. Merchants can register for the tool by visiting https://account.magento.com/scanner. For more information, see the Secure Your Storefront With the Enhanced Security Scan Tool blog post.
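A check an operator could run against captured response headers after upgrading, to confirm that cookies carry the `SameSite` attribute described above and that any override is well formed. This is an added example, not code from Adobe or from the release; the cookie names and header values are constructed sample input.

```python
# Added example: audit Set-Cookie response headers for the SameSite attribute.

# Constructed sample input: header values as a storefront might send them.
# Cookie names and values are made up for this example.
SAMPLE_SET_COOKIE = [
    "session_id=4f2a; expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/; "
    "secure; HttpOnly; SameSite=Lax",
    "cart_pref=compact; path=/; secure",
    "embed_widget=1; path=/; SameSite=None",
    "partner_sso=9c1e; Path=/; Secure; SameSite=None",
    "legacy_flag=1; Path=/; SameSite=Relaxed",
]

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Return (cookie_name, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure map to an empty string.
    """
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, value = piece.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None:
        # The upgraded cookie classes default to Lax, so a missing attribute
        # points at a cookie set outside them (extension, proxy, web server).
        findings.append("no SameSite attribute")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append("unrecognised SameSite value: " + samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Chrome rejects SameSite=None cookies that are not marked Secure.
        findings.append("SameSite=None without Secure")
    return name, findings


def audit_headers(headers):
    """Map cookie name -> findings, for cookies with at least one finding."""
    report = {}
    for header in headers:
        name, findings = audit_cookie(header)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, problems in audit_headers(SAMPLE_SET_COOKIE).items():
        print(cookie + ": " + "; ".join(problems))
```
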
Infrastructure improvements
This release contains enhancements to core quality, which improve the quality of the Framework and these functional areas: Customer Account, Catalog, CMS, OMS, Import/Export, Promotions and Targeting, Cart and Checkout, B2B, and Staging and Preview.
- Site-Wide Analysis Tool integration with Admin. The tool provides system insights and instrumentation for Adobe on cloud infrastructure installations with 24/7 real-time performance monitoring, reports, and self-service recommendations. Merchants can use the new Admin role resource to securely access their Customer Detail pages through the Admin. See the FAQ for an overview.
Performance improvements
- Reduction in the size of network transfers between Redis and Magento. Plugin list configuration is now generated during the execution of the `bin/magento di:compile` command. This configuration information is written to generated metadata folders based on scope. Previously, this information was stored in cache. Resulting performance improvements include a decrease in network cache size and execution time for many scenarios.
- Enhanced message queue consumer performance. Three new configuration settings support a decrease in consumer queue CPU consumption. These optional parameters provide increased control over consumers and save server resources. See Configure message queues for a description of the `maxIdleTime`, `sleep`, and `onlySpawnWhenMessageAvailable` parameters.
- Improved execution time for `bin/magento` commands.
Adobe Stock Integration
This release includes Adobe Stock Integration v2.1.0.
New Media Gallery
The New Media Gallery is now enabled by default in the Admin. Merchants can now perform these actions on images in the Media Gallery:
- Delete images in bulk
- Optimize media storage by identifying duplicate images and images that are not used on the storefront
- Filter images by the storefront area they are used in, including product and category content and CMS blocks
- Work with image metadata
  - View metadata from the images uploaded into Media Gallery
  - Edit image metadata (title, description, and keywords)
  - Search for images by their metadata
Page Builder
Page Builder now supports full screen mode, which supports easier editing of content and provides a consistent experience editing content across the Admin. See Workspace.
GraphQL
This release adds GraphQL coverage for the following features:
- Product reviews. Customers and guests can write product reviews. Customers can retrieve their product review histories. See Create a product review and productReviewRatingsMetadata query for information on retrieving information about the reviews infrastructure.
- Gift options. All customers and guests can add a gift message to their order. On Adobe Commerce installations, they can also add gift wrapping, gift receipts, and printed cards to the order. See `setGiftOptionsOnCart` mutation and `updateCartItems` mutation.
- Reward points. Customers can apply or remove reward points to their carts. They can also view their reward point history. See `applyRewardPointsToCart` and `removeRewardPointsFromCart` for a discussion of managing reward points within a cart.
- Order history. All customers can view details about their order histories, including invoices, shipping, and refunds.
- Add to cart. The `addProductsToCart` mutation allows you to add any type of product to the active cart. We recommend using this mutation instead of single-purpose mutations such as `addSimpleProductsToCart`. Fix submitted by Yaroslav Rogoza in pull request 27914. GitHub-28524
- Stored payment methods. Logged-in customers can now store payment details (including Braintree credit card and Braintree with PayPal) in My Account.
- Support for wish lists in Magento Open Source. You can add items to, update items in, and remove items from a wish list.
- Improved management of customer accounts. We have added the `createCustomerV2` and `updateCustomerV2` mutations to manage customer accounts. These new mutations require different input objects than the `createCustomer` and `updateCustomer` mutations. To change a customer’s email address, use the new `updateCustomerEmail` mutation.
- Support for Payflow Pro Vault. Added GraphQL Vault support for the Payflow Pro Vault payment method. Fix submitted by Oleh Usik in pull request 28821. GitHub-28520
- Updated the GraphQL `storeConfig` query to include new customer configuration settings. Fix submitted by Oleh Usik in pull request 27876. GitHub-28521
- Added the `requestPasswordResetEmail` mutation, which triggers the password reset email for the provided email address. Fix submitted by Oleh Usik in pull request 27876. GitHub-28521
- Klarna GraphQL. Added or updated topics on Klarna GraphQL in Klarna’s payment method and `createKlarnaPaymentsSession`.
See the GraphQL Developer Guide for details on these enhancements.
PWA Studio
PWA Studio v8.0.0 introduces new features and enhancements:
- Updates to the Venia style guide that apply to design tokens, typography, colors, core components, and page layouts
- Improvements to the Venia mini-cart experience
- Initial support for multiple locales and localized content on the Venia storefront
- Numerous improvements to the MyAccount experience of the Venia storefront
See compatibility for a list of PWA Studio versions and their compatible versions. For information about enhancements and bug fixes, see PWA Studio releases.
B2B
Version 2.4.1 introduces B2B v1.3.0. This release includes improvements to order approvals, shipping methods, shopping cart, and logging of Admin actions.
Improvements to Order Approvals
B2B order approvals have been enhanced to improve usability and to allow for bulk actions on purchase orders.
Improvements to order approval and rejection include the following:
- New View Rule page for users without edit privileges. B2B buyers can now view rules that apply to their company on the new View Rule page when they do not have permission to edit them.
- Count alert icon on the Requires My Approval tab. The Requires My Approval tab in the My Purchase Orders view now displays a counter that indicates the number of pending approval actions.
- Bulk order approvals and rejections. B2B managers and Company Administrators can now perform bulk rejection and approval of purchase orders. These changes allow approvers to approve or reject multiple purchase orders in a single action.
- Merchants can now search the Applies to and Requires approval from fields of the My Purchase Orders view and can select multiple user roles during rule creation.
- Examples of how to configure Order Approval rules are provided on the Rule Configuration page.
See Approval rules
B2B shipping methods enhancements
B2B merchants can now control shipping methods that are offered to each Company. Merchants can configure the following from the Admin:
- A specific set of shipping methods for B2B Company accounts
- The use of All or B2B-specific shipping methods for each Company account
- A specific list of B2B shipping methods for each Company account
Shopping cart improvements
- Merchants can now allow users to clear the contents of their shopping cart in a single action and can configure this ability independently on each website.
- B2B buyers can now add individual items or the entire contents of their shopping cart directly to a requisition list.
New Admin features
- B2B merchants can create orders from the Admin on behalf of customers using Payment on Account as the payment method.
- Merchants can now directly view all quotes associated with a user from the customer’s detail page.
- Merchants can now filter the Customers Now Online grid by Company.
- Admins can now filter customers in the Admin by Sales Rep.
See B2B Features.
Enhanced security on storefront
To reduce creation of fraudulent or spam accounts, merchants can now enable Google reCAPTCHA on the New Company Request form on the storefront. See reCAPTCHA.
Expanded logging of Admin actions
Admin actions taken in the Company modules are now logged in the Admin Actions Log. Actions are logged from all relevant company modules: `Company`, `NegotiableQuote`, `CompanyCredit`, `SharedCatalog`.
This release also includes multiple bug fixes. See B2B Release Notes.
Functional Testing Framework (MFTF)
MFTF 3.1.0 is now available. See Functional Testing Framework Changelog.
Vendor Developed Extensions
See the following articles for updates on features and changes for this release:
Fixed issues
We have fixed hundreds of issues in the 2.4.1 core code.
Installation, upgrade, deployment
- Installation with third-party extensions that have dependencies on APIs for the Store module in CLI commands no longer fails. Previously, the application displayed this error message: `The default website isn't defined. Set the website and try again`. This was a known issue in 2.4.0.
- `bin/magento setup:di:compile` no longer throws a fatal error. Previously, the application threw an error the first time you ran this command, but the second execution resulted in successful compilation.
- Upgrade no longer fails when a plugin is declared on `Magento\Framework\Encryption\Encryptor`.
- The application now displays an informative error message when some themes are not deployed after running `bin/magento setup:static-content:deploy`. Previously, when deployment completed successfully but not all packages were deployed, the application did not display an error. When this command is executed with enabled parallel processing and each theme requires more time to be deployed than the specified maximum execution time, this command can finish successfully, although themes are not deployed.
- The Use default checkbox for Klarna payments (Stores > Configuration > Sales > Payment methods > Klarna) now remains checked as expected when website scope changes.
- Running `/bin/magento config:show vendor_module/general/value` now returns `0` or an empty string as expected. Previously, it returned `Configuration for path: "vendor_module/general/value" doesn't exist`. Fix submitted by Vadim Malesh in pull request 28549. GitHub-23290
- Upgrade no longer results in the sudden failure of the Galera cluster. Previously, the Galera cluster exited abruptly after re-indexing immediately after upgrade. During an upgrade, index tables are altered, and the engine is changed from `MEMORY` to `InnoDB`. At this point, the content of these tables became out-of-sync between the nodes of the Galera cluster. GitHub-25334
- Disabling the PageBuilder module no longer affects the rendering of the product page. Previously, custom layouts on the product page disappeared when the module was disabled, and the application displayed a blank page.
- You can now use `bin/magento sampledata:deploy` to deploy sample data as expected after installing Adobe Commerce using Composer. Previously, the application threw this error: `Git installations must deploy sample data from GitHub; see https://experienceleague.adobe.com/en/docs/commerce-operations/installation-guide/next-steps/sample-data/git-repositories for more information`. Fix submitted by Andrii Beziazychnyi in pull request 27481. GitHub-19481
- Storefront performance has improved by eliminating the unnecessary loading of the `Datepicker` component. Fix submitted by Mateusz Krzeszowiak in pull request 27860. GitHub-28823
- Executing `bin/magento setup:upgrade` now completes as expected. Previously, the application displayed printed array content for caches. Fix submitted by Sathish Subramanian in pull request 27567. GitHub-27091
- `bin/magento setup:static-content:deploy --language=all` now deploys all languages that are used on the storefront and all languages configured by Admin users when no language parameter is set. (`en_US` is always deployed by default.) Fix submitted by Anton Evers in pull request 28922. GitHub-29218
- The application no longer displays the Backup menu when the Backup feature is disabled. Fix submitted by Eden Duong in pull request 29222. GitHub-29280
- Catalog image helper initialization now uses the product model instead of `DataObject`. Fix submitted by jmonteros422 in pull request 29435. GitHub-1711
- Admin users can now save an empty Customer Token Lifetime (hours) field (Admin Stores > Configurations > Services > OAuth > Access Token Expiration). GitHub-29502
- The Create Permanent Redirect for old URL setting is now disabled by default for categories. Fix submitted by Vadim Malesh in pull request 28752. GitHub-24922
AdminGWS
- The application no longer displays the Add Attribute button (Stores > Attributes) or Add Attribute Set button (Stores > Attributes > Customer) when the logged-in administrator lacks the appropriate permissions to create these entities. Previously, the application threw a 404 error when a website administrator who did not have the appropriate permissions tried to create an Attribute Set or Customer attribute.
- The application no longer throws an error when an administrator with restricted roles for specific websites tries to create a subcategory from the Admin.
Adobe Stock Integration
- Images in the Adobe Stock images grid are now properly aligned after filters have been cleared. Fix submitted by Nazar Klovanych in pull request 28366. GitHub-824, GitHub-972
- The Used in section of the Adobe Stock gallery image details page now accurately identifies if the image is associated with a product. Fix submitted by Nazar Klovanych in pull request 28798. GitHub-1474
- `\Magento\MediaGallery\Model\ResourceModel\Keyword\SaveAssetsKeywords::execute` now deletes the links to the keywords that are not specified on the parameters and inserts the new ones when deleting keyword tags while editing image details. Fix submitted by jmonteros422 in pull request 29207. GitHub-1391
- The `Login failed` message that the application displays when a merchant clicks License for a previously saved, unlicensed Adobe Stock image no longer contains HTML tags. Fix submitted by yolouiese in pull request 29398. GitHub-1684
- Clicking on the links in the Used in section of the image Details page now displays a grid that displays all entities that are filtered by the image. The asset filter is also set and displayed correctly. Previously, the application did not display the asset title in the Applied filters section. Fix submitted by Nazar Klovanych in pull request 29367. GitHub-1694
- The application no longer displays the Used in section of the image Details page when the image is not in use. Fix submitted by Nazar Klovanych in pull request 29367. GitHub-1699
- Corrected display issues when adding a new image tag that exceeds the maximum number of characters. Fix submitted by Nazar Klovanych in pull request 29367. GitHub-1702
- Assets can now be checked as expected using the assets filter on the image Details Used in section. Fix submitted by Nazar Klovanych in pull request 29367. GitHub-1704
- Information about images that are used by different entities (for example, `page` and `category`) is now listed correctly in the image Details page. Fix submitted by Nazar Klovanych in pull request 29367. GitHub-1747
- You can now use the new `UrlFilterApplier` component to apply filters on product, `cms_page`, and `cms_block` grids using the GET URL parameter. Fix submitted by Gabriel da Gama in pull request 28932. GitHub-1501
- Clicking on links in the Used in section for an image in the Media Gallery now opens the grid of entities that are filtered by the image as expected. Previously, the image title was not displayed in the applied filters section of the grid. Fix submitted by Nazar Klovanych in pull request 29429. GitHub-1694
- The application now adds tags correctly when you edit multiple images successively in the Media Gallery. Fix submitted by Nazar Klovanych in pull request 29429. GitHub-1755
- The application now removes tags for Adobe Stock images after a merchant deletes the tags and saves the image details. Previously, tags were not deleted until the page was refreshed. Fix submitted by Honeymay Louiese Ignacio in pull request 29400. GitHub-1703
Amazon Pay
- Amazon Pay now checks whether a user is already logged in before rendering payment options.
- Issues with multi-factor authentication and abandoned carts have been resolved.
- Amazon Pay now correctly populates the `store name` in emails and other displayed locations. If the Store Name field in Amazon Pay configuration is empty, the extension retrieves the store’s default name (that is, the name you give your store in the Admin).
- Localization/translation issues for Decline scenarios have been addressed. Displayed text is no longer always in English.
Analytics
- Administrators with the correct permissions can now access Advanced Reporting and Segment Reports.
- Adobe Commerce successfully generates advanced reporting data files and sends them as expected to Inventory on deployments with split databases. Previously, the application did not generate or send the `quotes.csv` file to Inventory, and as a result, Inventory did not generate the expected reports.
Braintree
- Braintree now sends the correct amount to PayPal when a promotion code is applied on the checkout page.
- Apple Pay now works as expected when Terms & Conditions are enabled on the checkout page.
- Browser errors no longer occur during checkout on desktop devices when Venmo is enabled from the Admin.
- Checkout no longer fails when the shopper enters special characters in the Name fields of the checkout workflow. Previously, authentication failed because the Braintree 3DS API did not support non-ASCII characters.
- The application now displays the correct recipient name in the shipping section of the checkout workflow when placing an order using PayPal.
- The application now updates the Order Review page as expected when a shopper changes the shipping method more than once during checkout.
Bundle products
- The application no longer throws an exception when you try to create a product in a deployment in which Inventory is installed but the `Magento_InventoryBundleProduct` module is disabled.
- The application now correctly calculates offline refunds for orders that contain bundle products.
- The mini cart now displays the correct prices for bundle products when tier prices are also assigned for simple products. GitHub-22807
- Merchants can now create a credit memo for bundle products that provides a refund without requiring the return of the product. Previously, the application threw an error. Fix submitted by Dzung Nguyen in pull request 27455. GitHub-23440
- The application no longer displays redundant validation messages when a shopper adds a bundle product to their cart without selecting a required option. Fix submitted by Dzung Nguyen in pull request 27455. GitHub-23440
- GraphQL now supports placing an order for a bundle product with option type `radio` and `dropdown` with multiple choices. Previously, the application displayed a message about invalid input for `BundleItem.type: radio/dropdown`. Fix submitted by Michał Derlatka in pull request 29256. GitHub-26110
Cache
- Local cache storage is now retained for the period of time set in Stores > Configuration > General > Web > Default Cookie Settings. Previously, the expiry date of cookies was hard-coded to one day, which put it out of sync with this setting. As a result, welcome messages did not retain returning customer information for the expected duration.
- The number of calls to page cache `config` has been reduced. Fix submitted by Lukasz Bajsarowicz in pull request 28992. GitHub-29159
- Varnish no longer throws a `Connection reset by peer` error when a large catalog is reindexed on schedule. Fix submitted by Matthew O’Loughlin in pull request 26256. GitHub-26255
- Full page cache is no longer cleared for unrelated products when a product has been edited in the Admin. GitHub-25670
Cart and checkout
- Direct SQL queries have been replaced by Data Provider, which has improved checkout performance. Fix submitted by Lukasz Bajsarowicz in pull request 29376. GitHub-29453
- The Products in the Comparison and the Recently Compared Products lists now work as expected. Previously, when the comparison list was expanded, the application did not display products, even though the section indicated that the list contained products.
- The Delete button on the Add to Shopping Cart by SKU section of a customer’s Manage Shopping Cart page now works as expected when multiple rows are selected.
- The application no longer throws an error when you try to order a product by SKU when the digits you enter match a valid SKU but the case of these digits differs. Previously, when you entered an SKU on My Account > Order by SKU that did not exactly match a valid SKU, the application threw an error.
- A customer’s shipping address is now selected by default at checkout when the address is located in the country identified on the Allow Countries list and that list includes only that country. Previously, the application did not select the address as default and displayed this error message: `Please specify a regionId in shipping address`.
- Merchants can now enable Apply to Shipping Amount in the Action tab of Marketing > Cart Price Rules > Add New Rule when Fixed amount discount for whole cart is applied. GitHub-24422
- The application no longer throws an exception when a shopper tries to unset the persistence cookie after beginning checkout and then navigating to the storefront home page. Previously, when the shopper clicked the Not you? link on the home page, the application threw this exception: `The shipping address is missing. Set the address and try again`. GitHub-24218
- The application now displays an add-to-cart success message when a customer adds an out-of-stock product to their cart. Previously, the product was added, but the application did not display a success message.
- Custom address attributes are now included as expected in the form that displays for the payment step in the checkout workflow.
- The State/Province/Region input box is now enabled as expected on My Account > Address Book > Add new address.
- Discounts are now applied as expected to shipping charges when Apply to Shipping Amount is enabled. Fix submitted by Andrii Kalinich in pull request 28839. GitHub-26723
- The code that supports closing the mini cart has been refactored to remove the `closeSidebar` function. The appropriate click binding has been added to the `[data-action="close"]` element. Fix submitted by lumnn in pull request 28906. GitHub-29161
- The new Show “Clear Shopping Cart” button on the cart page configuration setting provides control over displaying a Clear Cart button on the shopping cart view page. By default, this setting is disabled. Fix submitted by Pavlo Sydorenko in pull request 27917. GitHub-28705
- Validation has been added to the phone field in the checkout workflow. Fix submitted by Oleh Usik in pull request 27537. GitHub-28800
- Guest checkout is now disabled as expected when a cart contains downloadable products when the Shareable and Disable Guest Checkout if Cart Contains Downloadable Items settings are disabled. Fix submitted by Rani Priya in pull request 23972. GitHub-23971
- The success message that the application displays when a shopper adds a product to their cart from the customer account sidebar now contains a link to the shopper’s shopping cart. Fix submitted by Ajith in pull request 27977. GitHub-29097
- The application now selects an empty value by default for the prefix dropdown options menu on the checkout workflow. Fix submitted by Vadim Malesh in pull request 28238. GitHub-18823
- The pop-up message that the application displays when you delete multiple items from a shopping cart now accurately describes the number and type of entities you have selected for deletion. Fix submitted by Nazar Klovanych in pull request 29490. GitHub-1749
- The application now displays a customer registration form when a guest user completes checkout.
- Custom customer address attributes fields are now displayed as expected in the storefront checkout workflow.
- The application now retrieves the current customer group for an active quote during checkout. Previously, the application used the customer group that was active when the product was first added to the cart, and if that customer group was deleted before checkout, the application threw an error. Fix submitted by Konstantin in pull request 28902. GitHub-29327