Adobe Commerce 2.4.5 highlights

Look for the following highlights in this release.

Security enhancements

This release includes 20 security fixes and platform security improvements. This security fix has been backported to Adobe Commerce 2.4.3-p3 and Adobe Commerce 2.3.7-p4.

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts:

See Adobe Security Bulletin for the latest discussion of these fixed issues.

Additional security enhancements

Security improvements for this release improve compliance with the latest security best practices, including:

  • reCAPTCHA support has been added to the Wish List Sharing, Create New Customer Account, and Gift Card forms.

  • ACL resources have been added to Inventory.

  • Inventory template security has been enhanced.

  • The MaliciousCode filter has been upgraded to use the HtmlPurifier library.

Platform enhancements

  • Adobe Commerce on-premises deployments: Adobe Commerce 2.4.5 has been tested and confirmed to be compatible with Elasticsearch 7.17 (~7.17.0 with constraint). Merchants hosting Adobe Commerce on-premises can use either Elasticsearch or OpenSearch 1.2.

  • Adobe Commerce cloud-hosted deployments: ElasticSearch 7.11 or later is not supported on Adobe Commerce 2.4.5 cloud-hosted deployments. OpenSearch is the default search engine for Adobe Commerce 2.4.5 cloud deployments.

Adobe Commerce 2.4.5 now supports

  • Composer 2.2

  • TinyMCE (5.10.2). Earlier versions of TinyMCE (v5.9.2 or earlier) allowed arbitrary JavaScript execution when a specially crafted URL or an image with a specially crafted URL was updated.

  • jQueryUI (1.13.1)

  • PHPStan (^1.5.7 with constraint) GitHub-35315

The DHL Integration schema has been updated from v6.0 to v6.2. This upgrade will not result in a change in product behavior.

Outdated JavaScript libraries have been updated to their latest versions, and outdated dependencies have been removed. These changes are backward compatible.

Composer dependency updates

The following Composer dependencies have been updated to the latest versions with constraint:

  • colinmollenhour/credis (1.13.0)?
  • guzzlehttp/guzzle (^7.4.2)
  • laminas/laminas-captcha (updated with a constraint ^2.12)
  • laminas/laminas-db (^2.15.0)
  • laminas/laminas-di (^3.7.0)
  • laminas/laminas-escaper (~2.10.0)
  • laminas/laminas-eventmanager (^3.5.0)
  • laminas/laminas-feed (^2.17.0)
  • laminas/laminas-mail (^2.16.0)
  • laminas/laminas-mvc (^3.3.3)
  • laminas/laminas-server (^2.11.1)
  • laminas/laminas-servicemanager (^3.11.0)
  • laminas/laminas-validator (^2.17.0)
  • league/fly (2.4.3)
  • monolog/monolog (^2.5)
  • phpmd/phpmd (^2.12.0)
  • phpstan/phpstan (^1.5.7)
  • phpunit/phpunit (~9.5.20)
  • php-cs-fixer (^3.4.0)
  • webonyx/graphql-php (14.11.6)

The laminas/laminas-session, laminas/laminas-text, and laminas/laminas-view dependencies have been removed.

Other upgrades and replacements

  • The DHL Integration schema has been updated from v6.0 to v6.2.

  • The default Gateway URL for USPS shipping has been updated to use https instead of http.

  • The Froogaloop library has been replaced with the Vimeo Player.js library (2.16.4).

  • The grunt-eslint (NPM) library has been upgraded to the latest version.

  • The jQuery Storage libraries have been replaced with julien-maurel/js-storage.

  • The php-cs-fixer and phpcs static code analysis tools are now compatible with PHP 8.x.

  • glob.js dependency (upgraded with constraint to ~7.2.0)

  • serve-static.js dependency (upgraded with constraint ~1.14.2)

  • underscore.js dependency (NPM) (1.14.2)

  • moment-timezone-with-data.js (0.5.34)

  • The library jquery/jquery-cookie has been replaced with js-cookie/js-cookie.

  • The jarallax.js and jaralax-video.js libraries have been updated to use the latest version of the Vimeo REST API.

Performance and scalability enhancements

Price indexer optimization

Primary index performance has been improved by reducing the number of primary indexes from 3 to 1 for the catalog_product_index_price_tmp table. This enhancement reduced the number of records created in the price index by reducing eSKU multiplication that resulted from shared catalogs. Indexing time has been significantly reduced.

Accessibility updates

The focus of this release has been on creating a storefront experience on Venia (PWA) that is more perceivable, operable, understandable, and robust. These enhancements include:

  • Search results summary information is now announced to screen reader users
  • Screen readers are now informed when a new page view loads
  • Contrast and keyboard accessibility have been improved

Adobe Sign

Merchants can now allow customers to electronically sign customized agreements, such as warranty documents, purchase agreements, and terms and conditions, during Adobe Commerce checkout.

Adobe Commerce integration with Adobe IMS

Adobe Commerce merchants who have an Adobe ID and want a streamlined login to Adobe Commerce and Adobe Business products can integrate Commerce authentication with the Adobe IMS authentication workflow. After this integration is enabled for your Commerce store, each Admin user must use their Adobe credentials — not their Commerce credentials — to log in. See Adobe Identity Management Service (IMS) Integration Overview.

Branding and style changes

The Admin has been updated to align with Adobe’s brand strategy. Changes affect headers, footers, data grid color updates, and navigation elements.

B2B

We have optimized the normalized database data that is needed to implement the Shared Catalogs feature. This reduction in eSKU multiplication results in a performance boost as fewer database rows must be stored. Previously, Adobe Commerce duplicated every SKU in the catalog for each Shared Catalog. Adobe Commerce now creates unique eSKUs for those directly assigned to a Shared Catalog.

Enabling the new Enabled Shared Catalog direct product price assigning configuration option also improves product price indexer performance.

This release includes multiple bug fixes. See B2B Release Notes.

Google Analytics

Google has updated the tracking and integration mechanisms of AdWords and Analytics in web applications through integration with GTag. This integration of Google functionality into website pages extends opportunities to track and manage content through Google Services. Adobe Commerce has a set of built-in modules including Google AdWords, Analytics, Optimizer, and TagManager that leverage the former API for integration with Google services. In this release, we have re-implemented this integration using the GTag approach.​ See Migrate from analytics.js to gtag.js (Universal Analytics).

GraphQL

GraphQL performance enhancements include:

  • Developers and administrators experience faster rebuilding of the unified storefront GraphQL schema on deployment or when changing attributes in production. Shoppers also experience significantly faster page load speeds when the GraphQL schema must be rebuilt for any reason.

  • Added capability to consume the expiration date/time of the authorization token through the use of JSON Web Tokens (JWT) in the GraphQL API.

  • The bin/magento config:set graphql/session/disable 1 command allows merchants to completely disable the creation of session cookies for all GraphQL operations. By default, Adobe Commerce creates these cookies and relies on them for authorization, which affects performance. Going forward, we recommend using tokens as the only form of authorization for GraphQL requests. We do not recommend using session cookies alone or in conjunction with authorization tokens. See GraphQL Authorization.

  • Session cookies are now launched in GraphQL operations using class proxies only when needed.

  • Session usage has been removed from http header processors in GraphQL such as store, customer, or currency.

See the GraphQL Developer Guide for details on these enhancements.

Inventory

Inventory template security has been enhanced.

This release introduces support for B2B customer groups and custom pricing. Live Search now respects product assignments to customer groups and the pricing that is set for a specific customer group/shared catalog.

Page Builder

Page Builder v.1.7.2 is compatible with Adobe Commerce 2.4.5.

Page Builder column layout includes these enhancements:

  • Columns are now exposed, permitting users to control column settings on the storefront.

  • Column resizing now supports wrapping triggered by user actions.

Payments

Apple Pay is now available to all merchants running deployments with Payment Services enabled. This payment method does not require shoppers to enter their credit or debit card details. Apple Pay is available on the product details page, mini cart, shopping cart, and checkout workflow. Merchants can toggle on this feature.

PayPal

  • Merchants in Spain and Italy can now offer PayPal Pay Later to shoppers.

  • Previews of the PayPal, Credit and Pay Later buttons are now available in the Admin for the checkout, mini cart, cart, and product pages. Previews reveal how these buttons will look when they are enabled and rendered on the storefront.

Braintree

  • Braintree has discontinued the KOUNT fraud protection integration. It has been removed from the Adobe Commerce codebase.

  • The Always request 3DS option has been added to the Admin.

PWA Studio

PWA Studio v.12.5.x is compatible with Adobe Commerce 2.4.5.

New features for this release include:

  • Shopper behavior data is collected on PWA Studio storefront for web analytics services. Merchants can now subscribe and extend these events as needed.

  • Merchants can now select a service to deploy from the Admin (Google Tag Manager).

For information about enhancements and bug fixes, see PWA Studio releases. See Version compatibility for a list of PWA Studio versions and their compatible Adobe Commerce core versions.

Upgrade Compatibility Tool

Enhancements include:

  • Method signature validation now identifies incompatible changes within a method or a constructor signature.

  • Database schema validation now identifies schema changes and incompatibilities.

  • DI configuration validation now verifies references to removed or deprecated non-API core classes in di.xml and preferences for core classes and interfaces.

  • UCT now identifies code deprecations and provides specific recommendations for resolving each issue.

Fixed issues

We have fixed hundreds of issues in the Adobe Commerce 2.4.5 core code.

Installation, upgrade, deployment

  • You can now rename a data patch and add the old class name as an alias in the patch_list database table. Adobe Commerce now checks whether data patch aliases already existed in the database before applying the patch. Previously, Adobe Commerce threw an error under these conditions.
  • Adobe Commerce no longer throws an exception when you try to change the Admin URL to a custom URL from the Admin. Previously, after changing the Admin URL, you could not log in. GitHub-35416
  • Merchants can now successfully upgrade from an Adobe Commerce 2.4.2 deployment with Klarna to Adobe Commerce 2.4.3. GitHub-33760
  • The path to Adobe Commerce Analytics is no longer hardcoded. Previously, this hardcoded path resulted in conflicts when multiple Adobe Commerce instances were installed on one server. GitHub-29373

Accessibility

  • The Shopping bag button now provides a programmatic or textual indication of its state. Screen reader users are informed that clicking this button will expand other content, or that the associated content is expanded or collapsed. Previously, this button did not provide a programmatic or textual indication of its state.
  • Payment Information credit card option text elements or images of text now meet the WCAG 2.0 required minimum color contrast ratio of 4.5:1 for standard text of 18pt (24px) or 14pt (19px) if bolded. Previously, they did not meet the expected contrast ratio.
  • Address book > Communication > Account information custom focus indicators now provide a contrast ratio of at least 3:1 against the background color.
  • Filter and Sort button text now meet the WCAG 2.0 required minimum color contrast ratio of 4.5:1 for standard text of 18pt (24px) or 14pt (19px) if bolded. Previously, navigation buttons for carousels did not meet these minimum contrast requirements.
  • Screen readers announce the word “Venia” only once when navigating to Venia headers and footers. Previously, the same word was announced twice consecutively.
  • Buttons that trigger dropdowns now provide information to screen readers that indicate their expanded or collapsed state and accessible names.
  • Screen reader users are informed when a new page view is rendered. Previously, when a page title changed, the title change was not announced.