Adobe Commerce 2.4.5 highlights
Look for the following highlights in this release.
Security enhancements
This release includes 20 security fixes and platform security improvements. This security fix has been backported to Adobe Commerce 2.4.3-p3 and Adobe Commerce 2.3.7-p4.
No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts:
- IP allowlisting
- Two-factor authentication
- Use of a VPN
- Use of a unique location rather than
/admin
- Good password hygiene
See Adobe Security Bulletin for the latest discussion of these fixed issues.
Additional security enhancements
Security improvements for this release improve compliance with the latest security best practices, including:
-
reCAPTCHA support has been added to the Wish List Sharing, Create New Customer Account, and Gift Card forms.
-
ACL resources have been added to Inventory.
-
Inventory template security has been enhanced.
-
The
MaliciousCode
filter has been upgraded to use theHtmlPurifier
library.
Platform enhancements
-
Adobe Commerce on-premises deployments: Adobe Commerce 2.4.5 has been tested and confirmed to be compatible with Elasticsearch 7.17 (~7.17.0 with constraint). Merchants hosting Adobe Commerce on-premises can use either Elasticsearch or OpenSearch 1.2.
-
Adobe Commerce cloud-hosted deployments: ElasticSearch 7.11 or later is not supported on Adobe Commerce 2.4.5 cloud-hosted deployments. OpenSearch is the default search engine for Adobe Commerce 2.4.5 cloud deployments.
Adobe Commerce 2.4.5 now supports
-
Composer 2.2
-
TinyMCE (5.10.2). Earlier versions of TinyMCE (v5.9.2 or earlier) allowed arbitrary JavaScript execution when a specially crafted URL or an image with a specially crafted URL was updated.
-
jQueryUI (1.13.1)
-
PHPStan
(^1.5.7 with constraint) GitHub-35315
The DHL Integration schema has been updated from v6.0 to v6.2. This upgrade will not result in a change in product behavior.
Outdated JavaScript libraries have been updated to their latest versions, and outdated dependencies have been removed. These changes are backward compatible.
Composer dependency updates
The following Composer dependencies have been updated to the latest versions with constraint:
colinmollenhour/credis
(1.13.0)?guzzlehttp/guzzle
(^7.4.2)laminas/laminas-captcha
(updated with a constraint ^2.12)laminas/laminas-db
(^2.15.0)laminas/laminas-di
(^3.7.0)laminas/laminas-escaper
(~2.10.0)laminas/laminas-eventmanager
(^3.5.0)laminas/laminas-feed
(^2.17.0)laminas/laminas-mail
(^2.16.0)laminas/laminas-mvc
(^3.3.3)laminas/laminas-server
(^2.11.1)laminas/laminas-servicemanager
(^3.11.0)laminas/laminas-validator
(^2.17.0)league/fly
(2.4.3)monolog/monolog
(^2.5)phpmd/phpmd
(^2.12.0)phpstan/phpstan
(^1.5.7)phpunit/phpunit
(~9.5.20)php-cs-fixer
(^3.4.0)webonyx/graphql-php
(14.11.6)
The laminas/laminas-session
, laminas/laminas-text
, and laminas/laminas-view
dependencies have been removed.
Other upgrades and replacements
-
The DHL Integration schema has been updated from v6.0 to v6.2.
-
The default Gateway URL for USPS shipping has been updated to use
https
instead ofhttp
. -
The
Froogaloop
library has been replaced with the VimeoPlayer.js
library (2.16.4). -
The
grunt-eslint
(NPM) library has been upgraded to the latest version. -
The
jQuery Storage
libraries have been replaced withjulien-maurel/js-storage
. -
The
php-cs-fixer
andphpcs
static code analysis tools are now compatible with PHP 8.x. -
glob.js
dependency (upgraded with constraint to ~7.2.0) -
serve-static.js
dependency (upgraded with constraint ~1.14.2) -
underscore.js
dependency (NPM) (1.14.2) -
moment-timezone-with-data.js
(0.5.34) -
The library
jquery/jquery-cookie
has been replaced withjs-cookie/js-cookie
. -
The
jarallax.js
andjaralax-video.js
libraries have been updated to use the latest version of the Vimeo REST API.
Performance and scalability enhancements
Price indexer optimization
Primary index performance has been improved by reducing the number of primary indexes from 3 to 1 for the catalog_product_index_price_tmp
table. This enhancement reduced the number of records created in the price index by reducing eSKU multiplication that resulted from shared catalogs. Indexing time has been significantly reduced.
Accessibility updates
The focus of this release has been on creating a storefront experience on Venia (PWA) that is more perceivable, operable, understandable, and robust. These enhancements include:
- Search results summary information is now announced to screen reader users
- Screen readers are now informed when a new page view loads
- Contrast and keyboard accessibility have been improved
Adobe Sign
Merchants can now allow customers to electronically sign customized agreements, such as warranty documents, purchase agreements, and terms and conditions, during Adobe Commerce checkout.
Adobe Commerce integration with Adobe IMS
Adobe Commerce merchants who have an Adobe ID and want a streamlined login to Adobe Commerce and Adobe Business products can integrate Commerce authentication with the Adobe IMS authentication workflow. After this integration is enabled for your Commerce store, each Admin user must use their Adobe credentials — not their Commerce credentials — to log in. See Adobe Identity Management Service (IMS) Integration Overview.
Branding and style changes
The Admin has been updated to align with Adobe’s brand strategy. Changes affect headers, footers, data grid color updates, and navigation elements.
B2B
We have optimized the normalized database data that is needed to implement the Shared Catalogs feature. This reduction in eSKU multiplication results in a performance boost as fewer database rows must be stored. Previously, Adobe Commerce duplicated every SKU in the catalog for each Shared Catalog. Adobe Commerce now creates unique eSKUs for those directly assigned to a Shared Catalog.
Enabling the new Enabled Shared Catalog direct product price assigning configuration option also improves product price indexer performance.
This release includes multiple bug fixes. See B2B Release Notes.
Google Analytics
Google has updated the tracking and integration mechanisms of AdWords and Analytics in web applications through integration with GTag. This integration of Google functionality into website pages extends opportunities to track and manage content through Google Services. Adobe Commerce has a set of built-in modules including Google AdWords, Analytics, Optimizer, and TagManager that leverage the former API for integration with Google services. In this release, we have re-implemented this integration using the GTag approach. See Migrate from analytics.js to gtag.js (Universal Analytics).
GraphQL
GraphQL performance enhancements include:
-
Developers and administrators experience faster rebuilding of the unified storefront GraphQL schema on deployment or when changing attributes in production. Shoppers also experience significantly faster page load speeds when the GraphQL schema must be rebuilt for any reason.
-
Added capability to consume the expiration date/time of the authorization token through the use of JSON Web Tokens (JWT) in the GraphQL API.
-
The
bin/magento config:set graphql/session/disable 1
command allows merchants to completely disable the creation of session cookies for all GraphQL operations. By default, Adobe Commerce creates these cookies and relies on them for authorization, which affects performance. Going forward, we recommend using tokens as the only form of authorization for GraphQL requests. We do not recommend using session cookies alone or in conjunction with authorization tokens. See GraphQL Authorization. -
Session cookies are now launched in GraphQL operations using class proxies only when needed.
-
Session usage has been removed from
http
header processors in GraphQL such as store, customer, or currency.
See the GraphQL Developer Guide for details on these enhancements.
Inventory
Inventory template security has been enhanced.
Live Search
This release introduces support for B2B customer groups and custom pricing. Live Search now respects product assignments to customer groups and the pricing that is set for a specific customer group/shared catalog.
Page Builder
Page Builder v.1.7.2 is compatible with Adobe Commerce 2.4.5.
Page Builder column layout includes these enhancements:
-
Columns are now exposed, permitting users to control column settings on the storefront.
-
Column resizing now supports wrapping triggered by user actions.
Payments
Apple Pay is now available to all merchants running deployments with Payment Services enabled. This payment method does not require shoppers to enter their credit or debit card details. Apple Pay is available on the product details page, mini cart, shopping cart, and checkout workflow. Merchants can toggle on this feature.
PayPal
-
Merchants in Spain and Italy can now offer PayPal Pay Later to shoppers.
-
Previews of the PayPal, Credit and Pay Later buttons are now available in the Admin for the checkout, mini cart, cart, and product pages. Previews reveal how these buttons will look when they are enabled and rendered on the storefront.
Braintree
-
Braintree has discontinued the KOUNT fraud protection integration. It has been removed from the Adobe Commerce codebase.
-
The Always request 3DS option has been added to the Admin.
PWA Studio
PWA Studio v.12.5.x is compatible with Adobe Commerce 2.4.5.
New features for this release include:
-
Shopper behavior data is collected on PWA Studio storefront for web analytics services. Merchants can now subscribe and extend these events as needed.
-
Merchants can now select a service to deploy from the Admin (Google Tag Manager).
For information about enhancements and bug fixes, see PWA Studio releases. See Version compatibility for a list of PWA Studio versions and their compatible Adobe Commerce core versions.
Upgrade Compatibility Tool
Enhancements include:
-
Method signature validation now identifies incompatible changes within a method or a constructor signature.
-
Database schema validation now identifies schema changes and incompatibilities.
-
DI configuration validation now verifies references to removed or deprecated non-API core classes in
di.xml
and preferences for core classes and interfaces. -
UCT now identifies code deprecations and provides specific recommendations for resolving each issue.
Fixed issues
We have fixed hundreds of issues in the Adobe Commerce 2.4.5 core code.
Installation, upgrade, deployment
- You can now rename a data patch and add the old class name as an alias in the
patch_list
database table. Adobe Commerce now checks whether data patch aliases already existed in the database before applying the patch. Previously, Adobe Commerce threw an error under these conditions.
- Adobe Commerce no longer throws an exception when you try to change the Admin URL to a custom URL from the Admin. Previously, after changing the Admin URL, you could not log in. GitHub-35416
- Merchants can now successfully upgrade from an Adobe Commerce 2.4.2 deployment with Klarna to Adobe Commerce 2.4.3. GitHub-33760
- The path to Adobe Commerce Analytics is no longer hardcoded. Previously, this hardcoded path resulted in conflicts when multiple Adobe Commerce instances were installed on one server. GitHub-29373
Accessibility
- The Shopping bag button now provides a programmatic or textual indication of its state. Screen reader users are informed that clicking this button will expand other content, or that the associated content is expanded or collapsed. Previously, this button did not provide a programmatic or textual indication of its state.
- Payment Information credit card option text elements or images of text now meet the WCAG 2.0 required minimum color contrast ratio of 4.5:1 for standard text of 18pt (24px) or 14pt (19px) if bolded. Previously, they did not meet the expected contrast ratio.
- Address book > Communication > Account information custom focus indicators now provide a contrast ratio of at least 3:1 against the background color.
- Filter and Sort button text now meet the WCAG 2.0 required minimum color contrast ratio of 4.5:1 for standard text of 18pt (24px) or 14pt (19px) if bolded. Previously, navigation buttons for carousels did not meet these minimum contrast requirements.
- Screen readers announce the word “Venia” only once when navigating to Venia headers and footers. Previously, the same word was announced twice consecutively.
- Buttons that trigger dropdowns now provide information to screen readers that indicate their expanded or collapsed state and accessible names.
- Screen reader users are informed when a new page view is rendered. Previously, when a page title changed, the title change was not announced.