Adobe Commerce 2.4.7 highlights
Look for the following highlights in this release.
Security enhancements
This release includes the same security fixes and platform security improvements that are included in Adobe Commerce 2.4.6-p5, 2.4.5-p7, and 2.4.4-p8. See Adobe Security Bulletin for the latest discussion of these fixed issues.
No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts:
- IP allowlisting
- Two-factor authentication
- Use of a VPN
- Use of a unique location rather than /admin
- Good password hygiene
Additional security enhancements
Security improvements for this release improve compliance with the latest security best practices.
- Changes to the behavior of non-generated cache keys:
  - Non-generated cache keys for blocks now include prefixes that differ from prefixes for keys that are generated automatically. (Non-generated cache keys are keys that are set through template directive syntax or the setCacheKey or setData methods.)
  - Non-generated cache keys for blocks now must contain only letters, digits, hyphens (-), and underscore characters (_).
- Limitations on the number of auto-generated coupon codes. Commerce now limits the number of coupon codes that are automatically generated. The default maximum is 250,000. Merchants can use the new Code Quantity Limit configuration option (Stores > Settings:Configuration > Customers > Promotions) to prevent potentially overwhelming the system with many coupons.
- Optimization of the default Admin URL generation process. The generation of the default Admin URL has been optimized for increased randomness, which makes generated URLs less predictable.
- Added Subresource Integrity (SRI) support to comply with PCI 4.0 requirements for verification of script integrity on payment pages. Subresource Integrity (SRI) support provides integrity hashes for all JavaScript assets residing in the local filesystem. The default SRI feature is implemented only on the payment pages for the Admin and storefront areas. However, merchants can extend the default configuration to other pages. See Subresource Integrity in the Commerce PHP Developer Guide.
- Changes to Content Security Policy (CSP)—Configuration updates and enhancements to Adobe Commerce Content Security Policies (CSPs) to comply with PCI 4.0 requirements. For details, see Content Security Policies in the Commerce PHP Developer Guide.
  - The default CSP configuration for payment pages for Commerce Admin and storefront areas is now restrict mode. For all other pages, the default configuration is report-only mode. In releases prior to 2.4.7, CSP was configured in report-only mode for all pages.
  - Added a nonce provider to allow execution of inline scripts in a CSP. The nonce provider facilitates the generation of unique nonce strings for each request. The strings are then attached to the CSP header.
  - Added options to configure custom URIs to report CSP violations for the Create Order page in the Admin and the Checkout page in the storefront. You can add the configuration from the Admin or by adding the URI to the config.xml file.

  NOTE: Updating the CSP configuration to restrict mode might block existing inline scripts on payment pages in the Admin and storefront, which causes the following browser error when a page loads:
  Refused to execute inline script because it violates the following Content Security Policy directive: "script-src
  Fix these errors by updating the whitelist configuration to allow required scripts. See Troubleshooting in the Commerce PHP Developer Guide.
- A new full-page cache configuration setting can help to mitigate the risks associated with the HTTP {BASE-URL}/page_cache/block/esi endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles params size configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles params size). See Configure the Commerce application to use Varnish.
- Native rate limiting for payment information transmitted through REST and GraphQL APIs. Merchants can now configure rate limiting for the payment information transmitted using REST and GraphQL. This added layer of protection supports prevention of carding attacks and potentially decreases the volume of carding attacks that test many credit card numbers at once. This is a change in the default behavior of an existing REST endpoint. See Rate limiting.
- The default behavior of the isEmailAvailable GraphQL query and the (V1/customers/isEmailAvailable) REST endpoint has changed. By default, the APIs now always return true. Merchants can enable the original behavior by setting the Enable Guest Checkout Login option in the Admin to yes, but doing so can expose customer information to unauthenticated users.
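The SRI item above says Commerce emits integrity hashes for local JavaScript assets on payment pages. The following added example (not Commerce code) audits a rendered page against the assets on disk; the asset paths, the HTML, the status names and the choice of sha256 as the default algorithm are assumptions made for the sketch.

```python
import base64
import hashlib
from html.parser import HTMLParser

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content, alg="sha256"):
    """Integrity value for one asset: '<alg>-<base64 of the raw digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append((attributes["src"], attributes.get("integrity")))


def integrity_matches(content, integrity):
    """Browser rule: only hashes of the strongest listed algorithm count."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in STRENGTH]
    if not tokens:
        return False
    best = max(tokens, key=lambda t: STRENGTH[t.split("-", 1)[0]]).split("-", 1)[0]
    return any(t == sri_hash(content, best) for t in tokens if t.startswith(best + "-"))


def audit_page(html, assets):
    """Map each script src to ok / mismatch / missing-integrity / not-local."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = {}
    for src, integrity in collector.scripts:
        if src not in assets:
            findings[src] = "not-local"
        elif not integrity:
            findings[src] = "missing-integrity"
        elif integrity_matches(assets[src], integrity):
            findings[src] = "ok"
        else:
            findings[src] = "mismatch"
    return findings


# Constructed sample: assets as they are on disk now, and a page rendered earlier.
ASSETS = {
    "/static/js/payment.js": b"console.log('pay');",
    "/static/js/widget.js": b"console.log('changed after deploy');",
    "/static/js/legacy.js": b"console.log('legacy');",
}
GOOD = sri_hash(ASSETS["/static/js/payment.js"])
STALE = sri_hash(b"console.log('original');")
PAGE = f"""<html><head>
<script src="/static/js/payment.js" integrity="{GOOD}"></script>
<script src="/static/js/widget.js" integrity="{STALE}"></script>
<script src="/static/js/legacy.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, status in audit_page(PAGE, ASSETS).items():
        print(f"{status:18} {src}")
```

A mismatch means the file on disk no longer matches the hash the page advertises, which is the condition a browser enforcing SRI refuses to execute.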
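The CSP items above describe restrict mode on payment pages, report-only mode elsewhere, and a per-request nonce attached to the header. The following added example (not Commerce code) models that behaviour and the inline-script error quoted in the NOTE; the page identifiers, function names and report URI are hypothetical, and the browser decision is simplified to nonce and 'unsafe-inline' matching.

```python
import secrets

# Hypothetical page identifiers; the release notes say only that payment pages
# default to restrict mode and every other page to report-only mode.
PAYMENT_PAGES = {"storefront_checkout", "admin_create_order"}


def new_nonce():
    """Unpredictable per-request nonce (128 random bits, base64url-encoded)."""
    return secrets.token_urlsafe(16)


def build_csp_header(page, nonce, whitelist=(), report_uri=None):
    """Return (header name, header value) for one response."""
    restrict = page in PAYMENT_PAGES
    name = ("Content-Security-Policy" if restrict
            else "Content-Security-Policy-Report-Only")
    sources = ["'self'", f"'nonce-{nonce}'", *whitelist]
    directives = ["script-src " + " ".join(sources)]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return name, "; ".join(directives)


def inline_script_verdict(header, script_nonce=None):
    """Simplified browser decision for one inline <script> element.

    Models nonce and 'unsafe-inline' matching only; hash sources are not
    evaluated beyond their effect of disabling 'unsafe-inline'.
    """
    name, value = header
    directives = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return "allowed"  # no directive governs scripts
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    if script_nonce and f"'nonce-{script_nonce}'" in sources:
        return "allowed"
    # A nonce or hash source makes browsers ignore 'unsafe-inline'.
    if "'unsafe-inline'" in sources and not strict:
        return "allowed"
    # Enforcing header blocks; the report-only header only reports.
    return "blocked" if name == "Content-Security-Policy" else "reported"


if __name__ == "__main__":
    nonce = new_nonce()
    for page in ("storefront_checkout", "catalog_category"):
        header = build_csp_header(page, nonce,
                                  report_uri="https://csp.example.test/report")
        print(page, "->", header[0])
        print("  with nonce:   ", inline_script_verdict(header, nonce))
        print("  without nonce:", inline_script_verdict(header))
```

An inline script that was harmlessly reported under report-only mode is blocked once the same page moves to restrict mode, unless it carries the current request's nonce or is otherwise allowed by the policy.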
Platform enhancements
Platform upgrades for this release improve compliance with the latest security best practices.
Adobe Commerce 2.4.7 includes the following platform upgrades:
- PHP 8.3 compatibility. This release introduces support for PHP 8.3. Commerce now supports both PHP 8.3 and 8.2. PHP 8.2 will be supported until its End of Service (EOS) date in December 2025. After December 2025, all merchants running 2.4.7 deployments should migrate to PHP 8.3.
Adobe Commerce 2.4.7 is still compatible with PHP 8.1 for upgrade purposes only. PHP 8.1 is not supported and not recommended. Adobe Commerce 2.4.7 core code, all bundled extensions, and all Adobe-owned extensions and SaaS services are compatible with PHP 8.3.
- RabbitMQ 3.13 support. This release is compatible with the latest version of RabbitMQ 3.13. Compatibility remains with RabbitMQ 3.11 and 3.12, which are supported through August 2024 and December 2024 respectively, but Adobe recommends using Adobe Commerce 2.4.7 only with RabbitMQ 3.13.
- Composer 2.7.x. Compatibility with Composer 2.2.x remains.
- Varnish cache 7.4 support. This release is compatible with the latest version of Varnish Cache 7.4. Compatibility remains with the 6.0.x and 7.2.x versions, but we recommend using Adobe Commerce 2.4.7 only with Varnish Cache version 7.4 or version 6.0 LTS.
- Elasticsearch 8.11 compatibility
- OpenSearch 2.12 and OpenSearch 1.3 support
- Redis 7.2
- The extjs library has been replaced with the latest version of jsTree.
- The jquery/fileUpload library has been removed.
All JavaScript libraries and NPM dependencies in Adobe Commerce core code have been updated to the latest available versions. All Laminas library dependencies have been updated to the latest versions that are compatible with PHP 8.3.
Additional upgrades
- Multiple coupons per order support. Merchants can now configure the maximum number of coupons that can be applied per order with the new Maximum number of coupons per order configuration option. This value is set to 1 by default. You can now use REST or GraphQL to apply multiple coupons to a cart.
- The Commerce UPS XML API gateway has been migrated to the new Commerce UPS REST API to support updates that UPS is making to their API security model. (UPS is implementing an OAuth 2.0 security model (bearer tokens) for all APIs.) All previous Commerce UPS XML APIs have been removed from the Adobe Commerce 2.4.7 code base.
- Adobe Commerce integration with FedEx has been migrated from legacy FedEx WSDL Web Services to the latest FedEx RESTful APIs. FedEx Web Services Tracking, Address Validation, and Validate Postal Codes WSDLs will be retired in May 2024.
- Added support for the new USPS Ground Advantage shipping method. This is an out-of-box integration with USPS’s new shipping method, USPS Ground Advantage, which was released July 2023. This new integration can be used to retrieve shipping rates and schedule deliveries and returns through the USPS shipping service. The USPS Ground Advantage shipping method replaces these shipping methods, which were retired when the USPS Ground Advantage shipping method was released:
  - USPS Retail Ground
  - First-Class Package Service
  - Parcel Select Ground
- Temando shipping modules have been removed from the core Commerce code base. This feature was deprecated in Adobe Commerce 2.4.4.
Performance and scalability enhancements
Commerce 2.4.7 includes the following enhancements to Commerce performance and scalability:
- Enterprise merchants can now configure up to one million active, coupon-based cart price rules in Adobe Commerce with no significant performance degradations of cart and checkout operations.
- Enhanced indexer management. The new indexer:set-status command supports the dynamic management of indexer status. Admin users can use this command to change indexer status to suspended, invalid, or valid. This feature is particularly useful for managing system performance during extensive bulk operations, such as product imports or updates, by allowing control over when indexers are automatically triggered by the system’s cron jobs. See Manage the indexers.
- Product listing page for complex products with many options. Load time has improved for product listing pages that include complex products with over 100 options. The performance of GraphQL requests to list products by category has also improved.
- JSON format now supported for the REST Import API. Merchants can now import up to 100,000 records per minute into Adobe Commerce in JSON format.
- Sales rule performance improvements. Improved performance of enterprise deployments with many (approximately 100,000) active sales rules. Enterprise deployments that heavily implement promotions often deploy many active cart rules. These types of enterprise deployments running Commerce 2.4.7 will not see any performance degradation related to the number of configured cart price rules during checkout operations.
- Faster save operations of store-level configurations for deployments with many stores. Saving configuration settings in deployments with more than 500 stores can be time-consuming. The new Async Config module enables asynchronous configuration save operations by running a cron job that uses a consumer to process the save operation in a message queue. AsyncConfig is disabled by default.
- Faster generation of the config cache for large configurations. The bin/magento cache:clean config command now pre-warms the config cache when the config cache is enabled. This reduces the downtime required to generate the config cache for large configurations. Configuration save operations no longer clean the config_scopes cache before writing data to the cache, which also reduces the time that other requests are locked out while config data is being written.
GraphQL Application Server
GraphQL Application Server enables Adobe Commerce to maintain state among Commerce GraphQL API requests and eliminates the need for bootstrapping, which results in higher throughput, lower latency, and efficient resource use for all GraphQL APIs. By sharing application state among processes, GraphQL API requests become significantly more efficient, and GraphQL API responses are on average 30% faster.
GraphQL Application Server is available for Adobe Commerce only. It is not available for Magento Open Source. You must submit an Adobe Commerce Support ticket to enable GraphQL Application Server on Pro projects.
Adobe Commerce Extension metapackage
This release introduces the Adobe Commerce Extension metapackage v2.0.0, which automatically bundles select Adobe Commerce extensions with this core release. The versions of these extensions that are included in this metapackage are installed when composer update is run, simplifying the process of upgrading these extensions when upgrading to the latest core release. These extensions maintain independent release schedules.
The Adobe Commerce Extension metapackage for Adobe Commerce 2.4.7 includes these extensions:
Future versions of this extension metapackage may contain additional extensions.
Adobe Commerce webhooks
Commerce webhooks (v1.2.0) enable developers to configure synchronous logic to execute calls to external systems when an Adobe Commerce event triggers. Synchronous calls are required when Commerce must immediately compute or validate a value such as an order total, tax, or payment using a third-party endpoint and subsequently write the result back into Adobe Commerce.
Commerce webhooks is now installed by default. See Adobe Commerce Webhooks Overview.
Adobe Stock
The Adobe Stock package (adobe-stock-integration) is now packaged in the Commerce extensions meta package (extensions-metapackage) to support more frequent updates.
B2B
Braintree
- Vaulted PayPal and Pay Later Changes—Logged-in customers who have previously vaulted/stored their PayPal account have the option to pay with:
  - Pay Now (without having to log into their PayPal account, the user can pay with their default card)
  - Pay with a different funding source
  - Pay with a different account
  - PayPal Pay Later or PayPal Credit button
- 3DS support for Google Pay—Included 3DS verification support for the Google Pay non-tokenized cards. See the Braintree documentation for more information.
- Vault Apple Pay Payments—Allow logged-in customers to vault/store their Apple Pay payments to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.
- Vault Google Pay Payments—Allow logged-in customers to vault/store their Google Pay payments to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.
- Vault Venmo Payments—Allow logged-in customers to vault/store their Venmo accounts to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.
- Vault ACH Payments—Allow logged-in customers to vault/store their ACH payments to their Commerce store account to use on future transactions. This reduces the number of steps on checkout and creates a faster checkout experience for the returning customer.
- Express Payment buttons at the top of checkout—To encourage a faster checkout experience, we’ve introduced Express Payment options at the beginning of the checkout. Customers can now pay by PayPal, PayPal Pay Later, Apple Pay, and Google Pay Express payments.
- Braintree release notes and Support links within the Admin Configuration—Merchants can now directly link from the Commerce Admin to Braintree support and release notes online.
- GraphQL support for all Braintree payment methods except Venmo—More configurations are exposed in the GraphQL API. This is particularly useful for headless applications.
- Vaulting payments in account area—Logged-in customers can now vault/store new credit/debit cards and PayPal accounts in the Customer account area. Previously, customers could only vault/store when saving their payments for later use while completing a transaction on the checkout. Now they can vault new credit/debit cards and PayPal accounts without needing to create a new transaction.
- Frictionless Transactions—Frictionless transactions accelerate the payment process by reducing the number of customer clicks/steps to complete an online credit/debit card transaction. Previously (when 3DS was enabled), every customer was 3DS challenged. With the new Frictionless Transactions feature, customers are only challenged for 3DS when the bank requests it. This reduces cart abandonment, increases conversion rates, and leads to more sales.
- Dispute webhooks—When a customer disputes a transaction in Braintree, the dispute status is now passed on to Commerce. It is searchable in the Sales > Order grid and attached to each order.
Commerce integration with Adobe IMS
The Adobe IMS integration package (adobe-commerce/adobe-ims-metapackage) is now packaged in the Commerce extensions meta package (extensions-metapackage) to support more frequent updates.
GraphQL
Commerce 2.4.7 includes enhanced GraphQL caching abilities, support to the GraphQL schema for custom attributes, support for headless order cancellation, and improved resolver caching.
- More flexible cart management. The clearCart mutation now clears the contents of a specified shopping cart in a single action. It replaces the clearCustomerCart mutation, which has been deprecated.
- Improvements in create cart mutations. The createGuestCart mutation has been added to replace the deprecated createEmptyCart mutation. Previously, if you used createEmptyCart, you could not determine whether the cart was for a guest or logged-in customer.
- Order items now include product images. OrderItemInterface exposes product images, which permits images to be associated with ordered products and load more efficiently. GitHub-32369
- Expanded support for resolver caching. The following GraphQL query resolvers are now cacheable in the GraphQL Resolver Results cache, which improves performance when queries are submitted with POST requests:
  - Magento\CustomerGraphQl\Model\Resolver\Customer::resolve
  - Magento\CustomerGraphQl\Model\Resolver\CustomerAddress::resolve
  - Magento\CustomerGraphQl\Model\Resolver\IsSubscribed::resolve
  - Magento\CatalogGraphQl\Model\Resolver\Product\MediaGallery::resolve
- Support for order cancellation. The cancelOrder mutation allows a customer to cancel an order, passing its identifier and a cancellation reason.
  - The new order_cancellation_enabled and order_cancellation_reasons.description response fields in the storeConfig query support user-initiated order cancellation requests. See Query a store’s order cancellation configuration.
- Enhanced support for custom attributes. GraphQL custom attribute support has been enhanced by enriching API data to support all attribute types. The GraphQL EAV attributes schema now supports extending customer attributes and customer address objects in the Admin and retrieving them using GraphQL. Specific areas of enhancement include:
  - extended/added custom attributes support to specific areas such as customer and customer address
  - added caching for custom attributes
  - enhanced existing custom attributes support for products
- Enhanced GraphQL caching capabilities improve page load speed. Caching capability has been added to these queries, improving the speed of page load time for most PWA pages:
- Improved GraphQL parser performance. GraphQL parser performance has been improved by reducing the number of times the parse method is called per request. It is now called once. Previously, the parser was called at least three times.
New fields for existing mutations
- Added the quickorder_active field to the storeConfig and availableStores queries. This field indicates whether the quick order feature is enabled.
- Added the following fields to the setBillingAddressOnCart and setShippingAddressesOnCart mutations:
  - fax
  - middlename
  - prefix
  - suffix
New queries and mutations
- attributeForms query
- attributesList query
- guestOrder query
- guestOrderByToken query
- recaptchaFormConfig query
- cancelOrder mutation
- customAttributeMetadataV2 query
- applyCouponsToCart mutation
- clearCart mutation
- confirmEmail mutation
- createGuestCart mutation
- estimateShippingMethods mutation
- estimateTotals mutation
- removeCouponsFromCart mutation
Deprecated queries and mutations
- clearCustomerCart mutation
- createEmptyCart mutation
- attributesMetadata query
- customAttributeMetadata query
Inventory Management
Inventory Management (v1.2.7) provides tools to manage product inventory. This community-developed feature is bundled with Adobe Commerce and Magento Open Source core code.
Payments
- GraphQL support has been added for core operations for all payment methods except for Venmo. New GraphQL endpoints for payment services are described in Checkout.
- Credit card vaulting has been enhanced for all payment methods except for Venmo. Shoppers can now vault, or save, their ACH payments and view or delete them from their account page. Merchants can enable and disable ACH vaulted payments from the Admin.
- The checkout workflow now includes an express payment section that provides PayPal, Google Pay, and Apple Pay Express buttons.
Payment Options introduces supported payment methods.
PWA Studio
PWA Studio v14.0 is compatible with Adobe Commerce 2.4.7. It includes multiple enhancements to improve accessibility. For information about bug fixes, see PWA Studio releases. See Version compatibility for a list of PWA Studio versions and their compatible Adobe Commerce core versions.
Web API framework
Working with multiple coupons per cart
New REST endpoints support viewing, adding, and deleting multiple coupons associated with a cart.
V2 instead of V1. For example, GET /rest/default/V2/carts/{cartId}/coupons. For Commerce merchants, these endpoints are meant to replace the V1 versions of the endpoints. These endpoints are only available in Adobe Commerce.
Return all coupon codes that are associated with a cart:
GET /rest/{store_code}/V2/carts/{cartId}/coupons
GET /rest/{store_code}/V2/carts/mine/coupons
Append a coupon code to a cart:
POST /rest/{store_code}/V2/carts/{cartId}/coupons/{couponCode}
POST /rest/{store_code}/V2/carts/mine/coupons/{couponCode}
Replace coupon codes in a cart:
PUT /rest/{store_code}/V2/carts/{cartId}/coupons
PUT /rest/{store_code}/V2/carts/mine/coupons
Remove coupon codes from a cart:
POST /rest/{store_code}/V2/carts/{cartId}/coupons/deleteByCodes
POST /rest/{store_code}/V2/carts/mine/coupons/deleteByCodes
Additional endpoints
This release introduces two new REST endpoints that provide a workaround for a limitation with the REST API GET and POST V1/products/attributes endpoints. These endpoints return the same value for the is_filterable attribute for both the Filterable(with results) and Filterable(no results) options of the Use in Layered Navigation option. (The is_filterable attribute property is of type Boolean, which does not permit setting this property to Filterable(no results).)
Two new REST endpoints have been implemented as a workaround:
- PUT /V1/products/attributes/{attributeCode}/is-filterable/{isFilterable}. Path parameters: attributeCode (String) and isFilterable (int values are: 0 is No; 1 is Filterable (with results); 2 is Filterable (no results)).
- GET /V1/products/attributes/{attributeCode}/is-filterable. Path parameters: attributeCode (String).
Fixed issues
We have fixed hundreds of issues in the Adobe Commerce 2.4.7 core code. A subset of the fixed issues included in this release is described below. Fixes included in previous Commerce 2.4.7-beta releases are also described.
Installation, upgrade, deployment
- Unnecessary cache manipulation has been removed from the set-up process. Previously, Commerce wrote its configuration to disk unnecessarily when bin/magento setup:db-data:upgrade or bin/magento setup:upgrade was run, which caused issues with some modules during setup. GitHub-38124
- Deployment issues due to insufficient memory and large tables have been resolved. The bin/magento setup:upgrade command no longer fails due to memory-exceeded errors that are related to large MySQL tables.
- bin/magento setup:install now completes successfully after app/etc/config.php has been deleted. Previously, the missing file was not regenerated during installation, and Commerce threw an error. GitHub-37805
- bin/magento setup:upgrade has been refactored to run successfully when installing a new module that installs both tables and associated mview indexers. GitHub-37304
- Database restoration no longer fails due to a delimiter error. Previously, Commerce threw this error when bin/magento setup:rollback --db was executed: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'delimiter' at line 1, query was: delimiter ;;.
- The bin/magento setup:upgrade command no longer fails with this type of MySQL memory limit-related error: PHP Fatal error: Allowed memory size of 4294967296 bytes exhausted (tried to allocate 20480 bytes). Multi-select attribute migration has been optimized to consume less memory during setup:upgrade.
- Generating a database backup now works as expected from both the Admin and command line. Previously, Adobe Commerce threw this error: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'delimiter' at line 1, query was: delimiter ;;.
- Running setup:config:set without specifying the --lock-db-prefix parameter no longer erases the current value from the env.php file.
- Varnish configuration has been updated to prevent guest users from accessing cached content related to other customer groups.
- Shoppers can now place an order in a deployment that implements split database when Checkout Async is enabled. Previously, Adobe Commerce threw this error: An error occurred on the server. Please try to place the order again.
- bin/magento setup:upgrade now completes successfully when installing a new module that installs both tables and associated mview indexers.
- bin/magento setup:upgrade now displays a more informative error message when a message queue topic does not include a topic name. GitHub-34246
- bin/magento setup:upgrade now displays a more informative error message when merged XML files are invalid. The error message now includes the filename.