Release Magento 2.4.7

Ariya InfoTech April 12, 2024

Magento Open Source 2.4.7 release notes

Magento Open Source 2.4.7 introduces support for PHP 8.3, enhancing performance and compatibility. This release incorporates numerous quality fixes and enhancements, addressing various issues reported by users and developers. Core Composer dependencies and third-party libraries have been updated to their latest versions, ensuring optimal functionality and security.

Magento Open Source 2.4.7 highlights

Security enhancements

This release incorporates the same essential security fixes and platform security enhancements found in Adobe Commerce 2.4.6-p5, 2.4.5-p7, and 2.4.4-p8. For detailed information on these resolved issues, please refer to the Adobe Security Bulletin.

To date, there have been no confirmed attacks associated with these vulnerabilities. However, it’s important to acknowledge that certain vulnerabilities could potentially be exploited to gain access to sensitive customer information or compromise administrator sessions. Most of these vulnerabilities necessitate initial access to the Admin panel by an attacker.

As a precautionary measure, we strongly advise you to implement all necessary precautions to safeguard your Admin panel. This includes, but is not limited to, the following efforts:

  • IP allowlisting
  • two-factor authentication
  • use of a VPN
  • use of a unique location rather than /admin
  • good password hygiene

Additional security enhancements

Limitations on the number of auto-generated coupon codes. Magento Open Source now limits the number of coupon codes that are automatically generated. The default maximum is 250,000. Merchants can use the new Code Quantity Limit configuration option (Stores > Settings:Configuration > Customers > Promotions) to prevent potentially overwhelming the system with many coupons.

Optimization of the default Admin URL generation process. The generation of the default Admin URL has been optimized for increased randomness, which makes generated URLs less predictable.

A new full-page cache configuration setting can help to mitigate the risks associated with the HTTP {BASE-URL}/page_cache/block/esi endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles params size configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles params size).

Added Subresource Integrity (SRI) support to comply with PCI 4.0 requirements for verification of script integrity on payment pages. Subresource Integrity (SRI) support provides integrity hashes for all JavaScript assets residing in the local filesystem. The default SRI feature is implemented only on the payment pages for the Admin and storefront areas. However, merchants can extend the default configuration to other pages.
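A check a merchant could run against this feature, shown as an added example (not Magento's or Adobe's code): it recomputes the integrity value of each local script and compares it with the integrity attribute in the rendered page. The asset paths, file contents and page fragment are constructed, and accepting any listed hash is a simplification.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Digest algorithms permitted in an integrity attribute.
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

def sri_value(content: bytes, algorithm: str = "sha256") -> str:
    """Return the integrity attribute value for the given script bytes."""
    digest = ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append((attributes["src"], attributes.get("integrity")))

def token_matches(token: str, content: bytes) -> bool:
    algorithm = token.split("-", 1)[0]
    return algorithm in ALGORITHMS and sri_value(content, algorithm) == token

def audit_page(html: str, assets: dict) -> dict:
    """Map each local script src to 'ok', 'missing' or 'mismatch'."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, integrity in collector.scripts:
        if src not in assets:
            continue  # not a local asset; outside this audit
        hashes = (integrity or "").split()
        # Simplification: any listed hash may match (browsers use only the strongest).
        matched = any(token_matches(t, assets[src]) for t in hashes)
        report[src] = "ok" if matched else ("mismatch" if hashes else "missing")
    return report

# Constructed sample: three local assets and a payment page fragment.
ASSETS = {f"/static/{n}.js": f"console.log('{n}');\n".encode() for n in ("checkout", "payment", "legacy")}
TAG = '<script src="/static/{}.js" {}></script>'
PAGE = (TAG.format("checkout", f'integrity="{sri_value(ASSETS["/static/checkout.js"], "sha384")}"')
        + TAG.format("payment", f'integrity="{sri_value(b"superseded build")}"')
        + TAG.format("legacy", ""))

if __name__ == "__main__":
    print(audit_page(PAGE, ASSETS))
```

A "mismatch" means the file on disk no longer matches the hash the page advertises, which is the condition SRI makes the browser refuse to execute.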

Changes to Content Security Policy (CSP)—Configuration updates and enhancements to Adobe Commerce Content Security Policies (CSPs) to comply with PCI 4.0 requirements. For details, see Content Security Policies in the Commerce PHP Developer Guide.

The default CSP configuration for payment pages for Commerce Admin and storefront areas is now restrict mode. For all other pages, the default configuration is report-only mode. In releases prior to 2.4.7, CSP was configured in report-only mode for all pages.

Added a nonce provider to allow execution of inline scripts in a CSP. The nonce provider facilitates the generation of unique nonce strings for each request. The strings are then attached to the CSP header.

Added options to configure custom URIs to report CSP violations for the Create Order page in the Admin and the Checkout page in the storefront. You can add the configuration from the Admin or by adding the URI to the config.xml file.
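The per-page CSP modes and the per-request nonce described above, modelled as an added example (not Magento's implementation), together with an audit over captured response headers. The page labels, the reduced `script-src` policy and the report URI are assumptions made for illustration.

```python
import base64
import re
import secrets

# Assumed labels for the two payment pages the release notes name.
PAYMENT_PAGES = {"storefront_checkout", "admin_create_order"}
ENFORCE, REPORT_ONLY = "Content-Security-Policy", "Content-Security-Policy-Report-Only"
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")

def new_nonce() -> str:
    """Fresh, unpredictable nonce; call once per request."""
    return base64.b64encode(secrets.token_bytes(18)).decode()

def csp_header(page: str, nonce: str, report_uri: str = "") -> tuple:
    """Return (header name, value): enforced on payment pages, report-only elsewhere."""
    directives = [f"script-src 'self' 'nonce-{nonce}'"]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    return (ENFORCE if page in PAYMENT_PAGES else REPORT_ONLY), "; ".join(directives)

def inline_script_allowed(header_value: str, script_nonce: str) -> bool:
    """An inline script runs under this policy only if its nonce is in the header."""
    return script_nonce in NONCE_RE.findall(header_value)

def audit(responses: list) -> list:
    """Flag payment pages without an enforced policy and nonces seen twice."""
    findings, seen = [], set()
    for page, headers in responses:
        if page in PAYMENT_PAGES and ENFORCE not in headers:
            findings.append(f"{page}: policy is not enforced")
        for name in (ENFORCE, REPORT_ONLY):
            for nonce in NONCE_RE.findall(headers.get(name, "")):
                if nonce in seen:
                    findings.append(f"{page}: nonce reused across requests")
                seen.add(nonce)
    return findings

def respond(page: str, nonce: str) -> tuple:
    """Constructed response: (page, headers) with a constructed report URI."""
    name, value = csp_header(page, nonce, "https://csp-reports.example.test/collect")
    return page, {name: value}

if __name__ == "__main__":
    good = [respond("storefront_checkout", new_nonce()), respond("cms_home", new_nonce())]
    print(audit(good))
    fixed = "c3RhdGljLW5vbmNl"  # constructed static nonce, the misconfiguration
    bad = [("storefront_checkout", {REPORT_ONLY: f"script-src 'nonce-{fixed}'"}), respond("cms_home", fixed)]
    print(audit(bad))
```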

Platform enhancements

PHP 8.3 compatibility. This release introduces support for PHP 8.3. Magento Open Source now supports both PHP 8.3 and 8.2. PHP 8.2 will be supported until its End of Service (EOS) date in December 2025. After December 2025, all merchants running 2.4.7 deployments should migrate to PHP 8.3.

Magento Open Source 2.4.7 is still compatible with PHP 8.1 for upgrade purposes only. PHP 8.1 is not supported and not recommended. Magento Open Source 2.4.7 core code, all bundled extensions, and all Adobe-owned extensions and SaaS services are compatible with PHP 8.3.

RabbitMQ 3.13 support. This release is compatible with the latest version of RabbitMQ 3.13. Compatibility remains with RabbitMQ 3.11 and 3.12, which are supported through August 2024 and December 2024 respectively, but Adobe recommends using Magento Open Source 2.4.7 only with RabbitMQ 3.13.

Varnish cache 7.4 support. This release is compatible with the latest version of Varnish Cache 7.4. Compatibility remains with the 6.0.x and 7.2.x versions, but we recommend using Magento Open Source 2.4.7 only with Varnish Cache version 7.4 or version 6.0 LTS.

  • Elasticsearch 8.11 compatibility
  • OpenSearch 2.12 and OpenSearch 1.3 support
  • Redis 7.2
  • The extjs library has been replaced with the latest version of jsTree.
  • jquery/fileUpload library has been removed.
  • Composer 2.7.x. Compatibility with Composer 2.2.x remains.

GraphQL

Magento Open Source 2.4.7 includes enhanced GraphQL caching abilities, GraphQL schema support for custom attributes, support for headless order cancellation, and improved resolver caching.

More flexible cart management. The clearCart mutation now clears the contents of a specified shopping cart in a single action. It replaces the clearCustomerCart mutation, which has been deprecated.

Improvements in create cart mutations. The createGuestCart mutation has been added to replace the deprecated createEmptyCart mutation. Previously, if you used createEmptyCart, you could not determine whether the cart was for a guest or logged-in customer.

Order items now include product images. OrderItemInterface exposes product images, which permits images to be associated with ordered products and load more efficiently.

Expanded support for resolver caching. The following GraphQL query resolvers are now cacheable in the GraphQL Resolver Results cache, which improves performance when queries are submitted with POST requests:

  • Magento\CustomerGraphQl\Model\Resolver\Customer::resolve
  • Magento\CustomerGraphQl\Model\Resolver\CustomerAddress::resolve
  • Magento\CustomerGraphQl\Model\Resolver\IsSubscribed::resolve
  • Magento\CatalogGraphQl\Model\Resolver\Product\MediaGallery::resolve

Web API framework

This release introduces two new REST endpoints that provide a workaround for a limitation with the REST API GET and POST V1/products/attributes endpoints. The existing endpoints return the same value for the is_filterable attribute for both the Filterable (with results) and Filterable (no results) options of the Use in Layered Navigation option. (The is_filterable attribute property is of type Boolean, which does not permit setting this property to Filterable (no results).)

Two new REST endpoints have been implemented as a workaround:

  • PUT /V1/products/attributes/{attributeCode}/is-filterable/{isFilterable}. Path parameters: attributeCode (String) and isFilterable (int; values are: 0 is No; 1 is Filterable (with results); 2 is Filterable (no results)).
  • GET /V1/products/attributes/{attributeCode}/is-filterable. Path parameters: attributeCode (String).

About Yuvraj Raulji
Ariya InfoTech, a leading IT solutions company, has been closely working with B2B & B2C digital commerce Medium and Enterprise companies since 2014 and has helped 100+ brands build and improve their online B2B and B2C ventures in the area of contemporary eCommerce or customer-centric next-generation digital commerce. Yuvraj Raulji, a founder of Ariya InfoTech, recommends and proposes a digital commerce platform aligned with your business vision and objectives.