Magento Open Source 2.3.3 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.

This release includes over 170 functional fixes to the core product and over 75 security enhancements. It includes over 200 contributions from our community members. These contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.

Highlights in this release include:

Substantial security enhancements

This release includes the following security enhancements:

• PSD2 compliance to core payment methods
• Fixes for 75 critical security issues
• Significant platform-security enhancements that boost XSS (cross-site scripting) protection against future exploits. This effort is the culmination of several months of concentrated effort on Magento’s part to reduce our backlog of security enhancements.

Core payment methods integrations are now compliant with PSD2 regulations

The European Union recently revised the Payment Services Directive (PSD) regulation with an updated version–PSD2. This revised regulation goes into effect on September 14, 2019, and will significantly affect most payment processing involving credit cards or bank transfers.  See the Magento Forum DevBlog post 3D Secure 2.0 changes for more information on Magento Payment Provider Recommendations and a wealth of links to PSD2 regulation discussions.

This release contains the following major PSD-related changes:

• The Braintree payment method now complies with PSD2 regulations. Its core integration API has been upgraded to the latest JavaScript SDK v3 API, which is a requirement for supporting native Braintree 3D Secure 2.0 adoption. Braintree transactions are now also verified by using the native Braintree 3D Secure 2.0 service.
• Authorize.net now provides the ability, through the cardholderAuthentication request field, to make 3D Secure verification through third-party services such as CardinalCommerce. Starting with this release, Authorize.net accept.js integration will support 3DS 2.0 through CardinalCommerce.

• The Cybersource and eWay payment modules have been deprecated in this release to comply with PSD2 SCA regulation, which takes effect on September 14, 2019. Use the official Marketplace extensions for these features instead.

Security enhancements and fixes to core code

• 75 security enhancements that help close cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities as well as other security issues. No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP whitelisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Magento Security Center for a comprehensive discussion of these issues. All known exploitable security issues fixed in this release (2.3.3) have been ported to 2.2.10, 1.14.4.3, and 1.9.4.3, as appropriate.

Performance boosts

• Merchants now have the ability to turn off the automatic URL rewrite generation that occurs by default on products when the category they belong to is saved. The new Generate “category/product” URL Rewrites configuration option controls this behavior. When this feature is enabled, Magento will generate a lot of data when saving a category that contains many assigned products. This generated data is saved into rewrite tables that can degrade Magento performance.

• Page load speeds have been improved by moving non-critical CSS elements to the bottom of the page. This enables the browser to render and display a storefront page more quickly. This setting is disabled by default, but you can enable it using Stores > Configuration > Advanced > Developer > CSS Settings > Use CSS critical path. For more information, see CSS critical path documentation.

• The jQuery/ui library has been refactored into separate widgets so that core modules load only the widgets they need. This update improves the performance of core storefront tasks including the loading of category, configurable product, home, and checkout pages.

• Store pages now display text in readable system fonts while loading custom fonts, which significantly increases page load speed. Merchants who deploy stores that implement large CSS files and many fonts will notice the greatest improvement.

Infrastructure improvements

This release contains enhancements to core quality, which improve the quality of the Framework and these modules: Catalog, Sales, Checkout/One Page Checkout, UrlRewrite, Customer, and Ui. Here are some additional core enhancements:

• The WYSIWYG editor has been upgraded to TinyMCE v. 4.9.5​.

Merchant tool enhancements

• As part of our efforts to better understand the Admin user experience and improve product design, Magento is introducing the tracking of user actions and events on the Admin. After you upgrade to Magento 2.3.3, the first administrative user who logs into the Admin will be prompted to Allow admin usage data collection. If the user agrees to data collection, the data captured from Admin activity is sent to Adobe Analytics for analysis and reporting. Typical events include page views, save actions, and changes to Magento mode. See Store Admin for more information.

Inventory Management enhancements

• Fixes to multiple bugs. See Inventory Management release notes.

GraphQL

Expanded GraphQL functionality and improved coverage for PayPal payment integrations, gift cards, and store credit features. Added mutations and queries that support these tasks:

• Process payments through PayPal Express checkout, Payflow Pro and Link Express Checkout, and other supported PayPal payment methods, Authorize.net, and Braintree
• Redeem gift cards and convert to store credit balance for logged-in users
• Update shopping carts for guest users to apply or remove gift cards and check card balance
• Add configurable products to cart

See Release notes for a more detailed discussion of recent GraphQL bug fixes.

PWA Studio

PWA Studio 4.0.0 contains new hooks in Peregrine. Existing components have also been refactored to convert them into re-useable Peregrine hooks. For information on these enhancements plus other improvements, see PWA Studio releases.

Google Shopping ads Channel

The Google Shopping ads Channel Marketplace extension is now available as a bundled extension. Google Shopping ads Channel Release Notes describes all changes to this feature for Magento 2.3.x.

Magento Shipping

Due to the impending shutdown of Temando (the provider of the technology behind Magento Shipping), it is no longer possible to create a new Magento Shipping account. Support for current Magento Shipping deployments for all existing customers will continue. For detailed status information and recommendations for new shipping implementations in Magento, see our product information page.

This release of Magento Shipping includes:

• Improvements to batch-order processing, carrier integration, shipping method preview in the shipping portal, checkout.
• Support for bundled products and prepackage options.

See Magento Shipping.

Vendor-developed extension enhancements

This release of Magento includes extensions developed by third-party vendors. It introduces a new vendor-supplied extension–Yotpo.

Amazon Pay

Amazon Pay is now compliant with the PSD2 directive for UK and Germany. See Payment services (PSD 2) – Directive (EU) for an introduction to PSD2.

dotdigital

• Improved product catalog sync for bundled and custom products.
• Enhanced communications for abandoned cart.

Klarna

• Merchants can now disable the sending of customer information.
• New options now support B2B transactions in select markets.
• PayBright, a Canadian payment coverage option, is now supported.

See Klarna.

Vertex

• Added support for Vertex Flexible Fields. Vertex flexible fields allow merchants to send additional information to the tax engine, which can then be used in Tax Assist Rules to refine a product’s applicable tax.
• Several attributes are provided by default, including administrator-created Customer attributes, Address attributes, and Product attributes. Documentation is provided in the module’s README file on how integrators can add additional options to these attributes.

• You can now add custom fields to the Vertex connector.

Yotpo

The Yotpo user-generated content management platform is now integrated with the Magento Admin. Yotpo provides tools for merchants to gather, curate, and manage user-generated content such as product reviews. For more information on configuring and launching Yotpo from the Admin, see Yotpo Product Reviews.

If you are interested in upgrading or re-platforming to the latest release of Magento 2.3.3 get in touch with Full English today.

‍