Adobe have just released Magento Open Source 2.3.4, which includes over 220 functional fixes to the core product and over 30 security enhancements. It includes resolution of over 275 contributions by community members. These community contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.

Magento Open Source 2.3.4 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.

Highlights

Look for the following highlights in this release:

Substantial security enhancements

This release includes the following security enhancements:

Over 30 security enhancements that help close cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP whitelisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Adobe Security Bulletin for a discussion of these fixed issues. All known exploitable security issues fixed in this release (2.3.4) have been ported to 2.2.11, 1.14.4.4, and 1.9.4.4, as appropriate.

Security enhancements and fixes to core code

Additional security enhancements include:

• Removal of custom layout updates and the deprecation of layout updates to remove the opportunity for Remote Code Execution (RCE). The Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages has now been converted to a selector. You can no longer specify an entity-specific layout update with text but instead must create a physical file that contains the layout updates and select it for use. The name of the file containing an update must follow the conventions described here.
• Redesigned content template features so that only whitelisted variables can be added to templates. This avoids the situation where administrator-defined templates such as email, newsletters, and CMS content can include variables and directives that can directly call PHP functions on objects.

Platform upgrades

The following platform upgrades help enhance website security and PCI compliance.

• Enhancements to the message queue framework. Magento now supports the latest release of RabbitMQ v3.8, which is the third-party technology that underlies the Magento message queue framework.
• Improved page caching and session storage. This release has been tested on the latest stable release of Redis v5.0.6.
• Enhanced support for MariaDB 10.2. Before Magento 2.3.4, when using declarative schema with MariaDB 10.2, Magento threw an error indicating that the schema was not up-to-date after running bin/magento setup:upgrade. With this release, we have normalized the values returned by MariaDB, which allows system integrators to use declarative schema with both MySQL and MariaDB.
• The core integration of the Authorize.net payment method has been deprecated. Please use the official payment integration that is available on Marketplace.

Performance boosts

Merchants and customers will see performance improvements as a result of these enhancements:

• Redundant non-cached requests to the server on catalog pages have been eliminated by refactoring the customer section invalidation mechanism and improving banner cache logic.
• PHTML files have been refactored to better support parsing by the bundling mechanism. Our new bundling mechanism now identifies all dependencies on JavaScript.
• Added the ability to disable statistic collecting for Reports module by default. A new configuration setting (System Configuration > General > Reports > General Options) allows merchants to completely or partially disable Magento Reports. (Statistics collection for the Reports module is disabled by default. Magento recommends disabling Reports functionality for performance reasons when this capability is not required.)

Infrastructure improvements

This release contains 250 enhancements to core quality, which improve the quality of the Framework and these modules: catalog, sales, PayPal, Elasticsearch, import, and CMS.

Merchant tool enhancements

• Integration with Adobe Stock image galleries. The new bundled Adobe stock integration extension enables merchants to add high quality media assets to their website content without leaving the Magento Admin. Merchants can use the searchable interface in the Magento Media Gallery to explore, preview, license, and deploy stock images in website content. See Adobe Stock Integration and Using Adobe Stock Images.

Inventory Management

Inventory Management enhancements for this release include:

• Addressed a known performance issue that caused higher than expected loads on the database server in scenarios involving the shopping cart.
• Updated the Inventory Reservations CLI command to reduce memory usage when finding and compensating for missing reservations on large catalogs.
• Resolved multiple quality issues, including those related to credit memos, grouped products, source and stock mass actions.

GraphQL

This release includes improved GraphQL coverage for search, layered navigation, cart functionality. The following mutations/queries are available:

• Guest carts can now be merged with customer carts. The mergeCarts mutation transfers the contents of a guest cart into the cart of a logged-in customer.
• A customer can start an order on one device and complete it on another. Use the `customerCart query to obtain the cart ID for a logged-in customer.
• Layered navigation can use custom filters. The filter attribute of the products query now requires the ProductAttributeFilterInput object. You can specify a pre-defined filter in this object, or define a custom filter. As a result, layered navigation on your website filters on the attributes you need.
• You can search categories by ID, name, and/or URL key. The [categoryList](/guides/v2.3/graphql/queries/category-list.html) query replaces the deprecatedcategory` query.
• The ProductInterface supports fixed product taxes (such as WEEE). Use the storeConfig query to determine whether to store supports these taxes.
• The cart object has been enhanced to include information about promotions and applied discounts at the line and cart levels.

PWA Studio

For information on these enhancements plus other improvements, see PWA Studio releases

dotdigital

• Live Chat powered by dotdigital enables merchants to increase conversion rates, and keep customers coming back with real-time engagement. All Magento 2.3.x merchants (both Magento Open Source and Magento Commerce) can receive a free live chat agent without the need for a full dotdigital Engagement Cloud license.
• Engagement Cloud includes a new Chat widget that makes it easy for shoppers to communicate in real time with customers as they shop in your store. Chat can be accessed from the Engagement Cloud section of the Magento configuration, or directly from your Engagement Cloud account. See Engagement Cloud Chat.

Google Shopping ads Channel

Google Shopping ads Channel Release Notes describes all changes to this feature for Magento 2.3.x.

Vendor-developed extension enhancements

This release of Magento includes extensions developed by third-party vendors. It includes both quality and UX improvements to these extensions.

Klarna

Klarna Payments has a new Data sharing on load field in the Magento configuration that can be set to share customer data either after the transaction is authorized, or when the Klarna payment method is selected during checkout. See Setting Up Klarna.

If you are interested in upgrading or re-platforming to the latest release of Magento 2.3.4 get in touch with Full English today.