28 April 2020
Magento version 2.3.5-p1 is now available.
Upgrading to Magento 2.3.5-p1
Magento 2.3.5-p1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Magento updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Magento install to test the 2.3.5-p1 upgrade prior to applying it live. Get started managing your Magento installations with Installatron
What's New in Magento 2.3.5-p1
Magento Open Source 2.3.5 offers significant platform upgrades, substantial security changes, and performance improvements.
- Over 25 security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities.
- Implementation of Content Security Policy (CSP). Content-Security-Policy is an HTTP response header that browsers can use to enhance the security of a web page. This added layer of security supports the detection and mitigation of attacks, including cross-site scripting (XSS) and data injection attacks.
- Removal of session_id from URLs. Exposure of session-id values in URLs creates a potential security vulnerability in the form of session fixation. We are removing code from the classes and methods that add or read session_id from URLs.
- Support for Elasticsearch 7.x. Elasticsearch 7.x is now the supported catalog search engine for both Magento Commerce and Magento Open Source. With this release, Magento 2.3.x supports only Elasticsearch 6.x and 7.x. Elasticsearch 2.x and 5.x are now deprecated for Magento 2.3.x and will be removed in Magento 2.4.0.
- Deprecation of core integration of third-party payment methods. With this release, the integrations of the Authorize.Net, eWay, CyberSource, and Worldpay payment methods are deprecated. These core features are no longer supported and will be removed in the next minor release (2.4.0). Merchants should migrate to the official extensions that are available on the Magento Marketplace. See the Deprecation of Magento core payment integrations devblog post.
- Deprecation of the core integration of the Signifyd fraud protection code. This core feature is no longer supported. Merchants should migrate to the Signifyd Fraud & Chargeback Protection extension that is available on Magento Marketplace.
- Upgrade of Symfony Components to the latest lifetime support version (4.4). (Symfony Components are a set of decoupled PHP libraries used by the Magento Framework.)
- Migration of dependencies on Zend Framework to the Laminas project to reflect the transitioning of Zend Framework to the Linux Foundation’s Laminas Project. Zend Framework has been deprecated. Magento 2.3.5 contains the minimal number of changes to code and configuration that are required to support the use of the Laminas libraries. These changes are backward-compatible, and you can continue to use your current code. However, we recommend that extension developers and system integrators begin migrating their extensions to use Laminas. While this migration isn’t required for compatibility with this patch release, long-term solutions will require it.
- Improvements to customer data section invalidation logic. This release introduces a new way of invalidating all customer sections data that avoids a known issue with local storage when custom sections.xml invalidations are active. (Previously, private content (local storage) was not correctly populated when you had a custom etc/frontend/sections.xml with action invalidations.) See Private content.
- Multiple optimizations to Redis performance. The enhancements minimize the number of queries to Redis that are performed on each Magento request.
- New extension point for SourceDataProvider and StockDataProvider.
- Ability to view allocated inventory sources from the Orders list.
- With this release, you can now use products and categoryList queries to retrieve information about products and categories that have been added to a staged campaign.
PWA Studio 6.0.0
- Launch of the PWA extensibility framework. This framework gives developers the ability to create an extensibility API for their storefront or write plugins that can tap into those API and modify storefront logic.
- Caching and data fetching improvements. This release contains improved caching logic and other data fetching optimizations in the Peregrine and Venia UI component libraries. These components have been refactored to take advantage of Apollo cache features to reduce overfetching or prevent the storage of sensitive data.
- Shopping cart components that can be used for a full-page shopping cart experience.
- Integration of Engagement cloud and Magento B2B. A new B2B integration module integrates Engagement cloud and the Magento B2B module enable Magento B2B merchants to leverage their B2B commerce data and better engage with their prospective and existing customers. This will include: Company data sync (customer type, company, company status); Sync of shared catalog data. Syncing additional product catalog data (custom products and product attributes) to dotdigital. Merchants can turn additional product data into marketing campaigns or use it to make recommendations; Sync of quote data.
- Improved importer performance and coupon code re-send.
Google Shopping ads Channel
- The Google Shopping ads Channel bundled extension has reached end-of-life with this release (2.3.5 and 2.3.4-p1). It is no longer supported. Alternative extensions are available on the Magento Marketplace.
Vendor-developed extension enhancements: Klarna
- With this release, the Klarna extension is now available in Australia and New Zealand. A new Oceania endpoint has been added to the existing API. This release also contains UX enhancements and minor bug fixes.
Vendor-developed extension enhancements: Vertex
- Address Validation. Addresses that are created or edited in the Customer Account are now validated when the module is enabled.
- Admin Configuration. Flexible Field dropdown options are now sorted alphabetically by the current Admin user’s locale.
- Virtual Products. Vertex now uses an order’s billing address to calculate taxes on virtual products. Shipping-related flexible fields are no longer completed for virtual products.
- Restorable configuration settings. The Use Vertex for orders shipping to, Summarize Tax by, and Global Delivery Term now provide an option to be restored to their default setting.
- Port in WSDL. The WSDL URL now supports ports and basic authentication.
- Best Practices in Code. Models intended to assist Observers have been relocated into the Model namespace to clean up the Observer namespace.
- We have fixed hundreds of issues in the Magento 2.3.5 core code.