Releases: OpenMage/magento-lts
v19.5.0-rc4
You should absolutely know
Since the approval of our second RFC (release schedule), OpenMage 19.x enters a "patch only" state: it will be maintained for two more years as promised, but only significant security patches or regression fixes will be ported to v19. All other development (and we have a lot of it) will be focused on v20+.
We encourage everybody to upgrade to v20; it is our latest and greatest and deserves the bit of work necessary for the upgrade (ask your developer/agency, don't do it yourself).
Highlights
This is a big release, which is why we decided to move away from the 19.4.x versioning and go to 19.5.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 19.5.0. Testing is more than welcome now, but be extra careful with production environments.
- What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
- PHP 7.4 is now the minimum required version and 8.2 is now supported
- M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
- Support for Google Analytics 4 was added
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Fixed session renew timestamp should be updated when customer changes password #2916
- Fixed price filter when search by non-numeric value #3136
- Added patch for Zend_Mail and "emails are displayed incorrectly" problem #3202
Full Changelog: v19.5.0-rc3...v19.5.0-rc4
v20.1.0-rc3
You should absolutely know
Since the approval of our second RFC (release schedule), OpenMage 19.x enters a "patch only" state: it will be maintained for two more years as promised, but only significant security patches or regression fixes will be ported to v19. All other development (and we have a lot of it) will be focused on v20+.
We encourage everybody to upgrade to v20; it is our latest and greatest and deserves the bit of work necessary for the upgrade (ask your developer/agency, don't do it yourself).
Release highlights
This is a big release, which is why we decided to move away from the 20.0.x versioning and go to 20.1.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 20.1.0. Testing is more than welcome now, but be extra careful with production environments.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Also:
- PHP 7.4 is now the minimum required version and 8.2 is now supported.
- the M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
- a great improvement to EAV config cache has been added to v20.
- support for Google Analytics 4 was added.
- possibility to set backend locale per every admin user was added.
Changelog
- Removed module Mage_Poll by @fballiano in #3098
- Upgraded ExtJS to 1.1.1 by @justinbeaty in #2473
- Bump openmage/dev-meta-package from 1.0.2 to 1.0.3 by @dependabot in #3138
- Updated branches for codeql analysis workflow by @fballiano in #3141
- Regenerated PHPStan baseline for "main" branch by @fballiano in #3142
- Fixed some minor indentation problem for docblocks by @fballiano in #3143
- Ended the request (and close the session) before core_app_run_after event by @colinmollenhour in #1592
- Added possibility to set backend locale per every admin user by @fballiano in #3087
- Used session_status() instead of $_SESSION in Mage_Core_Model_App by @fballiano in #3145
- Added check for coupon expiration date by @fballiano in #3144
- Improved global search performance by using only prefix matching. by @colinmollenhour in #1596
- Avoided calling getBackendModelByFieldConfig with empty field by @fballiano in #3151
- Fixed typo in the exception message by @addison74 in #3153
- Avoided unnecessary calls to string translation methods for catalog/sales rules labels by @luigifab in #3140
- Updated README.md to reflect new RFC 0002 - Release Schedule by @colinmollenhour in #3139
- Bump phpstan/phpstan from 1.10.10 to 1.10.11 by @dependabot in #3156
- Reduced getWebsiteId() calls by @luigifab in #3154
- Move login page title to controller by @luigifab in #3157
- Updated ACL of order objects and updated setActiveMenu for sales and catalog items by @luigifab in #3159
- [PHP 8.2] Fixed some deprecation warnings by @fballiano in #3155
- Reduced calls to char() method by @luigifab in #3161
- Fixed some whitespace issues in docblocks by @fballiano in #3162
- Added order tracking for Google Analytics 4 by @fballiano in #3092
- Fixed PHP warnings when session backend exits before returning. by @colinmollenhour in #3109
- Fixed price filter when search by non-numeric value by @sreichel in #3136
- Use default configurable attribute label for new products by @mmenozzi in #3168
Full Changelog: v20.1.0-rc2...v20.1.0-rc3
v19.5.0-rc3
You should absolutely know
Since the approval of our second RFC (release schedule), OpenMage 19.x enters a "patch only" state: it will be maintained for two more years as promised, but only significant security patches or regression fixes will be ported to v19. All other development (and we have a lot of it) will be focused on v20+.
We encourage everybody to upgrade to v20; it is our latest and greatest and deserves the bit of work necessary for the upgrade (ask your developer/agency, don't do it yourself).
Highlights
This is a big release, which is why we decided to move away from the 19.4.x versioning and go to 19.5.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 19.5.0. Testing is more than welcome now, but be extra careful with production environments.
- What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
- PHP 7.4 is now the minimum required version and 8.2 is now supported
- M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
- Support for Google Analytics 4 was added
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Fix exception logged when no Category image is uploaded by @elidrissidev in #3086
- Added frontend_type color by @fballiano in #2945
- PHP 7.4 is now the minimum required version by @fballiano in #3091
- Fixed ESI parsing error with turpentine by @luigifab in #2987
- Added new options to "number of record" in grid by @loekvangool in #3096
- Fixed allowed PHP version in composer.json by @fballiano in #3097
- Some PHPStan fixes by @fballiano in #3031
- Added info about Mage_Poll removal to README by @fballiano in #3101
- Deprecation errors are not suppressed anymore by @fballiano in #3102
- Bump phpstan/phpstan from 1.10.6 to 1.10.7 by @dependabot in #3104
- Bump PHPCSFixer to 3.15.1 + new fixes required by @fballiano in #3106
- Fixed PHP_OS check in cron.php by @elidrissidev in #3113
- Bump dev-meta-package to 1.0.2 by @fballiano in #3111
- Removed commented code by @fballiano in #3100
- Fixed problem with associated_products not visible in backend by @fballiano in #3093
- Bump phpstan/phpstan from 1.10.7 to 1.10.8 by @dependabot in #3117
- Bump colinmollenhour/magento-redis-session from 3.0.2 to 3.1.1 by @dependabot in #3116
- Fixed Illegal offset type in Mage_Tag by @m-overlund in #3118
- PHPStan: some fixes to lib/ files by @fballiano in #3099
- Disabled and disallowed SWF file extension by @fballiano in #3108
- Prevented Configurable Swatches assets from loading while unneeded by @loekvangool in #2999
- [PHP 8.2] Fixed deprecated dynamic property creation by @elidrissidev in #3094
- RWD theme: Focus on the search field when clicking on the search button by @fballiano in #3095
- Fixed monthly report dates (date was 1970) by @sreichel in #3126
- Bump phpunit/phpunit from 9.6.5 to 9.6.6 by @dependabot in #3131
- Bump friendsofphp/php-cs-fixer from 3.15.1 to 3.16.0 by @dependabot in #3132
- Bump phpstan/phpstan from 1.10.8 to 1.10.10 by @dependabot in #3133
- Updated license info in copyright docblocks by @fballiano in #3120
Full Changelog: v19.5.0-rc2...v19.5.0-rc3
v20.1.0-rc2
Highlights
This is a big release, which is why we decided to move away from the 20.0.x versioning and go to 20.1.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 20.1.0. Testing is more than welcome now, but be extra careful with production environments.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
Also:
- the M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
- a great improvement to EAV config cache has been added to v20.
- support for Google Analytics 4 was added.
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Everything included in https://github.com/OpenMage/magento-lts/releases/tag/v19.5.0-rc2
- EAV Config Cache followup: select non-existent attribute exception by @davidhiendl in #3038
- Fixed cast store config (checkout/cart/delete_quote_after) to int to avoid unsupported operand types php error by @darinda in #3065
- EAV config cache followup for multi scope load by @davidhiendl in #3044
- EAV Config Cache revert return empty attribute model by @davidhiendl in #3074
Full Changelog: v20.1.0-rc1...v20.1.0-rc2
v19.5.0-rc2
Highlights
This is a big release, which is why we decided to move away from the 19.4.x versioning and go to 19.5.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 19.5.0. Testing is more than welcome now, but be extra careful with production environments.
- What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
- M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
- Support for Google Analytics 4 was added
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Support for Google Analytics 4 by @fballiano in #3023
- Bump phpstan/phpstan from 1.9.17 to 1.9.18 by @dependabot in #3032
- Version bump by @fballiano in #3028
- Added docblock related to customer address. by @kiatng in #3035
- Fixed E_DEPRECATED in Mage/GoogleAnalytics/Block/Ga.php by @kiatng in #3037
- Bump phpstan/phpstan from 1.9.18 to 1.10.1 by @dependabot in #3036
- Bump colinmollenhour/magento-redis-session from 3.0.1 to 3.0.2 by @dependabot in #3041
- Bump squizlabs/php_codesniffer from 3.7.1 to 3.7.2 by @dependabot in #3039
- Bump phpstan/phpstan from 1.10.1 to 1.10.2 by @dependabot in #3040
- Fixed E_Warning array_key_exists() on product save by @kiatng in #3042
- Add more info to admin auth exceptions by @loekvangool in #3024
- Bump phpstan/phpstan from 1.10.2 to 1.10.3 by @dependabot in #3045
- Bump phpunit/phpunit from 9.6.3 to 9.6.4 by @dependabot in #3048
- set phpstan to bleedingEdge config by @Flyingmana in #3011
- Add cache rule for image/svg+xml to .htaccess by @loekvangool in #3051
- Enabled PHP 8.2 in composer.json, updated README with software compatibility info by @fballiano in #3052
- Fixed undefined array key warning in Mage_Catalog_Model_Resource_Category_Flat by @fballiano in #3047
- Bump phpseclib/phpseclib from 3.0.18 to 3.0.19 by @dependabot in #3063
- Bump phpstan/phpstan from 1.10.3 to 1.10.5 by @dependabot in #3069
- Moved dependabot to weekly again by @fballiano in #3070
- bugfix: return first cart item when adding bundle product to cart by @eneiasramos in #3056
- Handle case when qtys param is null when preparing shipment by @CharlieDelta6 in #3062
- Remove status filter from Product Collection in CatalogSearch Layer by @elidrissidev in #3060
- Making optionalZipCountries JS code conditional by @loekvangool in #2996
- Make Prototype Validator optional by @loekvangool in #3053
- Make PHPStan run independently from PHPCS by @fballiano in #3049
- Bump phpstan/phpstan from 1.10.5 to 1.10.6 by @dependabot in #3080
- Bump phpunit/phpunit from 9.6.4 to 9.6.5 by @dependabot in #3079
- Optimize Composer autoloader by @elidrissidev in #3081
New Contributors
- @CharlieDelta6 made their first contribution in #3062
Full Changelog: v19.5.0-rc1...v19.5.0-rc2
v20.1.0-rc1
Highlights
This is a big release, which is why we decided to move away from the 20.0.x versioning and go to 20.1.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 20.1.0. Testing is more than welcome now, but be extra careful with production environments.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
Also:
- the M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
- a great improvement to EAV config cache has been added to v20.
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Everything included in https://github.com/OpenMage/magento-lts/releases/tag/v19.5.0-rc1
- Remove legacy media uploader / editor remnants by @justinbeaty in #2434
- Remove more Internet Explorer code by @justinbeaty in #2427
- EAV Config Cache by @davidhiendl in #2993
New Contributors
- @davidhiendl made their first contribution in #2993
Full Changelog: v20.0.18...v20.1.0-rc1
v19.5.0-rc1
Highlights
This is a big release, which is why we decided to move away from the 19.4.x versioning and go to 19.5.x. Since many of the changes could have some impact on current installations, we decided to release some "rc" versions before the official 19.5.0. Testing is more than welcome now, but be extra careful with production environments.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
Also the M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Update title size of unsubscription email by @luigifab in #2722
- Require a parent category to add a new sub category by @luigifab in #2716
- Version bump for next release by @fballiano in #2769
- Use store data for products of order items by @luigifab in #2723
- Fix error when payment methods have been deleted by @sreichel in #2772
- Fixed sort in Manage Tax Rates grid by @sreichel in #2757
- Use default paths for config files by @sreichel in #2765
- Moved phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis and Pelago_Emogrifier to composer by @fballiano in #2411
- Fixes workflow issues, ref #2770 by @sreichel in #2773
- Added Cm_Redis files to .gitignore by @sreichel in #2779
- Hotfix: broken workflow by @sreichel in #2778
- Removed unreachable code by @sreichel in #2775
- Avoid to use unavailable $data var in Curl HTTP Client by @maximehuran in #2785
- phpstan: added lib/Mage and lib/Magento by @sreichel in #2780
- Updated DOCblocks (fixed param null) by @sreichel in #2776
- Fixed baseline, ref #2785 by @sreichel in #2789
- PHPStan: removed excluded directories by @sreichel in #2790
- Reverted autoloader patch by @sreichel in #2791
- PHPStan: Level 0 update by @sreichel in #2794
- Check $sessionData is an array in Mage_Captcha_Model_Zend by @fballiano in #2804
- Moved null-byte fix from lib/Zend to lib/Magento by @sreichel in #2807
- Updated phpstan 1.9.3 by @sreichel in #2808
- PHPStan: updated lib/Varien by @sreichel in #2795
- Replaced MySql4 classes in installer by @sreichel in #2797
- Updated phpdocs by @sreichel in #2796
- Sync v19 v20 by @sreichel in #2810
- Created a release builder workflow by @fballiano in #2165
- phpstan: Mage.php by @sreichel in #2819
- phpstan: Mage_Poll by @sreichel in #2816
- phpstan: Mage_Rss by @sreichel in #2817
- phpstan: Mage_Page by @sreichel in #2820
- Add confirm dialog to critical massactions by @sreichel in #2814
- Added cweagans/composer-patches - prepare for ZF1Future 🚀 by @sreichel in #2822
- [Backport] Remove documentation hints, ref #1536 by @sreichel in #2815
- phpstan: Mage_Cms by @sreichel in #2818
- Optimisation for Varien_Object::_addFullNames by @AGelzer in #2821
- Fix passing null and array to string conversion error by @sreichel in #2824
- [php8.1] deprecated PDOStatement::fetch, ref #1812 by @sreichel in #2805
- phpstan: Sitemap, Newsletter, ... by @sreichel in #2823
- phpstan: added missing returns by @sreichel in #2832
- Replace lib/Zend with shardj/zf1-future 🚀 by @sreichel in #2827
- phpstan: fixes "Call to function is_null ..." by @sreichel in #2831
- Sonar: fixed path to lib/Zend by @sreichel in #2834
- Fixed bugs for admin save base urls by @sreichel in #2800
- Added getApplyTo() to Mage_Eav_Model_Entity_Attribute_Abstract. ref #2829 by @sreichel in #2836
- Removed Mage_PageCache by @sreichel in #2813
- phpstan: step back to level 4 by @sreichel in #2837
- Version bump by @fballiano in #2835
- phpstan: Change OpenMage version compare by @sreichel in #2839
- phpstan: working on level 3 by @sreichel in #2840
- Added dependabot config by @sreichel in #2841
- Moved note about PHP7.2 since it is not supported anymore by @fballiano in #2842
- Bump tj-actions/changed-files from 34 to 35 by @dependabot in #2843
- Bump symfonycorp/security-checker-action from 4 to 5 by @dependabot in #2845
- Bump EnricoMi/publish-unit-test-result-action from 1.6 to 1.40 by @dependabot in #2846
- Bump pelago/emogrifier from 6.0.0 to 7.0.0 by @dependabot in #2844
- Added helper for admin button onclick actions by @sreichel in #2784
- Added shell/ to checks by @sreichel in #2848
- autoload without hiding errors by @Flyingmana in #2300
- Use correct code for Greece VAT validation by @elidrissidev in #2849
- Updated lib/Varien for PHP8.1 by @sreichel in #2802
- Added .dist and .neon to "deny from all" in .htaccess by @fballiano in #2852
- Added notes about composer library/modules to README (for 19.5.x and 20.1.x) by @fballiano in #2851
- phpstan: remove one diff between v19/20 baseline by @sreichel in #2855
- Hotfix: php7 has no return type "mixed" by @sreichel in #2856
- Add translation helper shell script by @justinbeaty in #2332
- PHPMD: added basic config by @sreichel in #2771
- Load dev shell scripts as composer module by @sreichel in #2853
- Fixed tag aggregation indexer query by @fballiano in #2858
- Updated workflow: run when files are deleted by @sreichel in #2860
- Rewrote Mage_Reports_Model_Resource_Review_Product_Collection/Mage_Reports_Model_Resource_Order_Collection queries for a correct use of Zend_Db_Expr by @fballiano in #2864
- Backport 2271, removed lib/flex by @fballiano in #2862
- Updated copyright blocks by @sreichel in #2866
- Updated autoloader, ref #2300 by @sreichel in #2867
- Adding useful feedback to Gd2.php exceptions by @loekvangool in #1339
- Added ddev command shortcuts by @sreichel in #2868
- Use github URL for patch files by @sreichel in #2871
- Remove "was" from error messages by @loekvangool in #2869
- Add autocomplete attribute to known password fields. by @rfeese in #2700
- Create codeql-analysis.yml by @Flyingmana in #2644
- Cast types, ref #735 by @sreichel in #2872
- Fix error on add new contributor by @AGelzer in #2877
- Fix for ...
v20.0.20
v19.4.23
v20.0.19
This is an important security update release; it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible except one: CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF is in fact a breaking change, and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code after the <form open tag:
<input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml file, or in case you are not using a custom theme, you will not have to do the aforementioned procedure.
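One way to check an installation for custom themes that still need the form_key change described above. This is an added example, not OpenMage code; the function names, the acme/legacy and acme/patched theme names and the sample templates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenMage code): report customised reset-password
# templates that still lack the hidden form_key field.

# has_form_key FILE: succeeds when a form_key input that calls getFormKey()
# appears inside a <form> element of FILE (the tag may span several lines).
has_form_key() {
    awk '
        /<form([ \t>]|$)/                            { in_form = 1 }
        in_form && /name=.form_key./ && /getFormKey/ { found = 1 }
        /<\/form>/                                   { in_form = 0 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# find_unpatched ROOT: print every customer/form/resetforgottenpassword.phtml
# under ROOT that fails the check, one path per line.
find_unpatched() {
    find "$1" -type f -path '*/customer/form/resetforgottenpassword.phtml' |
    sort |
    while IFS= read -r tpl; do
        has_form_key "$tpl" || printf '%s\n' "$tpl"
    done
}

# demo: build two constructed theme trees (hypothetical package/theme names)
# and print the paths, relative to the temp root, that still need the fix.
demo() {
    root=$(mktemp -d) || return 1
    old="$root/app/design/frontend/acme/legacy/template/customer/form"
    new="$root/app/design/frontend/acme/patched/template/customer/form"
    mkdir -p "$old" "$new"
    cat > "$old/resetforgottenpassword.phtml" <<'EOF'
<form action="/constructed/reset" method="post">
    <input type="password" name="password" />
</form>
EOF
    cat > "$new/resetforgottenpassword.phtml" <<'EOF'
<form action="/constructed/reset" method="post">
    <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
    <input type="password" name="password" />
</form>
EOF
    find_unpatched "$root" | sed "s|^$root/||"
    rm -rf "$root"
}

# Usage: sh check_form_key.sh /path/to/openmage   (no argument runs the demo)
if [ "$#" -gt 0 ]; then find_unpatched "$1"; else demo; fi
```

An empty result for a real installation root means no customised copy of the template is missing the field; every path that is printed needs the hidden input added after its <form open tag.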