Magento Open Source 2.3.5 offers significant platform upgrades, substantial security changes, and performance improvements.
This release includes over 180 functional fixes to the core product and over 25 security enhancements. It includes resolution of over 46 GitHub issues by our community members. These community contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.
Quarterly releases may contain backward-incompatible changes (BIC). Magento 2.3.5 contains minor backward-incompatible changes. To review minor backward-incompatible changes, see BIC reference. (Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.)
During pre-release, we discovered issues that forced us to create new packages. To expedite delivery, we chose to change the name of the full-release patch from 2.3.5 to 2.3.5-p1. The 2.3.5-p1 package contains all new features and fixes. We also changed the name of the security-only patch for this quarter from 2.3.4-p1 to 2.3.4-p2. Future releases will follow the typical package naming conventions for full-release and security packages. See Wishlist error during upgrade to Magento versions 2.3.4-p1 or 2.3.5.
Security-only patch available
Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.5-p1) provides. Patch 188.8.131.52 (Composer package 2.3.4-p2) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.4. All hot fixes that were applied to the 2.3.4 release are included in this security-only patch. (A hot fix provides a fix to a released version of Magento that addresses a specific problem or bug.)
For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.4-p2), see Install Magento using Composer. Security-only patches include security bug fixes only, not the additional security enhancements that are included in the full patch.
With this quarterly release, we’ve changed how we describe these security issues. Individual issues are no longer described in the Magento Security Center. Instead, these issues are documented in an Adobe Security bulletin.
Other release information
Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Inventory Management and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in the separate, project-specific release information that is available in the documentation for each project.
Upgrade to Magento 2.3.5-p1 or 2.3.4-p2 for merchants running pre-release versions of Magento 2.3.5
Merchants upgrading to pre-release versions of Magento 2.3.5 and security-only patch 2.3.4-p1 and whose deployments contain bundle products may encounter the following error during upgrade:
Unable to apply data patch Magento\Wishlist\Setup\Patch\Data\CleanUpData for module Magento_Wishlist. Original exception message: Unable to unserialize value. Error: Syntax error
Merchants who encounter this error after installing Magento 2.3.5 should upgrade to Magento 2.3.5-p1. Merchants who encounter this error after installing Magento 2.3.4-p1 should upgrade to Magento 2.3.4-p2. See Wishlist error during upgrade to Magento versions 2.3.4-p1 or 2.3.5.
Download and run the updated Database Cleanup script
This hotfix addresses an issue with a previous database clean-up script that was released in March 2020. That database cleanup script has been updated to clear pre-existing failed login data in additional database tables. We recommend that all merchants run the DB_CLEANUP_SCRIPT_v2 script to clear pre-existing failed login data in additional tables as soon as possible. See the Remove failed login attempts from the database support article.
Look for the following highlights in this release:
Substantial security enhancements
This release includes the following security enhancements:
Over 25 security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities
No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP whitelisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Security updates available for Magento for a discussion of these fixed issues. All known exploitable security issues fixed in this release (2.3.5) have been ported to 184.108.40.206 and 220.127.116.11, as appropriate.
With the Magento 2.3.4 release, we changed how we describe these security issues. Individual issues are no longer described in the Magento Security Center. Instead, these issues are documented in an Adobe Security bulletin.
Security enhancements and fixes to core code
This release includes over 25 security fixes and platform security improvements. Additional security enhancements include:
Implementation of Content Security Policies (CSP). This release includes a set of powerful new security tools for Magento installations. Content Security Policies (CSP) provide additional layers of defense by helping to detect and mitigate Cross-Site Scripting (XSS) and related data injection attacks. This common attack vector works by injecting malicious content that falsely claims to originate from the website. After the malicious content is loaded and executed, it can initiate the unauthorized transfer of data. See Content Security Policy Overview. For technical information, see Content Security Policies in the PHP Developer Guide.
Removal of session_id from URLs. Exposure of session-id values in URLs creates a potential security vulnerability in the form of session fixation. We are removing code from the classes and methods that add or read session_id from URLs.
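A defender-side check for the exposure described above, as an added example that is not part of the release notes or of Magento's code: it scans access-log lines for session identifiers carried in request URLs or Referer headers and reports identifiers presented by more than one client address. The parameter names (SID, PHPSESSID, session_id), the combined log format, and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed query-parameter names for session identifiers (not stated in the notes).
SESSION_PARAMS = {"sid", "phpsessid", "session_id"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up session values).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Apr/2020:10:00:01 +0000] "GET /checkout/cart/?SID=3f9c2a7d1e HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Apr/2020:10:04:44 +0000] "GET /customer/account/?SID=3f9c2a7d1e HTTP/1.1" 200 4096 "https://forum.example/thread/1" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Apr/2020:10:05:02 +0000] "GET /catalog/product/view/id/12 HTTP/1.1" 200 2048 "https://shop.example/?SID=77aa01bc9d" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Apr/2020:10:06:00 +0000] "GET /media/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def token(value):
    """Stable, non-reversible label so the report does not re-expose the session id."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def session_values(url):
    """Return session-id values found in the query string of a URL or request target."""
    found = []
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() in SESSION_PARAMS:
            found.extend(values)
    return found


def scan(lines):
    """Return (findings, shared).

    findings: one dict per session id seen in a request target or Referer.
    shared:   {token: [client ips]} for ids requested by more than one address,
              which is what a fixed or leaked session id looks like in the logs.
    """
    findings = []
    clients = defaultdict(set)
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, not treated as clean
        for field in ("target", "referer"):
            for value in session_values(m[field]):
                findings.append(
                    {"line": lineno, "ip": m["ip"], "where": field, "session": token(value)}
                )
                if field == "target":
                    clients[value].add(m["ip"])
    shared = {token(v): sorted(ips) for v, ips in clients.items() if len(ips) > 1}
    return findings, shared


if __name__ == "__main__":
    found, shared_ids = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: session id in {f['where']} from {f['ip']} ({f['session']})")
    for tok, ips in shared_ids.items():
        print(f"session {tok} used from multiple addresses: {', '.join(ips)}")
```

Any finding in the `target` field after the upgrade points to custom code or an extension that still emits session identifiers in links.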
Starting with the release of Adobe Commerce 2.3.2, we will assign and publish indexed Common Vulnerabilities and Exposures (CVE) numbers with each security bug reported to us by external parties. This allows users to more easily identify unaddressed vulnerabilities in their deployment.
The following platform upgrades help enhance website security and performance:
Support for Elasticsearch 7.x. Elasticsearch 7.x is now the supported catalog search engine for both Adobe Commerce and Magento Open Source. With this release, Magento Open Source 2.3.x supports only Elasticsearch 6.x and 7.x. Elasticsearch 2.x and 5.x are now deprecated for Magento Open Source 2.3.x and will be removed in Magento Open Source 2.4.0.
Deprecation of core integration of third-party payment methods. With this release, the integrations of the Authorize.Net, eWay, CyberSource, and Worldpay payment methods are deprecated. These core features are no longer supported and will be removed in the next minor release (2.4.0). Merchants should migrate to the official extensions that are available on the Commerce Marketplace. See the Deprecation of Magento core payment integrations devblog post.
Deprecation of the core integration of the Signifyd fraud protection code. This core feature is no longer supported. Merchants should migrate to the Signifyd Fraud & Chargeback Protection extension that is available on Commerce Marketplace.
Upgrade of Symfony Components to the latest lifetime support version (4.4). (Symfony Components are a set of decoupled PHP libraries used by the Magento Framework.)
Migration of dependencies on Zend Framework to the Laminas project to reflect the transitioning of Zend Framework to the Linux Foundation’s Laminas Project. Zend Framework has been deprecated. Magento 2.3.5 contains the minimal number of changes to code and configuration that are required to support the use of the Laminas libraries. These changes are backward-compatible, and you can continue to use your current code. However, we recommend that extension developers and system integrators begin migrating their extensions to use Laminas. While this migration isn’t required for compatibility with this patch release, long-term solutions will require it.
laminas/laminas-dependency-plugin requires Composer 1.7.0 and higher. To see which version of Composer you are running, run composer --version. Then, run composer self-update if you are on an older version of Composer.
See the Migration of Zend Framework to the Laminas Project DevBlog post.
Improvements to customer data section invalidation logic. This release introduces a new way of invalidating all customer sections data that avoids a known issue with local storage when custom sections.xml invalidations are active. (Previously, private content (local storage) was not correctly populated when you had a custom etc/frontend/sections.xml with action invalidations.) See Private content.
Multiple optimizations to Redis performance. The enhancements minimize the number of queries to Redis that are performed on each Magento request. These optimizations include:
- Decrease in the size of network data transfers between Redis and Magento
- Reduction in Redis’ consumption of CPU cycles by improving the adapter’s ability to automatically determine what needs to be loaded
- Reduction in race conditions on Redis write operations
This release contains enhancements to core quality, which improve the quality of the Framework and these modules: Catalog, Sales, PayPal, Elasticsearch, Import, and CMS.
The PayPal Pro payment method now works as expected in the Chrome 80 browser. This payment method previously invoked a Magento callback endpoint that needed access to the customer’s session — access that the new default Chrome SameSite cookie functionality does not permit. GitHub-26840
A PHPStan code analysis check has been integrated into Magento static builds. This tool performs sophisticated static code analysis and identifies additional issues that are currently not detected by PHP CodeSniffer and PHP Mess Detector. See Magento Testing Guide.
Inventory Management enhancements for this release include:
- New extension point for
- Ability to view allocated inventory sources from the Orders list
See Inventory Management release notes for a more detailed discussion of recent GraphQL bug fixes.
With this release, you can now use categoryList queries to retrieve information about products and categories that have been added to a staged campaign. See Using queries in the GraphQL Developer Guide for details.
See Release notes for a more detailed discussion of recent GraphQL bug fixes.
PWA Studio 6.0.0 contains both new features and improvements to existing features:
Launch of the PWA extensibility framework. This framework gives developers the ability to create an extensibility API for their storefront or write plugins that can tap into those APIs and modify storefront logic.
Caching and data fetching improvements. This release contains improved caching logic and other data fetching optimizations in the Peregrine and Venia UI component libraries. These components have been refactored to take advantage of Apollo cache features to reduce overfetching or prevent the storage of sensitive data.
Shopping cart components that can be used for a full-page shopping cart experience
For information on these enhancements plus other improvements, see PWA Studio releases.
This release includes:
- Integration of Engagement cloud and Magento B2B. A new B2B integration module integrates Engagement cloud and the Magento B2B module, enabling Magento B2B merchants to leverage their B2B commerce data and better engage with their prospective and existing customers. This will include:
- Company data sync (customer type, company, company status)
- Sync of shared catalog data. Syncing additional product catalog data (custom products and product attributes) to dotdigital. Merchants can turn additional product data into marketing campaigns or use it to make recommendations
- Sync of quote data
- Improved importer performance and coupon code re-send.
Google Shopping ads Channel
The Google Shopping ads Channel bundled extension has reached end-of-life with this release (2.3.5 and 2.3.4-p1). It is no longer supported. Alternative extensions are available on the Commerce Marketplace.
Vendor-developed extension enhancements
This release of Magento includes extensions developed by third-party vendors. It includes both quality and UX improvements to these extensions.
With this release, the Klarna extension is now available in Australia and New Zealand. A new Oceania endpoint has been added to the existing API. This release also contains UX enhancements and minor bug fixes.
This release of Vertex includes the following new feature and enhancements:
Address Validation. Addresses that are created or edited in the Customer Account are now validated when the module is enabled.
Admin Configuration. Flexible Field dropdown options are now sorted alphabetically by the current Admin user’s locale.
Virtual Products. Vertex now uses an order’s billing address to calculate taxes on virtual products. Shipping-related flexible fields are no longer completed for virtual products.
Restorable configuration settings. The Use Vertex for orders shipping to, Summarize Tax by, and Global Delivery Term now provide an option to be restored to their default setting.
Port in WSDL. The WSDL URL now supports ports and basic authentication.
Best Practices in Code. Models intended to assist Observers have been relocated into the Model namespace to clean up the Observer namespace.
We have fixed hundreds of issues in the Magento 2.3.5 core code.
Installation, upgrade, deployment
- The link accessed from Admin > Stores > Settings > Configuration > General > Advanced Reporting now opens in a new tab as expected. Fix submitted by Nagamaiah K in pull request 25760. GitHub-25757
- You can now successfully remove a website along with the website’s scope-specific configuration settings in app/etc/config.php as expected. Previously, when you tried to remove the website, the operation failed, and Magento displayed this error:
The website with code xxx that was requested wasn't found. Verify the website and try again.
Additionally, Magento displayed this error on the storefront:
Config files have changed. Run app:config:import or setup:upgrade command to synchronize configuration. GitHub-24061
- Configuration settings that are disabled in index.php are no longer editable from the Admin.
Adobe stock integration
- Image previews now close as expected when you navigate to a new page of search returns when searching Adobe Stock images. Fix submitted by Serhiy Zhovnir in pull request 25719. GitHub-723
- Image details are now hidden when you click on the image in the search result list. Fix submitted by Nazar Klovanych in pull request 25566. GitHub-690
- You can now use keyboard arrow keys to navigate to the next image in the preview. Fix submitted by Adarsh Manickam in pull request 25611. GitHub-691
- The Search Stock Images button now remains active as expected after you’ve searched for and saved an image from the media gallery. Previously, this button was disabled after you used it to search for an image and saved it. Fix submitted by Nazar Klovanych in pull request 25556. GitHub-622
- Bundle product prices are now calculated correctly on product pages.
- The performance of the catalog_product_price re-index operation for bundle products has been improved.
- Magento now correctly displays required field asterisks for products with custom options in the Admin.
- Clicking Enter in the Shipping Price field for Negotiable Quotes now correctly updates shipping price.
- Magento now displays the same price for a bundle product in the mini cart and on the product page.
- You can now add any number of bundle products to your shopping cart without error. Previously, when you added a bundle product to your cart, then navigated to the cart, Magento displayed this error:
Please correct the quantity for some products.
- Administrators can no longer manually enter a tax class in the Admin for a bundle product when the bundle product’s Tax Class and Dynamic Price settings are disabled for the default store view. Previously, when an administrator unchecked the Use Default Value option next to Tax Class, Magento enabled the option, permitting an administrator to enter another value and save the product.
- Frontend cookies are now set as expected when you enable Use Secure URLs on Storefront and Secure Base URL is set to https.
Cart and checkout
- Cart Price Rules that are based on payment methods are now applied during the checkout workflow. GitHub-24206
- You can now disable zip code validation on the checkout workflow from the Admin as expected. Previously, Magento threw an error when a customer entered a zip code that did not meet specified values for zip codes even after validation was disabled by setting Input Validation to none from Admin > Stores > Attributes > Customer address > Edit Zip/Postal Code.
- The order review page in the checkout workflow now loads successfully for an order being shipped to multiple addresses when Terms and Conditions with the Applied Manually setting is enabled. Previously, the Review page did not pass validation, and Magento displayed a 404 error.
- Filtering on the Admin product grid website column now works as expected. Previously, filter results did not display the correct number of products, but consistently displayed the total number of products as 1.
- Magento no longer throws an error during checkout when the Synchronize with Backend configuration setting is enabled. GitHub-23833
- Magento no longer throws an error when you change the name of a tiered product that is included in a scheduled update. Previously, when you tried to save the product with a new name, Magento displayed this error:
SQLSTATE: Integrity constraint violation: 1062 Duplicate entry '3-0-0-2.0000-0' for key 'UNQ_EBC6A54F44DFA66FA9024CAD97FED6C7', query was: INSERT INTO catalog_product_entity_tier_price (all_groups, customer_group_id, qty, value, website_id, percentage_value, row_id) VALUES (?, ?, ?, ?, ?, ?, ?)
- The Recently Viewed Products feature now works as expected in multistore deployments.
- You can now successfully edit a configurable product with many variants (approximately 5,000) from the Admin. Previously, when you tried to edit a configurable product with many subproducts, Magento displayed this error:
Warning: DOMDocumentFragment::appendXML(): Entity: line 1: parser error : CData section too big found in /vendor/magento/framework/View/TemplateEngine/Xhtml/Template.php on line 60
- Sorting on attribute sets on Admin > Catalog > Products is now based on alphabetical order as expected.
- Custom attribute values can now be saved as expected from the Admin.
- Corrected an issue that caused the PUT /V1/products/:sku/media/:entryId call to create a new entry rather than replace the existing one.
- Customizable options are now imported as expected when row_id is not equal to a product’s entity_id. Previously, Magento did not import customizable options when row_id was not equal to a product’s entity_id, which resulted in certain products not being imported.
- You can now assign a default watermark to a theme. Previously, after assigning the watermark, Magento threw a fatal error.
- Magento now displays product images in the mini cart without distortion. Previously, Magento stretched the image in the mini cart to fill the entire width and height of the image container.
- The Recently Viewed Products feature now shows products associated only with the current store view in multi-store deployments when Stores > Configurations > Catalog > Recently Viewed/Compared Products > Show for Current is set to store view. Previously, Magento displayed recently viewed products from all websites, no matter which website the product was assigned to.
- The product compare feature now works as expected. It displays only products in the current user’s compare list.
- Problems with the partial re-indexing of large categories have been resolved. Previously, due to problems with this process, products were randomly excluded from categories on the storefront.
- The getBasePrice function now returns a float value as expected rather than a string.
- Images are now saved in pub/media/catalog/category as expected when you save category images. Previously, Magento saved these images in
- Administrators with restricted permissions to Catalog can now create a downloadable product. Previously, administrators could not create a downloadable product, and Magento threw an error.
- You can now add a configurable product to the cart from the Cross-Sells tab. When you select a product and click Add to Cart from this tab, you are now taken to the product’s details page, where you can select specific product options. Previously, Magento redirected you to a 404 error page.
- You can now add a child product of a grouped product to your cart when one of the grouped product’s other child products is out-of-stock. Previously, when one child product was out-of-stock, you could not add any other child products to the cart.
- Magento now displays appropriate feedback when you unsuccessfully attempt to update and save a product. Previously, Magento did not display an error message or take any action when you tried to save a product after updating it. GitHub-22274
Catalog Price Rule
- The mini cart and Admin shopping cart (Admin > Customers > Manage Shopping Cart) now display correct product prices when a Catalog Price Rule is applied. Previously, the storefront shopping cart displayed the correct product price, but the mini cart and Admin shopping cart displayed the original product price.
- Product prices on the storefront now accurately reflect the application of a scheduled Catalog Price Rule update. Previously, prices did not reflect the scheduled cart price rule until you manually re-indexed (php bin/magento indexer:reindex catalogrule_rule).
- Magento now displays all children of a selected parent category as expected. Previously, if you selected a parent category that is an anchor, but which did not have assigned products by itself, Magento did not display all nested products.
- The CatalogWidget products list now works as expected with anchor categories, and products from anchor categories are now matched and displayed. Previously, when you selected a parent category that was an anchor, but that did not contain assigned products, products were not visible in the widget.
Cleanup and simple code refactoring
- Corrected misalignment of the View Details label for configurable products in the order summary of the checkout workflow. Fix submitted by Max Fickers in pull request 25785. GitHub-20463
- Added a margin-bottom value to the static CMS block widget in the Checkout/Cart Summary of the checkout workflow in the Luma and Blank themes. Fix submitted by Fabricio Sobral in pull request 25729. GitHub-25703
- Added a margin between the checkbox and icon when choosing a category during the process of assigning a condition to a new Cart Price Rule. Fix submitted by Eden Duong in pull request 25597. GitHub-25596
- Rating stars no longer overlay the product over which your mouse hovers on the category page. Fix submitted by Kajal Solanki in pull request 25524. GitHub-25517
- Corrected misalignment of the calendar icon inside the textbox on the Add Design Change page. Fix submitted by magudelo62 in pull request 25309. GitHub-20379
- Deleted unused variable (time_taken) from the Magento/Catalog/view/frontend/templates/product/listing.phtml template. Fix submitted by andrew-chornij in pull request 25770. GitHub-25715
- Select from Gallery image thumbnails are now cached as expected. Previously, these images were resized on the fly.
- Magento now lets you create CMS blocks with identical names if the blocks are assigned to different store views.
- Added validation logic to the Create new value input field of the configurable product creation workflow. Previously, you could create an attribute option value that contained only a space. Fix submitted by Torben Höhn in pull request 25421. GitHub-21504
- Magento now displays all attributes of a configurable product. Previously, when the product had two or more attributes, not all attributes were displayed.
- Catalog Products List widgets can now process conditions that include product
- bin/magento cron:run -v no longer fails when the database name exceeds 64 characters but instead creates a shorter name. Fix submitted by Vasil Pashovski in pull request 25472. GitHub-22240
- We’ve improved the reliability of background cron execution. We now use the Magento Lock Framework to lock cron jobs. Previously, Magento used job status in the cron_schedule table. As a result, cron:run execution no longer causes an error on the application level.
Custom customer attribute
- You can now save a Gender field with a blank value when directly editing customer information from the Customer list. Previously, when you saved this value, Magento displayed a success message, but did not save it. GitHub-23128
- Magento now uses a new PHPSession for each change of password.
- The steps involved in x-magento-init initialization now happen in the correct order: RequireJS loads section-config.js constructs and initiates itself as required. Previously, RequireJS loaded section-config.js, but the internal data section-config required for functioning did not load, and section-config.js threw an error:
Uncaught TypeError: Cannot read property '*' of undefined. GitHub-17125
- Magento now honors a customer’s default shipping address. Previously, Magento did not honor the default billing and default shipping addresses according to the settings, and the Same As Billing Address setting was not enabled automatically.
- You can now successfully create a customer and associate it with a particular website using the Associate to Website dropdown menu on Customers > All Customers > Add new Customer. Previously, when you tried to associate a new customer with the non-default website in a multi-site deployment, Magento displayed this error:
The store view is not in the associated website.
- The Update Attribute action now correctly updates the timestamp of a product’s catalog_product_entity when you update the product from the Admin edit product page.
- Magento now respects store-specific settings that determine whether the telephone number field of the checkout workflow is required in a multi-site deployment. Previously, in deployments where one store required this field in the checkout workflow and another store did not, customers who did not complete this field while checking out on the store that did not require it encountered this error:
Please check the shipping address information. "telephone" is required. Enter and try again.
- The order notification emails sent from Microsoft Outlook now contain content that is rendered as expected from the assigned email template. Previously, the notification email that Magento sent contained a blank body that included content as an ATT*-labeled attachment to the email. GitHub-25076
- Dependencies on Zend Framework have been migrated to the Laminas project to reflect the transitioning of Zend Framework to the Linux Foundation’s Laminas Project. Zend Framework has been deprecated.
- Editing products in the Admin no longer triggers Redis errors.
- php bin/magento cron:run no longer processes items from the change log table multiple times. Previously, when you had more than 100000 new versions in the change log table, actions could be called several times for the same
- Watermark images no longer obscure the product image that they overlay. Previously, when the watermark image was larger than the product image it was applied to, the product image was not visible.
- Non-cacheable blocks are no longer added to default layout handles. Adding non-cacheable blocks to default layout handlers renders all Magento pages non-cacheable. This results from the layout generation process: During layout generation, Magento collects all available layout handles for a particular page and merges instructions from them into the page’s final layout structure. The default layout handle is used as a basic handle for every page. As a result, layout updates that are declared for the default handler appear on every Magento page. GitHub-9041
- 'persistent' => '1' in env.php no longer throws an error when you run
- Magento no longer downloads a blank.html page when an administrator clicks on a product while creating an order from the Admin.
- The RequireJS domReady! plugin has been improved to prevent artificial delays when loading a storefront page. GitHub-22909
- Added a check to confirm that a file belongs to the current base URL before setting the .min.js suffix. Previously, when you installed a CDN file using
- Comments entered by a customer on the storefront Returns page are now successfully attributed to the correct customer. Previously, these comments were attributed incorrectly to Customer Support.
- All HTML tags are now supported by the TinyMCE4 editor.
- Magento now displays an informative error message and continues to display the registration form as expected if an error occurs when a customer tries to complete a registration form that contains a multi-select customer attribute. Previously, Magento displayed a 500 error.
- The stock alert email sent to customers about the re-stocking of a configurable product now contains the correct product price. Previously, this email contained a product price of 0.
- You can now delete an empty user model without deleting the Administrators role to which it is assigned.
- The .fotorama__thumb__arr arrows adjacent to the thumbnail images on the product gallery now work as expected. Fix submitted by Alexey Rakitin in pull request 25666. GitHub-25652
- You can now accurately manipulate a zoomed image using your mouse. Previously, the magnified area was incorrectly offset. Fix submitted by Mateusz Krzeszowiak in pull request 25358. GitHub-25027
- LESS styling for the Magento_Cms modules has been moved to the correct design directory. This change brings these modules into alignment with the organization of other modules, none of which include any LESS styling. Fix submitted by Paweł Tylek in pull request 25355. GitHub-25276
- Credit memos for orders with 100% discount (including shipping fees) now correctly include a 0 for the Grand Total. Previously, Magento calculated a negative number for the Grand Total.
- A store’s Admin URL no longer redirects to the storefront URL when these two URLs differ.
- The graphical orders chart accessible from the Orders tab on the Admin now accurately reflects order quantity.
- Product price change alert email now includes the correct product price. Previously, this email suggested a new product price of 0.
- You can now save and duplicate all CMS pages. Previously, Magento threw this exception when you tried to duplicate certain pages:
Unique constraint violation found.
- Magento now redirects you to the home page of the appropriate store view when you change language on CMS pages in a multistore deployment. Previously, Magento displayed a 404 page when you changed language on certain CMS pages.
- Magento now successfully imports customer data using the Customer and Addresses (single file) option when cron is enabled and the Customer Grid Indexer is set to Update By Schedule. After cron executes, the imported customer information is available in the Admin as expected. Previously, Magento imported the customer data, but did not update the customer grid with the newly imported customer records.
- Magento now updates images as expected when you use the hide_from_product_page setting when importing products in deployments with multiple store views.
- Magento now deletes temporary files from <Magento_home>/var as expected after product import has completed.
- Magento now removes related, up-sell, and cross-sell products as expected in the import .csv file when you set the value of the Empty attribute value constant field to _EMPTYVALUE_ for products in System > Import. Previously, cross-sell, up-sell, and related products were not removed from the import
- Magento now displays a more informative error message, and does not display a download link, when you try to delete a directory from the System > Export list. Previously, when you tried to delete a directory from this list, Magento continued to display a download link for files that could not be downloaded, and displayed an uninformative error message.
- The CSV file used during import now contains the correct links for downloadable products and is now correctly formatted to support importing and updating downloadable products.
- The Stock Indexer is now triggered as expected after import and updates product status. Previously, the Stock Indexer did not index the changed product inventory data.
- Images associated with configurable products are now properly uploaded during import and available for viewing as expected from the product edit page.
- Magento now provides a message during product import that identifies which products in the imported CSV file have duplicated keys. Merchants can use this information to resolve conflicts. Previously, Magento displayed this error:
Notice: Undefined index: name in /var/www/html/ee233dev/app/code/Magento/CatalogImportExport/Model/Import/Product.php on line 2524
- Magento now successfully exports a .csv file when you set import behavior for Replace, select a previously exported .csv file, and click Check data. Previously, Magento displayed this error:
"Data validation failed. Please fix the following errors and upload the file again." and "Following Error(s) has been occurred during importing process."
- You can now successfully import a product that does not have a store_view_code value. Previously, Magento displayed an error when you tried to import the product. Fix submitted by Mahesh Singh in pull request 25080. GitHub-25069
- The import of customer accounts has been refactored to improve import speed.
- CSV files generated during product import now contain group titles for downloadable products as expected. Previously, unnecessary validation of group_title during import prevented the display of group titles for downloadable products.
- You can now successfully import or update customers using the Customer and addresses single file option of the import workflow. Previously, when you selected this option, Magento did not import the customer data and displayed this error:
Invalid data for insert.
- Magento now successfully imports all custom options for a configurable product’s child products when store_view_code is specified. This works whether you choose to import configurable products individually or collectively. Previously, Magento did not successfully import all custom options when the import file contained more than one item and
- .csv files now reflect filter settings for including in-stock or out-of-stock products. Previously, Magento exported all products, no matter which stock setting you selected.
- The partial indexer no longer incorrectly removes stock data when updating at least 1000 products. Previously, the indexer removed stock data, which resulted in in-stock products appearing out-of-stock. Fix submitted by Pieter Hoste in pull request 25306. GitHub-12205, GitHub-15984
- Elasticsearch 7.5 is now the supported catalog search engine for both Adobe Commerce and Magento Open Source. With this release, Magento Open Source 2.3.x supports only Elasticsearch 6.x and 7.x. Elasticsearch 2.x and 5.x are now deprecated for Magento Open Source 2.3.x and will be removed in Magento Open Source 2.4.0.
- Symfony Components have been upgraded to the latest lifetime support version (4.4). (Symfony Components are a set of decoupled PHP libraries used by the Magento Framework.)
- Corrected the argument type of the email address constructor. Fix submitted by Karyna Tsymbal in pull request 25485. GitHub-25434
- Admin route names can now contain a hyphen in the URL. Previously, validators for the action menu did not accept hyphens. Fix submitted by Diego Pires in pull request 25612. GitHub-25635
- The condition of the shipping method title output in Magento_Checkout/js/view/summary/shipping has been corrected. Fix submitted by Andrii Beziazychnyi in pull request 25530. GitHub-25529
- You can now create an offline credit memo. Previously, when you tried to create one, Magento displayed this error:
The credit memo couldn't be saved.
- Product widgets with product filter set to Attribute Set now work as expected on both the Admin and storefront. Previously, when the attribute filter was set, CMS pages on both the storefront and Admin did not work as expected when multiple Inventory sources were deployed.
- Customers can no longer check out when their order contains more products than are currently in stock.
- The preview template feature now works as expected. Previously, Magento displayed this error when you clicked Preview Template from the template edit page:
Request-URI Too Long The requested URL's length exceeds the capacity limit for this server.
- The integration of third-party payment methods into the core Magento code has been deprecated. With this release, the integrations of the Authorize.Net, eWay, CyberSource, and Worldpay payment methods are deprecated. These core features are no longer supported and will be removed in the next minor release (2.4.0). Merchants should migrate to the official extensions that are available on the Commerce Marketplace.
- You can now successfully complete an order using the Payflow Link payment method. Previously, the Payflow Link payment method always rejected payment because the order status remained in the Pending payment state, even though the order status in the payment method logs was
- The core implementation of Signifyd fraud protection is no longer supported. Merchants should migrate to the Signifyd Fraud & Chargeback Protection extension that is available on Commerce Marketplace.
- The Place Order button on the shipping workflow is now enabled as expected when you select Braintree as the payment method and the My billing and shipping address are the same setting is disabled.
- You can now create an order from the Admin using Authorize.net as the payment method. Previously, Magento did not create the order, and displayed this error:
Transaction has been declined. Please try again later. GitHub-23934
- The WorldPay payment integration with the Magento core has been deprecated. Please use the official Marketplace extension instead.
TypeError: Cannot read property 'firstname' of null.
- The PayPal Pro payment method now works as expected in the Chrome 80 browser. This payment method previously invoked a Magento callback endpoint that needed access to the customer’s session — access that the new default Chrome SameSite cookie functionality does not permit. GitHub-26840
- Magento now successfully processes orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that the customer has manually entered into the text field rather than selected from the drop-down menu on the Shipping page. Previously, Magento displayed this error on the order review page:
Error 500: NOTICE: PHP message: PHP Fatal error: Uncaught Error: Call to a member function getId() on null in httpdocs/vendor/magento/module-paypal/Model/Api/Nvp.php:1527. GitHub-26698
- Magento now displays an informative error message each time a customer clicks Pay with PayPal after entering an invalid shipping address in the checkout workflow. Previously, Magento displayed an error message only when the customer first clicked the button, not for subsequent clicks.
- Magento no longer changes an order’s status to processing in the Payment Review section of the checkout workflow when a payment with PayPal fails.
- Magento now saves the information a customer enters in the default billing and shipping fields during checkout when the transaction is initially declined due to an invalid credit card but later completed successfully. Previously, although Magento created the order when the customer entered valid payment information, it did not update the default billing or shipping addresses in the My Account section of the checkout workflow.
Optimizations to Redis performance minimize the number of queries to Redis that are performed on each Magento request. These optimizations include:
- Decrease in size of network data transfers between Redis and Magento
- Reduction in Redis’ consumption of CPU cycles by improving the adapter’s ability to automatically determine what needs to be loaded
- Reduction in race conditions on Redis write operations
Customer data section invalidation logic has been improved. This release introduces a new way of invalidating all customer sections data that avoids a known issue with local storage when custom sections.xml invalidations are active. (Previously, private content (local storage) was not correctly populated when you had a custom etc/frontend/sections.xml with action invalidations.) See Private content.
- The performance of the Catalog Product Rule Indexer has been improved.
- Magento now disables the Submit Review button after the user clicks the button once. Previously, Magento did not disable this button after the first click and created multiple reviews when the user clicked the Submit Review button multiple times.
- The Admin > Reports > Reviews > By Products filter list now displays results as expected. Previously, when you tried to filter this list, Magento did not display any results.
- Order queries (SalesOrderIndexGridAsyncInsertCron) have been refactored to reduce the size of the dataset returned and the frequency of the queries.
- The State/Province field of the edit order page is now of type Dropdown. Previously, in deployments that contained two websites where the main website has country restrictions, the State field had an input type of Dropdown. This occurred when you placed an order on the second website, and allowed you to enter an incorrect value for State/Province.
- The State/Province field of the Billing Address section of the checkout workflow is now of type Dropdown in multi-site deployments where the default store has country restrictions. Previously, the State/Province field was of type Text, which permitted you to enter an incorrect state.
- You can now successfully add a product in quantities exceeding five to an order from the Admin. Previously, when you tried to add a product in quantities exceeding five, Magento displayed this error:
The requested qty is not available.
- Completed orders now appear in both the payment system and Magento. Previously, orders appeared in the payment system but not in Magento. GitHub-25862
- quote_item.applied_rule_ids is now updated as expected after a cart price rule is disabled. GitHub-24526
- Cart Price rules with a condition set as Category (Parent only) now work as expected consistently.
- Filtering results no longer include out-of-stock options when you filter configurable products in a category.
- Selecting all products from the products list page using Elasticsearch now displays all products in the search results as expected. Previously, Magento displayed no search results when this search was run on a staging server.
- Elasticsearch now works as expected when you sort a product list that contains bundle products by alphabetized product names.
- Magento now renders the < and > symbols correctly in storefront catalog search strings.
- Magento now passes product attribute filters as an array (instead of a strpos(), which results in the proper display of the product list and layered navigation results. Previously, Magento passed product attribute filter as an array, which led to the logging of this error in the
Warning: strpos() expects parameter 1 to be string, array given in vendor/magento/module-eav/Model/Entity/Attribute/Source/Table.php.
- Elasticsearch now correctly displays results from category pages when you change the number of search results viewed per page. Previously, when you changed how many search results should be displayed on the search results page, Magento displayed a blank page and this error:
"0":"SQLSTATE: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near'
- Magento now prints shipping labels as a
- The incorrect initial option values for the DHL shipping method have been corrected, and this shipping method now works as expected when enabled. Previously, when DHL shipping was enabled, Magento displayed this error in the shipping section of the checkout workflow:
This shipping method is currently unavailable. If you would like to ship using this shipping method, please contact us.
- The multishipping page of the checkout workflow now correctly displays discounted shipping prices when discounts are determined by a Cart Price rule.
- Magento now correctly calculates refunds for orders that include discounts. Previously, Magento incorrectly calculated the shipping tax and shipping discount, and the refunded total did not match the total paid.
- Support for Colombia regions has been added, and these regions are now available from the shipping and billing country dropdown menus in the checkout workflow. Fix submitted by magudelo62 in pull request 25313. GitHub-25312
- The drop-down list that is available for selecting shipping methods during the process of creating a Cart Price Rule now contains only valid values. Previously, this dropdown list contained empty or extra values.
- Free Shipping Price rules now affect only the relevant products when a shopping cart contains products from categories that are included by the Free Shipping Price rule as well as products from categories not included in the rule. Previously, when a shopping cart included products from both the free shipping categories as well as other categories not included in the price rule, then free shipping was not applied to any products.
- The partial sitemaps that are listed in the sitemap index now have the correct URL (for example, storeurl/pub/sitemap-1-1.xml). Previously, these URLs included the folder structure between the Magento user home folder and the installation folder. GitHub-24946
- Magento now uses the project base URL as expected when you generate a sitemap.
- sitemap.xml (generated from Marketing > SEO & Search > Site Map) now includes the URL of the homepage.
- Customer sessions now persist as expected when a customer logs in to one store, adds products to the shopping cart, and then switches to a new store in a multi-store deployment. Previously, when the customer navigated to the second store, Magento logged out the customer and emptied the shopping cart.
- Magento now redirects you to the correct product details page when you switch store view while on a product page in a multistore deployment. Previously, when you switched store view, Magento redirected you to a 404 page instead of the correct product page.
- Magento no longer displays an informative console error when you try to navigate to the Swagger index page. Magento previously threw an error as a result of a previous fix in which the requirejs-config block was removed from the layout file of the Swagger index page. Fix submitted by Duckↄhip in pull request 25682. GitHub-25680
- Magento now performs VAT calculations correctly in all stores in a multistore deployment. Previously, Magento displayed an incorrect shipping rate in the default store but the correct one in the
- Magento now updates shipping rates and prices as expected when a customer changes the destination country for an order during checkout.
- Free shipping is now applied as expected based on the applicable cart price rule. Previously, cart price rules did not take into account taxes when calculating whether an order meets criteria for free shipping.
- A PHPStan code analysis check has been integrated into Magento static builds. This tool performs sophisticated static code analysis and identifies additional issues that are currently not detected by PHP CodeSniffer and PHP Mess Detector. See Magento Testing Guide.
- Product names are no longer translated if their text matches a global key.
- We’ve resolved a bug in JsFooterPlugin.php that affected the display of dynamic blocks. Previously, Magento displayed this error when you directly accessed
Uncaught TypeError: strpos() expects parameter 1 to be string, null given in
Translation and locales
- Special price range settings (from/to dates) now work correctly for administrator accounts using a Dutch locale.
- Inline translation now works as expected when enabled for a storefront.
- Radio buttons for shipping methods are now enabled as expected in the checkout workflow.
- The product edit page now loads successfully when the default attribute set for the page contains a dropdown attribute with the select label.
- You can now scroll as expected to the top of the Admin Import page. Fix submitted by Torben Höhn in pull request 25419. GitHub-6682
- Watermark size now remains consistent with the image to which it has been applied when you resize the image. Fix submitted by KrielkipNL in pull request 25528. GitHub-23515, GitHub-25528
- Magento now correctly renders the Read more … page element that is associated with a product that has an additionalOption value that exceeds 55 characters on the storefront shipment and invoice pages. Previously, these option values were escaped. Fix submitted by Torben Höhn in pull request 25418. GitHub-25050
- Corrected the position of the wishlist item Delete button on the category page. Fix submitted by Paweł Tylek in pull request 25380. GitHub-21190
- Magento now displays a N/A where needed on the product compare list page. Previously, the field for an attribute that was not relevant for the selected product was left blank. Fix submitted by Paweł Tylek in pull request 25585. GitHub-25008
- Magento now displays the dropdown icon as expected when you click Load template during the creation of a new email template from the Admin. Fix submitted by Adarsh Manickam in pull request 25629. GitHub-24840
- Magento now retains the correct aspect ratio when a store icon is resized for mobile display. Fix submitted by Fabricio Sobral in pull request 25623. GitHub-25043
- The focus function on the fourth level of a multi-level navigation menu now works consistently. Fix submitted by Fabricio Sobral in pull request 25613. GitHub-25589
- Magento now displays the correct error message in the confirmation popup dialog when you delete a customer group. Fix submitted by Eden Duong in pull request 25662. GitHub-25661
- Accordion widgets placed in tab widgets now work as intended. Previously, when you clicked on the accordion widget, the tab closed. Fix submitted by Paweł Tylek in pull request 25515. GitHub-22819
- Corrected the CSS-defined color for the Minimum Quantity allowed in Shopping Cart field of the Admin > Store > Configuration > Inventory page. Fix submitted by Eden Duong in pull request 25648. GitHub-25647
- Logo images that are uploaded into the Admin are now displayed with their native dimensions if no width and height parameters are explicitly set. Previously, an administrator could set the logo_img_height block arguments in the layout file for the logo block, which potentially distorted the display of the logo. Fix submitted by Krzysztof Daniel in pull request 25789. GitHub-25042
- We’ve reverted a previous fix (https://github.com/magento/magento2/pull/25309) that had introduced a change to global styles that had the unintended consequence of breaking styles through the storefront.
- Customers who change language on a CMS page can now successfully navigate to the store view they’ve selected. Previously, Magento displayed a 404 error.
- You can now save a category that contains many products (for example, 140000). Previously, saving a category with this many products returned a 503 error.
Web API framework
- Corrected issues with the POST
- Corrected issues with the POST
- Child products of a configurable product can now be successfully disabled through the API.
- A wishlist now works as expected when it is enabled at the store-view level and disabled at the global level. Previously, when these settings were in place, adding a product to a wishlist resulted in a 404 error.
- The WYSIWYG editor now works as expected on Internet Explorer 11.x. Previously, when you edited a field using the editor, the selected text was deselected when you clicked Link. Fix submitted by Mateusz Krzeszowiak in pull request 25693. GitHub-13209
- Magento can now successfully display two or more WYSIWYG editors on a catalog product edit page. Previously, only one working editor was displayed. Fix submitted by Nazar Klovanych in pull request 25556. GitHub-18548
- The WYSIWYG editor no longer hangs indefinitely when you try to upload an image from the Admin. Previously, the image upload popup window hung until you refreshed the page. Fix submitted by Nazar Klovanych in pull request 25556. GitHub-23966
Issue: Magento prompts customers to log in by displaying this message: "This account is not confirmed. Click here to resend confirmation email." The Click here link in this message should open the Send confirmation link page, but is currently inactive. Workaround: The Resend account confirmation email link issue patch is now available for this issue. See Resend account confirmation email link issue patch for Magento 2.3.5. A permanent fix will be available in Magento 2.3.6, which is scheduled for release in Q4 2020.
Issue: Magento 2.3.5 does not support upgrading using the Web Setup Wizard from deployments running Magento 2.3.3 or earlier without first manually updating dependencies for magento/updater. You can upgrade using the Web Setup Wizard without issue from Magento 2.3.4 to Magento 2.3.5. Workaround: Users should run the following commands before upgrading using the Web Setup Wizard:
&& composer update
Issue: The Compare Products feature does not work as expected in deployments with multiple store views. When a user tries to compare products from multiple store views and one product has an empty value for a comparable attribute, Magento displays a corrupted Compare Products page. Workaround: Comparable attribute values cannot be empty. Merchants should specify non-empty values for comparable product attributes or use the default storeview value for the attribute. A fix will be available in Magento 2.3.6, which is scheduled for release in Q4 2020.
Issue: The storefront checkout workflow will display only the Klarna and Amazon Pay payment methods for some countries, although other payment methods have been enabled. Workaround: Download and apply Patch for specific country payment method issue. A fix will be available in Magento Open Source 2.3.6, which is scheduled for release in Q4 2020. See Country payment method issue in Adobe Commerce on cloud infrastructure and Adobe Commerce 2.3.5 and 2.3.5-p1.
Issue: An error message appears when a shopper attempts to change their credit card from the payments widget while checking out with Amazon Pay. The shopper cannot successfully complete checkout by ignoring the error and proceeding to checkout. To resolve this issue and remove the error, see Amazon Pay credit card change error to apply the fix.
Issue: You cannot complete an order to be shipped to multiple addresses if one of the ordered products is a virtual product. Currently, when you check out, Magento successfully places the order for the physical products, but the virtual product order is empty. Workaround: A fix will be available in Magento 2.3.6, which is scheduled for release in Q4 2020.
Issue: The system message displayed by Magento after a bulk action (for example, a mass product update or import/export) displays a count of 0 instead of an accurate count of the products affected by the bulk action. Workaround: A fix will be available in Magento 2.3.6, which is scheduled for release in Q4 2020.
Issue: You cannot use the Magento Extension Manager to install extensions purchased from the Commerce Marketplace. Workaround: Install extensions from the command line as described in General CLI installation. See Extension Manager shows no extensions in Adobe Commerce 2.3.x.
We are grateful to the wider Magento community and would like to acknowledge their contributions to this release. Check out the following ways you can learn about the community contributions to our current releases:
If a community member has provided a fix for this release, we identify the fix in the Fixed Issue section of these notes with the phrase, “Fix provided by community member @member_name”.
The Magento Community Engineering team maintains a Magento Contributors page that lists top contributing individuals and partners by month, quarter, and year. From that Contributors page, you can follow links to their merged PRs on GitHub.
The following table highlights contributions made by Partners. This table lists the Partner who contributed the pull request, the external pull request, and the GitHub issue number associated with it (if available).
Individual contributor contributions
The following table identifies contributions from our community members. This table lists the external pull requests, the GitHub issue number associated with it (if available), and the community member who contributed the pull request.
| Contributing community member | Pull Requests | Related GitHub Issues |
|---|---|---|
| Rafael Corrêa Gomes | #25416 | |
| Pieter Hoste | #25306 | 12205, 15984 |
| Gustavo Vicente Dauer | #25302 | |
| Nazar Klovanych | #25556 | 622, 18548, 23966 |
| Leandro F. L. | #25226 | |
| Marcus Pettersen Irgens | #25600 | |
| Rafael Corrêa Gomes | #25559 | |
| Rafael Corrêa Gomes | #25533 | |
Our technology stack is built on PHP and MySQL. For more information, see System Requirements.
Installation and upgrade instructions
You can install Magento Open Source 2.3.5 using Composer.
The Data Migration Tool helps transfer existing Magento 1.x store data to Magento 2.x. This command-line interface includes verification, progress tracking, logging, and testing functions. For installation instructions, see Install the Data Migration Tool. Consider exploring or contributing to the Magento Data Migration repository.
The Code Migration Toolkit helps transfer existing Magento 1.x store extensions and customizations to Magento 2.x. The command-line interface includes scripts for converting Magento 1.x modules and layouts.