Releases: OpenMage/magento-lts
v20.1.0-rc1
Highlights
This is a big release, which is why we decided to move away from the 20.0.x versioning and go to 20.1.x. Since many of the changes could have an impact on current installations, we decided to release some "rc" versions before the official 20.1.0. Testing is more than welcome now, but be extra careful with production environments.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
Also:
- the M1 legacy themes have been moved to an external repository since they are old (and mostly unused) code.
- a great improvement to EAV config cache has been added to v20.
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Everything included in https://github.com/OpenMage/magento-lts/releases/tag/v19.5.0-rc1
- Remove legacy media uploader / editor remnants by @justinbeaty in #2434
- Remove more Internet Explorer code by @justinbeaty in #2427
- EAV Config Cache by @davidhiendl in #2993
New Contributors
- @davidhiendl made their first contribution in #2993
Full Changelog: v20.0.18...v20.1.0-rc1
v19.5.0-rc1
Highlights
This is a big release, which is why we decided to move away from the 19.4.x versioning and go to 19.5.x. Since many of the changes could have an impact on current installations, we decided to release some "rc" versions before the official 19.5.0. Testing is more than welcome now, but be extra careful with production environments.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis, Pelago_Emogrifier and Zend Framework) from our repository; they are now imported via composer. This was an important step to clean up and modernise our code.
Also, the M1 legacy themes have been moved to an external repository since they are old (and mostly unused) code.
Don't worry though: if you've always installed OpenMage by extracting the zip file, starting from this release you'll find a new zip file attached to the release itself. We build this zip with all of the old 3rd party libraries included, so you will not have to migrate to composer or use composer at all.
Changelog
- Update title size of unsubscription email by @luigifab in #2722
- Require a parent category to add a new sub category by @luigifab in #2716
- Version bump for next release by @fballiano in #2769
- Use store data for products of order items by @luigifab in #2723
- Fix error when payment methods have been deleted by @sreichel in #2772
- Fixed sort in Manage Tax Rates grid by @sreichel in #2757
- Use default paths for config files by @sreichel in #2765
- Moved phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis and Pelago_Emogrifier to composer by @fballiano in #2411
- Fixes workflow issues, ref #2770 by @sreichel in #2773
- Added Cm_Redis files to .gitignore by @sreichel in #2779
- Hotfix: broken workflow by @sreichel in #2778
- Removed unreachable code by @sreichel in #2775
- Avoid to use unavailable $data var in Curl HTTP Client by @maximehuran in #2785
- phpstan: added lib/Mage and lib/Magento by @sreichel in #2780
- Updated DOCblocks (fixed param null) by @sreichel in #2776
- Fixed baseline, ref #2785 by @sreichel in #2789
- PHPStan: removed excluded directories by @sreichel in #2790
- Reverted autoloader patch by @sreichel in #2791
- PHPStan: Level 0 update by @sreichel in #2794
- Check $sessionData is an array in Mage_Captcha_Model_Zend by @fballiano in #2804
- Moved null-byte fix from lib/Zend to lib/Magento by @sreichel in #2807
- Updated phpstan 1.9.3 by @sreichel in #2808
- PHPStan: updated lib/Varien by @sreichel in #2795
- Replaced MySql4 classes in installer by @sreichel in #2797
- Updated phpdocs by @sreichel in #2796
- Sync v19 v20 by @sreichel in #2810
- Created a release builder workflow by @fballiano in #2165
- phpstan: Mage.php by @sreichel in #2819
- phpstan: Mage_Poll by @sreichel in #2816
- phpstan: Mage_Rss by @sreichel in #2817
- phpstan: Mage_Page by @sreichel in #2820
- Add confirm dialog to critical massactions by @sreichel in #2814
- Added cweagans/composer-patches - prepare for ZF1Future 🚀 by @sreichel in #2822
- [Backport] Remove documentation hints, ref #1536 by @sreichel in #2815
- phpstan: Mage_Cms by @sreichel in #2818
- Optimisation for Varien_Object::_addFullNames by @AGelzer in #2821
- Fix passing null and array to string conversion error by @sreichel in #2824
- [php8.1] deprecated PDOStatement::fetch, ref #1812 by @sreichel in #2805
- phpstan: Sitemap, Newsletter, ... by @sreichel in #2823
- phpstan: added missing returns by @sreichel in #2832
- Replace lib/Zend with shardj/zf1-future 🚀 by @sreichel in #2827
- phpstan: fixes "Call to function is_null ..." by @sreichel in #2831
- Sonar: fixed path to lib/Zend by @sreichel in #2834
- Fixed bugs for admin save base urls by @sreichel in #2800
- Added getApplyTo() to Mage_Eav_Model_Entity_Attribute_Abstract. ref #2829 by @sreichel in #2836
- Removed Mage_PageCache by @sreichel in #2813
- phpstan: step back to level 4 by @sreichel in #2837
- Version bump by @fballiano in #2835
- phpstan: Change OpenMage version compare by @sreichel in #2839
- phpstan: working on level 3 by @sreichel in #2840
- Added dependabot config by @sreichel in #2841
- Moved note about PHP7.2 since it is not supported anymore by @fballiano in #2842
- Bump tj-actions/changed-files from 34 to 35 by @dependabot in #2843
- Bump symfonycorp/security-checker-action from 4 to 5 by @dependabot in #2845
- Bump EnricoMi/publish-unit-test-result-action from 1.6 to 1.40 by @dependabot in #2846
- Bump pelago/emogrifier from 6.0.0 to 7.0.0 by @dependabot in #2844
- Added helper for admin button onclick actions by @sreichel in #2784
- Added shell/ to checks by @sreichel in #2848
- autoload without hiding errors by @Flyingmana in #2300
- Use correct code for Greece VAT validation by @elidrissidev in #2849
- Updated lib/Varien for PHP8.1 by @sreichel in #2802
- Added .dist and .neon to "deny from all" in .htaccess by @fballiano in #2852
- Added notes about composer library/modules to README (for 19.5.x and 20.1.x) by @fballiano in #2851
- phpstan: remove one diff between v19/20 baseline by @sreichel in #2855
- Hotfix: php7 has no return type "mixed" by @sreichel in #2856
- Add translation helper shell script by @justinbeaty in #2332
- PHPMD: added basic config by @sreichel in #2771
- Load dev shell scripts as composer module by @sreichel in #2853
- Fixed tag aggregation indexer query by @fballiano in #2858
- Updated workflow: run when files are deleted by @sreichel in #2860
- Rewrote Mage_Reports_Model_Resource_Review_Product_Collection/Mage_Reports_Model_Resource_Order_Collection queries for a correct use of Zend_Db_Expr by @fballiano in #2864
- Backport 2271, removed lib/flex by @fballiano in #2862
- Updated copyright blocks by @sreichel in #2866
- Updated autoloader, ref #2300 by @sreichel in #2867
- Adding useful feedback to Gd2.php exceptions by @loekvangool in #1339
- Added ddev command shortcuts by @sreichel in #2868
- Use github URL for patch files by @sreichel in #2871
- Remove "was" from error messages by @loekvangool in #2869
- Add autocomplete attribute to known password fields. by @rfeese in #2700
- Create codeql-analysis.yml by @Flyingmana in #2644
- Cast types, ref #735 by @sreichel in #2872
- Fix error on add new contributor by @AGelzer in #2877
- Fix for ...
v20.0.20
v19.4.23
v20.0.19
This is an important security update release; it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible, except one: CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF is in fact a breaking change, and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code after the <form open tag:
<input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml file, or in case you are not using a custom theme, you will not have to do the aforementioned procedure.
v19.4.22
This is an important security update release; it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible, except one: CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF is in fact a breaking change, and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code after the <form open tag:
<input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" />
Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml file, or in case you are not using a custom theme, you will not have to do the aforementioned procedure.
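To find custom themes that still need the form_key change described in the v20.0.19 and v19.4.22 notes above, a small checker can scan theme directories for the template and report forms without the hidden field. This is an added example, not code from the OpenMage project; the function names, status strings and sample templates are constructed for illustration, and the directory you scan (typically the frontend design folder of a Magento 1 layout) is an assumption about your installation.

```python
import re
from pathlib import Path

# Template path given in the release notes, relative to a theme's template directory.
TEMPLATE = "customer/form/resetforgottenpassword.phtml"
PHP_BLOCK = re.compile(r"<\?(?:php|=)?.*?\?>", re.S)
FORM = re.compile(r"<form\b.*?</form\s*>", re.I | re.S)
KEY_INPUT = re.compile(r"<input\b[^>]*\bname\s*=\s*([\"'])form_key\1[^>]*>", re.I)

# Constructed samples: a customised template before and after the manual fix.
UNPATCHED = """<form action="<?php echo $actionUrl ?>" method="post">
    <input type="password" name="password" />
</form>"""
PATCHED = UNPATCHED.replace(
    'method="post">',
    'method="post">\n    <input name="form_key" type="hidden" '
    'value="<?php echo $this->getFormKey(); ?>" />')


def _mask_php(source):
    """Replace PHP blocks so '->' and '?>' cannot break HTML tag matching."""
    return PHP_BLOCK.sub(
        lambda m: "PHP_FORM_KEY" if "getFormKey" in m.group(0) else "PHP", source)


def form_has_key(form_html):
    """True if the form holds an input named form_key fed by getFormKey()."""
    return any("PHP_FORM_KEY" in tag.group(0)
               for tag in KEY_INPUT.finditer(form_html))


def check_template(source):
    """Return 'ok', 'missing' or 'no-form' for one template's source."""
    forms = FORM.findall(_mask_php(source))
    if not forms:
        return "no-form"
    return "ok" if all(form_has_key(f) for f in forms) else "missing"


def scan_design_root(root):
    """Map every theme copy of the template under root to its status."""
    hits = (p for p in sorted(Path(root).rglob("resetforgottenpassword.phtml"))
            if p.as_posix().endswith(TEMPLATE))
    return {p.relative_to(root).as_posix():
            check_template(p.read_text(encoding="utf-8", errors="replace"))
            for p in hits}


if __name__ == "__main__":
    print(check_template(UNPATCHED), check_template(PATCHED))
```

A template reported as "missing" may still emit the field some other way, so treat that status as a prompt for manual review rather than proof that the form is unprotected.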
v19.4.21
v19.4.20
Overview
This is mainly a bugfix release with a couple of optimizations.
Most importantly we've fixed bugs regarding:
- fixer.io currency exchange rate provider
- CSS merge
- indexes
Upgrading is highly suggested, but always back up and test before doing it.
What's Changed
- Set php version for phpstan by @sreichel in #2692
- Do not autoload captcha class when disabled by @luigifab in #2681
- Do not crash when shipment does not exist by @luigifab in #2683
- Trimmed files by @luigifab in #2698
- Reduce again getId calls by @luigifab in #2699
- Add link to the product page and float default qty for bundle items by @luigifab in #2701
- Remove obsolete ACL resources from DB by @sreichel in #2706
- Allow labeler workflow to fail by @sreichel in #2710
- Bugfix to make exchange rate data with fixer.io work again by @dbachmann in #2694
- Fixes typo in join alias in indexer by @rubanooo in #2711
- Removed support for eAccelerator Cache Backend by @fballiano in #2712
- Set the right menu for reviews by @luigifab in #2680
- Version bump for next release by @fballiano in #2714
- Added confirmation before deleting website/store/storeview by @fballiano in #2717
- Fixed typo in copyright docblock by @fballiano in #2740
- Add method code in payment method list by @luigifab in #2735
- Set width:auto for td.massaction by @luigifab in #2718
- Fix data.title replace when it's null/undefined by @luigifab in #2719
- Add PHPCodeSniffer to workflow by @sreichel in #2708
- Use getStoreConfigFlag() instead of (bool)getStoreConfig() by @sreichel in #2747
- Replaces full class name with self by @sreichel in #2749
- Updated phpdocs: return $this by @sreichel in #2751
- Backport: #1149 by @sreichel in #2745
- Fixed incorrect docblock for setLastRealOrderId() and getLastRealOrde… by @kiatng in #2752
- Fix: merge CSS files /w missing file by @sreichel in #2754
- Backport: #2315 by @sreichel in #2746
- Fixed setting of source_model when adding new attribute and for multiselect. by @kiatng in #1293
- Remove declared properties accessed by magic getter in Paypal Config by @elidrissidev in #2759
- Fix Order comment REST endpoint route param by @elidrissidev in #2750
- Moved DDEV docs by @sreichel in #2764
- Add php-cs-fixer & PHPCompatibility check to workflow by @sreichel in #2744
- PhpStan L5 fixes for Mage/Admin by @sreichel in #2761
Full Changelog: v19.4.19...v19.4.20
v20.0.18
Overview
This is mainly a bugfix release with a couple of optimizations.
Most importantly we've fixed bugs regarding:
- fixer.io currency exchange rate provider
- CSS merge
- indexes
Upgrading is highly suggested, but always back up and test before doing it.
What's Changed
- Removed ms-filter by @luigifab in #2733
- Every change included in https://github.com/OpenMage/magento-lts/releases/tag/v19.4.20
Full Changelog: v20.0.17...v20.0.18
v20.0.17
Overview
This is a maintenance release with small bugfixes, code cleanup, documentation improvements and a better overall PHPStan coverage.
We're also bumping the minimum required PHP version to 7.3 with intl extension enabled.
Our source code finally has a much better "copyright" section, to thank all the team that is contributing to this beautiful project.
Important things you should check before upgrading
This release requires PHP 7.3 with the intl extension; do not upgrade if your system doesn't match this requirement.
What's Changed
- Make overrides of Mage_Core_Model_Resource_Db_Abstract::delete respect parent api by @midlan in #1257
- Every change included in https://github.com/OpenMage/magento-lts/releases/tag/v19.4.19
Full Changelog: v20.0.16...v20.0.17