Releases: OpenMage/magento-lts
v19.5.0-rc1
Highlights
This is a big release, that's why we decided to move away from the 19.4.x versioning and go to 19.5.x. Since a lot of changes could have some impact on current installations we decided to release some "rc" versions before the official 19.5.0. Tests are more than welcome now but be extra careful with production environment.
What's most important is the removal of all the 3rd party libraries (phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis and Pelago_Emogrifier and Zend Framework) form our repository, they are now imported via composer. This was an important step to clean up and modernise our code.
Also the M1 legacy themes have been moved to an external repository since it's old (and mostly unused) code.
Don't worry though, if you've always installed OpenMage extracting the zip file, starting from this release you'll find a new zip file attached to the release itself, we build this zip adding all of the old 3rd party libraries so that you will not have to migrate to composer or use composer at all.
Changelog
- Update title size of unsubscription email by @luigifab in #2722
- Require a parent category to add a new sub category by @luigifab in #2716
- Version bump for next release by @fballiano in #2769
- Use store data for products of order items by @luigifab in #2723
- Fix error when payment methods have been deleted by @sreichel in #2772
- Fixed sort in Manage Tax Rates grid by @sreichel in #2757
- Use default paths for config files by @sreichel in #2765
- Moved phpseclib, mcrypt_compat, Cm_RedisSession, Cm_Cache_Backend_Redis and Pelago_Emogrifier to composer by @fballiano in #2411
- Fixes workflow issues, ref #2770 by @sreichel in #2773
- Added Cm_Redis files to .gitignore by @sreichel in #2779
- Hotfix: broken workflow by @sreichel in #2778
- Removed unreachable code by @sreichel in #2775
- Avoid to use unavailable $data var in Curl HTTP Client by @maximehuran in #2785
- phpstan: added lib/Mage and lib/Magento by @sreichel in #2780
- Updated DOCblocks (fixed param null) by @sreichel in #2776
- Fixed baseline, ref #2785 by @sreichel in #2789
- PHPStan: removed excluded directories by @sreichel in #2790
- Reverted autoloader patch by @sreichel in #2791
- PHPStan: Level 0 update by @sreichel in #2794
- Check $sessionData is an array in Mage_Captcha_Model_Zend by @fballiano in #2804
- Moved null-byte fix from lib/Zend to lib/Magento by @sreichel in #2807
- Updated phpstan 1.9.3 by @sreichel in #2808
- PHPStan: updated lib/Varien by @sreichel in #2795
- Replaced MySql4 classes in installer by @sreichel in #2797
- Updated phpdocs by @sreichel in #2796
- Sync v19 v20 by @sreichel in #2810
- Created a release builder workflow by @fballiano in #2165
- phpstan: Mage.php by @sreichel in #2819
- phpstan: Mage_Poll by @sreichel in #2816
- phpstan: Mage_Rss by @sreichel in #2817
- phpstan: Mage_Page by @sreichel in #2820
- Add confirm dialog to critical massactions by @sreichel in #2814
- Added cweagans/composer-patches - prepare for ZF1Future 🚀 by @sreichel in #2822
- [Backport] Remove documentation hints, ref #1536 by @sreichel in #2815
- phpstan: Mage_Cms by @sreichel in #2818
- Optimisation for Varien_Object::_addFullNames by @AGelzer in #2821
- Fix passing null and array to string conversion error by @sreichel in #2824
- [php8.1] deprecated PDOStatement::fetch, ref #1812 by @sreichel in #2805
- phpstan: Sitemap, Newsletter, ... by @sreichel in #2823
- phpstan: added missing returns by @sreichel in #2832
- Replace lib/Zend with shardj/zf1-future 🚀 by @sreichel in #2827
- phpstan: fixes "Call to function is_null ..." by @sreichel in #2831
- Sonar: fixed path to lib/Zend by @sreichel in #2834
- Fixed bugs for admin save base urls by @sreichel in #2800
- Added getApplyTo() to Mage_Eav_Model_Entity_Attribute_Abstract. ref #2829 by @sreichel in #2836
- Removed Mage_PageCache by @sreichel in #2813
- phpstan: step back to level 4 by @sreichel in #2837
- Version bump by @fballiano in #2835
- phpstan: Change OpenMage version compare by @sreichel in #2839
- phpstan: working on level 3 by @sreichel in #2840
- Added dependabot config by @sreichel in #2841
- Moved note about PHP7.2 since it is not supported anymore by @fballiano in #2842
- Bump tj-actions/changed-files from 34 to 35 by @dependabot in #2843
- Bump symfonycorp/security-checker-action from 4 to 5 by @dependabot in #2845
- Bump EnricoMi/publish-unit-test-result-action from 1.6 to 1.40 by @dependabot in #2846
- Bump pelago/emogrifier from 6.0.0 to 7.0.0 by @dependabot in #2844
- Added helper for admin button onclick actions by @sreichel in #2784
- Added shell/ to checks by @sreichel in #2848
- autoload without hiding errors by @Flyingmana in #2300
- Use correct code for Greece VAT validation by @elidrissidev in #2849
- Updated lib/Varien for PHP8.1 by @sreichel in #2802
- Added .dist and .neon to "deny from all" in .htaccess by @fballiano in #2852
- Added notes about composer library/modules to README (for 19.5.x and 20.1.x) by @fballiano in #2851
- phpstan: remove one diff between v19/20 baseline by @sreichel in #2855
- Hotfix: php7 has no return type "mixed" by @sreichel in #2856
- Add translation helper shell script by @justinbeaty in #2332
- PHPMD: added basic config by @sreichel in #2771
- Load dev shell scripts as composer module by @sreichel in #2853
- Fixed tag aggregation indexer query by @fballiano in #2858
- Updated workflow: run when files are deleted by @sreichel in #2860
- Rewrote Mage_Reports_Model_Resource_Review_Product_Collection/Mage_Reports_Model_Resource_Order_Collection queries for a correct use of Zend_Db_Expr by @fballiano in #2864
- Backport 2271, removed lib/flex by @fballiano in #2862
- Updated copyright blocks by @sreichel in #2866
- Updated autoloader, ref #2300 by @sreichel in #2867
- Adding useful feedback to Gd2.php exceptions by @loekvangool in #1339
- Added ddev command shortcuts by @sreichel in #2868
- Use github URL for patch files by @sreichel in #2871
- Remove "was" from error messages by @loekvangool in #2869
- Add autocomplete attribute to known password fields. by @rfeese in #2700
- Create codeql-analysis.yml by @Flyingmana in #2644
- Cast types, ref #735 by @sreichel in #2872
- Fix error on add new contributor by @AGelzer in #2877
- Fix for ...
Contributors
Assets 3
v20.0.20
v19.4.23
v20.0.19
This is an important security update release, it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible, except one, CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF in fact is a breaking change and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" /> after the <form open tag. Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml or in case you are not using a custom theme then you will not have to do the aforementioned procedure.
v19.4.22
This is an important security update release, it includes six security patches:
- CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF
- CVE-2021-41144 - GHSA-5j2g-3ph4-rgvm - Fix for authenticated remote code execution through layout update
- CVE-2021-41143 - GHSA-5vpv-xmcj-9q85 - Fix for arbitrary file deletion in customer media allows for remote code execution
- CVE-2021-41231 - GHSA-h632-p764-pjqm - DataFlow upload remote code execution vulnerability
- CVE-2021-39217 - GHSA-c9q3-r4rv-mjm7 - Fix for arbitrary command execution in custom layout update through blocks
- CVE-2023-23617 - GHSA-3p73-mm7v-4f6m - DoS vulnerability in MaliciousCode filter
All of these updates should be totally backward compatible, except one, CVE-2021-21395 - GHSA-r3c9-9j5q-pwv4 - Reset Password not protected against well-timed CSRF in fact is a breaking change and you will need to take action after upgrading to this version of OpenMage.
Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code <input name="form_key" type="hidden" value="<?php echo $this->getFormKey(); ?>" /> after the <form open tag. Please refer to this link in case you want to see how the patch works and copy/paste the simple solution.
In case your custom theme does not have the customer/form/resetforgottenpassword.phtml or in case you are not using a custom theme then you will not have to do the aforementioned procedure.
v19.4.21
v19.4.20
Overview
This is mainly a bugfix release with a couple of optimizations.
Most importantly we've fixed bugs regarding:
- fixer.io currency exchange rate provider
- CSS merge
- indexes
Upgrading is highly suggested, but always backup and test before doing it.
What's Changed
- Set php version for phpstan by @sreichel in #2692
- Do not autoload captcha class when disabled by @luigifab in #2681
- Do not crash when shipment does not exist by @luigifab in #2683
- Trimmed files by @luigifab in #2698
- Reduce again getId calls by @luigifab in #2699
- Add link to the product page and float default qty for bundle items by @luigifab in #2701
- Remove obsolete ACL resources from DB by @sreichel in #2706
- Allow labeler workflow to fail by @sreichel in #2710
- Bugfix to make exchange rate data with fixer.io work again by @dbachmann in #2694
- Fixes typo in join alias in indexer by @rubanooo in #2711
- Removed support for eAccelerator Cache Backend by @fballiano in #2712
- Set the right menu for reviews by @luigifab in #2680
- Version bump for next release by @fballiano in #2714
- Added confirmation before deleting website/store/storeview by @fballiano in #2717
- Fixed typo in copyright docblock by @fballiano in #2740
- Add method code in payment method list by @luigifab in #2735
- Set width:auto for td.massaction by @luigifab in #2718
- Fix data.title replace when it's null/undefined by @luigifab in #2719
- Add PHPCodeSniffer to workflow by @sreichel in #2708
- Use getStoreConfigFlag() instead of (bool)getStoreConfig() by @sreichel in #2747
- Replaces full class name with self by @sreichel in #2749
- Updated phpdocs: return $this by @sreichel in #2751
- Backport: #1149 by @sreichel in #2745
- Fixed incorrect docblock for setLastRealOrderId() and getLastRealOrde… by @kiatng in #2752
- Fix: merge CSS files /w missing file by @sreichel in #2754
- Backport: #2315 by @sreichel in #2746
- Fixed setting of source_model when adding new attribute and for multiselect. by @kiatng in #1293
- Remove declared properties accessed by magic getter in Paypal Config by @elidrissidev in #2759
- Fix Order comment REST endpoint route param by @elidrissidev in #2750
- Moved DDEV docs by @sreichel in #2764
- Add php-cs-fixer & PHPCompatibility check to workflow by @sreichel in #2744
- PhpStan L5 fixes for Mage/Admin by @sreichel in #2761
Full Changelog: v19.4.19...v19.4.20
v20.0.18
Overview
This is mainly a bugfix release with a couple of optimizations.
Most importantly we've fixed bugs regarding:
- fixer.io currency exchange rate provider
- CSS merge
- indexes
Upgrading is highly suggested, but always backup and test before doing it.
What's Changed
- Removed ms-filter by @luigifab in #2733
- Every change included in https://github.com/OpenMage/magento-lts/releases/tag/v19.4.20
Full Changelog: v20.0.17...v20.0.18
v20.0.17
Overview
This is a maintanance release with small bugfixes, code cleanup, documentation improvements and a better overall PHPStan coverage.
We're also bumping the minimum required PHP version to 7.3 with intl extension enabled.
Our source code finally has a much better "copyright" section, to thank all the team that is contributing to this beautiful project.
Important things you should check before upgrading
This release requires PHP 7.3 with intl extension, do not upgrade if your system doesn't match this requirement.
What's Changed
- Make overrides of Mage_Core_Model_Resource_Db_Abstract::delete respect parent api by @midlan in #1257
- Every change included in https://github.com/OpenMage/magento-lts/releases/tag/v19.4.19
Full Changelog: v20.0.16...v20.0.17
v19.4.19
Overview
This is a maintanance release with small bugfixes, code cleanup, documentation improvements and a better overall PHPStan coverage.
We're also bumping the minimum required PHP version to 7.3 with intl extension enabled.
Our source code finally has a much better "copyright" section, to thank all the team that is contributing to this beautiful project.
Important things you should check before upgrading
This release requires PHP 7.3 with intl extension, do not upgrade if your system doesn't match this requirement.
What's Changed
- Fixed whitespace for docblocks by @fballiano in #2550
- Remove redundant polyfill code for error reporting constants by @elidrissidev in #2555
- Fixed whitespace for docblocks by @fballiano in #2556
- Some CSS fixes to OpenMage adminhtml theme by @sreichel in #2422
- Fixed whitespace for docblocks by @fballiano in #2558
- Set default width for grid datetime columns, ref #2239 by @sreichel in #2544
- Removed PHP 5.3 compatibility code from Mage_Adminhtml_Model_System_Config_Backend_Locale_Timezone by @fballiano in #2563
- Added info about targetNamespace change in README by @fballiano in #2559
- Removed unused controller Mage_Shipping_ShippingController by @fballiano in #2564
- phpstan: fixed calls on Varien_Object/Mage_Core_Model_Abstract by @sreichel in #2565
- Ignore scss-cache and .phar files in .gitignore by @sreichel in #2566
- Changed boolean/integer to bool/int in docs by @sreichel in #2567
- Fixed whitespace for docblocks by @fballiano in #2562
- An Exception is thrown and logged if file is not found while merging by @fballiano in #2445
- Fixed PHPStan error with Mage_Catalog_Model_Resource_Product_Option_Collection by @fballiano in #2572
- Make php7.3 minimum requirement by @sreichel in #2413
- Added missing css.map file by @sreichel in #2573
- Added php-extension "intl" as requirement, updated composer by @sreichel in #2437
- Delete Mage_AmazonPayments.csv by @elidrissidev in #2579
- Update label for
system/csrf/use_form_keyconfig by @elidrissidev in #2578 - Refactoring: Replace dirname(FILE) With Corresponding Constant by @Sdfendor in #2582
- Fixed some docs for phpdocumentor by @sreichel in #2577
- phpstan: added some return statements to match parent class or interface by @sreichel in #2574
- phpstan: return type fixes by @sreichel in #2587
- Use null coalescing operator by @sreichel in #2543
- Updated phpstan experimental by @sreichel in #2589
- Fix Phpdoc Typos in Various Files by @Sdfendor in #2591
- phpstan: fixed "Access to an undefined property" by @sreichel in #2554
- Strip null bytes from strings and filter conditions. by @colinmollenhour in #1430
- Fixed phpstan-workflow by @sreichel in #2593
- Some fixes for phpdocs by @sreichel in #2588
- Removed Mage_GoogleBase.csv by @sreichel in #2599
- Better admin/config validation for allowed currencies by @sreichel in #2597
- Fix admin grid filter, ref #1430 by @sreichel in #2602
- [backport] Aggregate most viewed products report daily via a Cron job (#1829) by @sreichel in #2610
- Update deprecated using ${var} in lib/Zend by @sreichel in #2611
- Fix integers being cast to decimal in some particular cases by @digitalpianism in #1198
- phpstan: fixes for Mage_Catalog_Model_Product_Type_Abstract by @sreichel in #2605
- phpdocs: Undefined methods by @sreichel in #2613
- Downgraded composer dependencies to also fit php7.3 by @sreichel in #2576
- Added two indexes on sales_flat_order and sales_flat_order_item tables by @fballiano in #2447
- Phpdocs/phpstan update by @sreichel in #2596
- Replace Date Format String Literals With Existing Constants by @Sdfendor in #2592
- [PHP 8.1] Fix passing null to preg_split limit param by @elidrissidev in #2616
- Updated github workflow by @sreichel in #2608
- Updated README by @sreichel in #2618
- Fixed detect changes in custom options section (product edit) by @fballiano in #2444
- Add/Remove mark when region/zip is required by @luigifab in #2149
- Optimize EAV collections by @Sekiphp in #911
- Convert Exception to Throwable in Mage_Core_Block_Template. by @kiatng in #2623
- Added css class for sorted columns by @sreichel in #2604
- Improvements in cron scripts by @fballiano in #2380
- Fixed javascript error on adminhtml login page caused by #2149 by @fballiano in #2624
- Fixed bug caused by #2605 by @fballiano in #2625
- Fix workflow badges in README by @elidrissidev in #2626
- Update hardcoded credit card message in checkout by @elidrissidev in #2628
- bugfix + add module names to helper by @sreichel in #2617
- Get catalog search result collection from engine by @elidrissidev in #2634
- Add PHP dependencies security check workflow by @elidrissidev in #2639
- [security-workflow] Fixed cron syntax by @sreichel in #2640
- Add OpenMage Contributors Copyright by @justinbeaty in #2295
- docs: added ddev snippets by @sreichel in #2575
- Only run workflows when relevant files change by @elidrissidev in #2641
- Add back notification popup severity icons URL by @elidrissidev in #2633
- Fixes issue #475, reduce reprocessed jpeg image file size by defaulting image quality to 85% by @kiatng in #2629
- Prevent from editing a non-editable Order by @elidrissidev in #2632
- Allow automatic full invoice from API by @luigifab in #2393
- Add check if array key exists before use it by @przemyslaw-p in #2649
- Reload admin ACL by @luigifab in #1714
- Fixed Mage_Catalog_Model_Product_Status::addSaleableFilterToCollection() does nothing by @fballiano in #2603
- Reindex EAV values only for active storeviews by @fballiano in #2651
- Check if remote storage is enabled before saving local file by @elidrissidev in #2627
- Phpstan: fixed return types (docs only) by @sreichel in #2636
- Cast getLoadingTimeout() to int in template by @sreichel in #2661
- Fixes #2658 by @sreichel in #2662
- Re-added composer validation to github workflow by @sreichel in #2667
- Fix bug on clonePosition() in prototype.js. by @kiatng in #2669
- Fixes phpunit-workflow by @sreichel in #2672
- Reduce getId calls by @luigifab in #2677
- Allow to save configuration without fields by @luigifab in #2679
- Do not crash when creditmemo does not exist by @luigifab in #2684
- Fix esi parsing with turpentine by @luigifab in #2682
- Remove try catch throw by @luigifab in https://github.com/Open...
