Apr 28

Magento Open Source 2.4.4 Released

Magento Open Source 2.4.4 highlights

Security enhancements

This release includes one security fix and platform security improvements. This security fix has been backported to Magento Open Source 2.4.3-p2 and Magento Open Source 2.3.7-p3.

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts:

Additional security enhancements

Security improvements for this release improve compliance with the latest security best practices, including:

  • Email variable usage was deprecated back in 2.3.4 as part of a security risk mitigation in favor of a more strict variable syntax. This legacy behavior has been fully removed in this release as a continuation of that security risk mitigation.As a result, email or newsletter templates that worked in previous versions of Magento Open Source may not work correctly after upgrading to Adobe Commerce 2.4.4 or Magento Open Source 2.4.4. Affected templates include admin overrides, themes, child themes, and templates from custom modules or third-party extensions. Your deployment may still be affected even after using the Upgrade compatibility tool to fix deprecated usages. See Migrating custom email templates for information about potential effects and guidelines for migrating affected templates.
  • Integration tokens can no longer be used for API Bearer token authentication. Previously, an integration token could be used as a standalone key for token-based authentication. However, this behavior has been disabled by default due to the security implications of a never-expiring access token. The previous behavior can be enabled through the command line or Admin. See Token-based authentication.
  • Session IDs are no longer stored in the database.
  • OAuth access tokens and password reset tokens are now encrypted when stored in the database.
  • Validation has been strengthened to prevent the upload of non alpha-numeric file extensions.
  • Added reCAPTCHA support to coupon codes.
  • Swagger is now disabled by default when Magento Open Source is in production mode.
  • HTTPS is now enabled by default for the Magento Open Source storefront. The Use Secure URLs on Storefront and Use Secure URLs in Admin settings are enabled by default, and all built-in cookies are now set as secure.
  • The dependency confusion plugin is now required for all Magento Open Source installations. Previously, this plugin was required for Composer-based installations only. It now permits trusted versions. Merchants can bypass the constraints set in this plugin that prohibit certain combinations of Composer installations. The constraints can be bypassed for trusted versions, and Magento Open Source now displays a warning before proceeding with installation.
  • Developers can now configure the limit on the size of arrays accepted by Magento Open Source RESTful endpoints on a per-endpoint basis. See API security.
  • Added mechanisms for limiting the size and number of resources that a user can request through a web API on a system-wide basis, and for overriding the defaults on individual modules. This resolves the issue addressed by MC-43048__set_rate_limits__2.4.3.patch. See API security.

Platform enhancements

Magento Open Source 2.4.4 now supports PHP 8.1. All project libraries and dependencies have been updated for compatibility with PHP 8.1. Additional platform enhancements include:

  • Magento Open Source 2.4.4 provides support for Elasticsearch 7.16 and OpenSearch 1.2. Magento Open Source merchants with deployments hosted on-premises can use either solution. However, OpenSearch is now the default search engine for Magento Open Source 2.4.4 deployments hosted in the cloud. All customers with cloud deployments who upgrade to version 2.4.4 must use OpenSearch. See Switching to OpenSearch for Adobe Commerce on Cloud 2.4.4
  • The JQuery library has been upgraded to version 3.6. The jquery-ui library has been upgraded to version 1.13.0. Several other JavaScript libraries have been updated to the latest versions.
  • TinyMCE 5.8.1 is now supported. TinyMCE 4 has been removed from the codebase.
  • The RequireJS library has been upgraded to the latest version (v2.3.6). GitHub-33672
  • PHPUnit has been upgraded to the latest version (9.5.x). Tests and test frameworks have been updated to be compatible with the new version.
  • Most Laminas dependencies have been upgraded to the latest versions that are compatible with PHP 8.1. Three Laminas dependencies were removed from the codebase to reduce the number of dependencies.

jQuery UI upgrade

jQuery UI has been upgraded to the latest version (v1.13.0). The following v1.10.0 jQuery components have been removed:

  • ajaxOptions and cache options for tabs. See Tabs.
  • .zIndex(). jQuery UI v1.12.1 includes jquery/z-index.js, which supports the use of .zIndex(). See UI Core.
  • Data fallbacks for widget names. You must use the full name for the .data() key.
  • Hard coding of classes such as ui-corner-all in widgets.


This release includes these GraphQL enhancements:

  • Performance improvements:
    • The performance of GraphQL cart operations has improved. The collectQuoteTotals() method is now called only once during a GraphQL request, which reduces response time.
    • Storefront performance has been improved by changes to how GraphQL requests are cached. Fastly and Varnish now cache GraphQL requests sent with auth tokens.
  • New storefront-related Admin configuration settings. The storeConfig query now returns the configuration settings for the Zero Subtotal Checkout and Check/Money Order payment methods.
  • Updated core GraphQL library. The webonyx library, which enables core GraphQL to function, has been upgraded to version ^14.9.
  • Fixed translation issues in GraphQL with multi-site and multi-language stores. The GraphQL resolver now returns translated strings based on store scope as expected.
  • GraphQL now provides New Relic with descriptive transaction names, which can be helpful for debugging. GitHub-30915

See the GraphQL Developer Guide for details on these enhancements.

Vendor-Bundled Extensions

With the exception of Braintree, all vendor-bundled extensions have been removed from the Magento Open Source 2.4.4 code base. Merchants should migrate to the official extensions, which are available on the Commerce Marketplace.

Amazon Pay





PayPal Payment enhancements

  • The Venmo payment option is now supported.
  • Pay Later has been added as an option for shoppers based on the shopper’s location, not the merchant’s location.
  • Merchants can now set the shopper country when testing the shopper experience in their country of choice. Previously, tests were limited to testing only for the country in which the merchant is located. This change is valid in sandbox mode only.
  • Messaging on the checkout page now displays accurate messaging on how much and in how many increments shopper will be expected to pay when using Pay Later.

Accessibility updates

This release brings enhanced conformance to standard accessibility guidelines. It includes improved tooltips, accessible naming and tagging of screen elements, and redesigned icons and buttons. Over 80% of these fixes help improve the shopping experience for users Without Vision or Limited Vision.

Page Builder

Merchants can now add alternative text (alt_text) to images (Image, Banner, Slide) to enhance content accessibility. GitHub-746