What's New?
Important
PHP version 8.2 is the minimum requirement to install and use CoCart. PHP 7.4, 8.0, and 8.1 are all past end-of-life/security support so to help manage development resources to maintain CoCart, it will no longer be tested on these versions. Running CoCart on PHP 8.2 not only ensures you are secure but it also improves the performance of the CoCart API. Thank you for your understanding.
-
REST API: Added ETag support for all cart endpoints (GET/POST/PUT/DELETE) enabling conditional requests with
If-None-Matchheader for immediate use. -
REST API: Added ETag support for product endpoints (products, categories, tags, attributes, reviews).
-
REST API: Added
CoCart-Cacheresponse header indicating cache status:HIT,MISS, orSKIP. -
REST API: Added
_skip_cachequery parameter to bypass caching for individual requests. -
REST API: Added
stale-while-revalidatedirective to cacheable routes (products) for improved performance. -
REST API: Added check for
X-HTTP-Method-Overrideheader if it exists during authentication. -
WordPress Dashboard: New integrations page to provide more control over which supported plugin is running when making a CoCart request.
-
Plugin: New settings page providing quick easy control of CoCart without touching code for the following:
-
- CORS and allowed origin.
-
- Authorization header server variable.
-
- Session expiration for guest and logged-in users.
-
- "Load Cart from Session" feature.
-
- "Name Your Price" feature.
Settings show a locked state when controlled by an external filter with a link providing information as to what and where.
Bug Fixes
- REST API: Requests made via the WordPress REST API batch endpoint were not recognized and caused a fatal error when adding items.
- REST API: Shipping address fields were blank after submitting billing-only details — billing fields now mirror to shipping when
ship_to_different_addressis not set, matching WooCommerce checkout behaviour. Shipping packages now also return correctly after a complete address is saved. - REST API: Slugs, permalinks and attribute names with non-ASCII characters (e.g., Chinese, Arabic) are now returned decoded instead of encoded across all product and cart endpoints.
- REST API: Authentication not determining user in time when
rest_url_prefixfilter is used causing several cloned guest sessions with cart items. - REST API: Fixed fatal error when adding an invalid product to cart via v2 controller due to missing
WP_Errorcheck after product validation. - REST API: Corrected
Last-Modifiedheader in GMT per HTTP spec with more robust date parsing. - Plugin: Fixed
cocart_deprecated_filter()returningnullwhen the debug log was active, causing callers to receive no value from the deprecation wrapper.
PHP 8.2+ Fixes
- REST API: Fixed warnings for undefined array keys
cart_item_dataandcart_item_keyin v1 add item controller. - Session: Fixed warning for undefined array key
totalin session handler cart hash generation. - Plugin: Fixed warnings for undefined array key
countwhen database queries return no results in cart counting functions. - Plugin: Fixed warning for undefined variable
$per_pagein admin plugin search. - Plugin: Fixed deprecated
${var}string interpolation syntax in plugin update screen.
Change
- Session: Removed the max expiration exceed limit of 30 days to allow adjusting the lifetimes via the
cocart_cart_expiringandcocart_cart_expirationfilters as needed.
Dev note: You will still be warned "Keeping sessions for longer than X days can cause performance issues and larger session tables."
Improvements
- REST API: Slight performance increase by preventing admin content from loading in the background for every REST request made.
- REST API:
cocart_upload_file()andcocart_upload_image_from_url()now use atry/finallyblock to guarantee theupload_dirfilter is always removed, even when an exception is thrown during upload. - REST API:
cocart_upload_image_from_url()now useswp_parse_url()to extract the filename from the image URL, correctly stripping query strings instead of splitting on?. - Session: Adjusted
get_session()usingwp_cache_set()instead ofwp_cache_add(), which caused stale persistent object cache entries to never be overwritten. - Session: Adjusted
get_session()andupdate_cart()using an uninitialized expiration value on frontend requests, preventing sessions from being cached after a database read. - Session: Adjusted
save_data()writing to object cache with a potentially negative TTL when session expiration was stale or unset. - Session: Adjusted
update_cart()not syncing the object cache after a database write, causing subsequent reads to return stale cached data. - Session: Added
get_cache_expiration()helper to reliably resolve cache expiration across both REST API and frontend contexts.
Breaking Changes
- REST API: The
cocart_does_product_allow_price_changefilter now defaults tofalse. Price overrides via thepriceparameter oncocart/v2/cart/add-itemare disabled by default. To restore the previous behaviour, addadd_filter( 'cocart_does_product_allow_price_change', '__return_true' );— or returntrueconditionally for specific products only.
Developers
- Logger: Log entries now include a source line identifying the calling class, method, file, and line number for easier debugging.
- Introduced new filter
cocart_etag_cart_routesto customize which cart routes support ETag. - Introduced new filter
cocart_etag_product_routesto customize which product routes support ETag. - Introduced new filter
cocart_etag_routesto add ETag support for third-party plugin routes. - Introduced new filter
cocart_cache_max_ageto customize cache duration (default: 1 hour). - Introduced new filter
cocart_stale_while_revalidateto customize stale-while-revalidate duration (default: 24 hours).
Deprecation's
- Filter
cocart_secure_registered_usersdeprecated for security — unauthenticated access to registered user carts is now always blocked.
Compatibility
- Tested with WordPress 7.0
- Tested with WooCommerce v10.9