Skip to content

3.0.0

Choose a tag to compare

@rhoerr rhoerr released this 20 May 23:08

Release notes: https://mage-os.org/releases/2026-05-18-mage-os-3-0-0-release/

What's Changed

  • Patch for CVE-2025-54236 - WebAPI-improvement by @rhoerr in #160
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #159
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #162
  • Fix PHP 8.4 Deprecation: Explicitly Mark Nullable Parameter in CanViewNotification (cherry-pick of #157) by @fballiano in #158
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #163
  • Fix admin dashboard JS error on login by @rhoerr in #164
  • fix product export of configurable_variations for configurable products with multiple super attributes by @rhoerr in #142
  • fix product export of configurable_variations for configurable products with multiple super attributes (#142) by @rhoerr in #169
  • Check if array element exists in config load by @ProxiBlue in #167
  • Security changes from upstream 2.4.8-p3 by @rhoerr in #171
  • AC-15210: Migrate USPS integration from Web Tools APIs to REST APIs by @rhoerr in #170
  • Added missing composer file for Magento/Framework/Stomp by @rhoerr in #172
  • Add missing composer file for Magento_Stomp by @rhoerr in #173
  • Fix customer group extension attributes for lists by @avstudnitz in #53
  • fix: file validation bypass by targeting non file input types during customer file upload by @SamJUK in #174
  • AC-14999: FPC not work when login by @rogerdz by @rhoerr in #176
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #180
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #184
  • Updated Mage-OS readme files by @rhoerr in #183
  • Add X-Dist response header with the distribution name by @rhoerr in #179
  • Fix SRI hash failures with JS bundling and minifying by @rhoerr in #177
  • chore: Remove outdated replace and extra definitions from composer files by @rhoerr in #181
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #185
  • Feature: Add command to detect unregistered themes by @furan917 in #186
  • Expand allowed versions of MySQL/MariaDB by @rhoerr in #189
  • Cherry-pick: fixing setup:di:compile area order in plugin generation … by @rhoerr in #194
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #193
  • Feature: Add command to detect new queues by @furan917 in #188
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #195
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #198
  • Upstream Merge Conflict (2.4-develop) by @mage-os-ci in #200
  • Generalize product metapackage detection for alternate metapackages by @rhoerr in #196
  • fix: Real column type introspection skips unsigned/nullable processors by @furan917 in #205
  • Security changes from upstream 2.4.8-p4 by @rhoerr in #206
  • Merge 2.x latest to 3.x by @rhoerr in #208
  • ACP2E-4138: Attacker could use POST request using REST API and can send RCE payload by @marcelmtz in #210
  • Fix GraphQL API by pinning webonyx/graphql-php version to <15.31.0 by @rhoerr in #211
  • Rebase release/3.x by @rhoerr in #216
  • Update graphql-php version constraints (fixes #212) by @rhoerr in #218
  • Merge latest 2.4-develop onto release/3.x by @rhoerr in #219
  • Removed ext-ftp dependency and deprecated the class related to the FTP by @konarshankar07 in #190
  • feat: admin footer version update indicator by @rhoerr in #207
  • Feature/interactive installer by @DavidLambauer in #191
  • Remove duplicated methods from patch and merge by @rhoerr in #223
  • Add return type to MessageQueue command execute method by @rhoerr in #222
  • Trim whitespace from address fields before database save by @ProxiBlue in #215
  • Remove analytics modules from composer.json by @rhoerr in #220
  • Merge upstream 2.4-develop / 2.4.9-beta1-develop by @rhoerr in #227
  • Cherry-pick ACP2E-4675 (WysiwygValidationConfigResolver) onto release/3.x by @rhoerr in #228
  • Security changes from upstream 2.4.8-p5 by @marcelmtz in #229
  • Merge upstream AC-17066 (final pre-2.4.9 commit) by @rhoerr in #231
  • chore: merge mage-os/main (2.4.8-p5 security changes) into release/3.x by @rhoerr in #232
  • Add PHP 8.4 lazy-ghost object loading to compiled DI factory by @rhoerr in #225
  • Mark always-realized core classes with #[NonLazy] (companion to #225) by @rhoerr in #226
  • Regenerate composer.lock by @rhoerr in #234
  • Fix unit test and code standards fallout from upstream merge by @rhoerr in #235
  • Restore DHL REST carrier constants lost in merge by @rhoerr in #240
  • Guard Csp HashResolver against unresolved area code by @rhoerr in #241
  • Fix PHPUnit 12 fallout in three integration tests by @rhoerr in #242
  • Fix/quote get shipping rate by code skip deleted rx by @ProxiBlue in #236
  • fix: trim address fields before collecting shipping rates by @ProxiBlue in #237
  • Fix DHL CarrierTest fixture SoftwareName to match emitted value by @rhoerr in #244
  • Fix unit test fallout from post-merge optional constructor deps by @rhoerr in #245
  • Align integration test matrix with Magento 2.4.9 certified services by @rhoerr in #246
  • Pin opensearch and varnish to existing wardenenv image tags by @rhoerr in #247
  • Revert PRs #215 and #237 (address field trimming) by @rhoerr in #251
  • Mage-OS 3.0 prep: merge release/3.x into main by @rhoerr in #233
  • Detect missing laravel/prompts in interactive installer by @rhoerr in #252

New Contributors

Full Changelog: https://github.com/mage-os/mageos-magento2/commits/3.0.0