Overview of Magento Commerce and Open Source 2.3.5 release

General availability for Magento 2.3.5 was on April 28. This release introduced new security and performance improvements. Like any patch release, if you want to improve your Magento performance, it’s recommended that you update to the latest version of the Magento application at your earliest convenience to apply not only functional enhancements but, most importantly, all the recent security fixes. To help you plan and budget software updates, let’s first clarify types of Magento code releases.

Types of Magento versions

As stated in the release policy, Magento uses ordinal (in sequence) numbers for versioning. This makes it easy for any merchant to track Magento and know if their version is the latest and up to date. Note: to verify the current version, check the Admin Panel page.

A major version is changed infrequently (in this case, since Magento 2 was introduced in 2015). It is important to note that Magento 1’s end of life was in June 2020, making it highly recommended by Magento to migrate to Magento 2 as soon as possible. This recommendation is made to keep your website secure and compliant, as well as to minimize the total long-term cost of ownership.
A minor version release should be expected annually. The minor release provides a large update of the platform centered on maintaining compatibility for major system requirements such as PHP and platform upgrades such as Elasticsearch or Braintree. It introduces new features, but also may create changes that require additional Magento development. Such an update requires significant effort from your dev team to ensure that the website performs correctly and that all modules function and are compatible with the new version.
A patch release is usually announced quarterly to ensure Magento website security is maintained at the highest level. A patch also includes quality improvements suggested by the Magento Community, and the Magento core team, where we participate. This version is backward compatible, meaning that code written for any 2.3.x Magento version works on the latest version.
A security release is introduced occasionally to address serious vulnerabilities. Security releases should be applied as soon as possible. They are available on quarterly basis as an alternative to patch updates. Security releases only address security-sensitive issues and do not address functional fixes.

Release Type	Example	Estimated frequency	Responsible for Applying Update	Backward Compatibility
Major	2	Once	Merchant	No
Minor	2.3	Annual	Merchant	No
Patch	2.3.5	Quarterly	Merchant	Likely
Security	2.3.5-p1	As Needed	Merchant	Likely

Generally, the key reasons to perform Magento 2 upgrade are performance improvements, security compatibility, functional fixes, and of course new features availability. For more details check Why should you perform Magento 2 upgrade to the latest version?

What changes are available in Magento Commerce 2.3.5.

Release Type	April 2020 version
Patch	Magento Commerce and Magento Open Source 2.3.5-p1
Security	Magento Commerce and Magento Open Source Security-only Patch 2.3.4-p2
Patch	Magento Commerce 1.14.4.5
Patch	Magento Open Source 1.9.4.5
Security	SUPEE-11314 to patch earlier Magento Commerce and Magento Open Source 1.x versions

Magento Open Source and Magento Commerce include over 180 functional fixes to the core product and over 25 security enhancements in the 2.3.5 version. It presents significant platform upgrades, substantial security changes, and performance improvements; this is based on 46 GitHub issues resolved by Magento Community contributors, as well as a Magento core team.

The following are key changes covered in this version:

1. Security

As stated above, a security-only patch (Magento 2.3.5-p1 (for 2.3.4) or 2.3.4-p2 (for 2.3.3) provides fixes for vulnerabilities that have been identified in the previous quarterly releases of Magento. 25+ security fixes included in this release help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities. Content security policy (CSP) and removal of session-id from URLs are also added in this version. The vulnerability details are listed in Adobe Security Bulletin documentation here.

2. Platform upgrades

To keep the website relevant with third-party platforms the following changes were applied:

Compatibility with Elasticsearch 7.x
Upgrade of Symfony Components to 4.4 version
Core integrations of third-party payment methods (Authorize.Net, eWay, CyberSource, and Worldpay) are deprecated
Core integration of the Signifyd fraud protection code is deprecated
Dependencies on Zend Framework are migrated to the Laminas project

3. Performance

A better invalidating of all customer sections data that avoids a known issue with local storage when custom sections.xml invalidations are active.
Also, the number of queries to Redis that are performed on each Magento request is minimized, which excessively boosts the performance.

4. Infrastructure

The PayPal Pro payment method is compatible with the Chrome 80 browser now. A PHPStan code analysis check has been integrated into Magento static builds to enhance static code analysis.

5. Magento Page Builder (Magento Commerce only)

Templates that can be created from existing content and applied to new content areas are added.
Page Builder Rows, Banners, and Sliders now have the option to use videos for their backgrounds and a possibility to set their heights to the full height of the page.
Content type upgrade library allows for backward compatibility.

6. Magento Inventory Management

The ability to view allocated inventory sources from the orders list is presented together with a new extension point for SourceDataProvider and StockDataProvider.

7. Magento 2 GraphQL

Staging queries now include Products and categoryList.

8. Magento PWA Studio 6.0.0

Possibility to create an API for a storefront and modify storefront logic is presented in the extensibility framework.
Caching and data fetching are improved.
Shopping cart components that can be used for a full-page shopping cart experience are added.

9. Dotdigital

Engagement Cloud and Magento B2B module are integrated to allow the B2B merchants to perform sync of company, shared catalog, quote, and custom product catalog data to Dotdigital.
Improved importer performance and coupon code resend.

10. Google Shopping ads Channel

It is no longer supported. Find alternative extensions on the Magento Marketplace.

To receive additional information on vendor-developed extension enhancements and fixed issues, check Magento 2.3.5 Open Source Release Notes and Magento 2.3.5 Commerce Release Notes. It is strongly recommended that you update any Magento 2 store to have the latest version. This is recommended to maintain security at the highest level. If you hope to begin the upgrade process now, contact your partner to learn more about , or freely contact our Atwix team.

Cookie	Duration	Description
__jid	1 day	Used to add comments to the website and remember the user's Disqus login credentials across websites that use said service.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
li_gc	2 years	Linkeding cookie that stores the user's cookie consent state for the current domain
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	Google Analytics cookie. Used to identify unique users and expires after two years
_gat	1 day	Used by Google Analytics to throttle request rate
_gid	24 hours	Google Analytics cookie. Used to identify user and expires in 24 hours.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar cookie. Used to detect the first pageview session of a user. 30 minutes duration. Boolean true/false data type.
_hjFirstSeen	User session	Hotjar cookie. Identifies a new user’s first session. Used by Recording filters to identify new user sessions. Session duration. Boolean true/false data type.
_hjIncludedInPageviewSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's pageview limit. 30 minutes duration. Boolean true/false data type.
_hjIncludedInSessionSample	30 minutes	Hotjar cookie. Set to determine if a user is included in the data sampling defined by your site's daily session limit. 30 minutes duration. Boolean true/false data type.
_hjRecordingLastActivity	User session	Hotjar cookie. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes
_hjSession_2881021	30 minutes	Hotjar cookie. Holds current session data. Ensures subsequent requests in the session window are attributed to the same session. 30 minutes duration. JSON data type.
_hjSessionRejected	User session	Hotjar cookie. If present, set to '1' for the duration of a user's session, when Hotjar has rejected the session from connecting to our WebSocket due to server overload. Applied in extremely rare situations to prevent severe performance issues. Session duration. Boolean true/false data type.
_hjSessionUser_2881021	1 year	Hotjar cookie. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 365 days duration. JSON data type.
_hjTLDTest	User session	Hotjar cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory	29 days	Linkedin cookie. Used in connection with data-synchronization with third-party analysis service.
disqus_unique	1 year	Disqus cookie. Collects statistics related to the user's visits to the website, such as number of visits, average time spent on the website and loaded pages.
https://#.#/	User session	leadfeeder.com cookie. Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
juggler/event.gif	User session	Disqus cookie. Identifies the visitor across devices and visits, in order to optimize the chat-box function on the website.

Cookie	Duration	Description
aet-dismiss	User session	Disqus cookie. Necessary for the functionality of the website's comments system
drafts.queue		Disqus cookie. Necessary for the functionality of the website's comments system
lang		Linkedin cookie. Remembers the user's selected language version of a website
submitted_posts_cache	User session	Disqus cookie. Necessary for the functionality of the website's comments system

Cookie	Duration	Description
_hjRecordingEnabled	User session	Hotjar cookie. This cookie is used to identify the visitor and optimize ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-center or ad-exchange.
_lfa	2 years	Leadfeeder cookie. Used to store and track audience reach and expires in 2 years.
_lfa_expiry	persistent	Leadfeeder cookie. : Contains the expiry-date for the cookie with corresponding name
_lfa_test_cookie_stored	1 day	Leadfeeder cookie. Used in context with Account-Based-Marketing (ABM). The cookie registers data such as IP-addresses, time spent on the website and page requests for the visit. This is used for retargeting of multiple users rooting from the same IP-addresses. ABM usually facilitates B2B marketing purposes
ads/ga-audiences	User session	Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
badges-message	Persistent	Disqus cookie. Used for comments functionality
bcookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
bscookie	2 years	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
lidc	1 day	Used by the social networking service, LinkedIn, for tracking the use of embedded services.
UserMatchHistory	29 days	Linkedin cookie. Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.