Security Updates for 3rd party modules

Appreciate most of you active in the Magento space are already aware that a large majority of module vendors are moving to a subscription based model soon.

I’ll leave my feelings on ‘lifetime free updates’ not exactly being lifetime for another thread!

However I’ve written to all of the vendors and most have agreed that regardless of a customer’s support status, if a security issue is identified in a module then this fix would be released to all customers.

Out of all the ones I wrote to, Amasty was the only company that didn’t agree that all customers should get security updates.

Mirasvit, MageWorx, Mageplaza, AheadWorks all agreed security fixes should not be tied to subscription status.

submitted by /u/iSpiKedfd

Help with Warden/Magento2

Hey all, thanks again for all the support this community has shown while I get up to speed with Magento2.

I’m working on setting up a dev environment using Warden, and hit my first snag. Haven’t really tried to debug it yet but need to take a break for a while.

Warden install has gone fine, right up until this point:

I just ran: $ warden shell and got connected to the fpm container. Then I get the error below. Running composer to set my keys results in an error- but even more importantly, where do I get the keys? I just want to run the open source edition for now.

————————————

www-data@magento-dev-php-fpm:/var/www/html$ composer global config http-basic.repo.magento.com

Changed current directory to /home/www-data/.composer

[RuntimeException]

http-basic.repo.magento.com is not defined.

submitted by /u/kwisatzcraperach

Recently viewed widget – “out of stock”

Hi – I thought this would be relatively easy, I just need to change where it says “Out of stock” to “Sold out” in the Recently Viewed widget. I have tried adding to themefolder/i18n/en_GB.csv

"Out of stock","Sold out" 

and also to themefolder/Magento_Catalog/i18n/en_GB.csv but neither works. This is how it appears in the browser

<div class="stock unavailable">

<span data-bind="i18n: 'Out of stock'">Out of stock</span>

</div>

I was going to just change it in the relevant phtml file but can’t find the correct one. Can anyone point me to the actual HTML for the items in this widget? Thanks

submitted by /u/hawthornmage

TTFB issues

Hey all.

Thanks for all the help on my earliest post about Redis/stunnel!

So, I’ve optimized some things, have ensured caching is in place, http2 is on, opcache is configured, etc. What appears to be killing page load times now is TTFB (time to first byte). The home page is .9s ttfb, some deeper pages are as much as 4s. By the way, this is a store with maybe 50 products. So, shouldn’t be too crazy in terms of processing.

I’ve gotten so far (with help of this subreddit) to turn on HTML debugging such that it profiles code execution at the bottom of the page. So, at least I know the problem is in a couple of templates in the layout. I’m going through those templates and I’m seeing what looks like PHP code interleaved in the template HTML. Looks like the old devs created some custom helper classes and authentication (oauth2) classes and I suspect that’s where the issue is coming from.

However, I haven’t gotten a dev environment setup or things configured well enough where I can step through the code, so I’m looking for a way to better profile the code- to really see where the timing problem is stemming from.

Is there something like a Debugbar for Magento? Thinking about the overlays that sit at the top/bottom of the page in dev mode and provide stack traces, queries, etc.

Well, thanks for all the pointers, do appreciate it!

submitted by /u/kwisatzcraperach

Redis with Magento – stunnel?

I just inherited a Magento site (Adobe Commerce) that is really struggling performance wise. I’ve already found an issue with php-fpm max_children settings being ridiculously low (5) and optimizing that has helped a lot.

As I’m reviewing the architecture in general, I’ve found that the Redis server is being accessed through a local tunnel instead of directly. That is to say, a tunnel has been configured (without ssl) to hit the redis cache across a network, then the magento config uses localhost:port instead of the actual hostname to the redis server.

This seems like a needless additional step to me, but wanted to check with the community here to understand if this is for some reason a Magento best-practice, or if you can think of any other reason this might be desirable?

submitted by /u/kwisatzcraperach

Mageplaza Layered Navigation – XSS Security Fix

Does anyone know any details about the XSS security fix in the latest release (4.1.2) of the Mageplaza Layered Navigation module?

We use their module but we’ve heavily customised it so usually only apply security related changes released by Mageplaza.

However Mageplaza support are refusing to provide us a list of changes related to this security update for some reason (we have an active support subscription).

submitted by /u/iSpiKedfd