System requirements

• tested on PHP 8.2, 8.4 and 8.5
• tested on MySQL 8 and MariaDB 11

What's Changed

• GHSA-7cw6-7h3h-v8pf - fix: map in security extension for array callables

Full Changelog: v6.7.6.0...v6.7.6.1

Get in touch

Discuss about decisions, bugs you might stumble upon, etc in our community discord. See you there ;)

System requirements

• tested on PHP 8.2, 8.4 and 8.5
• tested on MySQL 8 and MariaDB 11

Features

HTTP caching rework

• Support for HTTP caching policies was added. It allows defining HTTP cache behavior per area (storefront, store_api)
  and per route using configuration. The feature is experimental and can be enabled with the CACHE_REWORK feature flag
  together with other HTTP caching improvements.
• Selected Store API routes were marked as cacheable and now support HTTP caching with Cache-Control headers.

Send email on customer password change

A new flow has been introduced which sends a confirmation email whenever a customer changes their password. This helps to identify any suspicious account activity more quickly.

API

Video cover management /api/_action/media/{mediaId}/video-cover

Added endpoint to assign or remove cover images for video media files. Requires media.editor ACL permission.
Accepts coverMediaId (string or null) in request body.
Cover image reference is stored in metaData.video.coverMediaId.
When a cover image is deleted, all video references are automatically cleaned up via VideoCoverCleanupSubscriber.

StoreAPI HTTP caching support

HTTP caching support was added for the following Store API endpoints:

• /store-api/breadcrumb/{id}
• /store-api/category
• /store-api/category/{navigationId}
• /store-api/navigation/{activeId}/{rootId}
• /store-api/cms/{id}
• /store-api/product
• /store-api/seo-url
• /store-api/country
• /store-api/country-state/{countryId}
• /store-api/currency
• /store-api/language
• /store-api/salutation

GET methods and HTTP caching support were added for the following Store API endpoints:

• /store-api/media
• /store-api/product/{productId}/cross-selling
• /store-api/product/{productId}
• /store-api/product/{productId}/find-variant
• /store-api/product-listing/{categoryId}
• /store-api/product/{productId}/reviews
• /store-api/search
• /store-api/search-suggest

It's intended to work with the new HTTP caching policy system, and should increase performance for cacheable Store API requests.

Store API: compressed criteria parameter support

Criteria can be passed in the GET requests as single query parameter, encoded as JSON -> gzip -> base64url. This allows
sending complex criteria without hitting URL length limits. Also, ProductListingCriteria fields are supported.
Please note that this is a temporary workaround intended to be used until QUERY request method is standardized and supported.
Check the ADR for more details.

Document download /store-api/document/download/

The endpoint now selects the document file type based on the Accept header.
When no Accept header is set or with */*, PDF will be returned. (PR #12944)

Core

PHP 8.5 support

Shopware is now fully compatible with PHP 8.5.

Deprecation of sw-states and sw-currency handling and new way to disable caching

The sw-states and sw-currency handling is deprecated, which means by default the HTTP-Cache will also be active for logged in customers or when the cart is filled in the next major version.
You can opt in to the new behaviour by activating either the v6.8.0.0 (all upcoming breaking changes), PERFORMANCE_TWEAKS (all performance related breaks) or CACHE_REWORK (only the HTTP-Cache related breaks) feature flag.

Due to the rework of the contained rules in the cache hash, this becomes efficiently possible. The complete caching behaviour is now controlled by the sw-cache-hash cookie.

You should rework you extensions to also work with enabled cache for logged in customers and when the cart is filled.
To modify the default behaviour there are several extension points you can hook into, for a detailed explanation please take a look at the caching docs.

The following classes and constants were deprecated as they will not be used anymore:

• \Shopware\Core\Framework\Adapter\Cache\Http\CacheStateValidator
• \Shopware\Core\Framework\Adapter\Cache\CacheStateSubscriber
• \Shopware\Core\Framework\Adapter\Cache\Http\HttpCacheKeyGenerator::SYSTEM_STATE_COOKIE
• \Shopware\Core\Framework\Adapter\Cache\Http\HttpCacheKeyGenerator::INVALIDATION_STATES_HEADER
• \Shopware\Core\Framework\Adapter\Cache\Http\HttpCacheKeyGenerator::CURRENCY_COOKIE
• \Shopware\Core\Framework\Adapter\Cache\CacheStateSubscriber::STATE_LOGGED_IN
• \Shopware\Core\Framework\Adapter\Cache\CacheStateSubscriber::STATE_CART_FILLED

Additionally, the following configuration was deprecated:

• shopware.cache.invalidation.http_cache

HTTP Caching Policies

Added support for caching policies to define HTTP cache behavior via configuration.

You can now configure named caching policies that define how the Cache-Control header is formed. These policies can be assigned per area (storefront, store_api) and per route. The header controls how caches (browser, reverse proxy, CDN, Symfony cache layer) should cache the response.

The feature is enabled using the CACHE_REWORK feature flag. For more details see the caching policies documentation.

Add recursive assign method to AssignArrayTrait

A new method assignRecursive has been added to Shopware\Core\Framework\Struct\AssignArrayTrait. Along with it, the new Shopware\Core\Framework\Struct\AssignArrayInterface has been introduced.
To make full use of assignRecursive, every class using AssignArrayTrait must also implement the new AssignArrayInterface.
The assignRecursive method enables deeply nested, JSON-serialized data structures - for example, a fully serialized ProductEntity including associations such as properties - to be converted back into a fully populated ProductEntity instance, including all nested Struct and Collection objects.

Note: assignRecursive uses reflection and creates nested struct instances, so it is noticeably slower than the classic shallow assign and is intended for import/export and (re-)hydration scenarios rather than tight, performance-critical loops.

Performance improvements for generating category SEO-Urls

We don't synchronously fetch and generate the SEO-Urls for all child categories anymore.
Instead, we rely on the CategoryIndexer to trigger the re-index of children asynchronously.
This prevents cases where SEO-Urls were generated multiple times for the same category, and thus it considerably improves the performance of category indexing.

Administration

Loading indicator for whole page

When the initial page takes more than two seconds to load, a loading indicator appears instead of a blank page.

Search filter for settings module

In the settings module, there is now a search bar in the top right. It can be used to filter settings based on a search term to quickly find what you need.

Storefront

The email validation supports IDN email addresses

The domain part of email addresses may now contain internationalized domain names (IDN). The Storefront validation will properly check these domains. The form validation in PHP may still deny IDN emails addresses, but the default Shopware forms already allow them.

App System

App Script caching control

As before, app developers can control caching via in app scripts using syntax {% do response.cache.<directive> %}, which map to ResponseCacheConfiguration methods.
Next changes were made to ResponseCacheConfiguration methods:

• added sharedMaxAge(seconds) - set shared (reverse proxy/CDN) cache TTL, equivalent to s-maxage cache control directive.
• added clientMaxAge(seconds) - set client-side (browser) cache TTL, equivalent to max-age cache control directive. Has effect only if CACHE_REWORK feature flag is enabled.
• deprecated maxAge(seconds) - use sharedMaxAge() instead.

Admins can override policies per script using route_policies with route#hook pattern in configuration (see HTTP caching policies description in the Core section).

Hosting & Configuration

Control language analyzer usage in Elasticsearch search queries

A new environment variable SHOPWARE_ES_USE_LANGUAGE_ANALYZER has been added to control whether language-specific analyzers (like sw_english_analyzer, sw_german_analyzer) are used for search queries.

By default (SHOPWARE_ES_USE_LANGUAGE_ANALYZER=1), search queries use the same analyzer as the indexed field, which includes language-specific features like stopword filtering and stemming. This provides broader, more fuzzy search results.

When set to 0 (SHOPWARE_ES_USE_LANGUAGE_ANALYZER=0), search queries use sw_whitespace_analyzer instead, providing less fuzzy search results with fewer matches.

Note: This setting only affects search queries, not indexing. Indexed data continues to use language analyzers for proper tokenization.

Possibility to disable extensions when setting up staging mode

A new config option shopware.staging.extensions.disable was added to allow configuring extensions that should be automatically disabled when the staging mode gets activated via system:setup:staging command.

shopware:
    staging:
        extensions:
            disable: ["TheExtensionName", "AnotherExtensionName"]

Deprecated HTTP cache configuration

• SHOPWARE_HTTP_DEFAULT_TTL environment variable.
• shopware.http.cache.default_ttl parameter.
• shopware.http_cache.stale_while_revalidate parameter.
• shopware.http_cache.stale_if_error parameter.

Deprecated parameters will have no effect when CACHE_REWORK feature fl...

See the UPGRADE.md for all important technical changes.

• GHSA-6w82-v552-wjw2 - fix: input validation of request paramteres in account login page

What's Changed

• GHSA-6w82-v552-wjw2 - fix: input validation of request paramteres in account login page
• fix: theme manager tabs not shown in 6.7 (backport: 6.7.5.x) by @shopware-octo-sts-app[bot] in #13786

Full Changelog: v6.7.5.0...v6.7.5.1

Features

Tax Calculation Logic

The tax-free detection logic if the cart changed to handle B2B and B2C customers separately.
Previously, enabling "Tax-free for B2C" in the country settings also affected B2B customers.
Now, tax rules are applied correctly based on the customer type.

Robots.txt configuration

The rendering of the robots.txt file has been changed to support custom User-agent blocks and the full robots.txt standard.
For a detailed guide on how to use the new features and extend the functionality, please refer to our documentation guide Extend robots.txt configuration.

Scheduled Task for cleaning up corrupted media entries

A new scheduled task media.cleanup_corrupted_media has been introduced.
It detects and removes corrupted media records, such as entries created by interrupted or failed file uploads that have no corresponding file on the filesystem.

API

Add the possibility to specify indexer in context

When you want to specify which indexer should run, you can add the EntityIndexerRegistry::EXTENSION_INDEXER_ONLY extension to the context as follows:

$context->addExtension(EntityIndexerRegistry::EXTENSION_INDEXER_ONLY,
    new ArrayEntity([
        ProductIndexer::STOCK_UPDATER // Only execute STOCK_UPDATER.
    ]),
);

When making a call to the Sync API, specify the required indexer in the header:

curl -X POST "http://localhost:8000/api/_action/sync" \
-H "indexing-only: product.stock" \
#...

Core

Improved Store API OpenAPI documentation with field descriptions

The OpenAPI schema generator for Store API endpoints now includes descriptions for entity fields, making it easier for developers to understand the available fields and their purposes.

Additionally, available associations for each entity are now automatically listed in the OpenAPI operation descriptions, showing developers which relationships can be loaded.

To add descriptions to fields in your custom entity definitions, use the setDescription() method:

(new ManyToOneAssociationField('group', 'customer_group_id',
    CustomerGroupDefinition::class, 'id', false))
    ->addFlags(new ApiAware())
    ->setDescription('Customer group determining pricing and permissions')

Allow overwriting Doctrine wrapperClass on Primary/Replica setups

It's now possible to overwrite the wrapperClass of the Doctrine\DBAL\Connection instance.
This is useful if you want to use e.g. Doctrine MySQL Comeback to automatically reconnect if the MySQL connection is lost.

composer require facile-it/doctrine-mysql-come-back ^3.0

Then specify the wrapperClass in the .env file:

DATABASE_URL=mysql://root:root@database/shopware?driverOptions[x_reconnect_attempts]=5&wrapperClass=Facile\DoctrineMySQLComeBack\Doctrine\DBAL\Connection

Robots.txt parsing

A new Shopware\Storefront\Page\Robots\Parser\RobotsDirectiveParser has been introduced to parse robots.txt files. This new service provides improved error tracking and adds new events for better extensibility.
As part of this change, the constructor for Shopware\Storefront\Page\Robots\Struct\DomainRuleStruct is now deprecated for string parameters. You should use the new parser to create a ParsedRobots object to pass to the constructor instead.

new JWT helper

Added new Shopware\Core\Framework\JWT\SalesChannel\JWTGenerator and Shopware\Core\Framework\JWT\Struct\JWTStruct to build general structure for encoding and decoding JWT.

Added PHP 8.5 polyfill

The new dependency symfony/polyfill-php85 was added, to make it possible to already use PHP 8.5 features, like array_first and array_last

Removal of old changelog handling

As we changed how we process and generate changelogs the "old" changelog files are no longer needed.
Therefore, we removed all the internal code used to generate and validate them.
The whole Shopware\Core\Framework\Changelog namespace was removed.
The code is not needed anymore, you should adjust the RELEASE_INFO and UPGRADE files manually instead.

Deprecated the \Shopware\Core\Framework\Test\TestCaseHelper\ReflectionHelper

Refection has significantly improved in particular since PHP 8.1, therefore the Shopware\Core\Framework\Test\TestCaseHelper\ReflectionHelper was deprecated and will be removed in the next major release.
See below for the explicit replacements:

- $property = ReflectionHelper->getProperty(MyClass::class, 'myProperty');
+ $property = \ReflectionProperty(MyClass::class, 'myProperty');

- $method = ReflectionHelper->getMethod(MyClass::class, 'myMethod');
+ $method = \ReflectionMethod(MyClass::class, 'myMethod');

- $propertyValue = ReflectionHelper->getPropertyValue($object, 'myProperty');
+ $propertyValue = \ReflectionProperty(MyClass::class, 'myProperty')->getValue($object);

- $fileName = ReflectionHelper->getFileName(MyClass::class);
+ $fileName = \ReflectionClass(MyClass::class)->getFileName();

New constraint to check for existing routes

The new constraint \Shopware\Core\Framework\Routing\Validation\Constraint\RouteNotBlocked checks if a route is available or already taken by another part of the application.

Multiple payment finalize calls allowed

With the feature flag REPEATED_PAYMENT_FINALIZE, the /payment-finalize endpoint can now be called multiple times using the same payment token.
This behaviour will be the default in the next major release.
If the token has already been consumed, the user will be redirected directly to the finish page instead of triggering a PaymentException.
To support this behavior, a new consumed flag has been added to the payment token struct, which indicates if the token has already been processed.
Payment tokens are no longer deleted immediately after use. A new scheduled task automatically removes expired tokens to keep the payment_token table clean.

Added sanitized HTML tag support for app snippets

Added sanitized HTML tag support for app snippets. App developers can now use HTML tags for better formatting within their snippets. The sanitizing uses the basic set of allowed HTML tags from the html_sanitizer config, ensuring that security-related tags such as script are automatically removed.

App custom entity association handling

The behaviour creating associations with custom entities in apps changed.
Now an exception will be thrown if the referenced table does not exist, instead of creating a reference to the non-existing table.

To allow the schema updater to skip creating associations if the referenced table does not exist, improving flexibility and robustness during schema updates, a new optional attribute ignore-missing-reference was added to association types (one-to-one, one-to-many, many-to-one, many-to-many).

Example usage:

<one-to-many name="custom_entity" reference="quote_comment" ignore-missing-reference="true" store-api-aware="false" on-delete="set-null" />

Translatable product manufacturer links

The link property of the product manufacturer entity is now translatable.

Administration

URL restrictions for product and category SEO URLs

When creating a SEO URL for a product or category, the URL is now checked for availability. Before it was possible to override existing URLs like account or maintenance with SEO URLs. Existing URLs are now blocked to be used as SEO URLs.

Refactor filters for the newsletter recipients list.

We now use the <mt-select> instead administration/src/module/sw-newsletter-recipient/component/sw-newsletter-recipient-filter-switch.
Because of that, we deprecate these twig blocks:

• sw_newsletter_recipient_list_sidebar_filter_status_not_set
• sw_newsletter_recipient_list_sidebar_filter_status_direct
• sw_newsletter_recipient_list_sidebar_filter_status_opt_in
• sw_newsletter_recipient_list_sidebar_filter_status_opt_out

These blocks will be removed in v6.8.0.0 without replacement. Use the parent blocks instead.
We also deprecate
administration/src/module/sw-newsletter-recipient/component/sw-newsletter-recipient-filter-switch which will be removed with v6.8.0.0 and
administration/src/module/sw-newsletter-recipient/page/sw-newsletter-recipient-list/index.js which will be private in v6.8.0.0.

Storefront

Language selector twig blocks

New extensible Twig blocks layout_header_actions_language_widget_content_inner and layout_header_actions_languages_widget_form_items_flag_inner have been added to the language selector to allow custom flag implementations.

context.token is no longer available in twig rendering context

The context.token variable is no longer available in twig rendering context to prevent potential security vulnerabilities. If you need to access the token, consider using alternative methods that do not expose it in the rendered HTML.
Usually inside the Twig storefront there is no need to handle the context token manually, as it is handled automatically via the session handling in the Storefront.

Added specific add-product-by-number template

The page_checkout_cart_add_product* blocks inside @Storefront/storefront/page/checkout/cart/index.html.twig are deprecated and a new template @Storefront/storefront/component/checkout/add-product-by-number.html.twig was added.

Instead of overwriting any of the page_checkout_cart_add_product* blocks inside @Storefront/storefront/page/checkout/cart/index.html.twig,
extend the new @Storefront/storefront/component/checkout/add-product-by-number.html.twig file using the same blocks.

Change:

{% sw_extends '@Storefront/storefron...

See the UPGRADE.md for all important technical changes.

• #13416 - Improve shop id verification when used with atomic deployments
• #13305 - Fix positioning of partial review stars
• #13387 - Add missing system services (Storefront Analytics / Google Analytics)
• #13434 - Fix: blocked shipping method not switched
• #13321 - Fix: changing the default address during guest checkout results in a 403 Forbidden error

See the UPGRADE.md for all important technical changes.

• GHSA-2w46-vq8h-98vh - fix: password recovery not expiring on email change

See the UPGRADE.md for all important technical changes.

• GHSA-2w46-vq8h-98vh - fix: password recovery not expiring on email change

See the UPGRADE.md for all important technical changes.

• #12145 - Add custom action in media sidebar
• #12165 - Fix vite bundling for Symfony bundles
• #12233 - Allow granular inheritance for slot_config overrides
• #12349 - Fix plugin config default values
• #12498 - Update health check API
• #12672 - Improve error output of app loader in CI environment
• #12723 - Remove not needed shipping detail admin SCSS @aragon999
• #12724 - Properly define the padding of the admin modal @aragon999
• #12755 - Do not use the Symfony validator to validate the honeypot captcha @aragon999
• #12756 - Fix Cache Cookie Handling to prevent cache poisoning
• #12808 - Add gitignore when creating a plugin @wannevancamp
• #12832 - Fix deletion and sorting of log events listing in the administration
• #12833 - Fix proper display of the administrator switch in the user create @wannevancamp
• #12834 - Fix media search navigation
• #12835 - Replace latest sw-switch-field component with bool input @wannevancamp
• #12836 - Fix SalesChannelContext::state to reset to previous state @JoshuaBehrens
• #12837 - Add more Twig blocks to product box to reduce amount of code to be copied over @JoshuaBehrens
• #12839 - Add option for FormAutoSubmit to trigger form validation @JoshuaBehrens
• #12865 - Add aria-label to CMS image link @lacknere
• #12869 - Improve shipping and payment cart blocking errors @gecolay
• #12892 - Improved error handling when a sales channel cannot be deleted because it is still assigned to other entities
• #12925 - Add product available sorting criteria option @lacknere
• #12932 - Only consider filterable discount packages @aragon999
• #12947 - Improve SCSS color validation
• #12986 - Fix sidebar width persistence issue when collapsed through button
• #13007 - Add message queue message size limit config option @gecolay
• #13011 - Add admin notification transformers
• #13070 - Add possibility to set fetchpriority="high" on cms image elements @aragon999
• #13082 - Add events when fetching entities for the sitemap @aragon999
• #13087 - Fix IAP decoding with old OpenSSL versions
• #13091 - Replace $result type with native CmsPageCollection type in the CmsPageLoadedEvent @aragon999
• #13094 - Fixed 3D light intensity
• #13146 - Fix webhook cleanup for queued webhook event logs
• #13156 - Fix flaky storefront test for active route parameters
• #13161 - Respect the COMPOSER_PLUGIN_LOADER environment variable in the bin/shopware cli command @aragon999
• #13177 - Only display last search index date
• 12292 - Fix issue with loading seo url preview
• 12411 - Load product streams over opensearch
• 12783 - Search result should include products when parent product number matches
• 12805 - Clearance sale (stock handling) is ignored as soon as a product is in the cart
• 13127 - Fix cookie offcanvas link not working when opened from navigation offcanvas
• 4307 - Fix Google Consent Mode v2 default and update implementation
• 9451 - Google reCAPTCHA loading only if cookie accepted
• 9451 - Interactive offcanvas cookies
• https://github.com/shopware/shopware/issues/12823 - Fix session locking during kernel reboot on plugin state change
• https://github.com/shopware/shopware/issues/6409 - Separate Vimeo and YouTube cookie consent
• https://github.com/shopware/shopware/pull/13079 - Fix CacheClearer global locking

See the UPGRADE.md for all important technical changes.

• #11055 - Add global styling for blockquotes
• #11215 - Restore ResetInterface support in long-running runtimes @mateuszfl
• #11484 - Don't check for canonical SEO Urls when no path info given during SEO URL creation @M-arcus
• #11580 - Increased minimum required version of MySQL database
• #11580 - Symfony components updated
• #11766 - Fix boolean fields in theme config
• #11803 - Fix advanced prices for fixed item price discount
• #11823 - optimize fetching product properties
• #11830 - Fix display of line item taxes with tax provider
• #11838 - Fix recursive cart lock usage
• #11839 - Fix duplicate address display in sw-order-detail
• #11855 - Fix removal of composer plugins
• #11967 - Fix zoom functionality to prevent a large window
• #12029 - Fix custom fields with same names as foreign keys
• #12209 - Allow docx file extension
• #12225 - Fix invoice empty pages @lacknere
• #12464 - Fix initialization of DiscountCampaignStruct and add additional properties
• #12756 - Fix Cache Cookie Handling to prevent cache poisoning
• #7156 - Fix API aware flag for proxied requests
• #7238 - Update SwitchContextEvent @PheysX
• #10707 - Fix Elasticsearch Datetime format
• #11001 - Show relevant products without previews when searching @tinect
• #11074 - Fix admin es search for document number does not return any result
• #11097 - Fix wrong customer context on login if entry from sales_channel_api_context is expired
• #11528 - Show correct exception when updating an entity with a foreign key constraint fails
• #11550 - Fix inconsistent seoUrls for cross-selling products
• #11619 - Fix SeoUrl generate database-error when the url changes
• #11654 - Fixing document squished line item listing
• #11800 - fix overwrite slot config
• #8018 - Move Search config loader class to Core bundle
• #8018 - Use minimal search term length in config tables
• #8584 - Error when trying to remove "Main category" for product
• #12979 - compatibility with OpenSearch 3.x