Adobe Commerce (Magento) 2.4.6-p3 Update

In case you are looking to update to the latest Adobe Commerce (Magento) version, I highly encourage you to do so.

With the latest release, your e-commerce store gets security and performance fixes, which is good for its overall stability and user experience.

Adobe has released the new 2.4.6-p3 version of the Adobe Commerce (Magento) platform. The release includes 10 security fixes that enhance the security of an Adobe Commerce 2.4.6 or Magento Open Source 2.4.6 deployment. It also provides fixes for vulnerabilities that have been identified in previous releases.

Preconditions

We have a Magento 2 Open Source project that runs Magento Open Source 2.4.6-p1. Since the website runs on PHP 8.1 and Magento Open Source 2.4.6-p3 supports both PHP 8.1 and PHP 8.2, we decided to go ahead with the upgrade and stay on PHP 8.1. The PHP upgrade to version 8.2 can happen in the next iteration. This is a recommended approach: changing one thing at a time minimizes time and deployment risk if there is an incompatibility with a third-party extension or a custom Adobe Commerce (Magento) module.

Make sure to perform the update on your local environment before making any changes on a production server.

Composer Update Command

Run the command below to update the magento/product-community-edition dependency to the latest 2.4.6-p3 version. The -W flag (short for --with-all-dependencies) allows Composer to update the main package together with its dependencies. Without this flag, your Adobe Commerce (Magento) installation won't update correctly.

composer update magento/product-community-edition:2.4.6-p3 -W

Composer may require you to add a token if you use GitHub.

Depending on the version you are upgrading from, you should see the Magento packages being updated:

...
  - Upgrading magento/framework (103.0.6-p1 => 103.0.6-p3): Extracting archive
  - Upgrading magento/module-sales (103.0.6-p1 => 103.0.6-p3): Extracting archive
  - Upgrading magento/module-tax (100.4.6 => 100.4.6-p2): Extracting archive
  - Upgrading magento/module-shipping (100.4.6 => 100.4.6-p3): Extracting archive
  - Upgrading magento/module-customer (103.0.6-p1 => 103.0.6-p3): Extracting archive
  - Upgrading magento/module-url-rewrite (102.0.5 => 102.0.5-p3): Extracting archive
  - Upgrading magento/module-cms (104.0.6 => 104.0.6-p2): Extracting archive
  - Upgrading magento/module-catalog (104.0.6-p1 => 104.0.6-p3): Extracting archive
  - Upgrading magento/module-catalog-inventory (100.4.6 => 100.4.6-p2): Extracting archive
  - Upgrading magento/module-page-cache (100.4.6 => 100.4.6-p3): Extracting archive
  - Upgrading magento/module-checkout (100.4.6-p1 => 100.4.6-p3): Extracting archive
  - Upgrading magento/module-downloadable (100.4.6 => 100.4.6-p3): Extracting archive
  - Upgrading magento/module-catalog-rule (101.2.6 => 101.2.6-p2): Extracting archive
  - Upgrading magento/module-sales-rule (101.2.6 => 101.2.6-p2): Extracting archive
  - Upgrading magento/module-newsletter (100.4.6 => 100.4.6-p2): Extracting archive
  - Upgrading magento/module-reports (100.4.6-p1 => 100.4.6-p2): Extracting archive
  - Upgrading magento/module-captcha (100.4.6-p1 => 100.4.6-p2): Extracting archive
  - Upgrading magento/module-bundle (101.0.6-p1 => 101.0.6-p2): Extracting archive
...
  - Upgrading magento/module-adobe-stock-image-admin-ui (1.3.4 => 1.3.4-p3): Extracting archive
  - Upgrading magento/module-page-builder (2.2.4 => 2.2.4-p3): Extracting archive
  - Upgrading magento/module-inventory-configurable-product-frontend-ui (1.0.4 => 1.0.4-p2): Extracting archive
  - Upgrading magento/module-inventory-admin-ui (1.2.4 => 1.2.4-p2): Extracting archive
  - Upgrading magento/module-inventory-in-store-pickup-admin-ui (1.1.3 => 1.1.3-p2): Extracting archive
  - Upgrading magento/module-inventory-in-store-pickup-frontend (1.1.4 => 1.1.4-p2): Extracting archive
  - Upgrading magento/module-inventory-sales-admin-ui (1.2.4 => 1.2.4-p2): Extracting archive
  - Upgrading magento/module-inventory-swatches-frontend-ui (1.0.2 => 1.0.2-p2): Extracting archive
...
  - Upgrading magento/module-paypal (101.0.6 => 101.0.6-p2): Extracting archive
  - Upgrading magento/module-checkout-agreements (100.4.5 => 100.4.5-p2): Extracting archive
...
  - Upgrading magento/security-package (1.1.5-p1 => 1.1.5-p3)
  - Upgrading magento/page-builder (1.7.3-p1 => 1.7.3-p3)
  - Upgrading magento/module-usps (100.4.5-p1 => 100.4.5-p3): Extracting archive
  - Upgrading magento/module-persistent (100.4.6 => 100.4.6-p3): Extracting archive
  - Upgrading magento/module-marketplace (100.4.4 => 100.4.4-p2): Extracting archive
  - Upgrading magento/module-login-as-customer (100.4.6 => 100.4.6-p2): Extracting archive
  - Upgrading magento/module-currency-symbol (100.4.4 => 100.4.4-p3): Extracting archive
...
  - Upgrading magento/magento2-base (2.4.6-p1 => 2.4.6-p3): Extracting archive
  - Upgrading magento/inventory-metapackage (1.2.6-p1 => 1.2.6-p3)
  - Upgrading magento/adobe-stock-integration (2.1.5-p1 => 2.1.5-p3)
...
  - Upgrading magento/product-community-edition (2.4.6-p1 => 2.4.6-p3)
...

Make sure to run the setup:upgrade Magento CLI command, so the changes in the database schema are reflected after the Adobe Commerce (Magento) 2.4.6-p3 upgrade.

bin/magento setup:upgrade

Known Issue with the Adobe Commerce (Magento) 2.4.6-p3 Release

A wrong-checksum error can be displayed while Composer downloads packages from repo.magento.com, and the package download is interrupted. This issue can occur during the download of release packages that were made available during prerelease, and it is caused by a repackaging of the magento/module-page-cache package.
To work around it, follow these steps:

  1. Delete the /vendor directory inside the project, if one exists.
  2. Run the bin/magento composer update magento/module-page-cache command. This command updates only the page cache package.
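
A post-upgrade check, added here as an example (it is not from the original article or from Adobe): it reads composer.lock and reports any key package from the Composer output above that is not pinned to its 2.4.6-p3 version, for instance magento/module-page-cache after an interrupted download. The function names and the sample lock file are constructed for illustration.

```python
import json
import re

# Key packages and target versions, taken from the Composer output above.
EXPECTED = {
    "magento/product-community-edition": "2.4.6-p3",
    "magento/magento2-base": "2.4.6-p3",
    "magento/framework": "103.0.6-p3",
    "magento/security-package": "1.1.5-p3",
    "magento/module-page-cache": "100.4.6-p3",
}

UPGRADE_LINE = re.compile(r"^\s*- Upgrading (\S+) \((\S+) => (\S+)\)")


def expected_from_log(composer_output):
    """Build {package: new_version} from the 'Upgrading' lines of a saved run."""
    expected = {}
    for line in composer_output.splitlines():
        match = UPGRADE_LINE.match(line)
        if match:
            expected[match.group(1)] = match.group(3)
    return expected


def check_lock(lock_text, expected=EXPECTED):
    """Return one message per package that composer.lock lacks or pins elsewhere."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    locked = {entry["name"]: entry["version"] for entry in entries}
    problems = []
    for name, want in sorted(expected.items()):
        have = locked.get(name)
        if have is None:
            problems.append(f"{name}: not in composer.lock")
        elif have != want:
            problems.append(f"{name}: locked at {have}, expected {want}")
    return problems


# Constructed sample: every key package updated except module-page-cache.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": name, "version": "100.4.6" if name.endswith("page-cache") else version}
    for name, version in EXPECTED.items()
]})

if __name__ == "__main__":
    # On a real project: check_lock(open("composer.lock").read())
    print("\n".join(check_lock(SAMPLE_LOCK)) or "all key packages at 2.4.6-p3 versions")
```

Passing expected_from_log() the saved output of a staging run as the second argument checks another environment's composer.lock against exactly what that run installed.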

Security Vulnerability Details

The Adobe Commerce (Magento) 2.4.6-p3 release addresses the following categories of security vulnerabilities:

  1. Improper Input Validation (CWE-20)
  2. Cross-site Scripting (Stored XSS) (CWE-79)
  3. Improper Authorization (CWE-285)
  4. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
  5. Information Exposure (CWE-200)
  6. Uncontrolled Resource Consumption (CWE-400)
  7. Server-Side Request Forgery (SSRF) (CWE-918)