Upgrading to 1.1.24
1.1.24 is a small maintenance release.
When updating the Hyvä Theme to version 1.1.24, always update the hyva-themes/magento2-theme-module package to the latest version as well.
Even if you are not updating the Default Theme to 1.1.24, it should always be safe to update the Hyva_Theme module to the latest version (package hyva-themes/magento2-theme-module).
Upgraded npm package
After updating, please also update the npm dependencies by running this command in your theme's web/tailwind/ folder:
Security Fix
This release fixes a security-related issue reported by Aad Mathijssen (IO).
The form on the contact-us page is pre-populated for logged-in customers.
However, previously the contact-us page was cached in the full-page cache.
If the cache record happened to be generated by a logged-in customer, the pre-filled values were visible to subsequent visitors.
Manual Hotfix
If you are unable to upgrade immediately, please apply a hot-fix to your theme:
Add the cacheable="false" attribute to the contactForm block in Magento_Contact/layout/contact_index_index.xml.
<block class="Magento\Contact\Block\ContactForm" name="contactForm" template="Magento_Contact::form.phtml" cacheable="false">
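To confirm that the hotfix is present in every theme that overrides the contact layout, the following added example (not part of the Hyvä code base) scans a design directory for Magento_Contact/layout/contact_index_index.xml files and reports whether each contactForm block carries cacheable="false". The function names, the sample layout and the directory argument are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample layout (not copied from a Hyvä theme), without the hotfix.
UNPATCHED = """<page>
  <body>
    <referenceContainer name="content">
      <block class="Magento\\Contact\\Block\\ContactForm" name="contactForm"
             template="Magento_Contact::form.phtml"/>
    </referenceContainer>
  </body>
</page>"""
# The same layout with the hotfix attribute from this page applied.
PATCHED = UNPATCHED.replace('name="contactForm"', 'name="contactForm" cacheable="false"')

# Relative location of the layout file named in the hotfix, at any depth.
LAYOUT_GLOB = "**/Magento_Contact/layout/contact_index_index.xml"


def contact_form_blocks(layout_xml, block_name="contactForm"):
    """Return (cacheable_value, hotfixed) for each <block> named block_name."""
    root = ET.fromstring(layout_xml)
    return [
        (block.get("cacheable"), block.get("cacheable") == "false")
        for block in root.iter("block")
        if block.get("name") == block_name
    ]


def audit(design_dir):
    """Map each contact layout override under design_dir to its status."""
    report = {}
    for path in sorted(Path(design_dir).glob(LAYOUT_GLOB)):
        try:
            blocks = contact_form_blocks(path.read_text(encoding="utf-8"))
        except ET.ParseError:
            report[str(path)] = "unparseable"
            continue
        if not blocks:
            report[str(path)] = "no contactForm block declared"
        elif all(hotfixed for _, hotfixed in blocks):
            report[str(path)] = "hotfixed"
        else:
            report[str(path)] = "MISSING cacheable=false"
    return report


if __name__ == "__main__":
    for path, status in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status}: {path}")
```

A file reported as declaring no contactForm block does not define the block itself, so its caching behaviour comes from the parent theme or module layout and has to be checked there.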
Better Varnish ESI caching
In older releases, the desktop and mobile top-menu blocks are flushed from the full-page cache more often than necessary.
This issue is fixed in the default theme after the update, but if the Magento_Theme/templates/html/header/menu/desktop.phtml or Magento_Theme/templates/html/header/menu/mobile.phtml templates are overridden in a custom theme, a one-line change has to be applied to benefit from the fix as well.
Without this change, the templates continue to work, but the issue remains.
The required change is only one line. Previously, this code could be found in the template:
The $block should now be passed as a second argument to the require function, like this:
For more information, please check the view mode registry documentation.
Noteworthy changes
This release upgrades Alpine.js from 3.10.4 to 3.12.3.
Also, the hyva-themes/magento2-reset-theme version constraint is raised to >=1.1.4.
For more details please refer to the changelog.
Backward incompatible changes
There are no backward incompatible changes in release 1.1.24.
Changelogs
Changelogs are available from the CHANGELOG.md in the codebase, or here:
Known Issues
- In the template processor plugin, a regular expression to match Alpine attributes is too loose and can accidentally match emails in links or HTML comments containing an @ symbol. See gitlab.hyva.io/hyva-themes/magento2-theme-module/-/issues/291 for more information.
Please check the GitLab issue tracker for the default-theme and the theme-module for known issues.