Update from v4.6.x to v4.6.latest

Update the application

Note which version you actually have before starting.

First, run the commands that match your product edition:

For ibexa/headless:

composer require ibexa/headless:4.6.21 --with-all-dependencies --no-scripts
composer recipes:install ibexa/headless --force -v

For ibexa/experience:

composer require ibexa/experience:4.6.21 --with-all-dependencies --no-scripts
composer recipes:install ibexa/experience --force -v

For ibexa/commerce:

composer require ibexa/commerce:4.6.21 --with-all-dependencies --no-scripts
composer recipes:install ibexa/commerce --force -v

Then execute the instructions below starting from the version you're upgrading from.

v4.6.1

No additional steps needed.

v4.6.2

Database update

Run the following scripts:

MySQL (the client prompts for the password):

mysql -u <username> -p <database_name> < vendor/ibexa/installer/upgrade/db/mysql/ibexa-4.6.1-to-4.6.2.sql

PostgreSQL:

psql <database_name> < vendor/ibexa/installer/upgrade/db/postgresql/ibexa-4.6.1-to-4.6.2.sql

v4.6.3

Notification config update

The configuration of the package ibexa/notifications has changed. This package is required by other packages, such as ibexa/connector-actito for Transactional emails, ibexa/payment, or ibexa/user.

If you are customizing the configuration of the ibexa/notifications package, and using SiteAccess aware configuration to change the Notification subscriptions, you have to manually change your configuration by using the new node name notifier instead of the old notifications.

For example, the following v4.6.2 config:

ibexa:
    system:
        my_siteacces_name:
            notifications: # old
                subscriptions:
                    Ibexa\Contracts\Shipping\Notification\ShipmentStatusChange:
                        channels:
                            - sms

becomes the following from v4.6.3:

ibexa:
    system:
        my_siteacces_name:
            notifier: # new
                subscriptions:
                    Ibexa\Contracts\Shipping\Notification\ShipmentStatusChange:
                        channels:
                            - sms

v4.6.4

Database update

Run the following scripts:

MySQL (the client prompts for the password):

mysql -u <username> -p <database_name> < vendor/ibexa/installer/upgrade/db/mysql/ibexa-4.6.3-to-4.6.4.sql

PostgreSQL:

psql <database_name> < vendor/ibexa/installer/upgrade/db/postgresql/ibexa-4.6.3-to-4.6.4.sql

v4.6.5

No additional steps needed.

v4.6.6

No additional steps needed.

v4.6.7

No additional steps needed.

v4.6.8

To avoid deprecations when updating from an older PHP version to PHP 8.2 or 8.3, run the following commands:

composer config extra.runtime.error_handler "\\Ibexa\\Contracts\\Core\\MVC\\Symfony\\ErrorHandler\\Php82HideDeprecationsErrorHandler"
composer dump-autoload

v4.6.9

No additional steps needed.

v4.6.10

No additional steps needed.

v4.6.11

Ibexa Cloud

Update Platform.sh configuration for PHP and Varnish.

Generate new configuration with the following command:

composer ibexa:setup --platformsh

Review the changes applied to .platform.app.yaml and .platform/, merge with your custom settings if needed, and commit them to Git.

v4.6.12

If the new bundle ibexa/core-search has not been added by the recipes, enable it by adding the following line in config/bundles.php:

    Ibexa\Bundle\CoreSearch\IbexaCoreSearchBundle::class => ['all' => true],

v4.6.13

This release comes with a command to clean up duplicated entries in the ezcontentobject_attribute table, which were created due to an issue described in IBX-8562.

If you're affected, remove the duplicated entries by running the following command:

php bin/console ibexa:content:remove-duplicate-fields

Caution

Back up the database before running the command in a production environment.

You can customize the behavior of the command with the following options:

  • --batch-size or -b - number of attributes affected per iteration. Default value = 10000.
  • --max-iterations or -i - maximum iterations count. Default value = -1 (unlimited).
  • --sleep or -s - wait time between iterations, in milliseconds. Default value = 0.

v4.6.14

Security

This release contains security fixes. For more information, see the published security advisory. For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action, for example by revoking passwords for all affected users.

BREACH vulnerability

The BREACH attack is a security vulnerability against HTTPS when using HTTP compression.

If you're using Varnish, update the VCL configuration to stop compressing both the Ibexa DXP's REST API and JSON responses from your backend. Fastly users are not affected.

Update Platform.sh configuration and scripts.

Generate new configuration with the following command:

composer ibexa:setup --platformsh

Review the changes, merge with your custom settings if needed, and commit them to Git before deployment.

If you're using Varnish 6, update your VCL file to align it with the vendor/ibexa/http-cache/docs/varnish/vcl/varnish6.vcl file.

If you're using Varnish 7, update your VCL file to align it with the vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl file.

If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content-Type in the web server configuration. For more information, see the updated Apache and nginx template configuration.
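
A post-update check for the compression change described above, added here as an example and not taken from the Ibexa documentation: the function reads the response headers of a request sent with Accept-Encoding: gzip and reports whether a JSON response is still served compressed. The sample header sets are constructed, and treating application/json plus any media type ending in +json as in scope is an assumption.

```shell
#!/bin/sh
# Added example, not from the Ibexa documentation.
# breach_check reads raw HTTP response headers on stdin, for example from
#   curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' <url>
# and prints one verdict:
#   compressed-json    JSON sent with a Content-Encoding (compression still on)
#   uncompressed-json  JSON sent without compression (expected after the update)
#   not-json           another content type, outside the scope of this check
# Assumption: "JSON" means application/json or any media type ending in +json.
breach_check() {
    tr -d '\r' | awk '
        {
            line = tolower($0)
            if (line ~ /^http\//) {            # status line: new response, reset
                ctype = ""; cenc = ""
            } else if (line ~ /^content-type:/) {
                sub(/^content-type:[ \t]*/, "", line); ctype = line
            } else if (line ~ /^content-encoding:/) {
                sub(/^content-encoding:[ \t]*/, "", line); cenc = line
            }
        }
        END {
            sub(/[ \t]*;.*$/, "", ctype)       # drop parameters such as charset
            if (ctype != "application/json" && ctype !~ /\+json$/) print "not-json"
            else if (cenc ~ /gzip|br|deflate|zstd/) print "compressed-json"
            else print "uncompressed-json"
        }'
}

# Constructed sample header sets (not captured from a real installation).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/vnd.example.Root+json\r\nContent-Encoding: gzip\r\nVary: Accept-Encoding\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n\r\n'
}
sample_html() {
    printf 'HTTP/2 200\r\ncontent-type: text/html; charset=UTF-8\r\ncontent-encoding: gzip\r\n\r\n'
}

for s in sample_before sample_after sample_html; do
    printf '%s: %s\n' "$s" "$("$s" | breach_check)"
done
```

Run it against one REST API URL and one regular page of your own installation. A compressed-json verdict after the update means the VCL or web server change has not taken effect.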

XSS in Content name pattern

There are no additional update steps to execute.

Outdated version of jQuery in ibexa/commerce-shop package

Only users of the old Commerce solution are affected. There are no additional update steps to execute.

Other changes

Disable translations of identifiers in Product Catalog's categories

The possibility of translating identifiers and parent information for the Categories in Product Catalog might lead to data consistency issues.

Disable it by running the following migration:

php bin/console ibexa:migrations:import vendor/ibexa/product-catalog/src/bundle/Resources/migrations/2024_07_25_07_00_non_translatable_product_categories.yaml --name=2024_07_25_07_00_non_translatable_product_categories.yaml
php bin/console ibexa:migrations:migrate --file=2024_07_25_07_00_non_translatable_product_categories.yaml

Update web server configuration

Adjust the web server configuration to prevent direct access to the index.php file when using URLs consisting of multiple path segments.

See the updated Apache and nginx template files for more information.

v4.6.15

Removed symfony/orm-pack and symfony/serializer-pack dependencies

This release no longer directly requires the symfony/orm-pack and symfony/serializer-pack Composer dependencies, which can remove some dependencies from your project during the update process.

If you rely on them in your project, for example by using Symfony's ObjectNormalizer to create your own REST endpoints, run the following command before updating Ibexa packages:

composer require symfony/serializer-pack symfony/orm-pack

Then, verify that Symfony Flex installed the versions you were using before.

v4.6.16

No additional steps needed.

v4.6.17

Security

This release contains security fixes. For more information, see the published security advisory. For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action.

CartOwner permission limitation exposes carts

This release fixes a critical vulnerability in the REST API regarding shopping carts. There are no additional update steps to execute.

Unauthorized user can cancel scheduled publish events

This release fixes a vulnerability in publish scheduling and ensures that edit/create policies are correctly checked. There are no additional update steps to execute.

Dependency upgrades

This release upgrades the requirements for Twig to v3.19 and PHPSpreadsheet to v1.29.9, resolving several vulnerabilities of varying severity in those dependencies. There are no additional update steps to execute.

v4.6.18

No additional steps needed.

v4.6.19

Security

This release fixes a critical vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText field type's XML, the attacker could perform an attack using XML external entity (XXE) injection. To exploit this vulnerability, an attacker would need to have edit permission to content with RichText fields.

For more information, see the published security advisory IBEXA-SA-2025-002.

Evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action. There are no additional update steps to execute.

Ibexa Rector

The new Ibexa Rector package is now available. It's an optional package based on Rector and comes with additional rules for working with Ibexa code.

You can use it to get rid of PHP code deprecations and start preparing your project for the next major release.

Note

Ibexa Rector requires PHP 8.3 and you must upgrade your codebase first. To do it, you can use Rector and the existing PHP upgrade sets.

To get started with Ibexa Rector, execute the following steps:

  1. Add the Composer dependency:

    composer require --dev ibexa/rector:^4.6

  2. Adjust the created rector.php configuration file to match your project structure.

  3. Run Rector in the dry-run mode to preview the changes:

    vendor/bin/rector --dry-run

  4. Run Rector:

    vendor/bin/rector

v4.6.20

No additional steps needed.

v4.6.21

Security

This security advisory resolves XSS vulnerabilities in several parts of the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities.

For more information, see the security advisory IBEXA-SA-2025-003.

Evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action. There are no additional update steps to execute.

Database update

Run the following scripts:

MySQL (the client prompts for the password):

mysql -u <username> -p <database_name> < vendor/ibexa/installer/upgrade/db/mysql/ibexa-4.6.20-to-4.6.21.sql

PostgreSQL:

psql <database_name> < vendor/ibexa/installer/upgrade/db/postgresql/ibexa-4.6.20-to-4.6.21.sql

Notify support

Inform the support team that you have updated your installation. They update your Service portal to match the new version. This ensures that you receive notifications about new maintenance releases and security advisories for the correct version. You can contact the support team at support@ibexa.co or through your Service portal.

With the product updated to the latest version, you can now finish the update process or proceed to updating the LTS Updates packages.

LTS Updates

LTS Updates are standalone packages with their own update procedures. To use the latest features added to them, update them separately with the following commands:

For the ibexa/discounts and ibexa/discounts-codes packages, run the following command to get the latest version:

composer require ibexa/discounts:4.6.21 ibexa/discounts-codes:4.6.21

Then manually apply the changes described below.

4.6.20

Policy changes

The discount/view policy is no longer required for the store customers to use a discount and must be removed from all users who are not managing discounts. The policy grants access to all the discount details, including the coupon codes that activate them, which could lead to system abuse.

To learn more, see the discounts policies overview.

Database update

Run the following scripts:

MySQL:

CREATE TABLE ibexa_discount_code_usage (
    id INT AUTO_INCREMENT NOT NULL,
    discount_code_id INT NOT NULL,
    order_id INT NOT NULL,
    discriminator VARCHAR(10) NOT NULL,
    used_at DATETIME NOT NULL COMMENT '(DC2Type:datetime_immutable)',
    INDEX ibexa_discount_code_usage_discount_code_idx (discount_code_id),
    INDEX ibexa_discount_code_usage_order_idx (order_id),
    PRIMARY KEY(id)
) DEFAULT CHARACTER SET utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;

CREATE TABLE ibexa_discount_code_usage_email (
    id INT NOT NULL,
    user_email VARCHAR(190) DEFAULT NULL,
    INDEX ibexa_discount_code_usage_email_idx (user_email),
    UNIQUE INDEX ibexa_discount_codes_usage_email_uidx (id, user_email),
    PRIMARY KEY(id)
) DEFAULT CHARACTER SET utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;

CREATE TABLE ibexa_discount_code_usage_user (
    id INT NOT NULL,
    user_id INT DEFAULT NULL,
    INDEX ibexa_discount_code_usage_user_idx (user_id),
    UNIQUE INDEX ibexa_discount_codes_usage_user_uidx (id, user_id),
    PRIMARY KEY(id)
) DEFAULT CHARACTER SET utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;

ALTER TABLE ibexa_discount_code_usage
    ADD CONSTRAINT ibexa_discount_code_usage_code_fk FOREIGN KEY (discount_code_id)
        REFERENCES ibexa_discount_code (id) ON UPDATE CASCADE ON DELETE CASCADE;

ALTER TABLE ibexa_discount_code_usage
    ADD CONSTRAINT ibexa_discount_code_usage_order_fk FOREIGN KEY (order_id)
        REFERENCES ibexa_order (id) ON UPDATE CASCADE ON DELETE CASCADE;

ALTER TABLE ibexa_discount_code_usage_email
    ADD CONSTRAINT ibexa_discount_code_usage_email_fk FOREIGN KEY (id)
        REFERENCES ibexa_discount_code_usage (id) ON UPDATE CASCADE ON DELETE CASCADE;

ALTER TABLE ibexa_discount_code_usage_user
    ADD CONSTRAINT ibexa_discount_code_usage_user_fk FOREIGN KEY (id)
        REFERENCES ibexa_discount_code_usage (id) ON UPDATE CASCADE ON DELETE CASCADE;

ALTER TABLE ibexa_discount_code_usage_user
    ADD CONSTRAINT ibexa_discount_code_usage_user_content_fk FOREIGN KEY (user_id)
        REFERENCES ezuser (contentobject_id) ON UPDATE CASCADE ON DELETE CASCADE;

PostgreSQL:

CREATE TABLE ibexa_discount_code_usage
(
    id SERIAL NOT NULL,
    discount_code_id INT NOT NULL,
    order_id INT NOT NULL,
    discriminator VARCHAR(10) NOT NULL,
    used_at TIMESTAMP(0) WITHOUT TIME ZONE NOT NULL,
    PRIMARY KEY(id)
);

CREATE INDEX ibexa_discount_code_usage_discount_code_idx
    ON ibexa_discount_code_usage (discount_code_id);

CREATE INDEX ibexa_discount_code_usage_order_idx
    ON ibexa_discount_code_usage (order_id);

COMMENT ON COLUMN ibexa_discount_code_usage.used_at IS '(DC2Type:datetime_immutable)';

CREATE TABLE ibexa_discount_code_usage_email (
    id INT NOT NULL,
    user_email VARCHAR(190) DEFAULT NULL,
    PRIMARY KEY(id)
);

CREATE INDEX ibexa_discount_code_usage_email_idx
    ON ibexa_discount_code_usage_email (user_email);

CREATE UNIQUE INDEX ibexa_discount_codes_usage_email_uidx
    ON ibexa_discount_code_usage_email (id, user_email);

CREATE TABLE ibexa_discount_code_usage_user
(
    id INT NOT NULL,
    user_id INT DEFAULT NULL,
    PRIMARY KEY(id)
);

CREATE INDEX ibexa_discount_code_usage_user_idx
    ON ibexa_discount_code_usage_user (user_id);

CREATE UNIQUE INDEX ibexa_discount_codes_usage_user_uidx
    ON ibexa_discount_code_usage_user (id, user_id);

ALTER TABLE ibexa_discount_code_usage
    ADD CONSTRAINT ibexa_discount_code_usage_code_fk FOREIGN KEY (discount_code_id)
        REFERENCES ibexa_discount_code (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;

ALTER TABLE ibexa_discount_code_usage
    ADD CONSTRAINT ibexa_discount_code_usage_order_fk FOREIGN KEY (order_id)
        REFERENCES ibexa_order (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;

ALTER TABLE ibexa_discount_code_usage_email
    ADD CONSTRAINT ibexa_discount_code_usage_email_fk FOREIGN KEY (id)
        REFERENCES ibexa_discount_code_usage (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;

ALTER TABLE ibexa_discount_code_usage_user
    ADD CONSTRAINT ibexa_discount_code_usage_user_fk FOREIGN KEY (id)
        REFERENCES ibexa_discount_code_usage (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;

ALTER TABLE ibexa_discount_code_usage_user
    ADD CONSTRAINT ibexa_discount_code_usage_user_content_fk FOREIGN KEY (user_id)
        REFERENCES ezuser (contentobject_id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;

For the ibexa/connector-ai and ibexa/connector-openai packages, run the following command to get the latest version:

composer require ibexa/connector-ai:4.6.21 ibexa/connector-openai:4.6.21

For the ibexa/product-catalog-date-time-attribute package, run the following command to get the latest version:

composer require ibexa/product-catalog-date-time-attribute:4.6.21