Adobe Commerce 2.4.4: PHP 8.1, OpenSearch, Security

A landmark release: mandatory PHP 8.1, OpenSearch by default, deep security hardening, and AsyncOrder for large-scale performance.


Released on 12 April 2022, Adobe Commerce 2.4.4 established a new technical baseline. It mandated PHP 8.1, introduced official OpenSearch support and delivered significant security hardening — the kind of architectural work that makes future upgrades and features possible.

Security first: 2.4.4 removed the legacy email variable syntax (deprecated since 2.3.4), disabled the use of integration tokens for Bearer auth by default, encrypted OAuth access tokens and password reset tokens in the database, and — critically — stopped storing session IDs in the database. These changes close off entire classes of attack and reduce the blast radius of incidents.
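A pre-upgrade check for the email variable change above, as an added example (not code from Adobe or from this article). It assumes the removed legacy syntax is the direct method call inside a template directive, such as `{{var order.getCustomerName()}}`, and that the strict syntax only reads data keys. The function names and the sample template are constructed for illustration.

```python
import re
from pathlib import Path

DIRECTIVE = re.compile(r"\{\{(.*?)\}\}", re.S)
QUOTED = re.compile(r"\"[^\"]*\"|'[^']*'")
# A dotted variable path followed by "(" is a method call, e.g. order.getCustomerName()
METHOD_CALL = re.compile(r"\$?[A-Za-z_]\w*(?:\.\w+)+\s*\(")


def find_legacy_directives(template_text):
    """Return (line_number, directive) for each directive that calls a method."""
    findings = []
    for m in DIRECTIVE.finditer(template_text):
        body = QUOTED.sub('""', m.group(1))  # ignore literal text inside quotes
        if METHOD_CALL.search(body):
            line = template_text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0)))
    return findings


def scan_tree(root):
    """Scan every *.html file that sits under an 'email' directory below root."""
    report = {}
    for path in Path(root).rglob("*.html"):
        if "email" in path.parts:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_legacy_directives(text)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample template (not taken from a real store).
SAMPLE = """<p>{{trans "Hello %name," name=$order.getCustomerName()}}</p>
<p>{{trans "Order #%id (placed today)" id=$order.increment_id}}</p>
<p>{{var order.getEmailCustomerNote()}}</p>
<p>{{var order_data.email_customer_note|escape|nl2br}}</p>
<a href="{{var this.getUrl($store,'customer/account/')}}">Account</a>
<a href="{{store url="customer/account/"}}">Account</a>
"""

if __name__ == "__main__":
    for line, directive in find_legacy_directives(SAMPLE):
        print(f"line {line}: {directive}")
```

`scan_tree` covers template files in themes and modules only; templates overridden through the Admin are stored in the database and need the same check run against their exported text.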

Platform modernisation: Official OpenSearch 1.2 support accompanied renewed guidance for search deployment on cloud and on‑prem. Libraries and Composer dependencies were brought forward to PHP 8.1‑compatible versions across the stack.

Performance at scale: AsyncOrder allowed the order placement workflow to run in the background, improving perceived checkout responsiveness under heavy load. Combined with PHP 8.1’s runtime gains, high‑traffic stores saw measurable wins in peak scenarios.

Why this release matters: 2.4.4 is the ‘line in the sand’ that modernises the Magento 2 codebase. Teams that adopt it (and later 2.4.6/2.4.7) benefit from a more secure platform, improved performance characteristics and a cleaner path to composable architectures powered by GraphQL.

Upgrade guidance:

  • Target environments: ensure CI and hosting images support PHP 8.1; confirm OpenSearch compatibility and memory sizing.
  • Audit VBEs: vendor‑bundled extensions were removed (except Braintree). Replace with Marketplace versions and validate support SLAs.
  • Refactor session‑dependent customisations: remove any direct DB reads of sessions; rely on platform services instead.
  • Rehearse AsyncOrder: simulate peak traffic and observe queue behaviour; tune consumers and retry policies.
  • Regression plan: prioritise checkout, payment, shipping rates, and account flows; include GraphQL smoke tests for headless builds.

2.4.4 is not a simple patch — it’s a strategic upgrade. Treated with the right discipline, it reduces future change friction and unlocks a safer, faster platform.

Adobe Commerce 2.4.4: PHP 8.1, OpenSearch, Security | Tom&Co