Release notes Shopware 6.7.11.0

16.6.2026

System requirements

  • tested on PHP 8.2, 8.4 and 8.5
  • tested on MySQL 8 and MariaDB 11

Improvements

Features

[Experimental] MCP Server for AI tool integration

Shopware now includes an experimental MCP (Model Context Protocol) server that lets AI clients like Claude Desktop or Cursor interact with your Shopware instance through a standardized protocol.

The server exposes the full MCP capability set:

  • Tools for entity management (search, read, create, update, delete), system configuration, state machine transitions, cache management, and storefront product search with sales channel context.
  • Prompts that give the AI client context about Shopware's data model, criteria format, and best practices.
  • Resources that expose static reference data (entity list, sales channels, state machines, business events, flow actions) as readable URIs.

All operations respect the authenticated user's ACL permissions and integrate with the Admin API authentication. Integration credentials can be passed directly via sw-access-key and sw-secret-access-key headers. No separate OAuth token exchange is required. Per-integration allowlists are configurable under Settings -> Integrations to limit which tools, prompts, and resources a given client can see.

To enable this feature, set the MCP_SERVER feature flag to true. The MCP endpoint is available at /api/_mcp and uses the Streamable HTTP transport. Plugins register additional MCP capabilities by tagging services with mcp.tool, mcp.prompt, or mcp.resource. Apps can declare them in their app manifest.

A debug:mcp CLI command is available to list all registered MCP tools, prompts, and resources.

API

New foreign key resolvers for the Sync API

The Sync API now ships seven additional foreign key resolvers, allowing payloads to reference entities by stable human-readable keys instead of UUIDs:

  • currency.iso_code — resolves a currency by its isoCode (e.g. EUR).
  • locale.code — resolves a locale by its code (e.g. en-GB). The en_GB underscore variant is also accepted.
  • payment_method.technical_name — resolves a payment_method by its technicalName.
  • shipping_method.technical_name — resolves a shipping_method by its technicalName.
  • document_type.technical_name — resolves a document_type by its technicalName.
  • salutation.salutation_key — resolves a salutation by its salutationKey (e.g. mr).
  • tax.tax_rate — resolves a tax by its taxRate. Because tax_rate is not unique, the resolver only resolves a value when exactly one tax row matches the given rate; ambiguous rates are left unresolved (combine with nullOnMissing: true if appropriate).

Use these inside a Sync payload anywhere a UUID is expected, e.g. {"currencyId": {"resolver": "currency.iso_code", "value": "EUR"}}.

Mail template preview and send routes support richer rendering context

The mail template Admin API now exposes dedicated preview and send routes:

  • /api/_action/mail-template/simulate
  • /api/_action/mail-template/preview
  • /api/_action/mail-template/get-data-and-send
  • /api/_action/mail-template/available-variables

The preview routes support sales-channel-aware rendering. /api/_action/mail-template/preview accepts salesChannelId, includeHeaderFooter, and strictRendering, and /api/_action/mail-template/simulate accepts salesChannelId and strictRendering. This allows Administration extensions and custom tooling to preview the final mail output, including sales-channel-specific headers and footers, against the same rendering context used for sending.

/api/_action/mail-template/get-data-and-send lets callers resolve a persisted mail template together with entity-based template data before sending. /api/_action/mail-template/available-variables exposes the variable tree for a business event so extensions can build mail-template editing and preview tooling without hardcoding the available data shape.

The /api/_action/mail-template/send payload now also has a first-class extensions bag for custom mail data. Arbitrary unknown top-level keys are still forwarded for backwards compatibility in 6.7, but they are deprecated and will stop being forwarded in Shopware 6.8.

Core

Backward compatible invalid locales

Added and deprecated BackwardCompatibleNumberFormatter to temporarily allow invalid locale strings without throwing exceptions in PHP >=8.4. It will be removed in Shopware 6.8.

The number of days an order can be accessed via deep link is now configurable via shopware.yaml:

shopware:
  order:
    deep_link:
      expire_days: 30

Technical media associations can be ignored by media:delete-unused

Plugins can now mark technical media associations with the new DAL flag IgnoreInUnusedMediaSearch. This prevents media:delete-unused from treating metadata-only extensions as real media usage and helps avoid false negatives when removing unused files. Third-party developers should add this flag to media associations that store technical metadata but do not represent an actual assignment of the media file.

State machine transitions are locked per entity

State machine transitions now acquire a short-lived lock per entity and context version while the current state is read and the transition history is written. This prevents concurrent calls to StateMachineRegistry::transition() from creating duplicate history entries for the same entity transition. Extensions that use the registry automatically benefit from the lock; direct SQL or DBAL writes to state fields remain outside this protection.

Deprecation of RegisterScheduleTaskMessage

The RegisterScheduleTaskMessage class and the accompanying message handler RegisterScheduledTaskHandler are deprecated and will be removed in Shopware 6.8.0.0, as the message is no longer dispatched. If you dispatched that message manually, call the TaskScheduler::registerTask() method directly instead.

Plugin snippet files are no longer silently dropped when any translation is installed

Plugin snippet files (.json files shipped in Resources/snippet/) were being skipped for all locales as soon as a core translation for any single locale was installed via the translation installer. Installing pl-PL for one plugin would cause de-DE, en-GB, and every other locale to lose that plugin's translations entirely, even though no core translation for those locales existed.

The guard in SnippetFileLoader now checks whether a core translation exists for the specific locale being loaded, not for the plugin as a whole.

If you have decorated AbstractTranslationLoader, override the new pluginTranslationExistsForLocale(Plugin $plugin, string $locale): bool method to provide locale-aware behaviour. The old pluginTranslationExists(Plugin $plugin) is deprecated and will be removed in v6.8.0.

Composer-managed plugins in TestBootstrapper::addActivePlugins()

TestBootstrapper::addActivePlugins() can now be used with Composer-managed plugins installed below vendor/. Plugins no longer need to be copied into custom/plugins or custom/static-plugins just to be installed and activated during test bootstrap. When TestBootstrapper::getPluginPath() or getClassLoader() is used without bootstrapping the full application, local plugins below custom/plugins and custom/static-plugins are still resolved from the filesystem. This keeps static analysis and other tooling that only needs plugin paths or autoload-dev registration working without a database-backed kernel.

Requirement-aware plugin installation order

plugin:install now orders the selected plugins by their Composer plugin requirements before installation. When one selected plugin requires another selected plugin package, the required plugin is installed first. This ordering only applies to plugins that are known before the command starts. The command does not reload Composer's autoloader while it is running. If installing one plugin also installs new PHP packages, plugins installed afterwards in the same command cannot use those packages yet. Run those installs in separate CLI calls when a plugin depends on code that another plugin adds through Composer during installation.

Listing configured translations via translation:list

A new translation:list console command prints every locale configured for translation:install / translation:update, including its localized name, English name, and the timestamp of the last installed Crowdin snapshot. translation:install without --all or --locales now drops into an interactive multi-select prompt with autocompletion over the available locale codes, instead of throwing an exception.

Support for pseudo-locales in translation:install

The new SnippetPatterns::ALLOWED_PSEUDO_LOCALES and SnippetPatterns::PSEUDO_LOCALE_TERRITORY constants register Crowdin pseudo-languages (e.g. ach-UG) as valid translation targets for in-context proofreading and translatability audits. Pseudo-locales bypass Symfony Intl validation in Language::validateLocale and TranslationLoader::getLocalePath, and a missing locale entity is auto-created on install with a display name from the constant map and a fixed Pseudo Language territory.

Administration

Block renaming

Due to misleading block names, the following blocks have been deprecated and will be removed in v6.8.0. Use the respective replacements instead:

  • sw_settings_listing_option_base_smart_content -> sw_settings_listing_option_base_content
  • sw_settings_listing_option_base_smart_content_general_info -> sw_settings_listing_option_base_content_general_info
  • sw_settings_listing_option_base_smart_bar_actions_grid -> sw_settings_listing_option_base_content_criteria_grid
  • sw_settings_listing_option_base_smart_bar_actions_grid_delete_modal -> sw_settings_listing_option_base_content_delete_modal

Mail template preview is now sales-channel-aware and uses isolated HTML rendering

The mail template detail page can now preview mails with the selected sales channel and its configured mail header and footer. This helps developers and merchants validate the final rendered output more accurately, especially for document mails and installations with channel-specific branding.

The HTML preview is now rendered in a sandboxed iframe instead of being injected directly into the Administration DOM. This keeps the preview close to the actual mail output while reducing the risk of script execution from rendered template content.
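The difference between the two rendering approaches, as an added example that is not Shopware's Administration code. The function names, the `doc` and `container` parameters, and the choice of an empty `sandbox` attribute are assumptions; the release note does not say which sandbox tokens the Administration sets.

```javascript
// Added illustration, not Shopware's Administration code. Function names and
// the `doc` / `container` parameters are assumptions.

// Before: the rendered mail HTML is parsed as part of the Administration
// document, so markup in the template output shares the admin page's origin.
function renderPreviewInline(container, renderedHtml) {
    container.innerHTML = renderedHtml;
    return container;
}

// After: the HTML is loaded through srcdoc into an iframe whose empty
// `sandbox` attribute applies every restriction: no script execution, no form
// submission, and an opaque origin without access to the parent's cookies,
// storage or DOM.
function renderPreviewSandboxed(doc, container, renderedHtml) {
    const frame = doc.createElement('iframe');
    frame.setAttribute('sandbox', '');
    frame.setAttribute('referrerpolicy', 'no-referrer');
    frame.setAttribute('title', 'Mail template preview');
    frame.srcdoc = renderedHtml;
    container.replaceChildren(frame);
    return frame;
}

// Review helper: report sandbox settings that would weaken the isolation.
function sandboxFindings(frame) {
    if (!frame.hasAttribute('sandbox')) {
        return ['no sandbox attribute: framed content is not restricted'];
    }
    const tokens = frame.getAttribute('sandbox').toLowerCase().split(/\s+/).filter(Boolean);
    const findings = [];
    if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
        findings.push('allow-scripts with allow-same-origin: framed script can remove the sandbox');
    } else if (tokens.includes('allow-scripts')) {
        findings.push('allow-scripts: template markup can run script in an opaque origin');
    }
    if (tokens.includes('allow-top-navigation')) {
        findings.push('allow-top-navigation: framed content can navigate the Administration tab');
    }
    return findings;
}
```

Extensions that render their own mail or CMS previews in the Administration can run a check like `sandboxFindings` over their preview iframes during review.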

Custom fields respect read-only permissions in Administration detail views

Custom fields on category, landing page, sales channel, customer address, and order address detail views are now disabled when the current user only has read permissions.

Fixed "Last Quarter" timeframe returning the wrong year in sw-date-filter

Selecting the "Last Quarter" timeframe in any listing's date filter (orders, documents, customers, etc.) between January and March now produces a three-month range in the previous year instead of a ~15-month range that spanned both years. The end boundary is now derived from the quarter's start year rather than the current year.
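The year handling described above, as an added example that is not the sw-date-filter source. `lastQuarterRange`, `monthsCovered`, the `legacyEndYear` switch and the use of UTC dates are assumptions; the switch reproduces the old behaviour as the release note describes it.

```javascript
// Added illustration, not the sw-date-filter source. All names here are
// assumptions; `legacyEndYear` reproduces the behaviour described for the
// previous version.
function lastQuarterRange(now, { legacyEndYear = false } = {}) {
    const currentQuarter = Math.floor(now.getUTCMonth() / 3); // 0 = Jan-Mar
    let quarter = currentQuarter - 1;
    let startYear = now.getUTCFullYear();
    if (quarter < 0) {
        // January to March: the last quarter is Q4 of the previous year.
        quarter = 3;
        startYear -= 1;
    }
    const startMonth = quarter * 3;
    const start = new Date(Date.UTC(startYear, startMonth, 1));
    // Fixed: the end year follows the quarter's start year.
    // Legacy: the end year is taken from the current date.
    const endYear = legacyEndYear ? now.getUTCFullYear() : startYear;
    // Day 0 of the month after the quarter is the quarter's last day.
    const end = new Date(Date.UTC(endYear, startMonth + 3, 0, 23, 59, 59, 999));
    return { start, end };
}

// Number of calendar months touched by a range, inclusive.
function monthsCovered({ start, end }) {
    return (end.getUTCFullYear() - start.getUTCFullYear()) * 12
        + (end.getUTCMonth() - start.getUTCMonth()) + 1;
}

// Constructed sample dates: one inside January-March, one outside.
const inFebruary = new Date(Date.UTC(2026, 1, 10));
const inMay = new Date(Date.UTC(2026, 4, 10));

console.log(monthsCovered(lastQuarterRange(inFebruary, { legacyEndYear: true })));
console.log(monthsCovered(lastQuarterRange(inFebruary)));
console.log(monthsCovered(lastQuarterRange(inMay)));
```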

Admin menu flyout no longer overflows the viewport

When the sidebar is collapsed, hovering a menu entry near the bottom of the sidebar could cause the flyout submenu to extend beyond the viewport, making lower entries inaccessible. The flyout now calculates a dynamic max-height from the remaining viewport space and scrolls vertically when its content exceeds that limit.

Meteor Component Library updated to 4.28.6

The Administration now uses Meteor Component Library 4.28.6. With this update, disabled Meteor switch fields in system configuration can now unlink inherited sales channel values. Previously, the switch field itself was disabled as expected, but its inheritance control was disabled as well, preventing merchants from overriding inherited values for that sales channel.

Administration sidebar off-canvas closes on mobile navigation

The Administration sidebar off-canvas now closes reliably on very small viewports after selecting a navigation entry, clicking outside the sidebar, or changing routes.

Fix theme manager inheritance for boolean fields

Switch and checkbox fields in theme configuration now render and handle inheritance consistently. Previously, they did not show the inheritance switch. The checkbox field is also now positionally aligned with the other components.

Resolving download errors by renaming media

When merchants rename a media file, its URL automatically updates so they can download it without issues.

Storefront

New Component System

We introduced a new component system to the Storefront, which makes it easier to create reusable templates. It is one foundation of a new content system, which will be released at a later stage, but components can also be used anywhere in existing templates. The component system is based on Twig UX components, plus some additional features like SCSS and JS handling for your components.

To dive into the full possibilities, please refer to the official documentation.

New Dev-Server for development based on Vite

With the new component system we introduced a separate build process based on Vite. It comes with a new dev-server that also supports the usual theme file updates for SCSS and JS. It offers a better developer experience because it does not need a proxy: you can simply work in your normal Storefront while the dev-server is active.

composer storefront:dev-server

The current composer watch:storefront command is deprecated for the next major version. Use the new dev-server instead.

Theme config available as native CSS custom properties

With the new content system we want to move away from the PHP-based SCSS compilation. As a first step, we made the theme configuration available as native CSS custom properties. You can start using them instead of SCSS variables for colors and other visual settings in CSS. The CSS custom properties are available under the same name as the SCSS variables.

Example

CSS
.btn-primary {
    background: var(--sw-color-brand-primary);
}

All config fields that do not set scss: false in the theme configuration are available.

Single file references in theme.json

The theme.json file now supports single file references, allowing you to include individual files from other bundles rather than pulling in an entire theme or plugin. This gives themes fine-grained control over exactly which files are compiled.

This is available for both style and script entries:

Bundle-relative references — Include a single specific file from another bundle or theme using @BundleName/path/to/file:

json
{
  "style": [
    "@MyTheme/app/storefront/src/scss/overrides.scss",
    "@MyTheme"
  ],
  "script": [
    "@MyPlugin/app/storefront/dist/storefront/my-plugin.js",
    "@Plugins"
  ]
}

New global JavaScript event system

With the new component system we are also starting to improve the general possibilities in the Storefront. One of these improvements is a new global event system that is available via a new central Shopware object. This system is easier to use than the instance-scoped events from the current JS plugin system. The event system is based on the native Node event emitter and can be used in a similar way. It also offers some additional features, such as interceptable events, which can be used to hook into certain methods, for example to change request parameters before they are sent. We want to offer this as a new extension system, especially for the new component system.

JavaScript
window.Shopware.emit('Filter:Change', { foo: 'bar' });

JavaScript
window.Shopware.on('Filter:Change', ({ foo }) => {
    // do something
});

For more detailed information, refer to the documentation.

New plugin manager function to call plugin methods

We added a new method to the Storefront plugin manager which allows calling a specific plugin method on all existing instances of that plugin.

JavaScript
window.PluginManager.callPluginMethod(pluginName, methodName, ...args)

Single-hit search redirect now matches EAN and manufacturer number

The storefront search already redirected to the product detail page when a search term exactly matched a product's number and produced a single result. The same redirect now triggers when the term exactly matches the product's ean or manufacturerNumber. The condition still requires exactly one matching product, so listings with multiple hits remain unaffected.

The set of fields that trigger the redirect is configurable via the shopware.storefront.redirect_on_single_hit_fields container parameter (defaults to ['productNumber', 'ean', 'manufacturerNumber']). Any string-valued property declared on ProductEntity may be configured — unknown or non-string properties are skipped. Set the parameter to a narrower list (for example ['productNumber']) to restore the previous behaviour.

Hosting & Configuration

Local filesystem permission enforcement can be disabled

Local filesystem adapters now support config.enforce_file_permissions: false to preserve existing file permissions after writes. This is useful for installations that manage permissions outside Shopware, for example with ACLs or shared deployment users, where writes are allowed but chmod() calls should not be enforced by the application.

Partial filesystem visibility overrides preserve adapter configuration

Partial filesystem visibility overrides now keep the previously configured adapter type and config. Replacing the adapter config block still replaces it as a whole, so adapter-specific config from a previous definition is not mixed into the new adapter.

Critical Fixes

Transient Elasticsearch outages no longer break order placement

ElasticsearchHelper::allowIndexing() now catches transport-level exceptions thrown from Client::ping() (e.g. DNS failures, connection refused, timeouts) and routes them through logAndThrowException().

Previously, a transient Elasticsearch / OpenSearch outage during checkout caused a ConnectException to bubble out of ProductUpdater::update() (triggered by ProductStockAlteredEvent after stock decrement), aborting the request after the order had already been written to the database. With SHOPWARE_ES_THROW_EXCEPTION=0, the indexing call is now logged at critical and skipped for that request; order placement completes normally. With SHOPWARE_ES_THROW_EXCEPTION=1 (the default) behavior is unchanged — the exception is still re-thrown.

Fixed bugs

  • #14368 - Rounding issue in price calculation [BACKPORT]
  • #16947 - Restore nullable inherited filesystem config [BACKPORT]
  • #16694 - Invalid webhook cache state
  • #16773 - Allow disabling local filesystem permission enforcement
  • #16468 - Preserve explicitly provided shipping address salutation on registration [BACKPORT]

See all fixed bugs in this release: https://github.com/shopware/shopware/milestone/35?closed=1

Credits

Thanks to all diligent friends for helping us make Shopware better and better with each pull request!

See all contributors on this page: https://github.com/shopware/shopware/releases/tag/v6.7.11.0#Contributors

More resources

Get in touch

Discuss decisions, bugs you might stumble upon, etc. in our community Discord. See you there 😉
