bug: placeOrder backwards incompatible changes included in patch from v2.4.6-p7 -> v2.4.6-p8. #39282

Closed
damienwebdev opened this issue Oct 19, 2024 · 7 comments
Labels
Issue: ready for confirmation Project: GraphQL Reported on 2.4.6-p8 Indicates original Magento version for the Issue report.

Comments

@damienwebdev
Member

damienwebdev commented Oct 19, 2024

As a developer, I want my app to continue working after I apply security patches.

  1. Be on Magento v2.4.6-p7, with a working application.
  2. Upgrade to v2.4.6-p8 on release day because there are security vulnerabilities.
  3. Break existing user-facing workflows because semver doesn't matter and software is a meme.
  4. Wonder how this commit made it into a security release.

For reproduction:

  1. Run placeOrder on v2.4.6-p7 and expect an error graphql response.
  2. Write code based on the behavior of v2.4.6-p7
  3. Upgrade to v2.4.6-p8
  4. Run placeOrder on v2.4.6-p7 and expect an error graphql response.
  5. (BREAKING CHANGE) Get a "success" response with a null for data with a new "errors" key.
{
    "data": {
        "placeOrder": {
            "order": null,
            "__typename": "PlaceOrderOutput"
        }
    }
}

I'm getting painfully bored and tired of breaking applications because I try to have good security routines like applying security patches the day of release.

https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/2-4-6-patches contains no mention of this BiC change.

If a change results in user programs breaking, it's a bug in the kernel. We never EVER blame the user programs. How hard can this be to understand?

Seriously. Do better.


m2-assistant bot commented Oct 19, 2024

Hi @damienwebdev. Thank you for your report.
To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce.


@JesKingDev

+1 This is also happening on 2.4.7-p3. CC'd from #39300 (comment)

In 2.4.7-p3, I get no errors at all. Calling placeOrder with anything wrong or missing (e.g. billing address, payment, etc.) returns the response

{
    "data": {
        "placeOrder": {
            "order": null
        }
    }
}

This is a blocker for any upgrades or security patches. @damienwebdev Thank you for your description that clearly conveys the outrage I feel at the moment, having discovered this issue while finalizing our upgrade to 2.4.7.
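
Added example, not part of any comment in this thread and not Magento code: a client-side check that fails closed on all the placeOrder failure shapes reported above (a GraphQL error response, a payload with an "errors" key, and a bare `order: null`). The inner `errors` list, its `message` field and the function name are assumptions.

```javascript
// Added example. Response shapes follow the JSON quoted in this thread; the
// inner `errors` list and its `message` field are assumptions.
function classifyPlaceOrder(response) {
  const messagesOf = (list) => list.map((e) => String(e?.message ?? ''));

  // Behaviour the reporter relied on in v2.4.6-p7: a GraphQL error response,
  // i.e. a non-empty top-level `errors` array.
  const topLevel = Array.isArray(response?.errors) ? response.errors : [];
  if (topLevel.length > 0) {
    return { ok: false, reason: 'graphql-errors', messages: messagesOf(topLevel) };
  }

  const payload = response?.data?.placeOrder;
  if (payload == null) {
    return { ok: false, reason: 'missing-payload', messages: [] };
  }

  // Behaviour reported for v2.4.6-p8: failures listed inside the payload.
  const inner = Array.isArray(payload.errors) ? payload.errors : [];
  if (inner.length > 0) {
    return { ok: false, reason: 'payload-errors', messages: messagesOf(inner) };
  }

  // Behaviour reported for 2.4.7-p3: `order: null` and nothing else.
  // Fail closed: without an order object, the order was not placed.
  if (payload.order == null) {
    return { ok: false, reason: 'null-order', messages: [] };
  }
  return { ok: true, reason: 'order-placed', messages: [] };
}

// Constructed sample responses (not captured from a real store).
const samples = {
  p7Error: { errors: [{ message: 'constructed error' }], data: { placeOrder: null } },
  p8Null: { data: { placeOrder: { order: null, __typename: 'PlaceOrderOutput' } } },
  p8Errors: { data: { placeOrder: { order: null, errors: [{ message: 'constructed error' }] } } },
  placed: { data: { placeOrder: { order: { order_number: 'CONSTRUCTED-1' } } } },
};

for (const [name, body] of Object.entries(samples)) {
  console.log(name, JSON.stringify(classifyPlaceOrder(body)));
}
```
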

@nwcasebolt

Note that this same breaking pattern has already been introduced into the 2.4-develop branch for the UpdateCartItems resolver in this commit. If Adobe does not nip this in the bud now, it's going to spread.

CC'd from 39300 (comment)

@hostep
Contributor

hostep commented Nov 5, 2024

@damienwebdev
Member Author

Closing as a patch is available.

@JesKingDev

@damienwebdev The patch does not fix the problem in 2.4.7. Should I open a separate issue?

@damienwebdev
Member Author

damienwebdev commented Nov 5, 2024

@JesKingDev #39300 tracks the issue in 2.4-develop

If there's a separate issue introduced as a patch to v2.4.7, then this should be tracked as a separate issue.

However, if this was released in v2.4.7 with no further patches, then I think the other issue suffices.
