Hyva Theme Performance and Security issues. Viva Hyva “Open-Source”
A merchant requested an audit of their Magento installation running the Hyvä theme, focusing on performance and security. The main concerns were slow TTFB (Time to First Byte), TBT (Total Blocking Time), and INP (Interaction to Next Paint). Additionally, a codebase security review was conducted.
What we discovered was shocking. Beyond the expected performance issues, we found serious license compliance concerns with Hyvä. Despite claims that Hyvä is a Magento theme built from scratch, our analysis revealed significant portions of copy-pasted code from Magento Open Source Core. This raises serious legal and licensing concerns about using Commercial Hyvä with Open Source Magento 2.
Magento 2 is licensed under OSL 3.0 (Open Software License), which mandates that any derivative work must also be open-source under the same license. If Hyvä’s code includes copied and modified portions from Magento’s core, it must remain open-source — otherwise, it violates OSL 3.0 and risks legal consequences.
Hyvä’s developers may be certified Magento experts, but following open-source licensing principles is just as important. You cannot take open-source code under OSL 3.0, copy-paste it, and repackage it into a closed-source commercial product without infringing on the license. This issue raises serious concerns for merchants who have paid for Hyvä, as it may lead to legal and compliance risks in the future.
Magento 2 License (Open Source & Commerce)
- Magento Open Source (formerly CE) is licensed under the OSL 3.0 (Open Software License).
- Magento Commerce (formerly EE) has a proprietary license.
- OSL 3.0 allows derivative works but requires that modifications remain open-source if distributed.
Hyvä License
- Hyvä has a proprietary license requiring a paid license per Magento installation.
- The Hyvä license is not open-source and restricts redistribution.
- Modifying Hyvä’s code for your own use is fine, but redistributing derivative works is prohibited without permission.
Some areas of the Hyvä theme are fully copy-pasted, even keeping the same Magento Open Source folder structure: hyva-themes/magento2-reset-theme/*
This module is 100% copy-paste.
Content of the file:
<?xml version="1.0"?>
<!--
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
-->
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" layout="2columns-left" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
    <body>
        <referenceContainer name="columns.top">
            <container name="category.view.container" htmlTag="div" htmlClass="category-view" after="-">
                <!-- <block class="Magento\Catalog\Block\Category\View" name="category.image" template="Magento_Catalog::category/image.phtml">-->
                <!-- <arguments>-->
                <!-- <argument name="image" xsi:type="object">Magento\Catalog\ViewModel\Category\Image</argument>-->
                <!-- <argument name="output" xsi:type="object">Magento\Catalog\ViewModel\Category\Output</argument>-->
                <!-- </arguments>-->
                <!-- </block>-->
                <!-- <block class="Magento\Catalog\Block\Category\View" name="category.description" template="Magento_Catalog::category/description.phtml"/>-->
                <!-- <block class="Magento\Catalog\Block\Category\View" name="category.cms" template="Magento_Catalog::category/cms.phtml"/>-->
            </container>
        </referenceContainer>
        <referenceContainer name="content">
            <!-- <block class="Magento\Catalog\Block\Category\View" name="category.products" template="Magento_Catalog::category/products.phtml">-->
            <!-- <block class="Magento\Catalog\Block\Product\ListProduct" name="category.products.list" as="product_list" template="Magento_Catalog::product/list.phtml">-->
            <!-- <container name="category.product.list.additional" as="additional" />-->
            <!-- <block class="Magento\Framework\View\Element\RendererList" name="category.product.type.details.renderers" as="details.renderers">-->
            <!-- <block cla
Source of this copy-pasted code: https://github.com/magento/magento2/blob/0057e06e480fc1df332f71971bdafae9a8d5ebde/app/code/Magento/Catalog/view/frontend/layout/catalog_category_view.xml#L4
Even Magento’s original copyright notices remain in the code — though commented out. This still constitutes redistribution of Magento Open Source code under a commercially paid Hyvä license, which raises serious license compliance issues. Simply commenting out the original code does not change the fact that the code originates from Magento Open Source, which must remain freely available under OSL 3.0. The commented-out code is also subject to the open-source license.
Let's check other code: magento2-email-module
// /**
// * Copyright © Magento, Inc. All rights reserved.
// * See COPYING.txt for license details.
// */
// The contents of this file will get split into two output files: email.less and email-inline.less.
//
// email.less
// Styles contained in the .email-non-inline() and .media-width() mixins will be output in the email.less file
// and will be included in a <style> tag in emails. Non-inline styles should be used for styles that can't be applied
// as inline CSS, such as media queries.
//
// email-inline.less
// Styles not included in the mixins mentioned above will be included in the email-inline.less file.
// Since email client support for CSS in <style> tags is limited, the majority of styles should be added as "inline"
// styles. CSS will be applied to transactional email HTML via the Emogrifier library, which only has support for
// certain CSS selectors (source: https://github.com/jjriv/emogrifier#supported-css-selectors):
//
The same copy-pasted code still includes Magento’s original copyright, highlighting the clear reuse of Open Source code. What’s even more interesting is that README files openly reference this, further confirming that the code has been copied, modified, and redistributed — all under a commercially paid Hyvä license, which conflicts with Magento’s OSL 3.0 requirements.
Luma style Emails for Hyvä Themes because currently Hyvä does not style emails.
So even the documentation says they are copying Magento's Luma email functionality.
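The header check done by hand in the two files above can be run across a whole vendor tree. This is an added example, not code from the original post, Hyvä or Magento: it lists files that carry the Magento copyright header inside Composer packages whose composer.json does not declare OSL-3.0 or AFL-3.0, as candidates for manual review. The package names (`acme/theme`), the function names and the sample tree are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Header text quoted on this page; matches "©" or "(c)", inside /** */, <!-- --> or // comments.
MAGENTO_HEADER = re.compile(r"Copyright\s+(?:©|\(c\))\s+Magento, Inc\.", re.I)
OPEN_LICENSES = {"OSL-3.0", "AFL-3.0"}  # assumption: SPDX ids treated as matching the header
SCANNED = {".php", ".phtml", ".xml", ".less", ".js"}

def declared_licenses(package_dir):
    """Return the ids from composer.json's "license" field (a string or a list)."""
    try:
        meta = json.loads((package_dir / "composer.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return set()
    lic = meta.get("license", [])
    return {lic} if isinstance(lic, str) else set(lic)

def audit(vendor_dir):
    """Map package -> files with a Magento header, for packages not declaring OSL/AFL."""
    findings = {}
    for manifest in sorted(Path(vendor_dir).glob("*/*/composer.json")):
        pkg = manifest.parent
        if declared_licenses(pkg) & OPEN_LICENSES:
            continue  # header and declared license agree; nothing to review
        hits = []
        for path in sorted(pkg.rglob("*")):
            if path.is_file() and path.suffix in SCANNED:
                head = path.read_text(encoding="utf-8", errors="replace")[:2048]
                if MAGENTO_HEADER.search(head):
                    hits.append(path.relative_to(pkg).as_posix())
        if hits:
            findings[f"{pkg.parent.name}/{pkg.name}"] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample: one proprietary package and one OSL package (hypothetical names)."""
    header = "/**\n * Copyright © Magento, Inc. All rights reserved.\n */\n"
    files = {
        "acme/theme/composer.json": json.dumps({"license": "proprietary"}),
        "acme/theme/layout/catalog_category_view.xml": "<?xml version=\"1.0\"?>\n<!--\n" + header + "-->\n",
        "acme/theme/web/email.less": "// " + header.replace("\n", "\n// "),
        "acme/theme/src/Own.php": "<?php\n// original work, no upstream header\n",
        "magento/module-catalog/composer.json": json.dumps({"license": ["OSL-3.0", "AFL-3.0"]}),
        "magento/module-catalog/Block/View.php": "<?php\n" + header,
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for package, files in audit(tmp).items():
            print(package, files)
```

A hit only shows that a file still carries the upstream header; files where the header was removed need a content comparison against the Magento source instead.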
Another module: Hyvä Themes — Default Theme (hyva-themes/magento2-default-theme)
The Hyvä theme contains a significant amount of code copied from Magento’s Luma theme, with only minor modifications. Under open-source licensing principles, this qualifies as a derivative work — meaning it is based on and adapted from an existing open-source project rather than being an entirely original creation.
A derivative work is any modification, adaptation, or extension of pre-existing software that retains substantial portions of the original codebase. In this case, Hyvä’s theme structure, logic, and core functionalities show clear inheritance from Magento’s Luma theme, with some optimizations, Alpine.js integration, and styling updates.
Because Magento 2 is licensed under OSL 3.0 (Open Software License), any derivative work that includes copied and modified portions of its code must also be released under the same license. However, Hyvä enforces a proprietary commercial license, restricting access and redistribution, which raises serious concerns about license compliance and open-source integrity.
Hyva Code:
Hyva code here. Can't copy-paste it; it is still under the Hyva license even if it is originally Magento open-source code.
Magento file: https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Catalog/view/frontend/templates/category/products.phtml
<?php
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
?>
<?php
/**
 * Category view template
 *
 * @var $block \Magento\Catalog\Block\Category\View
 */
?>
<?php if (!$block->isContentMode() || $block->isMixedMode()) :?>
    <?= $block->getProductListHtml() ?>
<?php endif; ?>
Adding just one line of code does not change the fact that it remains a derivative work of Magento Open Source. Simply copying Magento’s .phtml files, making minor modifications, and adding Tailwind CSS and Alpine.js does not make it an original creation—it is still fundamentally Magento’s open-source code written by contributors and Adobe employees. Under OSL 3.0, derivative works must remain open-source.
Let's check another file:
Hyva Code: vendor/hyva-themes/magento2-default-theme/Magento_Checkout/templates/success.phtml
***** I'm not posting the code.
This Magento copy-pasted code, with some CSS class changes, is still under the commercial Hyva license.
Adobe must find out first if Hyva and agencies are abusing Magento Open Source.
Magento Source: https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Checkout/view/frontend/templates/success.phtml
<?php
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */
?>
<?php /** @var $block \Magento\Checkout\Block\Onepage\Success */ ?>
<div class="checkout-success">
    <?php if ($block->getOrderId()) :?>
        <?php if ($block->getCanViewOrder()) :?>
            <p><?= $block->escapeHtml(__('Your order number is: %1.', sprintf('<a href="%s" class="order-number"><strong>%s</strong></a>', $block->escapeUrl($block->getViewOrderUrl()), $block->getOrderId())), ['a', 'strong']) ?></p>
        <?php else :?>
            <p><?= $block->escapeHtml(__('Your order # is: <span>%1</span>.', $block->getOrderId()), ['span']) ?></p>
        <?php endif;?>
        <p><?= $block->escapeHtml(__('We\'ll email you an order confirmation with details and tracking info.')) ?></p>
    <?php endif;?>
    <?= $block->getAdditionalInfoHtml() ?>
    <div class="actions-toolbar">
        <div class="primary">
            <a class="action primary continue" href="<?= $block->escapeUrl($block->getContinueUrl()) ?>"><span><?= $block->escapeHtml(__('Continue Shopping')) ?></span></a>
        </div>
    </div>
</div>
Hyva has a lot of modified versions of Magento’s template files. But it is not open source under the same license.
What about PHP classes, rather than .phtml and design files? Let's check ViewModels: hyva-themes/magento2-theme-module/src/ViewModel/ProductAttributes.php
***
Magento Code :
/**
 * $excludeAttr is optional array of attribute codes to exclude them from additional data array
 *
 * @param array $excludeAttr
 * @return array
 * @throws \Magento\Framework\Exception\LocalizedException
 */
public function getAdditionalData(array $excludeAttr = [])
{
    $data = [];
    $product = $this->getProduct();
    $attributes = $product->getAttributes();
    foreach ($attributes as $attribute) {
        if ($this->isVisibleOnFrontend($attribute, $excludeAttr)) {
            $value = $attribute->getFrontend()->getValue($product);
            if ($value instanceof Phrase) {
                $value = (string)$value;
            } elseif ($attribute->getFrontendInput() == 'price' && is_string($value)) {
                $value = $this->priceCurrency->convertAndFormat($value);
            }
            if (is_string($value) && strlen(trim($value))) {
                $data[$attribute->getAttributeCode()] = [
                    'label' => $attribute->getStoreLabel(),
                    'value' => $value,
                    'code' => $attribute->getAttributeCode(),
                ];
            }
        }
    }
    return $data;
}
The same derivative Magento code, including its original comments, was copied and pasted from the Block class to the ViewModel and split into two methods, with different formatting but no significant changes. Even renaming variables or functions does not change the fact that the original Open Source Magento logic remains.
Copying and pasting Magento Open Source code into another class (e.g., from a Block to a ViewModel) can be a license violation if it constitutes a derivative work under the OSL 3.0 (Open Software License).
OSL 3.0 Defines Derivative Works
- A derivative work includes any modification, adaptation, or transformation of the original open-source code.
- Simply moving Magento’s open-source logic from one class to another (e.g., Block to ViewModel) does not change its origin — it is still based on Magento’s Open Source intellectual property.
Structural Changes Do Not Bypass Licensing
- Changing where the code resides (e.g., refactoring, reorganizing, splitting into multiple methods) does not create an original work.
- If the copied code retains Magento’s original logic, structure, and functionality, it remains OSL 3.0 licensed and must remain open-source.
If the modified code is kept private for internal use, there is no violation. If the copied and refactored code is redistributed under a commercial or closed-source license (like Hyvä’s proprietary model), this violates OSL 3.0, as derivative works must remain open-source.
Copying and pasting Magento Open Source code into another class does not automatically violate the license if used internally. However, if the copied code is redistributed under a proprietary or commercial license, it violates OSL 3.0 and must be open-sourced.
Hyva Service: vendor/hyva-themes/magento2-theme-module/src/Service/Navigation.php
The same Block functionality was copied and pasted to the service file:
/**
 * Get Category Tree
 *
 * @param int $storeId
 * @param int $rootId
 * @param int $maxLevel
 * @return CategoryColleciton
 * @throws LocalizedException
 */
public function getCategoryTree($storeId, $rootId, $maxLevel = 0)
{
    /** @var CategoryColleciton $collection */
    $collection = $this->collectionFactory->create();
    $collection->setStoreId($storeId);
    $collection->addAttributeToSelect(['name', 'image']);
    $collection->addFieldToFilter('path', ['like' => '1/' . $rootId . '/%']); //load only from store root
    $collection->addAttributeToFilter('include_in_menu', 1);
    $collection->addIsActiveFilter();
    if ($maxLevel > 0) {
        $collection->addLevelFilter($maxLevel);
    } else {
        $collection->addNavigationMaxDepthFilter();
    }
    $collection->addUrlRewriteToResult();
    $collection->addOrder('level', Collection::SORT_ORDER_ASC);
    $collection->addOrder('position', Collection::SORT_ORDER_ASC);
    $collection->addOrder('parent_id', Collection::SORT_ORDER_ASC);
    $collection->addOrder('entity_id', Collection::SORT_ORDER_ASC);
    return $collection;
}
As I see it, Hyvä ViewModels and Services are derivative works based on Magento Core’s block logic.
Magento code: https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Catalog/Plugin/Block/Topmenu.php
Another one:
Hyva Code: vendor/hyva-themes/magento2-theme-module/src/ViewModel/Currency.php
****
Magento Code: https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Directory/Block/Currency.php#L73
/**
 * Retrieve currencies array
 * Return array: code => currency name
 * Return empty array if only one currency
 *
 * @return array
 */
public function getCurrencies()
{
    $currencies = $this->getData('currencies');
    if ($currencies === null) {
        $currencies = [];
        $codes = $this->_storeManager->getStore()->getAvailableCurrencyCodes(true);
        if (is_array($codes) && count($codes) > 1) {
            $rates = $this->_currencyFactory->create()->getCurrencyRates(
                $this->_storeManager->getStore()->getBaseCurrency(),
                $codes
            );
            foreach ($codes as $code) {
                if (isset($rates[$code])) {
                    $allCurrencies = (new CurrencyBundle())->get(
                        $this->localeResolver->getLocale()
                    )['Currencies'];
                    $currencies[$code] = $allCurrencies[$code][1] ?: $code;
                }
            }
        }
        $this->setData('currencies', $currencies);
    }
    return $currencies;
}
The Open Software License (OSL) is a copyleft license, which means it has specific requirements regarding the distribution and modification of the code: You are allowed to copy and distribute the code under the terms of the OSL. However, if you distribute the code, you must also provide the source code and include the original license terms.
This issue is widespread — Hyvä appears to be a derivative of Magento’s core code with modifications: added JavaScript (Alpine.js), and CSS changes. There is nothing inherently wrong with modifying Magento’s core, but if Hyvä’s code is based on Magento Open Source, it must remain open-source under the same OSL 3.0 license.
To protect the open-source community from commercial abuse, this potential license violation has been reported to Adobe. Magento is an open-source solution built by thousands of contributors, and its intellectual property must be safeguarded against improper commercialization.
Hyva file: hyva-themes/magento2-theme-module/src/ViewModel/StoreSwitcher.php
Magento file: https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Store/Block/Switcher.php
/**
 * Get raw stores.
 *
 * @return array
 */
public function getRawStores()
{
    if (!$this->hasData('raw_stores')) {
        $websiteStores = $this->_storeManager->getWebsite()->getStores();
        $stores = [];
        foreach ($websiteStores as $store) {
            /* @var $store \Magento\Store\Model\Store */
            if (!$store->isActive()) {
                continue;
            }
            $localeCode = $this->_scopeConfig->getValue(
                Data::XML_PATH_DEFAULT_LOCALE,
                \Magento\Store\Model\ScopeInterface::SCOPE_STORE,
                $store
            );
            $store->setLocaleCode($localeCode);
            $params = ['_query' => []];
            if (!$this->isStoreInUrl()) {
                $params['_query']['___store'] = $store->getCode();
            }
            $baseUrl = $store->getUrl('', $params);
            $store->setHomeUrl($baseUrl);
            $stores[$store->getGroupId()][$store->getId()] = $store;
        }
        $this->setData('raw_stores', $stores);
    }
    return $this->getData('raw_stores');
}
What Can Hyvä Do to Resolve This?
- Open-source the Hyvä theme since it is a derivative of Magento’s core theme with some modifications (Alpine.js and styling updates).
- Refund license fees, as the original Magento Open Source license (OSL 3.0) prohibits proprietary commercialization of derivative works. If Magento’s license was violated, the software should never have been sold under a closed-source commercial model in the first place.
This is not about opposing Hyvä’s theme frontend improvements. They are great, but this is about ensuring fairness and protecting open-source contributions from being improperly monetized.
Adobe must review this license violation. If Adobe chooses not to take action against a Magento Open-Source license violator, it sets a double standard that is unfair to the broader open-source community. Enforcing OSL 3.0 compliance selectively — pursuing some violators while ignoring others — creates inconsistency and undermines the integrity of Magento’s open-source licensing.
If Hyvä or any other entity is allowed to commercialize derivative works of Magento Open Source without consequence, it raises a serious question: Why should other developers and businesses be held to different standards? Either all violations should be addressed or none at all — anything less is an unfair and biased application of open-source principles.
I believe that the open-source community deserves clarity on whether Magento Open Source code can be repurposed into closed-source commercial products. To ensure transparency, I am publishing a blog post highlighting this issue, educating the Magento developer community on the importance of open-source license compliance. I notified Adobe about the License Abuse (Case ID: 667325) to verify the issue and determine if any action is required. As no update was provided, I am publishing this post to raise public awareness and resolve this issue ASAP. (no answer…) Hyva was also notified about the issue.
I’m not a lawyer. This is not legal advice. Please consult with a qualified attorney for any legal questions regarding licensing, compliance, and intellectual property matters.