Minor releases can involve additive (rollback compatible) database schema changes.
If your process supports Liquibase, the main changelog in the Broadleaf base service jar contains every Liquibase-scripted migration required (no drops). There are also optional drop changelogs (where applicable) that you can include in your application's managing changelog and vet after a completed upgrade.
If you require raw SQL migration, review the SQL section of each service to study the changes. Update SQL scripts and drop SQL scripts (for any defunct tables, foreign keys, and columns) are available. Drop SQL scripts are optional and you may vet them at your convenience after a completed upgrade.
While the API remains backward compatible and the schema change risk is generally minimal, it is still useful to review the update and drop scripts before an upgrade to ascertain scope.
An update or drop SQL script always targets schema mutation from the immediately preceding minor release and does not include migration from any earlier release. To upgrade several versions ahead using SQL, each version's migration must be performed consecutively, in release order. This differs from the main Liquibase changelog in the service jar, which accounts for the entire database change history across multiple versions (no drops). This is one of the advantages of adopting a Liquibase process rather than raw SQL.
Unless otherwise noted here, patch releases will never include database schema changes.
Any further instructions required for an individual upgrade will be provided in this document in the notes for the specific version.
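The upgrade notes above say that a raw-SQL update script only knows how to migrate the schema of the immediately preceding minor release, that drop scripts are optional and vetted afterwards, and that patch releases carry no schema changes. The following planner, added here as an example and not part of Broadleaf's own tooling, turns those rules into a check: it chains per-release update scripts from your current version to the target, refuses to proceed if a link is missing, and keeps drop scripts in a separate list. It assumes a hypothetical file naming scheme (`update-<from>-to-<to>.sql`, `drop-<from>-to-<to>.sql`) and a constructed directory listing.

```python
"""Plan a raw-SQL upgrade across several Broadleaf minor releases.

Added example, not Broadleaf's own tooling. It assumes per-release SQL
scripts are named 'update-<from>-to-<to>.sql' and 'drop-<from>-to-<to>.sql'
(a hypothetical naming scheme) and, as the upgrade notes state, that each
script only migrates from the immediately preceding minor release.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int]  # (major, minor); patch releases carry no schema changes

SCRIPT_RE = re.compile(r"^(update|drop)-(\d+\.\d+)-to-(\d+\.\d+)\.sql$")


def minor_version(text: str) -> Version:
    """Reduce '1.7.2' or '1.7' to (1, 7); the patch level is ignored on purpose."""
    parts = text.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return int(parts[0]), int(parts[1])


def index_scripts(filenames: List[str]) -> Dict[str, Dict[Version, Tuple[Version, str]]]:
    """Map each script kind to {from_version: (to_version, filename)}."""
    index: Dict[str, Dict[Version, Tuple[Version, str]]] = {"update": {}, "drop": {}}
    for name in filenames:
        match = SCRIPT_RE.match(name)
        if not match:
            continue  # not a migration script (README, changelog, ...)
        kind, src, dst = match.groups()
        index[kind][minor_version(src)] = (minor_version(dst), name)
    return index


def plan_upgrade(filenames: List[str], current: str, target: str) -> Tuple[List[str], List[str]]:
    """Return (update_scripts, drop_scripts) in the order they must be applied.

    Update scripts are chained release by release from `current` to `target`;
    a missing link raises instead of silently skipping a release, because a
    script only knows how to mutate the schema of its immediate predecessor.
    Drop scripts are returned separately: they are optional and are meant to
    be vetted after the update chain has completed.
    """
    index = index_scripts(filenames)
    cur, tgt = minor_version(current), minor_version(target)
    if cur > tgt:
        raise ValueError(f"{current} is newer than {target}; downgrades are not planned")
    updates: List[str] = []
    drops: List[str] = []
    while cur < tgt:
        if cur not in index["update"]:
            raise ValueError(f"no update script starting at {cur[0]}.{cur[1]}; chain is incomplete")
        nxt, name = index["update"][cur]
        if not cur < nxt <= tgt:
            raise ValueError(f"{name} does not advance cleanly toward {target}")
        updates.append(name)
        if cur in index["drop"]:
            drops.append(index["drop"][cur][1])
        cur = nxt
    return updates, drops


def chain_is_complete(filenames: List[str], current: str, target: str) -> bool:
    """True when every consecutive update script between the two releases exists."""
    try:
        plan_upgrade(filenames, current, target)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed directory listing; the version numbers are illustrative only.
    listing = [
        "update-1.5-to-1.6.sql", "drop-1.5-to-1.6.sql",
        "update-1.6-to-1.7.sql",
        "update-1.7-to-1.8.sql", "drop-1.7-to-1.8.sql",
        "README.md",
    ]
    ups, drs = plan_upgrade(listing, "1.5.3", "1.8.0")
    print("apply in order:", ups)
    print("vet afterwards:", drs)
```

Running the planner against a listing with a gap (say, no script from 1.6 to 1.7) fails before anything touches the database, which is the failure mode the consecutive-migration rule is meant to prevent. A patch-to-patch upgrade within one minor release produces an empty plan, matching the note that patch releases never include schema changes.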
See individual services for a Software Bill Of Materials (SBOM) for each service. You can review an SBOM file to determine all OSS dependencies referenced in the service, their version, and OSS license. This can be used as part of a supply chain component analysis. See the CycloneDX standard for more information.
Security fixes often involve dependency updates to remediate issues being tracked in external OSS components. It is worth considering adopting releases with security fixes (even Broadleaf Severity LOW) to avoid any possibility of transitive exposure in your codebase.
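The two notes above suggest reading each service's CycloneDX SBOM to inventory OSS dependencies, versions and licenses, and adopting releases whose security fixes bump a transitive dependency. The script below, added here as an example and not Broadleaf's own tooling, does that inventory and then checks it against a policy of minimum versions and denied licenses. The SBOM document and the component names in it are constructed, and the policy passed to `audit_sbom()` is hypothetical; in practice you would take the floor versions from the advisory entries in these release notes.

```python
"""Inventory a CycloneDX SBOM and check it against a dependency policy.

Added example, not Broadleaf's own tooling. The SBOM below is constructed
(components and versions are illustrative), and the minimum-version and
license policy handed to audit_sbom() is hypothetical: it stands in for the
fixed versions you would lift from a security advisory or release notes.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.4 JSON document, shaped like a per-service SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.example", "name": "template-engine",
         "version": "4.6.0", "purl": "pkg:maven/org.example/template-engine@4.6.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "org.example", "name": "web-core",
         "version": "5.3.8", "purl": "pkg:maven/org.example/web-core@5.3.8",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "org.example", "name": "legacy-logger",
         "version": "1.2.17", "purl": "pkg:maven/org.example/legacy-logger@1.2.17",
         "licenses": [{"expression": "GPL-2.0-only"}]},
    ],
})


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric leading segments of a version string; '2.5.1.RELEASE' -> (2, 5, 1)."""
    key = []
    for seg in re.split(r"[.\-+]", version):
        if not seg.isdigit():
            break  # stop at qualifiers such as RELEASE or SNAPSHOT
        key.append(int(seg))
    return tuple(key)


def component_license(component: dict) -> Optional[str]:
    """Collapse the CycloneDX licenses array to one SPDX id, name or expression."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name") or "unknown")
    return " AND ".join(ids) if ids else None


def inventory(sbom_json: str) -> List[Tuple[str, str, Optional[str]]]:
    """List (group:name, version, license) for every component in the SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    rows = []
    for comp in doc.get("components", []):
        coord = f"{comp.get('group', '')}:{comp['name']}".lstrip(":")
        rows.append((coord, comp["version"], component_license(comp)))
    return rows


def audit_sbom(sbom_json: str, min_versions: Dict[str, str],
               denied_licenses: List[str]) -> List[str]:
    """Return findings: components below a required version or under a denied license."""
    findings = []
    for coord, version, lic in inventory(sbom_json):
        floor = min_versions.get(coord)
        if floor and version_key(version) < version_key(floor):
            findings.append(f"{coord}@{version} is below fixed version {floor}")
        if lic and lic in denied_licenses:
            findings.append(f"{coord}@{version} uses denied license {lic}")
    return findings


if __name__ == "__main__":
    # Hypothetical policy; the floor versions are placeholders, not real advisories.
    policy = {"org.example:template-engine": "4.8.0", "org.example:web-core": "5.3.0"}
    for line in audit_sbom(SAMPLE_SBOM, policy, ["GPL-2.0-only"]):
        print(line)
```

Because the SBOM is produced per service, the same audit can be run against each service's file so that a transitive component fixed in one service but still present at an older version in another is caught. The version comparison deliberately ignores non-numeric qualifiers, which is enough for the Maven-style versions these SBOMs carry but should be replaced with a proper comparator if you rely on pre-release ordering.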
Auth: Refresh Token Rotation implementation
Catalog: Product type grouping
Catalog: Standard and Variant product enhancements
Catalog: Introduce priced bundle
Search: Introduce Availability Data Strategy for product indexing
Search: Products search by product option
Admin: Entity long form view
Admin: Refactor Styles to use Tailwind
NextJS Starter: Stripe and Paypal Express support
Auth: Unable to add permissions or grant types to AuthorizedClient
Cart: Unable to use an extended type for the StoredCartItem list in JpaCart
CartOps: Improve the error message shown to users when checkout fails due to lack of inventory
CartOps: NullPointerException when adding to cart with ItemChoice sale price data
CartOps: Checking inventory availability for dependent cart items assumes that the item is an IncludedProduct even if it’s from an ItemChoice instead
CartOps: If a product is not discountable, then any related FulfillmentItems should not receive any prorated discounts
CartOps: Add rounding for prorated order adjustments split across fulfillment items.
Catalog: Product can reference itself as a product Option
Catalog: Unable to edit category at the application level
Catalog: Unable to select an asset when creating a product at the tenant level
Menu: Adding a new Menu Item of type Link doesn’t allow you to enter an absolute URL
Pricing: Price Lists that target a customer segment don’t work
Pricing: Subtotal does not reflect price data pricing tiers
Promotions: Offer proration type cannot be changed
Promotions: Product's "discountable" flag should also be used to declare if order-level offers are applicable
Promotions: Error deploying extended Offer with an Offer Code
Search: Rule-Based Categories returns an unexpected search result
Tenant: Policy validation prevents application-restricted users from managing application catalogs
NextJS Starter: Use asset services image resize functionality
NextJS Starter: Sale price difference is not shown in cart
NextJS Starter: Inventory exception in the cart clears out and empties the cart instead of displaying an error message
NextJS Starter: Unable to add to cart due to cart missing guest token
NextJS Starter: Search results displayed not being updated when new request sent after selecting facet value
OMS: Clicking the "Capture Payment and Fulfill Items" button causes an error for the order items of a bundle product
OMS: The price for the order item displays incorrectly if the offer was applied and the prorated price is applied to this item
OMS: Order Item price breakdown does not include tax in the item total
Spring Security - Changing SecurityContext More Than Once in Single Request Can Fail to Save : CVE-2021-22112 : Broadleaf Severity (LOW) : Broadleaf does not leverage code to engage the issue : Remediated transitive exposure via dependency upgrade
Spring Core - Local Privilege Escalation within Spring Webflux Multipart Request Handling : CVE-2021-22118 : Broadleaf Severity (LOW) : Broadleaf does not leverage code to engage the issue : Remediated transitive exposure via dependency upgrade
Tomcat Embed Core - CVE-2020-9484 CVE-2021-25329 CVE-2021-25122 : Broadleaf Severity (LOW) : Broadleaf usage is only for a test harness : Remediated transitive exposure via dependency upgrade
Netty and Jetty : CVE-2021-21409 CVE-2021-21295 CVE-2021-28163 CVE-2021-28165 : Broadleaf Severity (LOW) : Broadleaf does not leverage Netty or Jetty in the context of any vulnerable flow : Remediated transitive exposure via dependency upgrade
Admin: Handlebars : Remote Code Execution : CVE-2021-23369 : HIGH : Remediation was to upgrade
Demo: Enhance k8s startup behavior for containers
OMS: Add frontend components for returns and refunds
Catalog: Assigning image to category can cause it to be removed from another category
Testing: TestContainers is not always able to reliably pull the ryuk image
Catalog: 2 categories with the same URL cause an issue when searching a category by URL
CartOps: Fixed possible NPE if no product description is present
Vendor: Fix saving of the vendor attributes
Inventory: Adjustments for fulfilled, cancelled, and returned inventory don’t work if Fulfillment doesn’t have an inventory location
REFERENCE MutabilityType between two Catalogs is not being honored
CartOps: Registering post-checkout does not add order to customer
Demo: CSR Shop as Guest and Shop as Customer do not work
Customer: Change additional phone domain to not use @Delegate
Customer: Make use of new Phone field for customer metadata
OrderOps: Error during createPaymentTransactionLog while capturing fulfillment is swallowed
OrderOps: Reverse auth might not occur with multiple payments and a cancelled fulfillment while fulfilling
Demo: Product details page for Sudden Death sauce only shows the Variant of Sudden Death Sauce
Admin: Add better message and link to login when session reaches "final" expiration
Search: Revisit filters used by AbstractBatchIndexRequestHandler implementations to gather indexables
Search: Ensure that ContextualProductConsolidationContributor implementations exclude archived entities
Search: Multiple application-assigned catalogs contributing to one CategoryProduct doesn’t index Category
Search: Tenant-level inventory becoming unavailable doesn’t cause Solr representation to be cleared
Promotions: DefaultFulfillmentGroupOfferProcessor#sort throws NPE
Admin: Added fulfillment reference number for the group
Auth: Going directly to auth base causes redirect to internal docker/kubernetes URL
PayPal: Fixed issues with how paypal responds to captures in their v2 APIs
PayPal: Fix refunding an immediately captured order
PayPal: Auto-add assertions header for refunds when a seller ID is available
Bouncy Castle - OpenBSDBCrypt.checkPassword utility method compared incorrect data : CVE-2020-28052 : Broadleaf Severity (LOW) : Broadleaf does not exercise vulnerable flows : Remediation was to upgrade dependency
Log4j : SocketServer class vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data : CVE-2019-17571 : Broadleaf Severity (LOW) : Broadleaf does not use Log4j : Remediated by excluding the dependency
Netty : When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled : CVE-2021-21290 : Broadleaf Severity (LOW) : Broadleaf does not leverage the vulnerable flow : Remediated transitive exposure via dependency upgrade