Broadleaf Microservices

Broadleaf Commerce Microservices Release Notes

Broadleaf follows semantic versioning with the following addendum regarding database schema:

  • Minor releases can involve additive (rollback compatible) database schema changes.

  • If your process supports liquibase, the main changelog in the Broadleaf base service jar contains any liquibase scripted migration required (no drops). There are also optional drop changelogs (if applicable) that can be included in your application managing changelog and vetted after a completed upgrade.

  • If you require raw SQL migration, review each service SQL section to study the changes. Update sql scripts and drop sql scripts (for any defunct tables, FKs, and columns) are available. Drop sql scripts are optional and you may vet them at your convenience after a completed upgrade.

  • While the API remains backward compatible and the schema change risk is generally minimal, it is still useful to review update and drop scripts before an upgrade to ascertain scope.

  • An update or drop sql script always targets mutation of schema from the immediately preceding minor release and does not include migration from releases prior to that. To upgrade several versions ahead using sql, each version migration must be performed consecutively. This is different than the main liquibase changelog in the service jar which accounts for the entire database update change history across multiple versions (no drop). This is one of the advantages of adopting a liquibase process, rather than raw sql.

  • Unless otherwise noted here, patch releases will never include database schema changes.

  • Any further instructions required for an individual upgrade will be provided in this document in the notes for the specific version.

See individual services for a Software Bill Of Materials (SBOM) for each service. You can review an SBOM file to determine all OSS dependencies referenced in the service, their version, and OSS license. This can be used as part of a supply chain component analysis. See the CycloneDX standard for more information.
Security fixes often involve dependency updates to remediate issues being tracked in external OSS components. It is worth considering adopting releases with security fixes (even Broadleaf Severity LOW) to avoid any possibility of transitive exposure in your codebase.

Release Collections

1.3.0-GA (In Progress)

  • New Features

    • Marketplace Features

    • Demo: Enhance k8s startup behavior for containers

    • OMS: Add frontend components for returns and refunds

  • Bug Fixes

    • Catalog: Assigning image to category can cause it to be removed from another category

    • Testing: TestContainers is not always able to reliably pull the ryuk image

    • Catalog: 2 categories with the same URL cause an issue when searching a category by URL

    • CartOps: Fixed possible NPE if no product description is present

    • Vendor: Fix saving of the vendor attributes

    • Inventory: Adjustments for fulfilled, cancelled, and returned inventory don’t work if Fulfillment doesn’t have an inventory location

    • REFERENCE MutabilityType between two Catalogs is not being honored

    • CartOps: Registering post-checkout does not add order to customer

    • Demo: CSR Shop as Guest and Shop as Customer do not work

    • Customer: Change additional phone domain to not use @Delegate

    • Customer: Make use of new Phone field for customer metadata

    • OrderOps: Error during createPaymentTransactionLog while capturing fulfillment is swallowed

    • OrderOps: Reverse auth might not occur with multiple payments and a cancelled fulfillment while fulfilling

    • Demo: Product details page for Sudden Death sauce only shows the Variant of Sudden Death Sauce"

    • Admin: Add better message and link to login when session reaches final" expiration"

    • Search: Revisit filters used by AbstractBatchIndexRequestHandler implementations to gather indexables

    • Search: Ensure that ContextualProductConsolidationContributor implementations exclude archived entities

    • Search: Multiple application-assigned catalogs contributing to one CategoryProduct doesn’t index Category

    • Search: Tenant-level inventory becoming unavailable doesn’t cause Solr representation to be cleared

    • Promotions: DefaultFulfillmentGroupOfferProcessor#sort throws NPE

    • Admin: Added fulfillment reference number for the group

    • Auth: Going directly to auth base causes redirect to internal docker/kubernetes URL

    • PayPal: Fixed issues with how paypal responds to captures in their v2 APIs

    • PayPal: Fix refunding an immediately captured order

    • PayPal: uto-add assertions header for refunds when a seller ID is available

  • Security Fixes

    • Bouncy Castle - OpenBSDBCrypt.checkPassword utility method compared incorrect data : CVE-2020-28052 : Broadleaf Severity (LOW) : Broadleaf does not exercise vulnerable flows : Remediation was to upgrade dependency

    • Log4j : SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data : CVE-2019-17571 : Broadleaf Severity (LOW) : Broadleaf does not use Log4j : Remediated by excluding the dependency

    • Netty : When netty’s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled : CVE-2021-21290 : Broadleaf Severity (LOW) : Broadleaf does not leverage the vulnerable flow: Remediated transitive exposure via dependency upgrade