Broadleaf Microservices

Broadleaf Commerce Microservices Release Notes

Broadleaf follows semantic versioning with the following addendum regarding database schema:

  • Minor releases can involve additive (rollback compatible) database schema changes.

  • If your process uses Liquibase, the main changelog in the Broadleaf base service jar contains every Liquibase-scripted migration required (no drops). There are also optional drop changelogs (where applicable) that can be included in the changelog your application manages and vetted after the upgrade has completed.

  • If you require raw SQL migration, review each service's SQL section to study the changes. Update SQL scripts and drop SQL scripts (for any defunct tables, foreign keys, and columns) are available. Drop SQL scripts are optional and you may vet them at your convenience after a completed upgrade.

  • While the API remains backward compatible and the schema-change risk is generally minimal, review the update and drop scripts before an upgrade to ascertain their scope.

  • An update or drop SQL script always targets mutation of the schema from the immediately preceding minor release and does not include migration from earlier releases. To upgrade several versions ahead using SQL, each minor-version migration must be performed consecutively. This differs from the main Liquibase changelog in the service jar, which accounts for the entire database change history across multiple versions (no drops). This is one of the advantages of adopting a Liquibase process rather than raw SQL.

  • Unless otherwise noted here, patch releases will never include database schema changes.

  • Any further instructions required for an individual upgrade will be provided in this document in the notes for the specific version.
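The rules above are easy to get wrong when jumping several minor releases at once. The following planner, an added example that is not Broadleaf code, encodes them: update and drop SQL scripts only migrate from the immediately preceding minor release, so a multi-version upgrade runs each minor step in order and refuses a gap; patch releases carry no schema changes; drop scripts are kept separate so they can be vetted after the upgrade. The script layout "<service>/<version>/update.sql" is an assumption made for illustration, not Broadleaf's actual packaging.

```python
"""Plan a raw-SQL schema upgrade across several Broadleaf minor releases.

Added example, not Broadleaf code. The "<service>/<version>/update.sql" layout
is an assumption for illustration, not Broadleaf's actual packaging.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text):
        # Accepts "1.6.0-GA" or "1.6.0"; the qualifier is ignored.
        parts = text.split("-", 1)[0].split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not a semantic version: {text!r}")
        return cls(*(int(p) for p in parts))

    @property
    def minor_key(self):
        return (self.major, self.minor)


def minor_chain(installed, target):
    """Every minor release strictly after `installed` up to and including `target`."""
    cur, tgt = Version.parse(installed), Version.parse(target)
    if cur.major != tgt.major:
        raise ValueError("major-version upgrades are outside this policy")
    if tgt.minor_key < cur.minor_key:
        raise ValueError("update scripts do not support downgrades")
    return [(cur.major, m) for m in range(cur.minor + 1, tgt.minor + 1)]


def missing_minor_releases(installed, target, shipped_releases):
    """Minor releases in the chain for which no SQL scripts were shipped.

    A non-empty result means the upgrade cannot be done with raw SQL, because
    each script only migrates from the immediately preceding minor release.
    """
    have = {Version.parse(v).minor_key for v in shipped_releases}
    return [f"{a}.{b}" for a, b in minor_chain(installed, target) if (a, b) not in have]


def plan_sql_upgrade(installed, target, shipped_releases, service):
    """Return (update_scripts, drop_scripts) in the order they must be applied.

    A patch-level move yields no scripts: patch releases carry no schema changes.
    Drop scripts are returned separately; they are optional and run after vetting.
    """
    missing = missing_minor_releases(installed, target, shipped_releases)
    if missing:
        raise ValueError(f"cannot skip minor releases; no scripts for {missing}")
    chain = minor_chain(installed, target)
    updates = [f"{service}/{a}.{b}.0/update.sql" for a, b in chain]
    drops = [f"{service}/{a}.{b}.0/drop.sql" for a, b in chain]
    return updates, drops


if __name__ == "__main__":
    releases = ["1.3.0-GA", "1.4.0-GA", "1.5.0-GA", "1.6.0-GA"]
    print(plan_sql_upgrade("1.3.2", "1.6.0-GA", releases, "catalog"))
```

Run the update list in order against each service's database, then take the drop list through review before applying it; a Liquibase-managed process would instead include the cumulative changelog once and skip this sequencing entirely.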

Tip: See individual services for a Software Bill Of Materials (SBOM) for each service. You can review an SBOM file to determine all OSS dependencies referenced in the service, their versions, and their OSS licenses. This can be used as part of a supply chain component analysis. See the CycloneDX standard for more information.

Tip: Security fixes often involve dependency updates to remediate issues tracked in external OSS components. It is worth adopting releases with security fixes (even Broadleaf Severity LOW, which in the entries below marks issues whose vulnerable flow Broadleaf itself does not exercise) to avoid any possibility of transitive exposure in your codebase, since your own customizations may reach code paths that Broadleaf does not.
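The component analysis the tip describes amounts to walking the SBOM's component list and comparing each package's version with the first fixed version of any advisory you track. The following is an added example, not Broadleaf code and not one of its SBOM files: the CycloneDX JSON document and the advisory table are constructed inline. The axios row mirrors the remediation recorded in these notes for CVE-2021-3749 (upgrade to 0.24.0); the "example-widget" row is invented to show a component whose version the SBOM omits, which a scanner must report rather than silently pass.

```python
"""Inventory a CycloneDX JSON SBOM and flag components below a known-fixed version.

Added example, not Broadleaf code. SAMPLE_SBOM and ADVISORIES are constructed
for illustration; only the axios fix version comes from these release notes.
"""
import json
import re
from urllib.parse import unquote

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "axios", "version": "0.21.1",
         "purl": "pkg:npm/axios@0.21.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "org.springframework", "name": "spring-core",
         "version": "5.3.9",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.9",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Constructed: a component the generating tool emitted without a version.
        {"type": "library", "name": "example-widget", "purl": "pkg:npm/example-widget"},
    ],
})

# (purl type, name) -> (advisory id, first fixed version). Constructed for the example;
# the axios entry is the remediation version stated in these release notes.
ADVISORIES = {
    ("npm", "axios"): ("CVE-2021-3749", "0.24.0"),
    ("npm", "example-widget"): ("EXAMPLE-0001", "2.0.0"),
}

_NUM = re.compile(r"\d+")


def version_key(version):
    """Sort key: numeric dotted components; a pre-release qualifier ranks below the release."""
    core, _, qualifier = version.partition("-")
    return (tuple(int(n) for n in _NUM.findall(core)), 1 if qualifier == "" else 0)


def parse_purl(purl):
    """Return (type, name, version) from a package URL; name is the last path segment."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    path, _, version = rest.partition("@")
    return ptype.lower(), unquote(path.rsplit("/", 1)[-1]), unquote(version) or None


def inventory(sbom_json):
    """List (name, version, [license ids or names]) for every component."""
    rows = []
    for comp in json.loads(sbom_json).get("components", []):
        licenses = [lic["license"].get("id") or lic["license"].get("name")
                    for lic in comp.get("licenses", []) if "license" in lic]
        rows.append((comp["name"], comp.get("version"), licenses))
    return rows


def findings(sbom_json, advisories=ADVISORIES):
    """Return (below_fix, unknown_version).

    below_fix: components matching an advisory whose version is below the fix.
    unknown_version: matching components whose version cannot be determined.
    """
    below_fix, unknown = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        ptype, name, version = parse_purl(purl)
        version = version or comp.get("version")
        hit = advisories.get((ptype, name))
        if hit is None:
            continue
        advisory_id, fixed = hit
        if version is None:
            unknown.append((name, advisory_id))
        elif version_key(version) < version_key(fixed):
            below_fix.append((name, version, advisory_id, fixed))
    return below_fix, unknown


if __name__ == "__main__":
    for row in inventory(SAMPLE_SBOM):
        print(row)
    print(findings(SAMPLE_SBOM))
```

The purl, not the display name, is the key to match on: it carries the ecosystem, so "axios" in npm and a same-named Maven artifact are never confused. The version comparison is deliberately simple (numeric dotted parts, pre-release below release); ecosystems with richer version schemes need the ecosystem's own comparator.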

Release Collections

1.6.0-GA

  • New Features

    • Service

      • Auth: Support Embedded Login pattern

      • Auth: Customer lock (& unlock) due to failed login attempts

      • Auth: Add support for Native Client login using OTP

      • Auth: Support for OTP (Passcode API)

      • Amazon Payment Services: Integration with payment provider

      • CartOps: Introduce first-class support for 3DS in checkout workflow

      • CartOps: Free Gift auto-add and remove gift cart items

      • CartOps: Update checkout workflow to better support AuthAndCapture as an alternative to Auth transactions

      • CartOps: Add voucher offers to cart

      • CartOps: Enhance validation when adding or updating Payment

      • CartOps: Refine Payment update payload

      • CartOps: Improve checkout workflow for saved payments

      • CartOps: Update checkout to correctly manage the PaymentTransaction#managementStatus values

      • CartOps: Update PaymentSummary logic to exclude transactions in reversal managementStatuses

      • CartOps: Disable/Remove payment rollback functionality

      • CartOps: Replace deprecated constructors due to new dependency added with autowired beans

      • Cart: Refine Payment domain

      • Cart: Purge cart functionality

      • Catalog: Support Product AdvancedTags

      • Catalog: Min/max product threshold per cart

      • Catalog: Support targeting of brands, merchandisingType, and gender for rule-based PriceList and Offer

      • Customer: Add admin metadata to display orders from customer screen

      • Inventory: Deprecated AccountingTransactionType

      • Order: Order submit listener for voucher offers

      • Promotion: Free Gift offers

      • Promotion: Voucher offers

      • Promotion: Cleanup noisy logging around criteria rule fields when saving an offer

      • Promotion: Add CampaignCodeAuditDetails as an external grid to the Campaign update form in metadata

      • Promotion: Allow Offer Tiers to Use Amount (or Quantity)

      • Promotion: Offer Message Enhancements

      • Promotion: Add Augmentation Support to Offer

      • Promotion: Support Monetary Amount Based Offer Tiers for Order Item Offers

      • Promotion: Enhance Offer Engine response to include qualifier association information

      • Search: Upgrade Solr from 8.2 to 8.3 & verify index/search functionality

    • Presentation

      • Admin: Introduce "Show advanced link" group type

      • Admin: Add pagination for the categories tree view

      • NextJS Starter: Improve simple item choice selection PDP when selecting choice quantity 0 or 1 (optional)

      • NextJS Starter: Display dependent cart items on the slide out mini cart

      • NextJS Starter: Create system for global server-side caching/storage

      • NextJS Starter: Add support for Badges (AdvancedTags)

    • Library

      • Order Common: Introduce managementStatus property to PaymentTransactions

      • Order Common: Introduce PaymentSummary to replace Payment#status & CartPaymentStatusService

      • Payment Gateway Common: Refine PaymentGatewayConfiguration Properties

  • Bug Fixes

    • Service

      • Auth: Reset Password from Admin Customer view not working

      • Auth: Issue with default admin user data initialization

      • CartOps: Cannot add Merchandising Product to Cart

      • Catalog: CategoryEndpoint#readAllCategories(…) becomes quite slow when gathering parent categories

      • Catalog: 404 when hitting category page after applying application-level override

      • Customer: Disable/Enable customer

      • Inventory: Fixed JpaInventoryLocation’s toMe for longitude

      • Inventory: Mismatched path variable in SkuInventoryShopEndpoint

      • Inventory: Reserving the last available inventory is not sending a stock change notification

      • Promotion: Item Adjustment values are not as expected

      • Promotion: Creating a FulfillmentGroup Offer fails because of required hidden fields

      • Promotion: Admin errors not showing for required target criteria rule builder

      • Promotion: Inactive Campaign and Campaign Codes are being filtered out in the Admin List Grids

      • Promotion: Splitting qualifier in a negative quantity when more than 1 offers share the same qualifier

      • Sandbox: BroadleafScopedPagingStreams is returning incorrect results under JDK11

      • Search: Apply retry logic to additional Solr interactions used during reindexing

      • Search: SolrCatalogInventoryService does not correctly handle querying for Skus that include spaces

    • Presentation

      • Admin: The augmentation component with the validation method without arguments caused NPE

      • Admin: Loosen rule builder constraint on spaces between operator and operands

      • Admin: Problem with Clone Item modal

      • NextJS Starter: Update PDP’s add to cart to handle case when bundle item is not available

      • NextJS Starter: Marketing messages are shown with wrapping HTML tags

      • NextJS Starter: Searchable Variation Options missing functionality

    • Library

      • Export: Most derived type not used when converting from business domain to persistence domain for JpaExport

      • Money: Currency issues with entity CRUD operations

  • Security Fixes

    • Presentation

      • Admin, Commerce SDK, NextJS Starter: axios v0.21.1 : CWE-697 Incorrect Comparison : CVE-2021-3749 : Broadleaf Severity (HIGH) : axios is vulnerable to Inefficient Regular Expression Complexity : Remediation was to upgrade dependency to v0.24.0

  • Upgrade Notes

    • Service

      • Auth: The saved request (BLSR), saved authorized client (BL-ACS-*), and saved authorization request (BLSAR) cookies now default to SameSite=Lax in their attributes. With Lax, browsers still send the cookies on top-level navigations (links and redirects using a safe method such as GET) but omit them from cross-site subresource requests, iframes, fetches, and cross-site POSTs. This change may affect behavior if BLC cookies are used as third-party cookies, or if there is no gateway in front of the auth service (not recommended).

      • Auth: By default, all responses will now include a Content-Security-Policy (CSP) header with the directives default-src 'self'; base-uri 'self'. Because default-src also governs script-src, style-src, img-src, connect-src, and the other fetch directives that are not set explicitly, browsers will block inline scripts and styles and any resource loaded from an origin other than the document's own unless the policy is extended (for example with an explicit source, a nonce, or a hash). This change may affect behavior if any served webpages include inline resources (scripts, styles, etc.) or resources loaded from origins different from the one loading the document.

      • Cart Operations: The deprecated Cart cookie (BLCART) now defaults to SameSite=Lax in its attributes, so browsers omit it from cross-site subresource requests, iframes, fetches, and cross-site POSTs. This change may affect behavior if this deprecated functionality is still in use, particularly if BLC cookies are used as third-party cookies, or if there is no gateway in front of the cart operations service (not recommended).
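To judge whether the SameSite and CSP defaults above affect a deployment, it helps to have the two browser rules in executable form. The following is an added example, not Broadleaf code: it models when a browser attaches a cookie marked SameSite=Lax, Strict or None, and what the header "Content-Security-Policy: default-src 'self'; base-uri 'self'" permits. The hostnames in the usage are illustrative, the "site" is approximated by the last two host labels rather than the public-suffix list, and CSP nonces, hashes and scheme-less host sources are not modelled.

```python
"""Model the browser behaviour behind the 1.6.0 SameSite and CSP upgrade notes.

Added example, not Broadleaf code. Hostnames are illustrative; site_of() uses
the last two host labels instead of the public-suffix list, and the CSP check
does not model nonces, hashes or scheme-less host sources.
"""
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url):
    """Approximate the cookie 'site' of a URL as its last two host labels."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(same_site, request_url, initiator_url, method, top_level_navigation):
    """True if a cookie with the given SameSite attribute accompanies the request.

    request_url is the URL the cookie belongs to; initiator_url is the document
    that caused the request; top_level_navigation distinguishes a link, redirect
    or form navigation from a subresource load, fetch or iframe.
    """
    if site_of(request_url) == site_of(initiator_url):
        return True  # same-site: every SameSite mode sends the cookie
    mode = same_site.lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level_navigation and method.upper() in SAFE_METHODS
    if mode == "none":
        return True  # browsers additionally require the Secure attribute here
    raise ValueError(f"unknown SameSite value {same_site!r}")


# Directives that fall back to default-src when not set (simplified chain).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "media-src", "object-src", "frame-src", "child-src", "worker-src",
                    "manifest-src"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csp_allows(header, directive, document_origin, source):
    """Decide whether `source` (an absolute URL or the literal "inline") may load.

    Fetch directives absent from the policy fall back to default-src; base-uri
    and other non-fetch directives do not, so omitting them leaves no restriction.
    """
    policy = parse_csp(header)
    if directive in policy:
        sources = policy[directive]
    elif directive in FETCH_DIRECTIVES and "default-src" in policy:
        sources = policy["default-src"]
    else:
        return True
    if "'none'" in sources:
        return False
    if source == "inline":
        return "'unsafe-inline'" in sources
    if "*" in sources:
        return True
    src_origin = origin_of(source)
    if "'self'" in sources and src_origin == document_origin.lower():
        return True
    return any(src_origin == origin_of(s) for s in sources if "://" in s)


if __name__ == "__main__":
    auth = "https://auth.example.com/oauth2/authorize"
    print(cookie_is_sent("Lax", auth, "https://shop.example.org/checkout", "GET", True))
    print(csp_allows("default-src 'self'; base-uri 'self'", "script-src",
                     "https://auth.example.com", "inline"))
```

Under the 1.6.0 defaults a top-level GET redirect back to the auth service still carries the BLSR/BLSAR cookies, whereas a cross-site POST or an embedded iframe does not; and with default-src 'self' an inline script or a CDN-hosted script on an auth page is blocked until the policy names it. On a running deployment the check is to inspect the Set-Cookie and Content-Security-Policy response headers as seen through the gateway, since that is the origin the browser evaluates them against.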

1.5.0-GA

  • New Features

    • Service

      • Auth: Support social logins like Google or Facebook for login/registration for Customers

      • Auth: Expose OAuth2 Client registrations in the admin

      • Auth: Create interface to map fields from a 3rd party OAuth token to a BroadleafOAuth2UserDetails

      • Auth: Make third party IDP login compatible with Broadleaf MS tenancy

      • Auth: Remove LocalDevOAuth2ClientRedirectFilter and use dnsmasq

      • Auth: Custom OAuth2AuthorizationRequestResolver

      • Auth: Add Auth0 configuration

      • Auth: Control when users are created from third party login

      • Auth: JDBC ClientRegistrationRepository

      • Auth: Automatic auth server creation can’t handle both domain and domain prefix simultaneously

      • Auth: Replace InMemoryOAuth2AuthorizedClientService

      • CartOps: Selector product add to cart validation and attributes

      • CartOps: Add an internal inventory check for the available online flag during add to cart.

      • CartOps: Merchandising Product add to cart, offer, & price considerations

      • CartOps: Remove cart items from cart message in checkout completion event.

      • Cart: Don’t use persistence channel for carts

      • Cart: Disable persistence events on carts

      • Catalog Browse: Create new endpoint that takes a URL and returns either a product or category

      • Catalog: Introduce a read-single-variant operation in VariantEndpoint

      • Catalog: Add an endpoint to fetch multiple categories by id

      • Catalog: Rename Product.inventoryType to Product.fulfillmentType

      • Catalog: Update language & logic around ItemChoice override price to clarify that it must be a unit price

      • Catalog: Introduce OptionGroup domain to help support new product options interface

      • Catalog: Enhance Product domain to better support rule-based categorization

      • Catalog: Support targeting of brand, merchandisingType, gender, & tags for rule-based categories

      • Catalog: Rule-based Category Improvements

      • Catalog: Add data driven enum domain for catalog fields

      • Catalog: Add priority algorithm for resolving product URLs

      • Catalog: Selector product validation concerns

      • Catalog: Cleanup rule-based category and data driven enum UI

      • Catalog: Cannot clear the field values Brand

      • Catalog: Introduce support for Selector Products

      • Catalog: Add logic to handle translations when evaluating category rule filters

      • Inventory: When creating SkuInventory via the admin, the vendorRef should be pre-populated by InventoryLocation.vendorRef

      • Menu: Introduce lookup for defining category-based and product-based menu items

      • Promotion: Offer Screen - Basic, Merchandising, & Restrictions Sections Updates

      • Promotion: Improve ability to add custom Offer target types

      • Promotion: Support Cheapest/Costliest Target Grouping Strategy

      • Search: Improved search suggestion faceting

      • Search: Establish convention for mapping from search suggestion brand/merchandisingType facet to category url

    • Presentation

      • Admin: Added RuleBuilder "Has Any In" Operator for multi value matching

      • Admin: Update Included Product & Item Choice Options admin interfaces following domain refactor

      • Admin: Support the resolution and use of parent form fields as default values

      • Admin: Refactor Styles across the board to use Tailwind

      • Admin: Refactor Admin Navigation UX

      • Admin: Replace CRA in AdminWeb and AdminStarter

      • Admin: Display version somewhere in the admin

      • Admin: Refactor Augmentation Created Event

      • NextJS Starter: Update DefaultPDP > Assets.js to lookup assets by tag with a prefix appropriate for the type of the tag

      • NextJS Starter: Show Included Products on PDP and Add-to-Cart

      • NextJS Starter: Standard & Variant product PDP use cases

      • NextJS Starter: PDP - Handle 'BUNDLE' products

      • NextJS Starter: PDP - Handle 'SELECTOR' products

      • NextJS Starter: Display applied offer name on cart item

      • NextJS Starter: PDP - Support Configurable Item Choice products like T-Shirts

    • Library

      • Data Tracking: Automatically register PackageDataRouteSuppliers from packages provided in JpaEntityScan

      • Data Tracking: Enhance to make basic audit data available on all trackable entities

      • JPA Common: Configurable SchemaCompatibiltyUtility for Client Implementations

      • Metadata: Remove need for cross service dependencies due to metadata consumer libraries

  • Bug Fixes

    • Service

      • CartOps: Cart can become broken if a fulfillment item exists without a cart item

      • CartOps: Can’t fetch the products for the rule-based category with the filter by the product’s Tags

      • CartOps: Fix Pricing Issues with Bundles and ItemChoices with overrides

      • Catalog: Item Choices have the same generated pricingKey

      • Catalog: Fix checking of the product availability for the rule-based category

      • Catalog: Fixed implicit filter on product grids by type

      • Catalog: Options grid should show label instead of attribute value

      • Catalog: When editing cart-item attribute a duplicate is created after saving

      • Catalog: CartItem.merchandisingContext not being set for demo selector product

      • Inventory: The filter of the SKU inventory in the admin doesn’t work for the "skuCode" and "skuName"

      • Pricing: Price Data on the product option form level doesn’t have effect

      • Promotion: Enhance Offer PercentOff validation to not allow values over 100

      • Promotion: Free Shipping Offer is discounting less than 100%

      • Promotion: Discounts still applied to item choices when discount allowed is false

      • Sandbox: Deploying a variant price change causes a second variant to be produced

      • Search: Solr bug - parsing with edismax if field does not exist causes malformed queries

      • Search: Update product indexing logic to only consider records whose activeEndDate is greater than today

      • Tenant: ApplicationEndpoint#readAll should return inactive/deactivated applications if active param is false

    • Presentation

      • Admin: Deployment Date and Time filters not found on JpaChangeSummary

      • Admin: Removing one of the item choice cause disappearing of other items

      • Admin: Order Fulfillments view failing to render due to attribute choices

      • Admin: Text on Application Page is obscured by asset buttons

      • Admin: Adding existing catalog to application fails the first time

      • NextJS Starter: blTenant cookie is very large. Remove in favor of server-side storage

    • Library

      • DataTracking: Jpa criteria name parameters can be duplicated when RSQL and ContextInfo query influencers are used concurrently

      • Messaging: Camel Cluster Services using JGroups are not properly arriving at a single leader in a kubernetes cluster

1.4.0-GA

  • New Features

    • Service

      • Auth: Refresh Token Rotation implementation

      • Marketplace features

      • Catalog: Product type grouping

      • Catalog: Standard and Variant product enhancements

      • Catalog: Introduce priced bundle

      • Search: Introduce Availability Data Strategy for product indexing

      • Search: Products search by product option

    • Presentation

      • Admin: Entity long form view

      • Admin: Refactor Styles to use Tailwind

      • NextJS Starter: Stripe and Paypal Express support

  • Bug Fixes

    • Service

      • Auth: Unable to add permissions or grant types to AuthorizedClient

      • Cart: Unable to use an extended type for the StoredCartItem list in JpaCart

      • CartOps: Improve the error message shown to users when checkout fails due to lack of inventory

      • CartOps: NullPointerException when adding to cart with ItemChoice sale price data

      • CartOps: Checking inventory availability for dependent cart items assumes that the item is an IncludedProduct even if it’s from an ItemChoice instead

      • CartOps: If a product is not discountable, then any related FulfillmentItems should not receive any prorated discounts

      • CartOps: Add rounding for prorated order adjustments split across fulfillment items.

      • Catalog: Product can reference itself as a product Option

      • Catalog: Unable to edit category at the application level

      • Catalog: Unable to select an asset when creating a product at the tenant level

      • Menu: Adding a new Menu Item of type Link doesn’t allow you to enter an absolute URL

      • Pricing: Price Lists that target a customer segment don’t work

      • Pricing: Subtotal does not reflect price data pricing tiers

      • Promotions: Offer proration type cannot be changed

      • Promotions: Product's "discountable" flag should also be used to declare whether order-level offers are applicable

      • Promotions: Error deploying extended Offer with an Offer Code

      • Search: Rule-Based Categories returns an unexpected search result

      • Tenant: Policy validation prevents application-restricted users from managing application catalogs

    • Presentation

      • NextJs Starter: Use asset services image resize functionality

      • NextJS Starter: Sale price difference is not shown in cart

      • NextJS Starter: Inventory exception in the cart clears out and empties the cart instead of displaying an error message

      • NextJS Starter: Unable to add to cart due to cart missing guest token

      • NextJS Starter: Search results displayed not being updated when new request sent after selecting facet value

      • OMS: Click the "Capture Payment and Fulfill Items" button causes an error for the order items of the bundle product

      • OMS: The price for the order item displays incorrectly if the offer was applied and the prorated price is applied to this item

      • OMS: Order Item price breakdown does not include tax in the item total

  • Security Fixes

    • Service

      • Spring Security - Changing SecurityContext More Than Once in Single Request Can Fail to Save : CVE-2021-22112 : Broadleaf Severity (LOW) : Broadleaf does not leverage code to engage the issue : Remediated transitive exposure via dependency upgrade

      • Spring Core - Local Privilege Escalation within Spring Webflux Multipart Request Handling : CVE-2021-22118 : Broadleaf Severity (LOW) : Broadleaf does not leverage code to engage the issue : Remediated transitive exposure via dependency upgrade

      • Tomcat Embed Core - CVE-2020-9484 CVE-2021-25329 CVE-2021-25122 : Broadleaf Severity (LOW) : Broadleaf usage is only for a test harness : Remediated transitive exposure via dependency upgrade

      • Netty and Jetty : CVE-2021-21409 CVE-2021-21295 CVE-2021-28163 CVE-2021-28165 : Broadleaf Severity (LOW) : Broadleaf does not leverage Netty or Jetty in the context of any vulnerable flow : Remediated transitive exposure via dependency upgrade

    • Presentation

      • Admin: Handlebars : Remote Code Execution : CVE-2021-23369 : HIGH : Remediation was to upgrade

1.3.0-GA

  • New Features

    • Marketplace Features

    • Demo: Enhance k8s startup behavior for containers

    • OMS: Add frontend components for returns and refunds

  • Bug Fixes

    • Catalog: Assigning image to category can cause it to be removed from another category

    • Testing: TestContainers is not always able to reliably pull the ryuk image

    • Catalog: 2 categories with the same URL cause an issue when searching a category by URL

    • CartOps: Fixed possible NPE if no product description is present

    • Vendor: Fix saving of the vendor attributes

    • Inventory: Adjustments for fulfilled, cancelled, and returned inventory don’t work if Fulfillment doesn’t have an inventory location

    • REFERENCE MutabilityType between two Catalogs is not being honored

    • CartOps: Registering post-checkout does not add order to customer

    • Demo: CSR Shop as Guest and Shop as Customer do not work

    • Customer: Change additional phone domain to not use @Delegate

    • Customer: Make use of new Phone field for customer metadata

    • OrderOps: Error during createPaymentTransactionLog while capturing fulfillment is swallowed

    • OrderOps: Reverse auth might not occur with multiple payments and a cancelled fulfillment while fulfilling

    • Demo: Product details page for Sudden Death sauce only shows the Variant of Sudden Death Sauce

    • Admin: Add better message and link to login when session reaches "final" expiration

    • Search: Revisit filters used by AbstractBatchIndexRequestHandler implementations to gather indexables

    • Search: Ensure that ContextualProductConsolidationContributor implementations exclude archived entities

    • Search: Multiple application-assigned catalogs contributing to one CategoryProduct doesn’t index Category

    • Search: Tenant-level inventory becoming unavailable doesn’t cause Solr representation to be cleared

    • Promotions: DefaultFulfillmentGroupOfferProcessor#sort throws NPE

    • Admin: Added fulfillment reference number for the group

    • Auth: Going directly to auth base causes redirect to internal docker/kubernetes URL

    • PayPal: Fixed issues with how paypal responds to captures in their v2 APIs

    • PayPal: Fix refunding an immediately captured order

    • PayPal: Auto-add assertions header for refunds when a seller ID is available

  • Security Fixes

    • Bouncy Castle - OpenBSDBCrypt.checkPassword utility method compared incorrect data : CVE-2020-28052 : Broadleaf Severity (LOW) : Broadleaf does not exercise vulnerable flows : Remediation was to upgrade dependency

    • Log4j : SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data : CVE-2019-17571 : Broadleaf Severity (LOW) : Broadleaf does not use Log4j : Remediated by excluding the dependency

    • Netty : When netty’s multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on disk is enabled : CVE-2021-21290 : Broadleaf Severity (LOW) : Broadleaf does not leverage the vulnerable flow : Remediated transitive exposure via dependency upgrade