Minor releases can involve additive (rollback compatible) database schema changes.
If your process supports Liquibase, the main changelog in the Broadleaf base service jar contains every Liquibase-scripted migration required (no drops). Optional drop changelogs (where applicable) can also be included in your application's managing changelog and vetted after a completed upgrade.
If you require raw SQL migration, review each service's SQL section to study the changes. Update SQL scripts and drop SQL scripts (for any defunct tables, FKs, and columns) are available. Drop SQL scripts are optional and you may vet them at your convenience after a completed upgrade.
While the API remains backward compatible and the schema change risk is generally minimal, it is still useful to review the update and drop scripts before an upgrade to ascertain scope.
An update or drop SQL script always targets mutation of the schema from the immediately preceding minor release and does not include migration from releases prior to that. To upgrade several versions ahead using SQL, each version's migration must be performed consecutively. This differs from the main Liquibase changelog in the service jar, which accounts for the entire database update change history across multiple versions (no drops). This is one of the advantages of adopting a Liquibase process rather than raw SQL.
Unless otherwise noted here, patch releases will never include database schema changes.
Any further instructions required for an individual upgrade will be provided in this document in the notes for the specific version.
See individual services for a Software Bill of Materials (SBOM) for each service. You can review an SBOM file to determine all OSS dependencies referenced in the service, their version, and OSS license. This can be used as part of a supply chain component analysis. See the CycloneDX standard for more information.
Security fixes often involve dependency updates to remediate issues being tracked in external OSS components. It is worth considering adopting releases with security fixes (even Broadleaf Severity LOW) to avoid any possibility of transitive exposure in your codebase.
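The SBOM review described in the two notes above, as an added Python example that is not part of the original page and is not Broadleaf code: it flattens a CycloneDX JSON document (including nested sub-components) into group/name/version/license rows, lists components that carry no license data, and flags coordinates on a caller-supplied watchlist, which is one way to confirm after adopting a release that a dependency the notes say was excluded is in fact absent from the service. The sample SBOM, the coordinates and versions in it, and the watchlist are constructed for this example.

```python
"""Summarize a CycloneDX JSON SBOM: list components with version and license,
flag components without license data, and flag coordinates on a watchlist."""
import json
from typing import Dict, Iterable, Iterator, List, Set

# Constructed sample CycloneDX 1.4 JSON SBOM. It is NOT a real Broadleaf
# service SBOM; the coordinates, versions and licenses are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.bouncycastle", "name": "bcprov-jdk15on",
         "version": "1.70", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "io.netty", "name": "netty-codec-http",
         "version": "4.1.59.Final", "licenses": [{"license": {"id": "Apache-2.0"}}],
         # nested component: CycloneDX allows a component to carry sub-components
         "components": [
             {"type": "library", "group": "io.netty", "name": "netty-common",
              "version": "4.1.59.Final", "licenses": [{"expression": "Apache-2.0"}]},
         ]},
        {"type": "library", "group": "org.example", "name": "no-license-lib",
         "version": "0.1"},
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "licenses": [{"license": {"name": "Apache License 2.0"}}]},
    ],
})

Row = Dict[str, str]


def _walk(components: Iterable[dict]) -> Iterator[dict]:
    """Depth-first walk over components, descending into nested sub-components."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def license_of(comp: dict) -> str:
    """Join every license id, license name or SPDX expression on a component."""
    found: List[str] = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ", ".join(found) if found else "UNKNOWN"


def load_components(sbom_json: str) -> List[Row]:
    """Flatten a CycloneDX JSON document into group/name/version/license rows."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        {
            "group": comp.get("group", ""),
            "name": comp["name"],
            "version": comp.get("version", ""),
            "license": license_of(comp),
        }
        for comp in _walk(bom.get("components", []))
    ]


def unlicensed(rows: List[Row]) -> List[Row]:
    """Components whose license could not be determined from the SBOM."""
    return [r for r in rows if r["license"] == "UNKNOWN"]


def find_watchlisted(rows: List[Row], watchlist: Set[str]) -> List[Row]:
    """Components whose 'group:name' coordinate is on the watchlist.

    A hit means "review this" (for example, a dependency the release notes say
    was excluded is still present); it is not by itself a vulnerability finding.
    """
    return [r for r in rows if f"{r['group']}:{r['name']}" in watchlist]


if __name__ == "__main__":
    rows = load_components(SAMPLE_SBOM)
    for r in rows:
        print(f"{r['group']}:{r['name']}@{r['version']}  {r['license']}")
    print("no license data:", [r["name"] for r in unlicensed(rows)])
    # constructed watchlist: coordinates to confirm absent after an upgrade
    print("watchlist hits:", find_watchlisted(rows, {"log4j:log4j"}))
```

Run it against a real service SBOM by replacing `SAMPLE_SBOM` with the file contents; the watchlist is matched on group and name only, so version-range judgements about a flagged component still come from the advisory, not from this script.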
Demo: Enhance k8s startup behavior for containers
OMS: Add frontend components for returns and refunds
Catalog: Assigning image to category can cause it to be removed from another category
Testing: TestContainers is not always able to reliably pull the ryuk image
Catalog: 2 categories with the same URL cause an issue when searching a category by URL
CartOps: Fixed possible NPE if no product description is present
Vendor: Fix saving of the vendor attributes
Inventory: Adjustments for fulfilled, cancelled, and returned inventory don’t work if Fulfillment doesn’t have an inventory location
REFERENCE MutabilityType between two Catalogs is not being honored
CartOps: Registering post-checkout does not add order to customer
Demo: CSR Shop as Guest and Shop as Customer do not work
Customer: Change additional phone domain to not use @Delegate
Customer: Make use of new Phone field for customer metadata
OrderOps: Error during createPaymentTransactionLog while capturing fulfillment is swallowed
OrderOps: Reverse auth might not occur with multiple payments and a cancelled fulfillment while fulfilling
Demo: Product details page for Sudden Death sauce only shows the Variant of Sudden Death Sauce
Admin: Add better message and link to login when session reaches final expiration
Search: Revisit filters used by AbstractBatchIndexRequestHandler implementations to gather indexables
Search: Ensure that ContextualProductConsolidationContributor implementations exclude archived entities
Search: Multiple application-assigned catalogs contributing to one CategoryProduct doesn’t index Category
Search: Tenant-level inventory becoming unavailable doesn’t cause Solr representation to be cleared
Promotions: DefaultFulfillmentGroupOfferProcessor#sort throws NPE
Admin: Added fulfillment reference number for the group
Auth: Going directly to auth base causes redirect to internal docker/kubernetes URL
PayPal: Fixed issues with how PayPal responds to captures in their v2 APIs
PayPal: Fix refunding an immediately captured order
PayPal: Auto-add assertions header for refunds when a seller ID is available
Bouncy Castle : OpenBSDBCrypt.checkPassword utility method compared incorrect data : CVE-2020-28052 : Broadleaf Severity (LOW) : Broadleaf does not exercise vulnerable flows : Remediation was to upgrade the dependency
Log4j : SocketServer class is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data : CVE-2019-17571 : Broadleaf Severity (LOW) : Broadleaf does not use Log4j : Remediated by excluding the dependency
Netty : When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled : CVE-2021-21290 : Broadleaf Severity (LOW) : Broadleaf does not leverage the vulnerable flow : Remediated transitive exposure via dependency upgrade