Broadleaf Microservices

Broadleaf Commerce Microservices Release Notes

Broadleaf follows semantic versioning with the following addendum regarding database schema:

  • Minor releases can involve additive (rollback compatible) database schema changes.

  • If your process supports Liquibase, the main changelog in the Broadleaf base service jar contains every Liquibase-scripted migration required (no drops). Where applicable, optional drop changelogs are also provided; these can be included from the changelog your application manages and vetted after the upgrade has completed.

  • If you require raw SQL migration, review each service SQL section to study the changes. Update sql scripts and drop sql scripts (for any defunct tables, FKs, and columns) are available. Drop sql scripts are optional and you may vet them at your convenience after a completed upgrade.

  • While the API remains backward compatible and the schema change risk is generally minimal, it is still useful to review update and drop scripts before an upgrade to ascertain scope.

  • An update or drop sql script always targets mutation of schema from the immediately preceding minor release and does not include migration from releases prior to that. To upgrade several versions ahead using sql, each version migration must be performed consecutively. This differs from the main Liquibase changelog in the service jar, which accounts for the entire database update change history across multiple versions (no drops). This is one of the advantages of adopting a Liquibase process rather than raw sql.

  • Unless otherwise noted here, patch releases will never include database schema changes.

  • Any further instructions required for an individual upgrade will be provided in this document in the notes for the specific version.
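The consecutive-chain rule above is easy to get wrong when an upgrade spans several minor releases. The planner below is an added example, not part of Broadleaf's tooling: it derives the ordered list of update scripts for a raw-SQL upgrade, refuses to skip a minor version whose script is missing, returns an empty plan for patch-only moves (patch releases carry no schema changes), and keeps the drop scripts separate so they can be vetted after the upgrade. The version-to-script mapping and the script file names are assumed for illustration.

```python
"""Plan a raw-SQL schema upgrade across Broadleaf minor releases.

Added example; not Broadleaf's own tooling. The `available` mapping
(minor version -> (update script, drop script)) and the file names in
the demo are assumed for illustration.
"""
import re

# Accepts tags such as "1.4.0-GA" or "1.3.2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-GA)?$")


def parse_version(tag):
    """Return (major, minor, patch) from a release tag."""
    match = VERSION_RE.match(tag)
    if not match:
        raise ValueError(f"unrecognised version tag: {tag}")
    return tuple(int(part) for part in match.groups())


def plan_sql_upgrade(current, target, available):
    """Return (update_scripts, drop_scripts) in the order they must be run.

    `available` maps "major.minor" -> (update_sql_path, drop_sql_path).
    Each update script only migrates from the immediately preceding minor,
    so every intermediate minor must be present; a missing one is an error
    rather than a silent skip.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if cur > tgt:
        raise ValueError(f"{current} -> {target} is a downgrade; drop scripts are not reversible")
    if cur[0] != tgt[0]:
        raise ValueError("major-version upgrades are not covered by per-minor sql scripts")
    if cur[:2] == tgt[:2]:
        return [], []  # patch-only move: no schema changes unless the notes say otherwise

    updates, drops = [], []
    for minor in range(cur[1] + 1, tgt[1] + 1):
        key = f"{cur[0]}.{minor}"
        if key not in available:
            raise ValueError(f"no update script for {key}: the chain {current} -> {target} cannot skip it")
        update_sql, drop_sql = available[key]
        updates.append(update_sql)
        drops.append(drop_sql)  # optional; vet after the upgrade has completed
    return updates, drops


if __name__ == "__main__":
    # Assumed layout: one directory per minor release.
    scripts = {
        "1.3": ("1.3/update.sql", "1.3/drop.sql"),
        "1.4": ("1.4/update.sql", "1.4/drop.sql"),
    }
    ups, drops = plan_sql_upgrade("1.2.0-GA", "1.4.0-GA", scripts)
    print("run in order:", ups)
    print("vet afterwards:", drops)
```

Run the update scripts in the returned order against a backup first; the drop list is deliberately not interleaved, matching the guidance that drops are optional and reviewed once the upgrade is known to be good.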

💡
See individual services for a Software Bill Of Materials (SBOM) for each service. You can review an SBOM file to determine all OSS dependencies referenced in the service, their version, and OSS license. This can be used as part of a supply chain component analysis. See the CycloneDX standard for more information.
💡
Security fixes often involve dependency updates to remediate issues being tracked in external OSS components. It is worth considering adopting releases with security fixes (even Broadleaf Severity LOW) to avoid any possibility of transitive exposure in your codebase.
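The two tips above describe using the per-service CycloneDX SBOM for component analysis and watching for releases that remediate transitive exposure. The script below is an added example, not Broadleaf's code: it parses a constructed CycloneDX JSON document, lists each component's version and license, and flags components whose version falls inside an advisory's affected range. The CVE identifiers are the ones named in this page's security-fix entries, but the affected-version ranges in `ADVISORIES` are placeholders for illustration and must be confirmed against NVD or the upstream advisory before being relied on.

```python
"""Cross-check a CycloneDX (JSON) SBOM against a list of advisories.

Added example; not Broadleaf's code. SAMPLE_SBOM and ADVISORIES are
constructed for illustration: the CVE ids appear in the release notes,
but the version ranges are placeholders to be confirmed against NVD/GHSA.
"""
import json

# Constructed CycloneDX 1.4 document; component versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.springframework", "name": "spring-core", "version": "5.3.5",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.5?type=jar",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "org.springframework.security", "name": "spring-security-core",
         "version": "5.4.6", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.4.6",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "handlebars", "version": "4.7.6",
         "purl": "pkg:npm/handlebars@4.7.6", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.12.3", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"},
    ],
})

# Constructed advisory feed: purl without version -> [(cve, introduced, fixed)].
# Ranges are illustrative placeholders, not verified data.
ADVISORIES = {
    "pkg:maven/org.springframework/spring-core": [("CVE-2021-22118", "5.3.0", "5.3.7")],
    "pkg:maven/org.springframework.security/spring-security-core": [("CVE-2021-22112", "5.4.0", "5.4.4")],
    "pkg:npm/handlebars": [("CVE-2021-23369", "0", "4.7.7")],
}


def version_key(version):
    """Comparable key for dotted versions such as 5.3.10 or 4.7.7-RC1.

    Numeric parts compare numerically (5.3.10 > 5.3.9); a qualifier after
    '-' is treated as a pre-release and sorts below the bare release.
    """
    base, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + ((0,) if qualifier else (1,))


def load_components(sbom_json):
    """Return one dict per component: name, version, purl without version, licenses."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    rows = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        licenses = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            licenses.append(lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN")
        rows.append({
            "name": comp.get("name"),
            "version": comp.get("version", ""),
            "purl_base": purl.split("@", 1)[0],  # drop '@version' and any trailing qualifiers
            "licenses": licenses or ["UNKNOWN"],
        })
    return rows


def match_advisories(components, advisories):
    """Return (name, version, cve, fixed_in) for each component inside an affected range."""
    findings = []
    for comp in components:
        key = version_key(comp["version"])
        for cve, introduced, fixed in advisories.get(comp["purl_base"], []):
            if version_key(introduced) <= key < version_key(fixed):
                findings.append((comp["name"], comp["version"], cve, fixed))
    return findings


def unapproved_licenses(components, allowed):
    """Return (name, license) for licenses outside the allow-list, including UNKNOWN."""
    return [(c["name"], lic) for c in components for lic in c["licenses"] if lic not in allowed]


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for name, ver, cve, fixed in match_advisories(comps, ADVISORIES):
        print(f"{name} {ver}: {cve} (fixed in {fixed})")
    for name, lic in unapproved_licenses(comps, {"Apache-2.0", "MIT"}):
        print(f"license review needed: {name} -> {lic}")
```

Matching on the versionless purl rather than on the bare artifact name avoids false matches between same-named artifacts from different ecosystems; a component with no license entry is surfaced as UNKNOWN rather than silently passing.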

Release Collections

1.4.0-GA

  • New Features

    • Service

      • Auth: Refresh Token Rotation implementation

      • Marketplace features

      • Catalog: Product type grouping

      • Catalog: Standard and Variant product enhancements

      • Catalog: Introduce priced bundle

      • Search: Introduce Availability Data Strategy for product indexing

      • Search: Products search by product option

    • Presentation

      • Admin: Entity long form view

      • Admin: Refactor Styles to use Tailwind

      • NextJS Starter: Stripe and Paypal Express support

  • Bug Fixes

    • Service

      • Auth: Unable to add permissions or grant types to AuthorizedClient

      • Cart: Unable to use an extended type for the StoredCartItem list in JpaCart

      • CartOps: Improve the error message shown to users when checkout fails due to lack of inventory

      • CartOps: NullPointerException when adding to cart with ItemChoice sale price data

      • CartOps: Checking inventory availability for dependent cart items assumes that the item is an IncludedProduct even if it’s from an ItemChoice instead

      • CartOps: If a product is not discountable, then any related FulfillmentItems should not receive any prorated discounts

      • CartOps: Add rounding for prorated order adjustments split across fulfillment items.

      • Catalog: Product can reference itself as a product Option

      • Catalog: Unable to edit category at the application level

      • Catalog: Unable to select an asset when creating a product at the tenant level

      • Menu: Adding a new Menu Item of type Link doesn’t allow you to enter an absolute URL

      • Pricing: Price Lists that target a customer segment don’t work

      • Pricing: Subtotal does not reflect price data pricing tiers

      • Promotions: Offer proration type cannot be changed

      • Promotions: Product's "discountable" flag should also be used to declare if order-level offers are applicable

      • Promotions: Error deploying extended Offer with an Offer Code

      • Search: Rule-Based Categories returns an unexpected search result

      • Tenant: Policy validation prevents application-restricted users from managing application catalogs

    • Presentation

      • NextJs Starter: Use asset services image resize functionality

      • NextJS Starter: Sale price difference is not shown in cart

      • NextJS Starter: Inventory exception in the cart clears out and empties the cart instead of displaying an error message

      • NextJS Starter: Unable to add to cart due to cart missing guest token

      • NextJS Starter: Search results displayed not being updated when new request sent after selecting facet value

      • OMS: Click the "Capture Payment and Fulfill Items" button causes an error for the order items of the bundle product

      • OMS: The price for the order item displays incorrectly if the offer was applied and the prorated price is applied to this item

      • OMS: Order Item price breakdown does not include tax in the item total

  • Security Fixes

    • Service

      • Spring Security - Changing SecurityContext More Than Once in Single Request Can Fail to Save : CVE-2021-22112 : Broadleaf Severity (LOW) : Broadleaf does not leverage code to engage the issue : Remediated transitive exposure via dependency upgrade

      • Spring Core - Local Privilege Escalation within Spring Webflux Multipart Request Handling : CVE-2021-22118 : Broadleaf Severity (LOW) : Broadleaf does not leverage code to engage the issue : Remediated transitive exposure via dependency upgrade

      • Tomcat Embed Core - CVE-2020-9484 CVE-2021-25329 CVE-2021-25122 : Broadleaf Severity (LOW) : Broadleaf usage is only for a test harness : Remediated transitive exposure via dependency upgrade

      • Netty and Jetty : CVE-2021-21409 CVE-2021-21295 CVE-2021-28163 CVE-2021-28165 : Broadleaf Severity (LOW) : Broadleaf does not leverage Netty or Jetty in the context of any vulnerable flow : Remediated transitive exposure via dependency upgrade

    • Presentation

      • Admin: Handlebars : Remote Code Execution : CVE-2021-23369 : HIGH : Remediation was to upgrade the dependency

1.3.0-GA

  • New Features

    • Marketplace Features

    • Demo: Enhance k8s startup behavior for containers

    • OMS: Add frontend components for returns and refunds

  • Bug Fixes

    • Catalog: Assigning image to category can cause it to be removed from another category

    • Testing: TestContainers is not always able to reliably pull the ryuk image

    • Catalog: 2 categories with the same URL cause an issue when searching a category by URL

    • CartOps: Fixed possible NPE if no product description is present

    • Vendor: Fix saving of the vendor attributes

    • Inventory: Adjustments for fulfilled, cancelled, and returned inventory don’t work if Fulfillment doesn’t have an inventory location

    • REFERENCE MutabilityType between two Catalogs is not being honored

    • CartOps: Registering post-checkout does not add order to customer

    • Demo: CSR Shop as Guest and Shop as Customer do not work

    • Customer: Change additional phone domain to not use @Delegate

    • Customer: Make use of new Phone field for customer metadata

    • OrderOps: Error during createPaymentTransactionLog while capturing fulfillment is swallowed

    • OrderOps: Reverse auth might not occur with multiple payments and a cancelled fulfillment while fulfilling

    • Demo: Product details page for Sudden Death sauce only shows the Variant of Sudden Death Sauce

    • Admin: Add better message and link to login when session reaches "final" expiration

    • Search: Revisit filters used by AbstractBatchIndexRequestHandler implementations to gather indexables

    • Search: Ensure that ContextualProductConsolidationContributor implementations exclude archived entities

    • Search: Multiple application-assigned catalogs contributing to one CategoryProduct doesn’t index Category

    • Search: Tenant-level inventory becoming unavailable doesn’t cause Solr representation to be cleared

    • Promotions: DefaultFulfillmentGroupOfferProcessor#sort throws NPE

    • Admin: Added fulfillment reference number for the group

    • Auth: Going directly to auth base causes redirect to internal docker/kubernetes URL

    • PayPal: Fixed issues with how paypal responds to captures in their v2 APIs

    • PayPal: Fix refunding an immediately captured order

    • PayPal: Auto-add assertions header for refunds when a seller ID is available

  • Security Fixes

    • Bouncy Castle - OpenBSDBCrypt.checkPassword utility method compared incorrect data : CVE-2020-28052 : Broadleaf Severity (LOW) : Broadleaf does not exercise vulnerable flows : Remediation was to upgrade dependency

    • Log4j : Log4j 1.x includes a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data : CVE-2019-17571 : Broadleaf Severity (LOW) : Broadleaf does not use Log4j : Remediated by excluding the dependency

    • Netty : When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled : CVE-2021-21290 : Broadleaf Severity (LOW) : Broadleaf does not leverage the vulnerable flow : Remediated transitive exposure via dependency upgrade