Broadleaf Microservices

Release Notes for 1.8.0

  • Added: Support for read-only field conditionals through metadata

Bug Fixes

  • Fixed: Query Builder not allowing multiple rules

  • Fixed: Application dropdown displaying under navigation fade

  • Fixed: Form state not updating after trigger action is invoked

  • Fixed: Environment variable resolution since moving to Vite

  • Fixed: Left navigation does not update when route changes

  • Fixed: Marketplace shared inventory locations are not mutable for vendors

  • Fixed: DynamicField’s clearValueOnMatch is matched in update forms even if no field is changed, causing fields to clear

  • Fixed: OMS confirming returned items quantity field non-responsive

  • Fixed: Display $0.00 when amount is undefined

  • Fixed: Asset picker’s z-index value

  • Fixed: Empty values being submitted as translations

Security Fixes

  • Address vulnerability with nanoid valueOf

    • The package nanoid before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.

    • Normally, this fix would not be necessary, since nanoid is used only by postcss. However, sanitize-html pulls in postcss at runtime to sanitize user-supplied CSS input.

  • Upgraded axios to 0.25.0 from 0.24.0 to include their upgrade of follow-redirects to 1.14.7.

    • The previous version of follow-redirects was vulnerable to Information Exposure: it leaked the cookie header to a third-party site in the process of fetching a remote URL with the cookie in the request body. If the response contains a Location header, it follows the redirect to another URL, potentially controlled by a malicious actor, to which the cookie would be exposed.
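
The two version floors named above (nanoid 3.1.31, follow-redirects 1.14.7) can be checked against an npm lockfile, including copies nested under another package such as postcss. This is an added example, not part of the Broadleaf release or code base; it assumes the lockfileVersion 2/3 `packages` layout and plain x.y.z versions, and the sample lockfile and its other package versions are constructed.

```javascript
// Added example: flag lockfile entries below the fixed versions named in the notes.
// Floors come from the release notes; the sample lockfile is constructed.
const FIXED = new Map([['nanoid', '3.1.31'], ['follow-redirects', '1.14.7']]);

// Parse a plain x.y.z prefix; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // unparseable: surface it for manual review
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Walk the lockfileVersion 2/3 "packages" map, where keys are install paths,
// so nested copies (e.g. under postcss) are checked as well as hoisted ones.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + 'node_modules/'.length);
    const fixed = FIXED.get(name);
    if (fixed && isBelow(entry.version, fixed)) {
      findings.push({ name, version: entry.version, fixed, path });
    }
  }
  return findings;
}

// Constructed sample: a hoisted, already-fixed nanoid next to a stale nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'constructed-admin-app', version: '1.0.0' },
    'node_modules/axios': { version: '0.24.0' },
    'node_modules/follow-redirects': { version: '1.14.5' },
    'node_modules/nanoid': { version: '3.2.0' },
    'node_modules/postcss': { version: '8.4.5' },
    'node_modules/postcss/node_modules/nanoid': { version: '3.1.30' },
  },
};

for (const f of findVulnerable(sampleLock)) {
  console.log(`${f.name}@${f.version} < ${f.fixed} at ${f.path}`);
}
```

Checking by install path rather than by top-level dependency matters here because the hoisted nanoid can already be at a fixed version while the copy resolved for postcss is not.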