This release includes a huge number of fixes and improvements from the Spree community and a security patch - we recommend upgrading as soon as possible!
Security
- GHSA-p6pv-q7rc-g4h9: CSV formula injection in CSV exports (Medium severity). The Customer CSV is affected, as it uses information from signups.
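
The kind of output sanitization this fix refers to, sketched as an added example; it is not Spree's own code and does not reproduce commit 36c0617. The helper names, headers and sample rows are hypothetical and constructed, and the trigger characters follow the OWASP CSV injection guidance.

```ruby
require "csv"

# Leading characters that make spreadsheet applications evaluate a cell
# as a formula: = + - @, plus tab and carriage return (OWASP guidance).
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Hypothetical helper: neutralise one cell before it is written to an export.
# Non-string values (integers, nil) cannot carry a formula and pass through.
def sanitize_csv_cell(value)
  return value unless value.is_a?(String)
  # A leading single quote makes the spreadsheet treat the cell as text.
  value.start_with?(*FORMULA_TRIGGERS) ? "'#{value}" : value
end

# Hypothetical exporter: every cell goes through the sanitizer, so fields
# filled in by customers at signup cannot reach the file as formulas.
def export_customers(rows, headers)
  CSV.generate do |csv|
    csv << headers
    rows.each { |row| csv << headers.map { |h| sanitize_csv_cell(row[h]) } }
  end
end

HEADERS = %w[email first_name phone orders].freeze

# Constructed sample data: the second row has signup fields that a
# spreadsheet would otherwise evaluate; the first has a legitimate "+" phone.
SAMPLE_CUSTOMERS = [
  { "email" => "alice@example.com", "first_name" => "Alice",
    "phone" => "+44 20 7946 0000", "orders" => 3 },
  { "email" => "bob@example.com", "first_name" => "=SUM(1,1)",
    "phone" => "@home", "orders" => 0 }
].freeze

puts export_customers(SAMPLE_CUSTOMERS, HEADERS) if $PROGRAM_NAME == __FILE__
```

Legitimate values that start with a trigger character, such as international phone numbers, also gain the quote prefix; downstream consumers of the export need to expect that.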
Other changes
Core
- Prevent deletion of default and last market in store by @damianlegawiec in #13961
- Fixed: Add type column to spree_payment_setup_sessions for STI support bd8b058
- Fix orphaned inventory units when destroying line items on completed orders f0bef2f
- Fixed undefined method 'update_thumbnail!' for nil 30ac12e
- Sanitize CSV export output to avoid CSV formula injection attacks 36c0617
API
- Fixed tags in Products Serializer (both Store API and Admin API) c0d8f85
- Fix handling auth/capture flow in Payment Sessions webhooks flow a6242f8
Admin
- Fix tailwind look up paths in other gems 1fe8b9d
- Auto-generate gift card codes when not provided 5ad9f34
- Change invalid/expired invitation handling to render 404 page 3feaf14
- Update all badges when shipping to improve UX 01510fe
- Improve admin product bulk actions permissions 57997d8
- State Based Zone -> update states on country change c2fd1a1
- Make admin line item partial more robust for Spree multi vendor e323fcf
- Fix datetime filter to respect EOD 79c8d0d
Emails
- Include gift card in order email 13b4626
Documentation
- Use correct event names in docs, specs, examples, comments. 2e565b9
Installation
npx create-spree-app@latest my-store
Updating
1. Update gems
bundle update
2. Run DB migrations
This release includes a small database migration as well:
bin/rake spree:install:migrations
bin/rails db:migrate
Feedback / Support
Join our Discord server to chat with Spree core team members and other Spree developers!
Full Changelog: v5.4.2...v5.4.3