github vendurehq/vendure v3.5.3

4 hours ago

Highlights

Security Fix

  • Timing attack vulnerability patched - The NativeAuthenticationStrategy had a timing discrepancy that could allow attackers to enumerate valid email addresses by measuring login response times. All authentication attempts now take consistent time, preventing account enumeration attacks. Thanks to Christbowel for the responsible disclosure.
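
One common way to make login timing uniform, shown as an added example that is not Vendure's code or its actual patch: verify against a dummy hash when the email is unknown, so every attempt costs one hash verification. The names loginLeaky, loginUniform, hashWork and the sample user store are hypothetical, scrypt stands in for whatever password hash the server uses, and the count of hash verifications serves as a deterministic proxy for response time.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

// Counts expensive hash verifications: a deterministic proxy for response time.
let hashCalls = 0;

function hashPassword(password) {
  const salt = randomBytes(16);
  return `${salt.toString('hex')}:${scryptSync(password, salt, 32).toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, keyHex] = stored.split(':');
  const expected = Buffer.from(keyHex, 'hex');
  hashCalls += 1;
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return timingSafeEqual(actual, expected); // constant-time byte comparison
}

// Constructed sample user store (hypothetical data).
const users = new Map([
  ['alice@example.com', { passwordHash: hashPassword('correct horse') }],
]);

// Hash of a random throwaway secret, computed once at startup.
const DUMMY_HASH = hashPassword(randomBytes(32).toString('hex'));

// Pattern that leaks: unknown emails return before any hashing, so they answer faster.
function loginLeaky(email, password) {
  const user = users.get(email);
  if (!user) return false;
  return verifyPassword(password, user.passwordHash);
}

// Uniform pattern: every attempt pays for exactly one hash verification.
function loginUniform(email, password) {
  const user = users.get(email);
  const matches = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  return user !== undefined && matches;
}

// Number of hash verifications a single login attempt triggers.
function hashWork(loginFn, email, password) {
  const before = hashCalls;
  loginFn(email, password);
  return hashCalls - before;
}
```

The dummy hash has to use the same algorithm and cost parameters as real password hashes; otherwise the known-user and unknown-user paths still differ measurably.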

Performance

  • Collections query N+1 fix - Added a new productVariantCount field that uses a simple count query instead of loading all variants just to get totals. Massively reduces database load when listing collections via the Dashboard.

Dashboard Compilation

  • Issues with compilation of the Dashboard were traced back to the use of the SWC compiler, which often conflicted with other dependencies in real projects. We have now moved to a different compiler, which should handle the issues people have been running into.

Dashboard New Features

  • Refund & Cancel Order Dialog - The Dashboard now has a proper refund workflow with line item selection, quantity inputs, payment allocation across multiple payments, and configurable refund reasons.
  • Sub-collection pagination - Large collection trees are now paginated for better performance and UX.
  • Auth methods on profile page - Users can now see their linked authentication methods (native, external providers, etc.) on their profile.
  • Customer search by phone - Customer list now filters by phone number as well as name/email.
  • Dynamic schema-driven languages/currencies - Dashboard language and currency selectors are now driven by your server schema.

Notable Fixes

  • Promotion usage counting - Seller orders are now excluded when counting promotion usage, fixing incorrect limits in multi-vendor setups.
  • SubscribableJob.updates() - Fixed a bug where job.updates() would complete after a single emission instead of streaming updates until the job finished. This affected anyone using lastValueFrom(job.updates()) patterns.
  • Custom fields on ProductVariantPrice - Both persistence and display in the Dashboard are now working correctly.
  • Localized custom fields - localeString and localeText custom fields on translatable entities now persist properly.
  • ChangeChannelEvent - Now correctly publishes with the new channel IDs instead of the old ones.
  • pnpm and Bun support - Dashboard plugin detection now works properly with pnpm and Bun package managers.

What's Changed

  • feat(dashboard): Provide entity object to draft-order-detail Page component by @lucatk in #4073
  • fix(dashboard): Prevent NaN or empty values in Latest Orders table w… by @raidsobhi in #4092
  • fix(dashboard): Re-sync channel token when activeChannelId persists but token is cleared by @niko91i in #4094
  • fix(dashboard): Fix incorrect currency being displayed in dashboard u… by @raidsobhi in #4090
  • fix(dashboard): Channel switcher not scrollable if list exceeds screen height by @lucatk in #4075
  • fix(dashboard): hide "Add channel" button for users without CreateChannel permission by @niko91i in #4097
  • fix(dashboard): Fix compilation issues caused by SWC version issues by @michaelbromley in #4105
  • feat(core): Expand userHasPermissions docstring; Add new userHasAllPermissions method by @HouseinIsProgramming in #4107
  • fix(dashboard): Fix struct custom fields not rendering options or custom components by @michaelbromley in #4115
  • fix(core): Use previously unused relations filter in findByCustomerId by @DeltaSAMP in #4118
  • feat(dashboard): Use dynamic schema-driven languages and currencies by @TheHypnoo in #4111
  • fix(core): Fix SubscribableJob.updates() completing after single emission by @michaelbromley in #4120
  • feat(create): Set api url to auto for newly created projects by @martijnvdbrug in #4102
  • chore: Improve dashboard test reliability in publish workflow by @michaelbromley in #4122
  • docs: add warning to distinguish custom field extension vs detail input field extension by @BibiSebi in #4123
  • fix(create,docs): add useDefineForClassFields to fix ES2022 by @HouseinIsProgramming in #4116
  • chore: Speed up publish_and_install workflow by @michaelbromley in #4127
  • fix(dashboard): Dashboard plugin detection with pnpm by @oliverstreissi in #4126
  • fix(core): Respect publishConfig.directory in npm publish workflow by @michaelbromley in #4131
  • fix(dashboard): Bump @tanstack/react-router to fix ID param error by @jantokic in #4153
  • fix(dashboard): Hide bulk action bar when no selected items are visible by @jantokic in #4151
  • Fix(Mollie): allow overriding immediateCapture from the plugin level by @martijnvdbrug in #4142
  • fix(dashboard): Resolve tsconfig path aliases in ESM mode by @michaelbromley in #4134
  • feat: Implement productVariantCount in collections query by @biggamesmallworld in #4132
  • docs: Fix typo in plugins documentation by @aidenBarrett96 in #4145
  • fix(dashboard): Register text-form-input component by @BibiSebi in #4149
  • fix(dashboard): Preserve string arg values without JSON parsing in form inputs by @gabriellbui in #4156
  • fix(dashboard): Fix entity creation when using a non default language by @tbouliere-datasolution in #4157
  • chore: Add Claude Code rules for dashboard i18n by @HouseinIsProgramming in #4166
  • fix(dashboard): Fix gross price display under price includes tax by @Qingbao in #4138
  • fix(dashboard): Fix usePaginatedList context duplication in extensions by @michaelbromley in #4164
  • feat(dashboard): Add pagination for sub-collections in collection list by @biggamesmallworld in #4154
  • fix(dashboard): Fix displaying HistoryEntry for CustomerEmailUpdateComponent by @SiebelsTim in #4167
  • fix(dashboard): Fallback to default input when custom form component not found by @DeltaSAMP in #4168
  • feat(docs): Migrate documentation to @vendure/docs package by @dlhck in #4124
  • fix(core): Correctly publish ChangeChannelEvent with new channel IDs. by @Draykee in #4176
  • feat(dashboard): Add disabled option to exclude columns in ListPage by @BibiSebi in #4170
  • fix(dashboard): Show all items in the order details page, clean up fu… by @oidt in #4160
  • feat(dashboard): Add refundOrder and cancelOrder GraphQL mutations by @HouseinIsProgramming in #4130
  • fix: Sync package-lock.json with package.json by @HouseinIsProgramming in #4178
  • feat(dashboard): Display authentication methods on profile page by @dlhck in #4179
  • fix(dashboard): Clarify draft order completion UX and add ar translations by @mohamed7-dev in #4163
  • fix(dashboard): Collection contents not showing after saving filters by @gabriellbui in #4128
  • feat(dashboard): Add phone number field to customer list query and search functionality by @TheHypnoo in #4100
  • fix(dashboard): Transform Lingui macros in third-party npm packages by @michaelbromley in #4182
  • fix(dashboard): Support Bun package manager in plugin discovery by @oliverstreissi in #4183
  • fix(core): Persist custom fields when creating new ProductVariantPrice by @michaelbromley in #4184
  • fix(dashboard): Persist localeString/localeText custom fields on translatable entities by @michaelbromley in #4185
  • fix(core): Exclude seller orders when counting promotion usage by @twlite in #4070
  • fix(dashboard): Boolean fields in DetailPage now show correct value by @oliverstreissi in #4186
  • fix(dashboard): Display custom fields on product variant prices by @mehringer68 in #4180

New Contributors

Full Changelog: v3.5.2...v3.5.3
