This is a high-priority security patch that addresses a vulnerability reported a few days ago and described in https://github.com/vendurehq/vendure/security/advisories/GHSA-9pp3-53p2-ww9v
You should update your Vendure version as soon as possible. Because of the severity of this vulnerability, we have also published patches for older release lines for those who cannot yet update to the latest v3.6.x version:
- v3.6.x -> v3.6.2
- v3.5.x -> v3.5.7
- v2.3.x -> v2.3.4
Thank you to @jacobfrantz1 for responsibly disclosing this issue.
What's Changed
- core: Fix SQL injection via the `languageCode` query parameter (3ff0bc1)
- core: Sanitize search term for Postgres tsquery syntax (32c947d)
- fix: Use shipping line tax instead of channel tax by @Ryrahul in #4624
Full Changelog: v3.6.1...v3.6.2