
Changelog History

  • v2.9.1

    January 24, 2020

    🚀 This release fixes a vulnerability issue in Saleor.

    The checkoutCustomerAttach mutation failed to verify whether the customer ID passed matched the currently logged in user. This allowed users to generate checkout sessions and attach them to random existing users. User IDs are integers, so with enough effort, valid ones could be enumerated using brute force.

    As the mutation returns the modified checkout object, the attacker could request its user field to retrieve information about the user the checkout was now assigned to. Information potentially disclosed includes: first and last name, address book contents, order history, and stored payment methods if any (card type, last four digits, expiration date).

    ➕ Additionally, we’ve provided a solution that ensures any embedded user object is obtainable only by a privileged site admin or by the same user, if currently logged in. This affects the following fields:

    • Checkout.events
    • Checkout.user
    • CustomerEvent.user
    • GiftCard.user
    • Order.events
    • Order.user
    • OrderEvent.user
    • User.storedPaymentSources

    A CVE for this issue is pending.

    Affected versions

    🚀 All Saleor releases up to version 2.9 contain this mutation.
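
    The missing ownership check and the field-level guard described above, modelled in plain Python as an added example; this is not Saleor's code. The classes, the functions `attach_unchecked`, `attach_checked` and `resolve_user`, and the sample accounts are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


class PermissionDenied(Exception):
    """The requester may not act on, or read, the target object."""


@dataclass
class User:
    id: int
    email: str
    is_staff: bool = False  # stands in for "privileged site admin"


@dataclass
class Checkout:
    token: str
    user: Optional[User] = None


# Constructed sample accounts with sequential integer IDs.
USERS = {
    1: User(1, "alice@example.com"),
    2: User(2, "bob@example.com"),
    3: User(3, "staff@example.com", is_staff=True),
}


def attach_unchecked(requester, checkout, customer_id):
    """Flawed pattern: the client-supplied ID is trusted as-is."""
    checkout.user = USERS[customer_id]
    return checkout


def attach_checked(requester, checkout, customer_id):
    """Hardened pattern: the ID must be the authenticated requester's own."""
    if requester is None or requester.id != customer_id:
        raise PermissionDenied("customer ID does not match the logged-in user")
    checkout.user = requester
    return checkout


def resolve_user(requester, obj):
    """Field-level guard for an embedded user (e.g. Checkout.user, Order.user).

    Only a privileged admin or the user themselves may read the object.
    Raising on denial is an assumption; returning null is another option.
    """
    owner = obj.user
    if owner is None:
        return None
    if requester is not None and (requester.is_staff or requester.id == owner.id):
        return owner
    raise PermissionDenied("not allowed to read this user")
```

    The guard on the field is a second layer: even if a checkout ends up attached to the wrong account, the embedded user is not returned to a requester who is neither that user nor staff.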

    🔄 Changelog

  • v2.9.0

    October 25, 2019

    🚀 Welcome to the 2.9 release of Saleor! Read the full article about the release on our blog: https://medium.com/saleor/saleor-2-9-release-8f5b1361d2c0.

    🔄 Changelog

    API

    • ➕ Add mutation to change customer's first name and last name - #4489 by @fowczarek
    • ➕ Add mutation to delete customer's account - #4494 by @fowczarek
    • ➕ Add mutation to change customer's password - #4656 by @fowczarek
    • ➕ Add ability to customize email sender address in emails sent by Saleor - #4820 by @NyanKiyoshi
    • ➕ Add ability to filter attributes per global ID - #4640 by @NyanKiyoshi
    • ➕ Add ability to search product types by value (through the name) - #4647 by @NyanKiyoshi
    • ➕ Add queries and mutation for serving and saving the configuration of all plugins - #4576 by @korycins
    • ➕ Add redirectUrl to staff and user create mutations - #4717 by @fowczarek
    • ➕ Add error codes to mutations responses - #4676 by @Kwaidan00
    • ➕ Add translations to countries in shop query - #4732 by @fowczarek
    • ➕ Add support for sorting product by their attribute values through given attribute ID - #4740 by @NyanKiyoshi
    • ➕ Add descriptions for queries and query arguments - #4758 by @maarcingebala
    • ➕ Add support for Apollo Federation - #4825 by @salwator
    • ➕ Add mutation to create multiple product variants at once - #4735 by @fowczarek
    • ➕ Add default value to custom errors - #4797 by @fowczarek
    • 🔧 Extend availablePaymentGateways field with gateways' configuration data - #4774 by @salwator
    • 🔄 Change AddressValidationRules API - #4655 by @Kwaidan00
    • 👉 Use search in a consistent way; add sort by product type name and publication status to products query. - #4715 by @fowczarek
    • 🚚 Unify menuItemMove mutation with other reordering mutations - #4734 by @NyanKiyoshi
    • Don't create an order when the payment was unsuccessful - #4500 by @NyanKiyoshi
    • Don't require shipping information in checkout for digital orders - #4573 by @NyanKiyoshi
    • ⬇️ Drop manage_users permission from the permissions query - #4854 by @maarcingebala
    • 🗄 Deprecate inCategory and inCollection attributes filters in favor of filter argument - #4700 by @NyanKiyoshi & @khalibloo
    • ✂ Remove PaymentGatewayEnum from the schema, as gateways now are dynamic plugins - #4756 by @salwator
    • Require manage_products permission to query costPrice and stockQuantity fields - #4753 by @NyanKiyoshi
    • ♻️ Refactor account mutations - #4510, #4668 by @fowczarek
    • 🛠 Fix generating random avatars when updating staff accounts - #4521 by @maarcingebala
    • 🛠 Fix updating JSON menu representation in mutations - #4524 by @maarcingebala
    • 🛠 Fix fetching staff user without manage_users permission - #4835 by @fowczarek
    • Ensure that a GraphQL query is a string - #4836 by @nix010
    • ➕ Add ability to configure the password reset link - #4863 by @fowczarek

    Core

    • ➕ Add enterprise-grade attributes management - #4351 by @dominik-zeglen and @NyanKiyoshi
    • ➕ Add extensions manager - #4497 by @korycins
    • ➕ Add service accounts - backend support - #4689 by @korycins
    • ➕ Add support for webhooks - #4731 by @korycins
    • Migrate the attributes mapping from HStore to many-to-many relation - #4663 by @NyanKiyoshi
    • 📇 Create general abstraction for object metadata - #4447 by @salwator
    • ➕ Add metadata to Order and Fulfillment models - #4513, #4866 by @szewczykmira
    • 🔌 Migrate the tax calculations to plugins - #4497 by @korycins
    • 🔌 Rewrite payment gateways using plugin architecture - #4669 by @salwator
    • Rewrite Stripe integration to use PaymentIntents API - #4606 by @salwator
    • ♻️ Refactor password recovery system - #4617 by @fowczarek
    • ➕ Add functionality to sort products by their "minimal variant price" - #4416 by @derenio
    • ➕ Add voucher's "once per customer" feature - #4442 by @fowczarek
    • ➕ Add validations for minimum password length in settings - #4735 by @fowczarek
    • ➕ Add form to configure payments in the dashboard - #4807 by @szewczykmira
    • 🔄 Change unique_together in AttributeValue - #4805 by @fowczarek
    • 🔄 Change max length of SKU to 255 characters - #4811 by @lex111
    • Distinguish OrderLine product name and variant name - #4702 by @fowczarek
    • 🛠 Fix updating order status after automatic fulfillment of digital products - #4709 by @korycins
    • 🛠 Fix error when updating or creating a sale with missing required values - #4778 by @NyanKiyoshi
    • 🛠 Fix error filtering pages by URL in the dashboard 1.0 - #4776 by @NyanKiyoshi
    • 🛠 Fix display of the products tax rate in the details page of dashboard 1.0 - #4780 by @NyanKiyoshi
    • 🛠 Fix adding the same product into a collection multiple times - #4518 by @NyanKiyoshi
    • 🛠 Fix crash when placing an order when a customer happens to have the same address more than once - #4824 by @NyanKiyoshi
    • 🛠 Fix time zone based tests - #4468 by @fowczarek
    • 🛠 Fix serializing empty URLs as a string when creating menu items - #4616 by @maarcingebala
    • Invalid IP addresses in HTTP requests now fall back to the requester's IP address - #4597 by @NyanKiyoshi

    Dashboard 2.0

    🚚 Below are changes from the changelog in Saleor main repository. Since the dashboard was moved to its own repository, the rest of the changes can be found there.

    Other notable changes

    • Replace Pipenv with Poetry - #3894 by @michaljelonek
    • ⬆️ Upgrade django-prices to v2.1 - #4639 by @NyanKiyoshi
    • Disable reports from uWSGI about broken pipe and write errors from disconnected clients - #4596 by @NyanKiyoshi
    • 🛠 Fix the random failures of populatedb trying to create users with an existing email - #4769 by @NyanKiyoshi
    • 💅 Enforce pydocstyle for Python docstrings over the project - #4562 by @NyanKiyoshi
    • 🚚 Move Django Debug Toolbar to dev requirements - #4454 by @derenio
    • 🔄 Change license for artwork to CC-BY 4.0
    • 🆕 New translations:
      • Greek
  • v2.9.0.b5

    November 20, 2019
  • v2.9.0.b4

    November 12, 2019
  • v2.9.0.b3

    October 25, 2019
  • v2.9.0.b2

    October 25, 2019
  • v2.8.0

    July 12, 2019

    🚀 Welcome to the June 2019 release of Saleor! Read on to learn about the newest changes!

    Avalara Integration

    🚀 Saleor has, to date, only supported tax calculations for the EU with Vatlayer. To support taxes in other countries, we're integrating the popular Avalara tool with Saleor in this release! With Avalara enabled and configured, you'll get proper tax calculations during the checkout process. Your orders will also be accessible in the Avalara admin panel.

    Storing Credit Cards

    👍 We've improved the internal payment gateway interface, which now allows for storage and reuse of customers' payment sources, such as credit cards, if the gateway supports it. Additionally, we've implemented support in the Braintree gateway module and plan to add Stripe very soon.

    👌 Improved Vouchers Section

    ✅ Good user experience is always one of our top priorities. We are constantly testing Saleor and decided that the Vouchers section was quite challenging to use, so we set about designing an interface that would make it easier for you to quickly create attractive sales offers for your customers. We have now gathered common settings into visual cards, which makes for a clean and intuitive UI.

    CSRF Vulnerability Fix

    🚀 This release fixes a security issue that was introduced in version 2.7.0. In that release, we made customizations to the Django middleware in order to disable some elements that were unnecessary for requests coming to the GraphQL API. Unfortunately, we inadvertently disabled CSRF protection for all POST requests coming to static Django views in Storefront 1.0 and Dashboard 1.0. An attacker could therefore send a request without a valid CSRF token, and the server would accept it. In this release, to close this loophole, we've reverted to the original middleware configuration. We felt that the performance gain was minimal and it wasn't a crucial feature for the system, so the original solution is acceptable.

    The issue was introduced on 16 May, 2019: 94c0703
    Affected versions: 2.7.0

    ⬆️ All users of the affected version are encouraged to upgrade Saleor immediately.

    🔄 Changelog

    Vulnerabilities

    • 🛠 Fixed CSRF vulnerability introduced in Saleor 2.7.0 - CVE-2019-13594

    Core

    • 👍 Avatax backend support - #4310 by @korycins
    • ➕ Add ability to store used payment sources in gateways (first implemented in Braintree) - #4195 by @salwator
    • ➕ Add ability to specify a minimal quantity of checkout items for a voucher - #4427 by @fowczarek
    • 🔄 Change the type of start and end date fields from Date to DateTime - #4293 by @fowczarek
    • ⏪ Revert the custom dynamic middlewares - #4452 by @NyanKiyoshi

    Dashboard 2.0

    Other notable changes

    • 🛠 Fix error when creating a checkout with voucher code - #4292 by @NyanKiyoshi
    • 🛠 Fix error when users enter an invalid phone number in an address - #4404 by @NyanKiyoshi
    • 🛠 Fix error when adding a note to an anonymous order - #4319 by @NyanKiyoshi
    • 🛠 Fix gift card duplication error in the populatedb script - #4336 by @fowczarek
    • 🛠 Fix vouchers apply once per order - #4339 by @fowczarek
    • 🛠 Fix discount tests failing at random - #4401 by @korycins
    • ➕ Add SPECIFIC_PRODUCT type to VoucherType - #4344 by @fowczarek
    • 🆕 New translations:
      • Icelandic

    Thank you

    🍱 This month we need to give 5,000 thanks 🙏 to all contributors, stargazers, and supporters of Saleor! We've just hit that landmark number of GitHub stars.

    Contributing

    For those of you who are interested in contributing to the project, we prepared a bunch of issues labeled as help wanted. Don't worry if you don't fully understand the problem - our team will try to guide you and answer all your questions. Remember to check our channels on Gitter and Spectrum; they serve best if you have quick questions that don't require opening an issue on GitHub.

    🚀 Make sure to check out the article about this release on our blog!

  • v2.7.0

    June 13, 2019

    🚀 Welcome to the May 2019 release of Saleor! Read on to learn about the newest changes!

    Storefront's navigation management

    🔧 This month we're bringing you the last missing section of Dashboard 2.0. Storefront navigation management allows you to configure which information and links are visible in the menu bars of your storefront. You can add new items and easily link them to existing categories, collections, and pages on your site, or add a link to any external site you choose. Once items are created, their structure can be arranged by dragging and dropping to reorder or nest them.

    Filtering capabilities

    👍 Dashboard 2.0 already provides management views for all data models in Saleor, but we wanted to make it even better by adding filtering capabilities to two dashboard sections. Products can now be filtered by price (exact value or price range), stock availability, or storefront visibility. Orders can be filtered by creation date and fulfillment status. We've also added search capabilities that let you find products by name or orders by customer's email, and many more. Lastly, each filter can be saved as a new tab so it can be easily reused later!

    🆕 New order creation flow

    Having to deal with unpaid orders may be problematic for store owners for several reasons. Unpaid orders unnecessarily allocate stock quantity, which may be abused by malicious users. Staff members have to manually resolve each order and either contact the customer or close it after some time. It means more work and less revenue. We've now changed the flow of creating orders in our GraphQL API so that an order is only created if a successful payment was made. If a payment fails, customers will stay with an open checkout that they can either pay later or share with someone else who can pay for them.

    🔄 Changelog

    API

    • Create order only when payment is successful - #4154 by @NyanKiyoshi
    • Order Events containing order lines or fulfillment lines now return the line object in the GraphQL API - #4114 by @NyanKiyoshi
    • 🖨 GraphQL now prints exceptions to stderr as well as returning them or not - #4148 by @NyanKiyoshi
    • ♻️ Refactored API resolvers to static methods with root typing - #4155 by @NyanKiyoshi
    • ➕ Add phone validation in the GraphQL API to handle the library upgrade - #4156 by @NyanKiyoshi

    Core

    Dashboard 2.0

    Other notable changes

    • ➕ Add support for Google Cloud Storage - #4127 by @chetabahana
    • ➕ Adding a nonexistent variant to checkout no longer crashes - #4166 by @NyanKiyoshi
    • Disable storage of Celery results - #4169 by @NyanKiyoshi
    • Disable polling in Playground - #4188 by @maarcingebala
    • ⚡️ Cleanup code for updated function names and unused argument - #4090 by @jxltom
    • 👉 Users can now add multiple "Add to Cart" forms in a single page - #4165 by @NyanKiyoshi
    • Fix incorrect argument in get_client_token in Braintree integration - #4182 by @maarcingebala
    • 🛠 Fix resolving attribute values when transforming them to HStore - #4161 by @maarcingebala
    • 🛠 Fix wrong calculation of subtotal in cart page - #4145 by @korycins
    • 🛠 Fix margin calculations when product/variant price is set to zero - #4170 by @MahmoudRizk
    • 🛠 Fix applying discounts in checkout's subtotal calculation in API - #4192 by @maarcingebala
    • 🛠 Fix GATEWAYS_ENUM to always contain all implemented payment gateways - #4108 by @koradon

    🚀 Future releases

    There are a bunch of exciting things that we're working on right now to improve Saleor.

    🔌 Plug-in architecture

    ⬆️ Saleor is highly customizable, but one trade-off that comes with it is the difficulty of upgrading to new versions after any customizations were made. We're investigating better approaches to customization with the use of plugin architecture which would allow integrating the Saleor flow with custom logic.

    Enterprise-grade attributes

    A proper attribute structure is a crucial factor for many businesses when presenting their products in the system. We want to make attributes in Saleor more flexible and allow them to be created independently from product types, as well as giving extra control over their visibility in the storefront's faceted search or product detail pages.

    Advanced product list capabilities

    Dashboard's product list will also become a lot more flexible. We're currently designing a new version in which users will be able to customize the visible columns, reorder them, and edit products with in-line forms.

    0️⃣ Lastly, we're getting a lot of questions regarding multi-vendor support in Saleor on our social channels. Right now we're focused on developing the default, single-vendor version and our cloud solution, but we want to assure everyone that it is a feature we want just as much as you do, and we'll keep it on our radar.

    Thank you

    🍱 A big thank you 🙏 to all contributors, stargazers, and supporters of Saleor!

    Contributing

    For those of you who are interested in contributing to the project, we prepared a bunch of issues labeled as help wanted. Don't worry if you don't fully understand the problem - our team will try to guide you and answer all your questions. Remember to check our channels on Gitter and Spectrum; they serve best if you have quick questions that don't require opening an issue on GitHub.

    🚀 Make sure to check out the article about this release on our blog!

  • v2.7.0.b1

    June 15, 2019
  • v2.6.0

    May 13, 2019

    🚀 Welcome to the April 2019 release of Saleor! Read on to learn about the newest changes!

    Any color you like, as long as it's Black

    💅 Proper code formatting is one of the essential things that help to keep an open-source project universally maintainable and understandable. We had Google's YAPF in Saleor, but the formatting was only applied to some of the newer code, while a lot of the original core was using inconsistent styles. To address this issue, we decided to pick a modern tool that a number of open-source projects have recently adopted. Black is an opinionated code formatting tool for Python that comes with a fixed set of rules which are subject to only limited adjustments. And that's one of the greatest powers of Black. We've also added support for Pre-commit which makes sure that every commit you create contains appropriately formatted code.

    Data classes as a universal payment interface

    🔌 One of our goals for the future is to extract payment gateways to separate repositories and provide a standard interface that'll make implementing new ones easier for the community. We're also investigating ways to have a plugin architecture where integrations can be optionally turned on and off. For that, we want to benefit from Python 3.7's data classes which can be used as standardized objects to pass data between various parts of the system. As data classes are not supported in Python versions before 3.6 (in 3.6 they're available through a third-party library), we decided to drop support for Python 3.5.

    Bulk actions in Dashboard 2.0

    👍 A useful management Dashboard is one that allows users to perform everyday actions quickly. From now on, users can perform selected actions for multiple objects rather than repeating actions. It currently supports the most common operations, such as deleting items or publishing/unpublishing products and pages, but more will be added in future.

    🔄 Changelog

    API

    Core

    Dashboard 2.0

    Other notable changes

    • ➕ Add setting to enable Django Debug Toolbar - #3983 by @koradon
    • 👉 Use newest GraphQL Playground - #3971 by @salwator
    • Ensure adding to quantities in the checkout is respecting the limits - #4005 by @NyanKiyoshi
    • 🛠 Fix country area choices - #4008 by @fowczarek
    • Fix price_range_as_dict function - #3999 by @zodiacfireworks
    • 🛠 Fix the product listing not showing in the voucher when there were products selected - #4062 by @NyanKiyoshi
    • 🛠 Fix crash in Dashboard 1.0 when updating an order address's phone number - #4061 by @NyanKiyoshi
    • ⬇️ Reduce the time of tests execution by using dummy password hasher - #4083 by @korycins
    • Set up explicit hash function - #3979 by @akjanik
    • ✅ Unit tests use none as media root - #3975 by @korycins
    • 💅 Update file field styles with materializecss template filter - #3998 by @zodiacfireworks
    • 🆕 New translations:
      • Albanian
      • Colombian Spanish
      • Lithuanian

    🚀 Future releases

    There are a few areas that we're currently working on and planning to ship in the next version:

    • Navigation menus management in Dashboard 2.0 - views to create and manage menus displayed in the storefront.
    • 👌 Improvements to the payment architecture and currently supported payment gateways.

    Thank you

    🍱 A big thank you 🙏 to all contributors, stargazers, and supporters of Saleor!

    Contributing

    For those of you who are interested in contributing to the project, we prepared a bunch of issues labeled as help wanted. Don't worry if you don't fully understand the problem - our team will try to guide you and answer all your questions. Remember to check our channels on Gitter and Spectrum; they serve best if you have quick questions that don't require opening an issue on GitHub.

    🚀 Make sure to check out the article about this release on our blog!