Mailchimp Open Commerce is an API-first, headless commerce platform built using Node.js, React, GraphQL. Deployed via Docker and Kubernetes.
GPL-3.0 License
Published by spencern over 5 years ago
This is our tenth release candidate for v2.0.0 of Reaction.
Please check it out and let us know what works and what doesn't for you.
This release is being coordinated with reaction-platform and is designed to work with the same versions of reaction-next-starterkit and reaction-hydra.
We have removed several UI components to transition and solidify that in 2.0 the application will only be used as an API and a UI for shop operators. Additional PRs will be coming to remove other pieces of the storefront UI bit by bit until only an operator UI is left. (#4947, #4948)

- reaction-cli with this update. (#4992)
- localhost:3000/graphiql to localhost:3000/graphql-alpha
- calculateOrderTaxes to return a custom data object. (#4955)
- Hooks usage with the newer appEvents. This does not break anything within the core and included plugins, however:
  - If you use the @reactioncommerce/hooks package, you will need to update or obtain updated versions that use context.appEvents instead.
  - If you have custom MethodHooks, update them to implement those hooks a different way.
- appEvents consumed and emitted by custom plugins. Update expected and emitted arguments. See the table. (#4915)
- The placeOrder* GraphQL mutations provided by the built-in payment plugins are removed and replaced with a single placeOrder mutation which supports multiple payments. Any custom payment method plugins will break due to the removal of the createOrder internal mutation. Look at all changes. (#4908)
- Renamed inventoryQuantity to inventoryInStock in the Products collection; update your codebase if you use it. (#4930)

In relation to improving performance, we have added new debugging scripts (#4992) so you can use the Node debugger while developing Reaction:
"inspect": "node --experimental-modules --inspect ./.reaction/run/index.mjs",
"inspect-brk": "node --experimental-modules --inspect-brk ./.reaction/run/index.mjs",
"inspect-docker": "node --experimental-modules --inspect=0.0.0.0:9229 ./.reaction/run/index.mjs",
"inspect-brk-docker": "node --experimental-modules --inspect-brk=0.0.0.0:9229 ./.reaction/run/index.mjs",
Example usage (the --service-ports flag belongs to docker-compose run, so it is given once, before the service name):
docker-compose run --rm --service-ports reaction yarn run inspect-brk
docker-compose run --rm --service-ports reaction yarn run inspect
We have added new documentation!

Known issues:
- reaction-platform has not been fully tested with Windows and may not be compatible with it.
- NaN in rare circumstances based on Migrations (#4946)
- Renamed the inventoryQuantity field to inventoryInStock (#4930)

Thanks, @rattrayalex-stripe, for contributing to this release!
Published by spencern over 5 years ago
This is our ninth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.
This release is being coordinated with reaction-platform and is designed to work with the same versions of reaction-next-starterkit and reaction-hydra.
We've made some updates to the way inventory is tracked, introducing a new inventory field: inventoryAvailableToSell. This field tracks inventory that has been ordered, but has not yet been processed and so is still counted in-stock. This number is what is displayed to customers and determines whether a product is considered "sold out" or not. The old inventory number inventoryQty has been renamed to inventoryInStock and continues to represent the inventory available in stock.

- A migration has been added to add inventoryAvailableToSell to all products / variants, to correctly calculate the numbers on parent products / variants, and to publish this data to already published Catalog items.
- currentQuantity has been marked as deprecated in the cart. This isn't a breaking change at the moment, but lays the path to remove this field and replace it with inventoryAvailableToSell and inventoryInStock in the future.
- Catalog.getVariantQuantity and ReactionProduct.getVariantQuantity have been removed. Custom plugins using these methods will need to be updated. The same data returned by these methods is now on the object that was being passed into these methods, as the field inventoryQuantity or inventoryAvailableToSell.
- Moved the isBackorder, isLowQuantity, and isSoldOut functions from the catalog plugin to the new inventory plugin. Custom plugins using these methods will need to update their import path.

Published by spencern almost 6 years ago
This is our eighth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.
The core experience and UI for a shop operator using Reaction Commerce has not changed much over the last couple of years. We've been hard at work on the new and improved storefront but until now have not revealed any of our design or plans for improving the updated operator UI.
This release includes the first beta of the new Reaction operator UI. Our focus with this new operator UI has several goals. First, we're transitioning from a single page storefront and admin experience to a full page admin experience that will be separate from the storefront. We believe this change is necessary and beneficial for anyone operating a store that works with a large number of products and/or does a high volume of orders. This change also decouples the customer facing storefront from the operator UI. The existing UI had a WYSIWYG flavor to it where the product and catalog management was done in an interface that was identical to what the customer saw. There are some benefits to this - having a good perspective of what your customers see when you make a change - but for large catalogs, it's not very practical. In addition, we've received feedback that the experience could be confusing for admin users who wanted to concentrate on their admin tasks only. Once decoupled, the operator UI can use 100% of the screen space for store management and operation. The change will be a big benefit to users managing large product catalogs and complex fulfillment patterns.
Right now this new operator UI is opt-in and the existing, drawer style operator experience will continue to function as it has. You can access the new operator UI by visiting /operator.
This UI should have all existing functionality baked in, but we anticipate that there may be some rough edges and from a user experience standpoint it is the first step on a longer path. The first step here has been to replicate existing functionality by moving existing components into the new layout and fixing bugs that we've found. Going forward, we'll be implementing improved UIs for many of the operator tools - Catalog Management, Inventory, Pricing, Order Management, etc.
Please file an issue for any bugs that you find, whether they be weird UI quirks or things that don't work as expected.
Most services that make up the Reaction platform use a .env file in the root of the service folder to define environment variables that should be set while running. They also have a pre-build script that the reaction-platform tool runs to create or update the .env file from a .env.example file, which is committed. Until now, this project did not use a .env file, so we've added one. See https://github.com/reactioncommerce/reaction/pull/4826 for more details.
We've updated GraphQL and GraphQL Tools to new versions and added support for extend enum and extend union. This permits extending the core schema in this way from a plugin. See https://github.com/reactioncommerce/reaction/pull/4798 for more details.
When we introduced reaction-platform and began developing in Docker environments, we began to notice high CPU utilization for those of us developing on OSX.
Long story short, this is an issue with filesystem operations in Docker for Mac and there's not much we can do to resolve the core issue. In development mode, we leverage Meteor to watch for file changes. By adjusting the polling interval for the Meteor file watcher, we can greatly reduce the issues introduced by Docker for Mac. We've set two environment variables in the example .env file, .env.example (https://github.com/reactioncommerce/reaction/pull/4826), as follows; if these don't work for you, I'd start by adjusting the polling interval to something higher - 20000 (20s) or 30000 (30s). If you're working directly on the core reaction project, this may impact how long it takes before a change you've made is recognized and rebuilt, but that may be a small price to pay to reduce CPU burn by hyperkit. There shouldn't be any other consequences to increasing this number.
METEOR_DISABLE_OPTIMISTIC_CACHING=1
METEOR_WATCH_POLLING_INTERVAL_MS=10000
This release contains a number of breaking changes that we've been working to get into Reaction before we cut the final 2.0.0 release. If you're planning to update an existing shop, please read through this list.

- shop/getBaseLanguage
- shop/getCurrencyRates
- shop/getWorkflow
- getTemplateByName
- orders/addOrderEmail
- taxes/updateTaxCode
- workflow/coreOrderWorkflow/coreOrderProcessing
- workflow/coreOrderWorkflow/coreOrderCompleted

- A taxes-rates plugin has been added in the included folder, and all features related to custom rates have been moved there. This includes the "Custom Rates" panel in tax settings; the Taxes collection and its related schemas; the "taxes/addRate", "taxes/editRate", and "taxes/deleteRate" Meteor methods; and the "Taxes" Meteor publication.
- The taxes plugin has a new API for registering tax services (such as the included "Custom Rates" service, or a custom Avalara service, for example). They are registered by passing a taxServices array to registerPackage (example and details in #4785).
- The taxes array now has a different schema and appears for individual items as well as the full cart or order fulfillment group.
- In Products documents, taxable is now isTaxable. This change had previously been made in the Catalog schema and is now made in Products to match.
- The taxCode value is now used for filtering which products should be taxed at that rate. This requires a review of all your products to ensure that they have a tax code specified, in addition to being marked as taxable. If you'd rather not do this review, you can revert to the old behavior of ignoring tax codes by editing each of your Custom Rates entries, clearing the "Tax Code" field, and saving.
- Breaking changes to how address validation works. Affects all plugins that provide address validation and all clients that validate addresses. (https://github.com/reactioncommerce/reaction/pull/4767)
- A .env file with correct environment variables set in it is now required. The .env.example file, with no changes, should work for most people. When running with reaction-platform, this should happen automatically. But if you've already been developing locally and you pull in this change, you'll need to run bin/setup once. You can also run bin/setup anytime you pull in the future, to add any new ENV variables. (https://github.com/reactioncommerce/reaction/pull/4826)
- Added a .env file (#4826)

Thanks to @willmoss1000 for contributing to this release! 🎉
Published by spencern almost 6 years ago
This security release addresses two potential vulnerabilities.
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.
Remove dependency on event-stream
This fix removes a dependency on event-stream, introduced by nodemon via pstree, by bumping nodemon and pstree.remy (through nodemon) to a version that does not include pstree.
event-stream had a malicious bit of code added to version 3.3.6, which has since been removed from GitHub and appears to have specifically targeted copay.
From the original post in the event-stream repo:
Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected. For example:
$ npm ls event-stream flatmap-stream
...
flatmap-stream@0.1.1
...
What does it do:
Other users have done some good analysis of what these payloads actually do.
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441746370
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441749105
What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer, update your event-stream dependency to event-stream@4.0.0. This protects people with cached versions of event-stream.
Snyk has a great writeup about this issue in their blog: https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream.
See the issue on the event-stream repo for more information: https://github.com/dominictarr/event-stream/issues/116
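As an added example (not code from the Reaction project nor from the event-stream advisory), here is an offline equivalent of the npm ls event-stream flatmap-stream check quoted above: it walks a package-lock.json in the lockfileVersion 1 layout and reports every dependency chain that reaches event-stream 3.3.6 or flatmap-stream 0.1.1, the compromised pair. The lockfile contents, the other package names and every other version number are constructed sample values.

```javascript
// Added example, not Reaction project code. Offline equivalent of
// `npm ls event-stream flatmap-stream` for a package-lock.json in the
// lockfileVersion 1 layout: packages nest under "dependencies", and hoisted
// packages are reached through "requires". All sample data is constructed.

// The two compromised releases from the event-stream incident.
const COMPROMISED = {
  "event-stream": new Set(["3.3.6"]),
  "flatmap-stream": new Set(["0.1.1"]),
};

// npm resolution for lockfile v1: look in the nearest enclosing "dependencies"
// object first, then walk outward to the root. scopes[0] is the root scope.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const node = scopes[i][name];
    if (node) return { node, scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// Returns { hits, unresolved }. `hits` are chains such as
// "a@1.0.0 > b@2.0.0 > event-stream@3.3.6"; `unresolved` are "requires"
// entries with no matching lockfile node (a corrupt or hand-edited lockfile).
// `directDeps` are the project's direct dependencies from package.json, which
// a v1 lockfile does not record on its own.
function findCompromised(lockfile, directDeps, watchlist = COMPROMISED) {
  const root = lockfile.dependencies || {};
  const hits = [];
  const unresolved = [];

  function walk(name, node, scopes, trail, seen) {
    const id = `${name}@${node.version}`;
    if (seen.has(id)) return; // cycle guard; npm prints these as "deduped"
    const chain = [...trail, id];
    if (watchlist[name] && watchlist[name].has(node.version)) {
      hits.push(chain.join(" > "));
    }
    const inner = [...scopes, node.dependencies || {}];
    const nextSeen = new Set(seen).add(id);
    for (const dep of Object.keys(node.requires || {})) {
      const found = resolve(dep, inner);
      if (found) walk(dep, found.node, found.scopes, chain, nextSeen);
      else unresolved.push(`${chain.join(" > ")} > ${dep}`);
    }
  }

  for (const dep of directDeps) {
    const found = resolve(dep, [root]);
    if (found) walk(dep, found.node, found.scopes, [], new Set());
    else unresolved.push(dep);
  }
  return { hits, unresolved };
}

// Constructed lockfile modelled on the chain described in the release notes:
// nodemon -> pstree.remy -> ps-tree -> event-stream -> flatmap-stream, with
// flatmap-stream hoisted to the top level as npm would do.
const SAMPLE_LOCK = {
  name: "shop",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    nodemon: { version: "1.18.6", requires: { "pstree.remy": "^1.1.0" } },
    "pstree.remy": { version: "1.1.0", requires: { "ps-tree": "^1.1.0" } },
    "ps-tree": {
      version: "1.1.0",
      requires: { "event-stream": "~3.3.0" },
      dependencies: {
        "event-stream": {
          version: "3.3.6",
          requires: { "flatmap-stream": "0.1.1", "map-stream": "~0.1.0" },
        },
      },
    },
    "flatmap-stream": { version: "0.1.1" },
    "map-stream": { version: "0.1.0" },
  },
};

// The same project after the dependency bump: event-stream no longer at 3.3.6
// and flatmap-stream gone from the tree entirely (constructed values).
const CLEAN_LOCK = JSON.parse(JSON.stringify(SAMPLE_LOCK));
CLEAN_LOCK.dependencies["ps-tree"].dependencies["event-stream"] = {
  version: "4.0.0",
  requires: { "map-stream": "~0.1.0" },
};
delete CLEAN_LOCK.dependencies["flatmap-stream"];

if (typeof require !== "undefined" && require.main === module) {
  const report = findCompromised(SAMPLE_LOCK, ["nodemon"]);
  console.log(report.hits.length ? report.hits.join("\n") : "no compromised packages");
}
```

To audit a real project, replace SAMPLE_LOCK with the parsed package-lock.json and directDeps with the keys of dependencies and devDependencies from package.json.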
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.
Patches are attached to this release.
Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.
- Patch files for removing the UI, dependent on software version: fb-app-secret-ui-{version-number}-2018-11-19.patch
- Version-specific migration patch file for removing the appSecret from the database: fb-app-secret-migration-{version-number}-2018-11-19.patch
If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.
If you had a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
If you used this App Secret in any other applications or for Facebook oAuth login within Reaction Commerce, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
Published by spencern almost 6 years ago
This security release addresses two potential vulnerabilities.
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.
Remove dependency on event-stream
This fix removes a dependency on event-stream, introduced by nodemon via pstree, by bumping nodemon and pstree.remy (through nodemon) to a version that does not include pstree.
event-stream had a malicious bit of code added to version 3.3.6, which has since been removed from GitHub and appears to have specifically targeted copay.
From the original post in the event-stream repo:
Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected. For example:
$ npm ls event-stream flatmap-stream
...
flatmap-stream@0.1.1
...
What does it do:
Other users have done some good analysis of what these payloads actually do.
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441746370
https://github.com/dominictarr/event-stream/issues/116#issuecomment-441749105
What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer, update your event-stream dependency to event-stream@4.0.0. This protects people with cached versions of event-stream.
See the issue on the event-stream repo for more information: https://github.com/dominictarr/event-stream/issues/116
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.
Patches are attached to this release.
Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Two patch files for removing the UI, dependent on software version:
- fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
- fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

Version-specific migration patch files for removing the appSecret from the database:
- fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
- fb-app-secret-migration-v1.17.0-2018-11-19.patch
- fb-app-secret-migration-v1.16.0-2018-11-19.patch
- fb-app-secret-migration-v1.15.0-2018-11-19.patch
- fb-app-secret-migration-v1.14.0-2018-11-19.patch
- fb-app-secret-migration-v1.13.0-2018-11-19.patch
- fb-app-secret-migration-v1.12.0-2018-11-19.patch
- fb-app-secret-migration-v1.11.0-2018-11-19.patch
- fb-app-secret-migration-v1.10.0-2018-11-19.patch
If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.
- Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.
- Inside of the social settings panel, you will see the settings page for Facebook. If you have an "App Secret" configured in this section, remove it.
- If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.
Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.
- v1.14.0 - latest: fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
- v0.14.0 - v1.13.2: fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.
If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
If you used this App Secret in any other applications or for Facebook oAuth login, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
Published by spencern almost 6 years ago
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.
Patches are attached to this release.
Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

Two patch files for removing the UI, dependent on software version:
- fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
- fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

Version-specific migration patch files for removing the appSecret from the database:
- fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
- fb-app-secret-migration-v1.17.0-2018-11-19.patch
- fb-app-secret-migration-v1.16.0-2018-11-19.patch
- fb-app-secret-migration-v1.15.0-2018-11-19.patch
- fb-app-secret-migration-v1.14.0-2018-11-19.patch
- fb-app-secret-migration-v1.13.0-2018-11-19.patch
- fb-app-secret-migration-v1.12.0-2018-11-19.patch
- fb-app-secret-migration-v1.11.0-2018-11-19.patch
- fb-app-secret-migration-v1.10.0-2018-11-19.patch
If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.
- Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.
- Inside of the social settings panel, you will see the settings page for Facebook. If you have an "App Secret" configured in this section, remove it.
- If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.
Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.
- v1.14.0 - latest: fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
- v0.14.0 - v1.13.2: fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.
If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
If you used this App Secret in any other applications or for Facebook oAuth login, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
Published by spencern almost 6 years ago
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.
Patches are attached to this release.
Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.
Two patch files for removing the UI dependent on software version
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch
If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.
Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen
Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.
If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch
migration patch that is appropriate for your version of Reaction. If you’re using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.
Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.
v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.
If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
If you used this App Secret in any other applications or for Facebook oAuth login, you should generate and use a new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
Published by spencern almost 6 years ago
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.
Patches are attached to this release.
Patches will download as a .zip file named: reaction-security-patches-2018-11-19-security-social-plugin.zip which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.
Two patch files for removing the UI dependent on software version
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version specific migration patch file for removing the appSecret from the database
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch
If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.
Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen
Inside of the social settings panel, you will see the settings page for Facebook - if you have an “App Secret” configured in this section, remove it.
If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch
migration patch that is appropriate for your version of Reaction. If you’re using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.
Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.
v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.
If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
If you used this App Secret in any other applications or for Facebook oAuth login, you should generate and use a new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
Published by spencern almost 6 years ago
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it’s unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have impact on the use of Facebook oAuth login which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.
Patches are attached to this release.
Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name includes the versions it applies to.
Two patch files for removing the UI, depending on your software version:
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
Version-specific migration patch files for removing the appSecret from the database:
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch
If you're using Reaction Commerce >= v1.10.0, please install the latest patch version and run the included migration.
Check the social settings operator panel. It can be accessed by clicking the "share-alt" icon towards the bottom of the operator sidebar on the right of the screen.
Inside the social settings panel you will see the settings page for Facebook; if you have an "App Secret" configured in this section, remove it.
If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.
Apply the patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches remove the UI that allowed shop operators to add the Facebook App Secret in the social plugin panel.
v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
If you’re running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.
If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
If you used this App Secret in any other applications or for Facebook OAuth login, generate and use new secrets to continue providing services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
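The migration step above (unsetting the stored App Secret) and the audit step (checking whether a secret is still present) can be expressed as a small script. The following is an added example, not one of the patch files attached to this release and not Reaction's own migration code. It assumes, as a hypothetical layout, that each shop has a Packages document named "reaction-social" with its Facebook settings at settings.public.apps.facebook; the field path, the collection name and the sample documents are all constructed for illustration and should be adjusted to the schema of your version.

```javascript
// Added example (not Reaction's own migration): locate and strip a stored
// Facebook App Secret from reaction-social package settings documents.
// Assumed (hypothetical) layout: one Packages document per shop with
// name "reaction-social" and Facebook settings at settings.public.apps.facebook.

const SECRET_PATH = ["settings", "public", "apps", "facebook", "appSecret"];

// Walk an object along a key path; returns undefined if any step is missing.
function getPath(obj, path) {
  return path.reduce(
    (cur, key) => (cur && typeof cur === "object" ? cur[key] : undefined),
    obj
  );
}

// Audit: report which package documents still carry a non-empty App Secret.
// Returns [{ _id, shopId }] so the operator knows which shops need rotation.
// The secret value itself is deliberately not returned or logged.
function findStoredAppSecrets(packageDocs) {
  return packageDocs
    .filter((doc) => doc.name === "reaction-social")
    .filter((doc) => {
      const secret = getPath(doc, SECRET_PATH);
      return typeof secret === "string" && secret.trim() !== "";
    })
    .map((doc) => ({ _id: doc._id, shopId: doc.shopId }));
}

// Migration: return a copy of the document with the secret removed.
// The equivalent MongoDB update for the assumed layout would be:
//   db.Packages.updateMany({ name: "reaction-social" },
//     { $unset: { "settings.public.apps.facebook.appSecret": "" } })
function stripAppSecret(doc) {
  const copy = JSON.parse(JSON.stringify(doc));
  const parent = getPath(copy, SECRET_PATH.slice(0, -1));
  if (parent && Object.prototype.hasOwnProperty.call(parent, "appSecret")) {
    delete parent.appSecret;
  }
  return copy;
}

// Constructed sample documents (not real data, not a real secret).
const SAMPLE_PACKAGES = [
  {
    _id: "pkg1", shopId: "shopA", name: "reaction-social",
    settings: { public: { apps: { facebook: { appId: "123", appSecret: "SAMPLE-NOT-A-SECRET" } } } }
  },
  {
    _id: "pkg2", shopId: "shopB", name: "reaction-social",
    settings: { public: { apps: { facebook: { appId: "456" } } } }
  },
  { _id: "pkg3", shopId: "shopA", name: "reaction-email-smtp", settings: { host: "smtp.example" } }
];

// Run the audit first (so affected shops can rotate the secret at Facebook),
// then strip the field. Non-social packages are passed through untouched.
function runMigration(packageDocs) {
  const affected = findStoredAppSecrets(packageDocs);
  const cleaned = packageDocs.map((doc) =>
    doc.name === "reaction-social" ? stripAppSecret(doc) : doc
  );
  return { affected, cleaned };
}

console.log(runMigration(SAMPLE_PACKAGES).affected);
```

The audit output lists only document and shop identifiers; the secret value is never printed, because once it has been found it should be invalidated at the Facebook App settings page rather than copied anywhere else. Running the audit again on the cleaned documents should return an empty list.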
Published by spencern almost 6 years ago
This release contains mostly bug fixes, many of which are focused on Marketplace implementations. Thanks to @pmn4 for contributing many of the marketplace fixes and additions.
There's also a little bit of cleanup of unused code in this release. This will likely be our last release on the 1.x line as our new work is focused on our 2.x version.
Use getSlug instead of this.getSlug (#4547)
Thanks to @pmn4, @nadaa, and @janus-reith for contributing to this release! 🎉
Published by spencern almost 6 years ago
This is our sixth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.
We've been using a release candidate of Meteor 1.8 in all of our 2.0 release candidates to this point, which also meant release candidate versions of Babel 7. In this release we're updating to the final versions of Meteor 1.8 and Babel 7.
There are a lot of great updates included in Meteor 1.8, and you can read all about them on the Meteor blog. The one we'll notice most is the significant improvement to build performance. We've been focused on improving the performance and developer experience of Reaction for a while now, and this update makes significant progress on developer experience and build times. Anyone who's been using Reaction for a while should notice big improvements in how long the app takes to rebuild after making changes.
We're still on Node.js 8.11.4, as the upgrade to Node 8.12.0 was postponed to the Meteor 1.8.1 release. If you're itching to try it, you can run meteor update --release 1.8.1-beta.n from the directory where you have the core reaction project installed. There may be some additional speed improvements related to Meteor's use of Fibers in that version.
We've also updated our base Docker image to use Meteor 1.8. (#4760)
We've extracted the core email sending functionality into a new reaction-email-smtp plugin, which is included, and created a new sendEmail event which is emitted for each email job. The core SMTP email plugin now listens for these events and sends an email if an SMTP provider is configured. This makes it possible to create plugins which send emails via an API rather than via SMTP.
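To make the event-driven split concrete, here is an added example of the pattern described above; it is not code from the reaction-email-smtp plugin or from Reaction core. It models appEvents with a minimal synchronous event bus written for this example, and the fields on the email job object (id, to, subject, html) and the transport interfaces (send, post) are assumptions, not the plugin's actual payload shape.

```javascript
// Added example (not Reaction's own code): core emits one "sendEmail" event
// per email job; transport plugins decide whether to act on it.
// The event bus, job fields and transport interfaces are all assumed here.

// Minimal synchronous event bus standing in for appEvents.
function createEventBus() {
  const handlers = new Map();
  return {
    on(name, fn) {
      if (!handlers.has(name)) handlers.set(name, []);
      handlers.get(name).push(fn);
    },
    emit(name, payload) {
      (handlers.get(name) || []).forEach((fn) => fn(payload));
    }
  };
}

// SMTP transport plugin: acts only when an SMTP provider is configured.
// `transport` stands in for a real mail transport (assumed interface: send(job)).
// Returns the list of job ids it handled so callers can inspect the outcome.
function registerSmtpPlugin(appEvents, { isConfigured, transport }) {
  const sent = [];
  appEvents.on("sendEmail", (job) => {
    if (!isConfigured()) return; // no SMTP provider: leave the job to another plugin
    transport.send(job);
    sent.push(job.id);
  });
  return sent;
}

// API-based transport plugin (an HTTP mail API, for instance) listening for
// the same event. `apiClient` is assumed to expose post(job).
function registerApiMailPlugin(appEvents, { apiClient }) {
  const sent = [];
  appEvents.on("sendEmail", (job) => {
    apiClient.post(job);
    sent.push(job.id);
  });
  return sent;
}

// Core side: emit one sendEmail event per queued job without knowing which
// transport plugin(s) are registered. Returns the number of events emitted.
function dispatchEmailJobs(appEvents, jobs) {
  jobs.forEach((job) => appEvents.emit("sendEmail", job));
  return jobs.length;
}

// Constructed demo with both plugins registered; toggles SMTP configuration.
function demo({ smtpConfigured }) {
  const appEvents = createEventBus();
  const smtpLog = [];
  const apiLog = [];
  const smtpSent = registerSmtpPlugin(appEvents, {
    isConfigured: () => smtpConfigured,
    transport: { send: (job) => smtpLog.push(job.to) }
  });
  const apiSent = registerApiMailPlugin(appEvents, {
    apiClient: { post: (job) => apiLog.push(job.to) }
  });
  const jobs = [ // constructed sample jobs
    { id: "job-1", to: "buyer@example.com", subject: "Order confirmed", html: "<p>...</p>" },
    { id: "job-2", to: "ops@example.com", subject: "Low stock", html: "<p>...</p>" }
  ];
  const emitted = dispatchEmailJobs(appEvents, jobs);
  return { emitted, smtpSent, apiSent, smtpLog, apiLog };
}

console.log(demo({ smtpConfigured: false }));
```

With SMTP unconfigured, the SMTP listener ignores every job and only the API plugin delivers; with SMTP configured, both listeners act, which is why a deployment should register exactly one transport plugin or have each plugin check its own configuration before sending.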
The email provider config form found at Dashboard -> Emails -> Mail Provider can now also be overridden. Plugins can use register.js to provide a React component to use there.
Added a primaryShop GraphQL query & resolver, eliminating the need to first query for the primary shop ID, followed by another query for shop by ID.
In #4749 we changed the names of our included payment method plugins. We've included a migration to automatically update any existing installation, but if you have custom code that relies on these payment method names you may need to make some changes.
We've been ignoring some of our integration tests because the in-memory MongoDB they rely on has not been working reliably. Previously we did this by skipping the entire test:integration suite in CI; we're now skipping only the tests that fail due to this DB incompatibility, and we plan to address this soon.
Published by spencern almost 6 years ago
On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to OAuth service providers and SMS messaging providers and to access certain routes intended for operators only.
Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact [email protected] for patch files for your version.
We have prepared a patch release with a fix for every affected minor version since v1.10.0:
Pull latest from release branch release-2.0.0-rc.6
Pull latest from release branch release-1.17.0
Install version v1.16.1
Install version v1.15.1
Install version v1.14.2
Install version v1.13.2
Install version v1.12.2
Install version v1.11.1
Install version v1.10.1
Please contact [email protected] for patch files for your version.
For any SMS or OAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.
To continue using SMS or OAuth providers through Reaction Commerce, generate and use new secrets to continue to provide login or notification services to your customers.