This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+2 more
Affected surfaces
Summary
AI summaryBroad release touches Chores, Bugs, https://github.com/shahednasser, and Highlights.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
Adds admin MFA UI for managing authentication methods. Adds admin MFA UI for managing authentication methods. Source: llm_adapter@2026-06-01 Confidence: high |
— |
| Feature | Medium |
Emits MFA lifecycle events for tracking authentication flows. Emits MFA lifecycle events for tracking authentication flows. Source: llm_adapter@2026-06-01 Confidence: high |
— |
| Feature | Medium |
Adds email verification primitives for MFA. Adds email verification primitives for MFA. Source: llm_adapter@2026-06-01 Confidence: high |
— |
| Feature | Medium |
Allows cancelling pending MFA setup. Allows cancelling pending MFA setup. Source: llm_adapter@2026-06-01 Confidence: high |
— |
| Bugfix | Medium |
Corrects order list status badge colors when view_configurations is enabled. Corrects order list status badge colors when view_configurations is enabled. Source: llm_adapter@2026-06-01 Confidence: high |
— |
| Bugfix | Medium |
Avoids refunding captures from separate completeCartWorkflow executions. Avoids refunding captures from separate completeCartWorkflow executions. Source: llm_adapter@2026-06-01 Confidence: low |
— |
| Bugfix | Medium |
Respects allow_backorder when calculating pickup inventory availability. Respects allow_backorder when calculating pickup inventory availability. Source: llm_adapter@2026-06-01 Confidence: low |
— |
| Bugfix | Medium |
Uses hasPermission util for user role permission validation in core‑flows. Uses hasPermission util for user role permission validation in core‑flows. Source: llm_adapter@2026-06-01 Confidence: low |
— |
| Bugfix | Medium |
Aligns user permission checks with hasPermission util across core‑flows and medusa. Aligns user permission checks with hasPermission util across core‑flows and medusa. Source: llm_adapter@2026-06-01 Confidence: low |
— |
Full changelog
Highlights
Email Verification for Multi-Factor Authentication
Medusa now supports email verification primitives for multi-factor authentication (MFA). The admin dashboard includes a complete MFA UI that allows users to set up and manage their authentication methods. MFA lifecycle events are now emitted for tracking authentication flows.
Features
- feat: add admin MFA UI by @christiananese in #15493
- Emit MFA lifecycle events by @christiananese in #15495
- Emailpass email verification primitives by @christiananese in #15496
- feat(dashboard,framework,rbac,js-sdk,types,utils,medusa): rbac admin dashboard utils by @fPolic in #14593
Bugs
- fix(core-flows): avoid refunding captures made in separate completeCartWorkflow executions by @NicolasGorga in #15527
- fix(utils): add mfa to inline snapshot test assertion by @NicolasGorga in #15518
- fix(core-flows): respect allow_backorder when calculating pickup inventory availability by @marlinjai in #15440
- Allow cancelling pending MFA setup by @christiananese in #15475
- fix(dashboard): order list status badges show correct colors when view_configurations is enabled by @shiminshen in #15430
- fix(core-flows): use hasPermission util to perform checks in validateUserRolePermissionsStep by @NicolasGorga in #15470
- fix(core-flows,medusa): align validate user permissions check with hasPermission util by @NicolasGorga in #15465
Documentation
- docs: update cloudflare config by @shahednasser in #15499
- docs: migrate main docs to cloudflare by @shahednasser in #15498
- docs: add TSDocs for "rbac admin dashboard utils (#14593)" by @shahednasser in #15476
- doc: migrate to cloudflare + medusa cloud by @shahednasser in #15446
- docs: fix with ai in cloud by @shahednasser in #15474
Chores
- chore: add tests for stock location metadata in response by @jasonmerx in #15448
- chore: fix indexing job for algolia by @shahednasser in #15504
- chore: fix release pipeline by @shahednasser in #15500
- chore: fix sync action checkout step by @shahednasser in #15481
- chore: add commit hash option to sync actions by @shahednasser in #15480
- chore: fix sync actions by @shahednasser in #15479
- chore(docs): automated cloud documentation update by @shahednasser in #15473
- chore(docs): fix common issues in the docs-generator by @shahednasser in #15464
- chore(docs): Updated API Reference (automated) by @github-actions in #15461
- chore(docs): Generated References (automated) by @github-actions in #15462
- chore(docs): Generated DML JSON files (automated) by @github-actions in #15458
- chore(docs): Updated UI Reference (automated) by @github-actions in #15460
- chore(docs): Update version in documentation (automated) by @github-actions in #15459
- chore(docs): doc changes for next release (automated) by @shahednasser in #15380
- chore: fix trigger release job conflict by @shahednasser in #15457
- Chore: Release by @github-actions in #15477
- Chore: Release by @github-actions in #15467
Full Changelog: v2.15.3...v2.15.5
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Earlier breaking changes
- v2.15.0 Product and variant width/length/height/weight properties aligned to float type
Beta — feedback welcome: [email protected]