This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+2 more
ReleasePort's take
Light signalMedusa v2.15.3 ships multi-factor authentication primitives, API routes, and SDK helpers alongside a CodeInput UI component. This release also broadens React 18 support, hardens payment session creation, and includes fixes for product filtering, dashboard queries, and Thai translations.
Why it matters: MFA feature suite unlocks auth workflows; React 18 compatibility broadens deployment options. Payment session hardening and product filtering fixes address core flow edge cases. Test MFA implementation and verify payment/filtering changes before production rollout.
Summary
AI summaryBroad release touches Bugs, https://github.com/shahednasser, Chores, and Highlights.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
Adds MFA primitives, API routes, and retrieval functionality Adds MFA primitives, API routes, and retrieval functionality Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Adds MFA authentication helpers to JavaScript SDK Adds MFA authentication helpers to JavaScript SDK Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Implements tokenized free text search in utilities module Implements tokenized free text search in utilities module Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Adds CodeInput component for multi-factor authentication UI Adds CodeInput component for multi-factor authentication UI Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Surfaces information when promotion codes skipped due to limits Surfaces information when promotion codes skipped due to limits Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Introduces CodeInput UI component for entering MFA codes Introduces CodeInput UI component for entering MFA codes Source: granite4.1:30b@2026-05-21-audit Confidence: low |
— |
| Bugfix | Medium |
Hardens payment session creation for accounts without account holders Hardens payment session creation for accounts without account holders Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Encodes URL credentials and fixes schema-qualified RENAME TO Encodes URL credentials and fixes schema-qualified RENAME TO Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Fixes incorrect stock location selection for backorder items Fixes incorrect stock location selection for backorder items Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Broadens React peer dependencies to support version 18 Broadens React peer dependencies to support version 18 Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Includes inventory query in detail key for dashboard Includes inventory query in detail key for dashboard Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Completes and corrects Thai language translations in dashboard Completes and corrects Thai language translations in dashboard Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Fixes filtering by categories and tags in product store API Fixes filtering by categories and tags in product store API Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Fixes command replacement when using yarn and npm CLI Fixes command replacement when using yarn and npm CLI Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Low |
Expands React peer dependency range to include version 18 Expands React peer dependency range to include version 18 Source: granite4.1:30b@2026-05-21-audit Confidence: low |
— |
Full changelog
Highlights
Multi-Factor Authentication Support
This release adds the primitives to support Multi-Factor Authentication (MFA) for enhanced security. This includes new authentication provider primitives, API routes for MFA management, and retrieval functionality. The implementation provides a foundation for integrating various MFA methods.
Promotion Code Visibility Improvements
When promotion codes are skipped due to budget or usage limits, the system now surfaces this information to provide better visibility into why certain promotions weren't applied. This helps merchants understand promotion application behavior and troubleshoot issues.
Features
- feat(js-sdk): add MFA auth helpers by @christiananese in #15441
- feat(ui): add CodeInput component by @christiananese in #15424
Bugs
- fix(design-system): broaden React peer dependencies to support v18 an… by @Suh0161 in #15271
- fix(core-flows): harden create payment sessions when customer has no account holders by @Suh0161 in #15264
- fix(dashboard): include inventory query in detail key by @Derekko-web in #15417
- fix(dashboard): complete and correct Thai (th) translations by @Ligament in #15409
- fix(test-utils, link-modules): encode URL credentials and fix schema-qualified RENAME TO by @Ultron03 in #15344
- fix(medusa): fix filtering by categories and tags in /store/products with the index module by @shahednasser in #15405
- fix(create-medusa-app): fix incorrect command replacement when using yarn and npm by @shahednasser in #15436
- fix(utils): implement tokenized free text search by @Suh0161 in #15275
- fix(core-flows): fix incorrect stock location picked for item with backorder in a sales channel with multiple locations by @shahednasser in #15159
Documentation
- docs: configure posthog capturing by @shahednasser in #15449
- docs: fix information about preview environments by @shahednasser in #15445
- docs: fix documentation issues in triage inbox by @shahednasser in #15427
- docs: revert Cloudflare migration by @shahednasser in #15438
- docs: add logging by @shahednasser in #15435
- docs: prepare to deploy to medusa cloud by @shahednasser in #15429
- docs: track logged in users by @shahednasser in #15425
- docs: added cloud docs for backups by @shahednasser in #15408
- docs: migrate to cloudflare by @shahednasser in #15388
- docs: fix mcp instructions for cursor by @shahednasser in #15401
- docs: add TSDocs for "add MFA provider primitives by @shahednasser in #15387
Chores
- chore(docs): cloud doc changes (automated) by @shahednasser in #15451
- chore: fix docs automation job by @shahednasser in #15452
- chore: fix required secrets in review and triage actions by @shahednasser in #15421
- chore: fix actions required anthropic api key by @shahednasser in #15410
- chore: switch actions to use anthropic api key by @shahednasser in #15404
- chore(docs): Updated UI Reference (automated) by @app/github-actions in #15391
- chore(docs): Generated References (automated) by @app/github-actions in #15393
- chore(docs): Update version in documentation (automated) by @app/github-actions in #15390
- chore: fixes to pr reviewer and issue triager by @shahednasser in #15394
Full Changelog: v2.15.2...v2.15.3
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Earlier breaking changes
- v2.15.0 Product and variant width/length/height/weight properties aligned to float type
Beta — feedback welcome: [email protected]