
Spree Commerce

v5.4.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 15d Productivity & Wikis
✓ No known CVEs patched

Topics

b2b-commerce e-commerce ecommerce ecommerce-api ecommerce-framework ecommerce-platform headless headless-commerce headless-ecommerce marketplace multi-tenant multi-vendor multi-vendor-ecommerce spree-commerce

Summary

AI summary

Updates Admin, Core, and Emails across a mixed release.

Changes in this release

  • Security (Medium): Prevent CSV formula injection in CSV exports affecting Customer CSV. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high)
  • Feature (Medium): Auto-generate gift card codes when not provided in Admin interface. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Feature (Medium): Include gift card in order email notifications. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Feature (Medium): State Based Zone updates states on country change in Admin interface. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Feature (Medium): Add `type` column to `spree_payment_setup_sessions` for STI support. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Feature (Medium): Improve admin product bulk actions permissions. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Performance (Medium): Update all badges when shipping to improve user experience in Admin interface. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Bugfix (Medium): Fix orphaned inventory units when destroying line items on completed orders. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high)
  • Bugfix (Medium): Fix tags in Products Serializer for Store API and Admin API. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: high)
  • Bugfix (Medium): Update datetime filter to respect end of day (EOD). (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Bugfix (Medium): Fix undefined method 'update_thumbnail!' for nil in Spree core. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Bugfix (Medium): Change invalid/expired invitation handling to render 404 page in Admin interface. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Bugfix (Medium): Handle auth/capture flow correctly in Payment Sessions webhooks. (Source: granite4.1:30b@2026-05-19-audit; confidence: low)
  • Bugfix (Low): Prevent deletion of default and last market in store. (Source: granite4.1:30b@2026-05-19-audit; confidence: low)
  • Refactor (Medium): Fix tailwind look up paths in other gems for admin UI styling. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)
  • Refactor (Medium): Make admin line item partial more robust for Spree Multi Vendor. (Source: granite4.1:8b-q6_K@2026-05-19; confidence: low)

Full changelog

This release includes a huge number of fixes and improvements from the Spree community and a security patch - we recommend upgrading as soon as possible!

Security

  • GHSA-p6pv-q7rc-g4h9 CSV formula injection in CSV exports; the Customer CSV is affected, as it contains information entered at signup (Medium severity)

Other changes

Core

  • Prevent deletion of default and last market in store by @damianlegawiec in https://github.com/spree/spree/pull/13961
  • Fixed: Add type column to spree_payment_setup_sessions for STI support https://github.com/spree/spree/commit/bd8b058c755436571721b6b1e21dda8dda7891d5
  • Fix orphaned inventory units when destroying line items on completed orders https://github.com/spree/spree/commit/f0bef2f1769c17ec25ff0ba75ff8fd5a8127d950
  • Fixed undefined method 'update_thumbnail!' for nil https://github.com/spree/spree/commit/30ac12e5d0e66758d889c39c6e0f5262b9837e78
  • Sanitize CSV export output to avoid CSV formula injection attacks https://github.com/spree/spree/commit/36c0617958522da76fdf1433cc6e3fa19fca9b73
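The advisory above and the "Sanitize CSV export output" commit both concern the same defence: a cell that starts with a formula trigger character must be neutralised before it is written to the CSV, or a spreadsheet that opens the export will evaluate it. The following is an added example and not Spree's own fix (the commit is not reproduced here); the helper names, the customer hash layout and the sample rows are assumptions made for illustration.

```ruby
require 'csv'

# Characters that spreadsheet applications treat as the start of a formula.
# A leading tab or carriage return before one of these is handled by lstrip below.
FORMULA_TRIGGERS = %w[= + - @].freeze

# Returns the cell unchanged unless it would be interpreted as a formula,
# in which case a leading apostrophe forces text interpretation (OWASP guidance).
# Trade-off: negative numbers stored as strings (e.g. "-5") also get prefixed.
def sanitize_csv_cell(value)
  return value unless value.is_a?(String)
  stripped = value.lstrip            # defeats the "\t=..." whitespace bypass
  return value if stripped.empty?
  FORMULA_TRIGGERS.include?(stripped[0]) ? "'" + value : value
end

# Hypothetical export: customers are plain hashes with signup-controlled fields.
def export_customers_csv(customers)
  CSV.generate do |csv|
    csv << %w[email first_name last_name]
    customers.each do |c|
      csv << [c[:email], c[:first_name], c[:last_name]].map { |v| sanitize_csv_cell(v) }
    end
  end
end

# Constructed sample data: one ordinary signup and one whose last name is formula-shaped.
SAMPLE_CUSTOMERS = [
  { email: 'jane@example.com', first_name: 'Jane', last_name: 'Doe' },
  { email: 'mallory@example.com', first_name: 'Mallory', last_name: '=1+1' }
].freeze

puts export_customers_csv(SAMPLE_CUSTOMERS) if $PROGRAM_NAME == __FILE__
```

The export row for the second customer then reads `mallory@example.com,Mallory,'=1+1`, which a spreadsheet shows as literal text.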

API

  • Fixed tags in Products Serializer (both Store API and Admin API) https://github.com/spree/spree/commit/c0d8f85b0126f63489aec53281149e46fb6f2ce8
  • Fix handling auth/capture flow in Payment Sessions webhooks flow https://github.com/spree/spree/commit/a6242f8d9553e5ef9a409b4e11126fec85458547

Admin

  • Fix tailwind look up paths in other gems https://github.com/spree/spree/commit/1fe8b9d5c31a68742cd805b43ebbccfc6fe64c66
  • Auto-generate gift card codes when not provided https://github.com/spree/spree/commit/5ad9f34e95a08a1660b8371414a65acaa48be3b2
  • Change invalid/expired invitation handling to render 404 page https://github.com/spree/spree/commit/3feaf1496022c1a4c8eb82bbf98d679348c9480e
  • Update all badges when shipping to improve UX https://github.com/spree/spree/commit/01510fe1877cce43c9bd10426af777ac880f24d5
  • improve admin product bulk actions permissions https://github.com/spree/spree/commit/57997d8d5523f9676c85cf3dc0188081ba218bc4
  • State Based Zone -> update states on country change https://github.com/spree/spree/commit/c2fd1a1cd5aa1a51eb8ead0ef49016326f9482b2
  • make admin line item partial more robust for spree multi vendor https://github.com/spree/spree/commit/e323fcf67ddccf8b6fd09d796eaf2a564a79ec9f
  • FIX datetime filter to respect EOD https://github.com/spree/spree/commit/79c8d0d9238813a95b50d4583093f96826e18427

Emails

  • Include gift card in order email https://github.com/spree/spree/commit/13b46262501939fd2581759b75d11c646f590006

Documentation

  • Use correct event names in docs, specs, examples, comments. https://github.com/spree/spree/commit/2e565b9eac08d3557013374e3148a1d189982a92

Installation

npx create-spree-app@latest my-store

Updating

1. Update gems

bundle update

2. Run DB migrations

This release includes a small database migration as well:

bin/rake spree:install:migrations
bin/rails db:migrate

Feedback / Support

Join our Discord server to chat with Spree core team members and other Spree developers!

Full Changelog: https://github.com/spree/spree/compare/v5.4.2...v5.4.3

Security Fixes

  • GHSA-p6pv-q7rc-g4h9 — CSV formula injection vulnerability fixed in Customer CSV exports (Medium severity)


About Spree Commerce

Spree is a complete, modular & API-driven open source e-commerce solution for Ruby on Rails.
