
Release history

Saleor releases

Django-based open-source e-commerce storefront.

All releases


Upgrade now
3.23.8 Security relevant
Auth Dependencies

Security fixes + bug fixes

Upgrade now
3.22.52 Security relevant
Auth Dependencies

Security upgrades + bug fixes

Upgrade now
3.21.60 Security relevant
Auth Dependencies

Django & urllib3 security updates

Upgrade now
3.22.51 Security relevant
Auth Dependencies

JWT & IDNA security fixes

Upgrade now
3.21.59 Security relevant
Auth Dependencies

JWT security fixes + idna upgrade

Upgrade now
3.23.7 Security relevant
Auth Dependencies

Security fixes for JWT & idna

No immediate action
3.23.6 Bug fix

Checkout deliveries invalidation

3.23.5 New feature
Notable features
  • Added CUSTOMER_DELETED webhook subscription for apps.
  • CheckoutDelete mutation (Port) added to GraphQL schema.
Full changelog

What's Changed

  • Added subscription to CUSTOMER_DELETED by @lkostrowski in https://github.com/saleor/saleor/pull/19174
  • [3.23] CheckoutDelete mutation (Port) by @lkostrowski in https://github.com/saleor/saleor/pull/19196
  • Change graphql-inspector to run against proper branch (#19197) by @lkostrowski in https://github.com/saleor/saleor/pull/19198
  • Allow apps to receive their own lifecycle webhooks by @lkostrowski in https://github.com/saleor/saleor/pull/19160
  • Release 3.23.5 by @lkostrowski in https://github.com/saleor/saleor/pull/19201

Full Changelog: https://github.com/saleor/saleor/compare/3.23.4...3.23.5

3.23.4 Security relevant
Security fixes
  • dep: CVE-2026-40192 — FITS GZIP decompression bomb in Pillow
  • dep: CVE-2026-42308 — Integer overflow when processing fonts in Pillow
  • dep: CVE-2026-42309 — Heap buffer overflow with nested list coordinates in Pillow
Full changelog

What's Changed

Upgraded cryptography, Pillow, and Django to latest security hotfixes:

Pillow package (image processor) (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19183):

  • CVE-2026-40192: FITS GZIP decompression bomb in Pillow
  • CVE-2026-42308: Pillow has an integer overflow when processing fonts
  • CVE-2026-42309: Pillow has a heap buffer overflow with nested list coordinates
  • CVE-2026-42310: Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
  • CVE-2026-42311: Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)

Cryptography package (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19183):

  • CVE-2026-39892: Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
  • CVE-2026-34073: cryptography has incomplete DNS name constraint enforcement on peer names

Django (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19187):

  • CVE-2026-5766: Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI
  • CVE-2026-6907: Prevented caching of requests when Vary header contains an asterisk
  • CVE-2026-35192: Ensured Vary header is sent when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True

Other changes (non-security):

  • Added validation for incorrect cursor shape by @lkostrowski in https://github.com/saleor/saleor/pull/19154
  • fix: add logs for GraphQL validation errors by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19176
  • Handle RequestDataTooBig error by @lkostrowski in https://github.com/saleor/saleor/pull/19180

Full Changelog: https://github.com/saleor/saleor/compare/3.23.3...3.23.4

3.22.50 Security relevant
Security fixes
  • dep: CVE-2026-40192 — FITS GZIP decompression bomb in Pillow
  • dep: CVE-2026-42308 — Integer overflow when processing fonts in Pillow
  • dep: CVE-2026-42309 — Heap buffer overflow with nested list coordinates in Pillow
Full changelog

What's Changed

Upgraded cryptography, Pillow, and Django to latest security hotfixes:

Pillow package (image processor) (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19184):

  • CVE-2026-40192: FITS GZIP decompression bomb in Pillow
  • CVE-2026-42308: Pillow has an integer overflow when processing fonts
  • CVE-2026-42309: Pillow has a heap buffer overflow with nested list coordinates
  • CVE-2026-42310: Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
  • CVE-2026-42311: Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)

Cryptography package (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19184):

  • CVE-2026-39892: Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
  • CVE-2026-34073: cryptography has incomplete DNS name constraint enforcement on peer names

Django (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19188):

  • CVE-2026-5766: Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI
  • CVE-2026-6907: Prevented caching of requests when Vary header contains an asterisk
  • CVE-2026-35192: Ensured Vary header is sent when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True

Other changes (non-security):

  • fix: add logs for GraphQL validation errors by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19177

Full Changelog: https://github.com/saleor/saleor/compare/3.22.49...3.22.50

3.21.58 Security relevant
Security fixes
  • CVE-2026-40192 — FITS GZIP decompression bomb in Pillow
  • CVE-2026-42308 — Integer overflow when processing fonts in Pillow
  • CVE-2026-42309 — Heap buffer overflow with nested list coordinates in Pillow
Full changelog

What's Changed

Upgraded cryptography, Pillow, and Django to latest security hotfixes:

Pillow package (image processor) (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19185):

  • CVE-2026-40192: FITS GZIP decompression bomb in Pillow
  • CVE-2026-42308: Pillow has an integer overflow when processing fonts
  • CVE-2026-42309: Pillow has a heap buffer overflow with nested list coordinates
  • CVE-2026-42310: Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
  • CVE-2026-42311: Pillow has an OOB Write with Invalid PSD Tile Extents (Integer Overflow)

Cryptography package (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19185):

  • CVE-2026-39892: Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
  • CVE-2026-34073: cryptography has incomplete DNS name constraint enforcement on peer names

Django (by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19189):

  • CVE-2026-5766: Enforced DATA_UPLOAD_MAX_MEMORY_SIZE in MemoryFileUploadHandler on ASGI
  • CVE-2026-6907: Prevented caching of requests when Vary header contains an asterisk
  • CVE-2026-35192: Ensured Vary header is sent when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True

Full Changelog: https://github.com/saleor/saleor/compare/3.21.57...3.21.58

3.23.3 Security relevant
Security fixes
  • CVE-2026-42175 – SSRF bypass via unfiltered RFC 6598 shared address space (100.64.0.0/10); fixed by upgrading requests‑hardened to v1.2.1.
Notable features
  • Stock related webhooks now include webhook events info
Full changelog

What's Changed

  • Extend stock related webhooks with webhooks events info by @IKarbowiak in https://github.com/saleor/saleor/pull/19156
  • Fix CVE-2026-42175 - SSRF bypass via unfiltered RFC 6598 shared address space (100.64.0.0/10) by upgrading requests-hardened to v1.2.1 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19163

Full Changelog: https://github.com/saleor/saleor/compare/3.23.2...3.23.3

3.21.57 Security relevant
Security fixes
  • CVE-2026-42175 — SSRF bypass via unfiltered RFC 6598 shared address space (100.64.0.0/10) fixed by upgrading `requests-hardened` to v1.2.1
Full changelog

What's Changed

  • Fix CVE-2026-42175 - SSRF bypass via unfiltered RFC 6598 shared address space (100.64.0.0/10) by upgrading requests-hardened to v1.2.1 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19165

Full Changelog: https://github.com/saleor/saleor/compare/3.21.56...3.21.57

3.22.49 Security relevant
Security fixes
  • CVE-2026-42175 – SSRF bypass via unfiltered RFC 6598 shared address space (100.64.0.0/10); fixed by upgrading `requests-hardened` to v1.2.1
Full changelog

What's Changed

  • Fix failed request handler in AvataxPlugin by @korycins in https://github.com/saleor/saleor/pull/19120
  • Fix CVE-2026-42175 - SSRF bypass via unfiltered RFC 6598 shared address space (100.64.0.0/10) by upgrading requests-hardened to v1.2.1 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19164

Full Changelog: https://github.com/saleor/saleor/compare/3.22.48...3.22.49

3.23.2 New feature
Notable features
  • Allow STAFF app users to perform metadata CRUD operations
  • Promisify checkout calculate-taxes webhook
  • Add channel-scoped stock availability webhooks
Full changelog

What's Changed

  • Allow metadata crud for STAFF for apps by @lkostrowski in https://github.com/saleor/saleor/pull/19116
  • Promisify checkout calculate taxes webhook by @korycins in https://github.com/saleor/saleor/pull/19091
  • Fix failed request handler in AvataxPlugin by @korycins in https://github.com/saleor/saleor/pull/19122
  • Add channel-scoped stock availability webhooks by @IKarbowiak in https://github.com/saleor/saleor/pull/19144

Full Changelog: https://github.com/saleor/saleor/compare/3.23.1...3.23.2

3.21.56 Maintenance

Minor fixes and improvements.

Full changelog

What's Changed

  • Upgraded Django to 5.2 by @patrys & @NyanKiyoshi in #19109 + #19125
  • Added support for PostgreSQL 18 by @patrys in #19109

Full Changelog: https://github.com/saleor/saleor/compare/3.21.55...3.21.56

3.20.119 New feature
Notable features
  • Introduce maximum file size limit for uploaded images
Full changelog

[!WARNING]
This is the last release for 3.20. We recommend upgrading as soon as possible to 3.23, 3.22, or 3.21 (the latter is not recommended, as it is planned for removal in the near future).

What's Changed

  • feat(graphql): mark slow spans as errored by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19061
  • Fix a possible crash that could happen when channel would be deleted (#19015) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19043
  • fix(accounts): missing validations for accountRegister by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19078
  • fix(graphql): missing error handling when no channel in DB by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19079
  • fix(graphql): increase mutation limit to 4 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19099
  • Introduce maximum file size limit for uploaded images by @wcislo-saleor in https://github.com/saleor/saleor/pull/19086

Full Changelog: https://github.com/saleor/saleor/compare/3.20.118...3.20.119

3.22.48 New feature
Notable features
  • Mark slow GraphQL spans as errored
  • Add additional GraphQL metrics
Full changelog

What's Changed

  • feat(graphql): mark slow spans as errored by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19059
  • feat(graphql): add additional metrics by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19063
  • Fix a possible crash that could happen when channel would be deleted (#19015) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19041
  • fix(accounts): missing validations for accountRegister by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19083
  • fix(graphql): missing error handling when no channel in DB by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19082
  • fix(graphql): increase mutation limit to 4 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19097
  • Introduce maximum file size limit for uploaded images by @wcislo-saleor in https://github.com/saleor/saleor/pull/19088

Full Changelog: https://github.com/saleor/saleor/compare/3.22.47...3.22.48

3.23.1 Bug fix
Notable features
  • Introduce maximum file size limit for uploaded images
  • feat(graphql): mark slow spans as errored
  • feat(graphql): add additional metrics
Full changelog

What's Changed

  • Allow to assigning product without variant to collection by @korycins in https://github.com/saleor/saleor/pull/19044
  • feat(graphql): mark slow spans as errored by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19058
  • feat(graphql): add additional metrics by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19062
  • Fix a possible crash that could happen when channel would be deleted (#19015) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19040
  • Legacy shipping zone stock availability improvements by @IKarbowiak in https://github.com/saleor/saleor/pull/19065
  • Add missing mock to deferred payload test by @korycins in https://github.com/saleor/saleor/pull/19071
  • fix(accounts): missing validations for accountRegister by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19085
  • fix(graphql): missing error handling when no channel in DB by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19084
  • fix(graphql): increase mutation limit to 4 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19096
  • Introduce maximum file size limit for uploaded images by @wcislo-saleor in https://github.com/saleor/saleor/pull/19089
  • Extract stock logic from webhook plugin to webhook module by @IKarbowiak in https://github.com/saleor/saleor/pull/19092

Full Changelog: https://github.com/saleor/saleor/compare/3.23.0...3.23.1

3.21.55 New feature
Notable features
  • Mark slow GraphQL spans as errored
  • Add additional GraphQL metrics
Full changelog

What's Changed

  • feat(graphql): mark slow spans as errored by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19060
  • feat(graphql): add additional metrics by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19064
  • Fix a possible crash that could happen when channel would be deleted (#19015) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19042
  • fix(accounts): missing validations for accountRegister by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19080
  • fix(graphql): missing error handling when no channel in DB by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19081
  • fix(graphql): increase mutation limit to 4 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/19098
  • Introduce maximum file size limit for uploaded images by @wcislo-saleor in https://github.com/saleor/saleor/pull/19087

Full Changelog: https://github.com/saleor/saleor/compare/3.21.54...3.21.55

3.23.0 Breaking risk
⚠ Upgrade required
  • Adyen gateway users must switch to the app integration before upgrading.
  • NP Atobarai payment gateway users must migrate to the corresponding app.
  • Legacy digital product API consumers need to adopt the documented approach (https://docs.saleor.io/recipes/digital-products).
Breaking changes
  • Removed `partial` field from GraphQL type `Payment`.
  • Removed support for the legacy digital products API.
  • Removed Adyen plugin (payment gateway) – switch to app integration.
Notable features
  • Explicit delivery options calculation via `deliveryOptionsCalculate` mutation and new `Checkout.delivery` field.
  • Added sorting and filtering support for `transactions` query (by CREATED_AT, MODIFIED_AT, date ranges, transaction events).
  • Introduced `PasswordLoginMode` setting to control password-based authentication (DISABLED or CUSTOMERS_ONLY).
Full changelog

Saleor 3.23.0 🐰

The following changelog contains a brief summary of the changes relative to the latest 3.22 version.

Saleor backports most patches to at least one version behind, so the following changelog is not a full list of commits but a summary of functional changes.

Please read the announcement post to get familiar with the release.

Follow the migration guide for a safe upgrade.

Breaking changes

  • Made refundSettings field on RefundSettingsUpdate mutation nullable to correctly reflect that it can be null when errors occur.

  • Fix missing denormalization of shipping methods metadata when creating an order.

    • Shipping method metadata is now copied to dedicated order fields (shipping_method_metadata and shipping_method_private_metadata) during checkout-to-order conversion. This ensures that order metadata remains consistent even if the original shipping method is modified or deleted. As a result, updates made to a shipping method's metadata after order creation will no longer be reflected in the order's shippingMethod.metadata field.
    • Shipping method metadata is now also denormalized during draft order finalization, ensuring consistent behavior across all order creation flows.
  • Fields options, mount and target are removed from AppExtension and AppManifestExtension types. Use mountName, targetName and settings instead.

  • Deprecate the hasVariants field on ProductType. This setting is a legacy artifact from the former Simple/Configurable product distinction. Products can have multiple variants regardless of this flag. Previously, it only prevented assigning variant attributes to a product type; this restriction will no longer apply.

  • Improved error handling in Federation - #18718 by @NyanKiyoshi

    The type for GraphQL field representations in { _entities(representations: [_Any!]!) { ... } } was changed.

    Before: [_Any]
    After: [_Any!]!

    Make sure to adapt your GraphQL queries if you use the _entities query.

  • Mutations channelCreate and channelUpdate now raise GraphQL errors instead of INVALID when negative MINUTE/HOUR/DAY values are passed.

  • AppInstallInput for appInstall mutation now requires appName and manifestUrl fields in the schema, matching the validation that was always enforced by the mutation logic.

  • Removed Adyen plugin (payment gateway). Switch to the app.

  • Removed partial field from the Payment GraphQL type. This field was an Adyen-specific workaround and always returned false after the Adyen plugin removal. Ensure you are not relying on this field (on Adyen gateway in general) before upgrading.

  • Removed the NP Atobarai payment gateway plugin (saleor.payment.gateways.np_atobarai). Use the App instead.

  • Removed support for the legacy digital products API - #18952 by @NyanKiyoshi

    Important: digital products are still fully supported in Saleor. Only the legacy,
    undocumented digital content API has been removed; the supported approach is documented here: https://docs.saleor.io/recipes/digital-products

  • Product media images from external URLs are now fetched asynchronously via background tasks in productMediaCreate and productBulkCreate mutations, improving response times. During download, the API returns HTTP 503 for the media image.

  • Shipping-zone-based stock filtering is deprecated and will be removed in a future release. A new useLegacyShippingZoneStockAvailability shop setting controls the behavior: when disabled, stock availability across checkouts, orders, and product queries is resolved via the direct warehouse-channel link instead of shipping zones.

GraphQL API

  • Gift cards support as payment method within Transaction API (read more in the docs).
  • Attribute fields name, slug and type are now non-nullable in schema.
  • Added new scalar NonNegativeInt which allows integer values greater than or equal to zero.
  • Scalars Minute, Hour and Day now inherit from NonNegativeInt, which means GraphQL disallows negative values for time units.
  • Removed partial field from the Payment GraphQL type.
  • Added sorting and filtering support for transactions query:
    • sort by CREATED_AT, MODIFIED_AT;
    • filter by createdAt, modifiedAt date ranges and by transaction events (type, createdAt).
  • Added PasswordLoginMode setting to control password-based authentication. When set to DISABLED, all password authentication mutations (tokenCreate, setPassword, passwordChange, requestPasswordReset, tokenRefresh) return errors. When set to CUSTOMERS_ONLY, staff users who log in with a password are treated as customers without staff permissions.
  • staffDelete mutation now always deletes the staff user. Previously, staff members with existing orders were only deactivated (is_staff set to False); now they are fully removed regardless of order history.

Webhooks

  • For order webhook events, sync webhooks (such as ORDER_CALCULATE_TAXES and ORDER_FILTER_SHIPPING_METHODS) are no longer pre-fired before sending async webhook events. Sync webhooks are now only triggered when their data is actually requested, improving performance and decoupling async event delivery from sync webhook execution.
  • Building payloads for webhook order events (including draft orders and fulfillments) is now delegated to a separate background task. This speeds up the execution of most order mutations by deferring the expensive payload serialization out of the request path.

Explicit delivery options

  • Introduced deliveryOptionsCalculate mutation to give storefronts explicit, deterministic control over when shipping webhook calls happen. Previously SHIPPING_LIST_METHODS_FOR_CHECKOUT and CHECKOUT_FILTER_SHIPPING_METHODS webhooks were fired implicitly, inside checkout mutations (e.g., on address change) and while resolving query fields, causing unpredictable latency, uncontrolled webhook traffic, and increased costs. Developers can now decide exactly when to fetch delivery options by calling deliveryOptionsCalculate, which returns a list of Delivery objects.

    The selected delivery method is available on the new Checkout.delivery field, which replaces the deprecated Checkout.shippingMethod and Checkout.deliveryMethod fields.

    To help storefronts detect when the delivery method requires attention, two new problem types are introduced in Checkout.problems:

    • CheckoutProblemDeliveryMethodStale: the currently selected method may be outdated due to checkout changes (e.g., a different shipping address, an applied voucher). This problem does not block checkout completion but triggers re-validation of the delivery method when checkoutComplete is called. Calling deliveryOptionsCalculate will re-validate the assigned delivery.
    • CheckoutProblemDeliveryMethodInvalid: the selected delivery method is no longer valid (e.g., the shipping address no longer falls within it). This problem blocks checkoutComplete until a valid delivery method is assigned via checkoutDeliveryMethodUpdate.

    See the upgrading guide to learn more.

  • checkoutDeliveryMethodUpdate mutation now accepts CheckoutDelivery ID as deliveryMethodId (ID returned by deliveryOptionsCalculate mutation). Usage of ShippingMethod ID is deprecated in favor of CheckoutDelivery ID.

EditorJS (Rich Text Editor)

  • Made the EditorJS parser stricter. We no longer accept unknown/extra fields. - #18969 by @NyanKiyoshi

  • Removed the following deprecated behaviors:

    • EDITOR_JS_LINK_REL configuration behavior has changed.
      Links rendered by EditorJS (<a href="..." rel="...">) now default to
      rel="noopener noreferrer" instead of an empty value.
      Learn more in the documentation.

    • UNSAFE_EDITOR_JS_ALLOWED_URL_SCHEMES has been removed.
      It's no longer possible to extend the list of allowed URL schemes via settings.

      If you require support for additional URL schemes, open a request:
      https://github.com/saleor/saleor/issues

    (Via #18976 by @NyanKiyoshi)

Other changes

  • Fix Google OAuth OIDC login failing with invalid_scope error when enable_refresh_token is enabled. Google does not support the offline_access scope; use access_type=offline authorization parameter instead. - #18919 by @dnplkndll
  • Add saleor.graphql.field.usage OTel metric to track GraphQL field resolver call counts. The metric is emitted for deprecated fields (detected automatically) and for fields explicitly opted in with monitor_usage=True on a BaseField declaration.
  • Fix send order confirmation email to staff - #18342 by @Shaokun-X
  • Validation on AppExtension is now removed. Saleor accepts string values for mount and target from the manifest during app installation, and a JSON value for the options field.
    Validation is now performed on the frontend (Dashboard). This change increases the velocity of features related to apps and extensions; the Dashboard is now the only entity that ensures the contract.
  • Add optional usage telemetry. - #18789 by @wcislo-saleor
  • The app can now be installed without providing a tokenTargetUrl in the manifest file.
  • Removed the setting JWT_EXPIRE, which allowed Saleor to be configured to ignore JWT token expiration. - #18856 by @NyanKiyoshi
  • Removed support for custom User DB models in ./manage.py createsuperuser command. - #18890 by @NyanKiyoshi
  • OIDC: When an existing user is claimed by an OIDC provider for the first time, their password is now invalidated to prevent login with stale credentials. This covers the case where a previously deleted staff account is recreated via OIDC.

Search improvements

  • Improved page search with search vectors. Pages can now be searched by slug, title, content, attribute values, and page type information.
  • Improve user search. Use search vector functionality to enable searching users by email address, first name, last name, and addresses.
  • Improved checkout search with search vectors. The search_index_dirty flag is set whenever indexed checkout data changes, and a background task runs every minute to update search vectors for dirty checkouts, processing the oldest first. Search results are returned in order of best match relevance.
  • Enhanced search functionality across key entities (products, orders, gift cards, checkouts, pages, and users) with advanced query capabilities:
    • Prefix matching: partial word searches (e.g., "coff" matches "coffee")
    • Boolean operators: AND, OR, and - (NOT) for complex queries
    • Exact phrase matching: use quotation marks " " for precise searches
    • Accent-insensitive search: queries automatically normalize diacritical marks, allowing searches to match regardless of accents (e.g., "cafe" matches "café")
    • Relevance-based ranking: exact matches score higher than prefix matches and appear first by default (can be overridden with sortBy parameter)
    • New RANK sort field available when using search filters to sort by relevance score

Direct warehouse-channel stock availability

  • Added useLegacyShippingZoneStockAvailability setting to Shop and ShopSettingsInput. When enabled (the default for existing installations), stock availability is filtered through shipping zones and the destination address. When disabled, stock availability is determined by the direct warehouse-channel link, ignoring shipping zones.
  • Checkout mutations (checkoutCreate, checkoutLinesAdd, checkoutLinesUpdate, checkoutShippingAddressUpdate, checkoutCreateFromOrder) now respect the new setting during stock validation and reservation.
  • Order mutations (draftOrderCreate, draftOrderComplete, orderLinesCreate, orderLineUpdate) and the fulfillment flow now respect the setting during stock allocation.
  • Product filtering by stock availability and Product.isAvailable resolver now respect the setting.
  • Webhook payloads for checkout and fulfillment events select the warehouse based on the setting.
  • Deprecated the address argument on ProductVariant.stocks, ProductVariant.quantityAvailable, and Product.isAvailable. When useLegacyShippingZoneStockAvailability is disabled, the address argument is ignored.

Deprecations

  • Deprecate the hasVariants field on ProductType.
  • Deprecate export mutations (exportProducts, exportGiftCards, exportVoucherCodes). All data can be fetched via the GraphQL API and parsed into the desired format by apps or external tools.
  • Deprecate voucher input field on DraftOrderInput and DraftOrderCreateInput. Use voucherCode instead.
3.20.118 Breaking risk
Breaking changes
  • Default `GRAPHQL_BATCH_MAX_COUNT` lowered to 1; applications using GraphQL query batching must increase the env var accordingly.
  • Default `GRAPHQL_ALIAS_COUNT_LIMIT` set to 100; queries with >100 aliases now require raising this limit.
  • Default `GRAPHQL_MUTATION_COUNT_LIMIT` set to 3; requests containing more than three mutations per call must raise this limit.
Security fixes
  • CVE-2026-33756 — Denial of service via unbounded GraphQL query batching
  • CVE-2026-35401 — Resource exhaustion vulnerability in GraphQL queries
  • CVE-2026-35407 — Cross-account email change via unbound confirmation token
Full changelog

What's Changed

  • Fixed CVE-2026-33756: Denial of service via unbounded GraphQL query batching
  • Fixed CVE-2026-35401: Resource exhaustion vulnerability in GraphQL queries
  • Fixed CVE-2026-35407: Cross-account email change via unbound confirmation token
  • Fixed CVE-2026-39851: User enumeration vulnerability due to different error messages

[!WARNING]
Potential breaking changes are included:

  • If you use GraphQL query batching, the environment variable GRAPHQL_BATCH_MAX_COUNT should be increased. By default it is set to 1, meaning only 1 query can be sent inside a single batch. You need to audit your usages and choose the correct value for your use-case.

    Example request that uses batching (JSON arrays):

    $ json_data='[
        {"query": "{ products(first: 1) { __typename } }"},
        {"query": "{ categories(first: 1) { __typename } }"}
      ]'
    $ curl --json "$json_data" https://example.com/graphql/
    
  • If you use GraphQL aliases and use more than 100 of them within a single query, you need to increase GRAPHQL_ALIAS_COUNT_LIMIT (defaults to 100).

    Example query using aliases:

    query myQuery {
      products(first: 10) {
        alias1: id
        alias2: id
        alias3: id
      }
    }
    
  • If you send more than 3 GraphQL mutations per API call, you need to increase GRAPHQL_MUTATION_COUNT_LIMIT (defaults to 3). For example, the following GraphQL query uses two mutations within a single request:

    mutation {
      productUpdate(input: {name: "my-product"}, id: "UHJvZHVjdDox") {
        product {
          id
        }
      }
      
      collectionUpdate(input: {name: "my-collection"}, id: "Q29sbGVjdGlvbjoy") {
        collection {
          id
        }
      }
    }
    

Full Changelog: https://github.com/saleor/saleor/compare/3.20.117...3.20.118

3.21.54 Breaking risk
⚠ Upgrade required
  • Audit and adjust `GRAPHQL_BATCH_MAX_COUNT` if you rely on GraphQL query batching.
  • If your queries use >100 aliases, increase `GRAPHQL_ALIAS_COUNT_LIMIT` accordingly.
  • If you send >3 mutations per API call, raise `GRAPHQL_MUTATION_COUNT_LIMIT` as needed.
Breaking changes
  • Default `GRAPHQL_BATCH_MAX_COUNT` lowered to 1; increase it if batching is used.
  • New limit `GRAPHQL_ALIAS_COUNT_LIMIT` defaults to 100 for alias usage in a single query.
  • New limit `GRAPHQL_MUTATION_COUNT_LIMIT` defaults to 3 for mutations per API call.
Security fixes
  • CVE-2026-33756 — Denial of service via unbounded GraphQL query batching
  • CVE-2026-35401 — Resource exhaustion vulnerability in GraphQL queries
  • CVE-2026-35407 — Cross-account email change via unbound confirmation token
Full changelog

What's Changed

  • Fixed CVE-2026-33756: Denial of service via unbounded GraphQL query batching
  • Fixed CVE-2026-35401: Resource exhaustion vulnerability in GraphQL queries
  • Fixed CVE-2026-35407: Cross-account email change via unbound confirmation token
  • Fixed CVE-2026-39851: User enumeration vulnerability due to different error messages

[!WARNING]
Potential breaking changes are included:

  • If you use GraphQL query batching, the environment variable GRAPHQL_BATCH_MAX_COUNT should be increased. By default it is set to 1, meaning only 1 query can be sent inside a single batch. You need to audit your usages and choose the correct value for your use-case.

    Example request that uses batching (JSON arrays):

    $ json_data='[
        {"query": "{ products(first: 1) { __typename } }"},
        {"query": "{ categories(first: 1) { __typename } }"}
      ]'
    $ curl --json "$json_data" https://example.com/graphql/
    
  • If you use GraphQL aliases and use more than 100 of them within a single query, you need to increase GRAPHQL_ALIAS_COUNT_LIMIT (defaults to 100).

    Example query using aliases:

    query myQuery {
      products(first: 10) {
        alias1: id
        alias2: id
        alias3: id
      }
    }
    
  • If you send more than 3 GraphQL mutations per API call, you need to increase GRAPHQL_MUTATION_COUNT_LIMIT (defaults to 3). For example, the following GraphQL document sends two mutations in a single request:

    mutation {
      productUpdate(input: {name: "my-product"}, id: "UHJvZHVjdDox") {
        product {
          id
        }
      }
      
      collectionUpdate(input: {name: "my-collection"}, id: "Q29sbGVjdGlvbjoy") {
        collection {
          id
        }
      }
    }
    

Full Changelog: https://github.com/saleor/saleor/compare/3.21.53...3.21.54

3.22.47 Breaking risk
⚠ Upgrade required
  • Audit and adjust `GRAPHQL_BATCH_MAX_COUNT` (default 1) for GraphQL query batching usage.
  • If your queries use more than 100 aliases, increase `GRAPHQL_ALIAS_COUNT_LIMIT` accordingly.
  • For requests containing >3 mutations, raise `GRAPHQL_MUTATION_COUNT_LIMIT` from its default of 3.
Breaking changes
  • Default `GRAPHQL_BATCH_MAX_COUNT` lowered to 1; applications using GraphQL query batching must set a higher value via env var.
  • Default `GRAPHQL_ALIAS_COUNT_LIMIT` limited to 100; queries exceeding this now fail and require increasing the limit via `GRAPHQL_ALIAS_COUNT_LIMIT`.
  • Default `GRAPHQL_MUTATION_COUNT_LIMIT` capped at 3; requests with more than three mutations must raise the limit using `GRAPHQL_MUTATION_COUNT_LIMIT`.
Security fixes
  • CVE-2026-33756 — Denial of service via unbounded GraphQL query batching
  • CVE-2026-35401 — Resource exhaustion vulnerability in GraphQL queries
  • CVE-2026-35407 — Cross‑account email change via unbound confirmation token
Full changelog

What's Changed

  • Fixed CVE-2026-33756: Denial of service via unbounded GraphQL query batching
  • Fixed CVE-2026-35401: Resource exhaustion vulnerability in GraphQL queries
  • Fixed CVE-2026-35407: Cross-account email change via unbound confirmation token
  • Fixed CVE-2026-39851: User enumeration vulnerability due to different error messages

[!WARNING]
Potential breaking changes are included:

  • If you use GraphQL query batching, the environment variable GRAPHQL_BATCH_MAX_COUNT should be increased. By default it is set to 1, meaning only 1 query can be sent inside a single batch. You need to audit your usages and choose the correct value for your use-case.

    Example request that uses batching (JSON arrays; the --json flag needs curl 7.82 or newer):

    $ json_data='[
        {"query": "{ products(first: 1) { __typename } }"},
        {"query": "{ categories(first: 1) { __typename } }"}
      ]'
    $ curl --json "$json_data" https://example.com/graphql/
    
  • If you use GraphQL aliases and use more than 100 of them within a single query, you need to increase GRAPHQL_ALIAS_COUNT_LIMIT (defaults to 100).

    Example query using aliases:

    query myQuery {
      products(first: 10) {
        alias1: id
        alias2: id
        alias3: id
      }
    }
    
  • If you send more than 3 GraphQL mutations per API call, you need to increase GRAPHQL_MUTATION_COUNT_LIMIT (defaults to 3). For example, the following GraphQL document sends two mutations in a single request:

    mutation {
      productUpdate(input: {name: "my-product"}, id: "UHJvZHVjdDox") {
        product {
          id
        }
      }
      
      collectionUpdate(input: {name: "my-collection"}, id: "Q29sbGVjdGlvbjoy") {
        collection {
          id
        }
      }
    }
    

Full Changelog: https://github.com/saleor/saleor/compare/3.22.46...3.22.47
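
The three limits in the 3.21.54 and 3.22.47 notes above apply to every request, so before raising any of them it is worth measuring what your clients actually send. The script below is an added example, not Saleor's code: it lexes each request body, counts batch size, aliases and top-level mutation fields, and reports which default limit a request would exceed. It assumes that the batch limit counts the operations in a JSON-array body, that the alias limit counts aliases anywhere in one document, and that the mutation limit counts top-level fields of a mutation operation; confirm those semantics against the Saleor version you run. The three request bodies it checks are the ones shown in the notes above.

```python
# Added example (not Saleor's code): measure request bodies against the three limits.
# Assumptions to verify against your Saleor version: the batch limit counts operations
# in a JSON-array body, the alias limit counts aliases anywhere in one document, and the
# mutation limit counts top-level fields of a mutation operation.
import json
import re

DEFAULT_LIMITS = {"batch": 1, "aliases": 100, "mutations": 3}  # defaults from the notes

# Minimal GraphQL lexer: block strings, strings, spread, names, numbers, punctuators,
# comments; commas and whitespace are insignificant and dropped.
_TOKEN = re.compile(
    r'"""(?:\\.|(?!""")[\s\S])*"""|"(?:\\.|[^"\\\n])*"|\.\.\.|[A-Za-z_]\w*'
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|[{}()\[\]:!=@$|]|#[^\n]*|,|\s+'
)
_NAME = re.compile(r"[A-Za-z_]\w*")


def tokenize(doc):
    pos, out = 0, []
    while pos < len(doc):
        m = _TOKEN.match(doc, pos)
        if m is None:
            raise ValueError(f"unexpected character {doc[pos]!r} at offset {pos}")
        pos, tok = m.end(), m.group(0)
        if not (tok == "," or tok.isspace() or tok.startswith("#")):
            out.append(tok)
    return out


def count_aliases(doc):
    """Number of `alias: field` pairs. A colon outside parentheses can only be an
    alias; inside them it belongs to an argument or a variable definition."""
    toks, parens, n = tokenize(doc), 0, 0
    for i, tok in enumerate(toks):
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif tok == ":" and parens == 0 and 0 < i < len(toks) - 1:
            if _NAME.fullmatch(toks[i - 1]) and _NAME.fullmatch(toks[i + 1]):
                n += 1
    return n


def count_mutations(doc):
    """Largest number of top-level fields in any `mutation` operation. Fields inside a
    top-level inline fragment are not counted (known limitation of this sketch)."""
    toks = tokenize(doc)
    braces = parens = current = best = 0
    pending = inside = False
    for i, tok in enumerate(toks):
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif tok == "{":
            braces += 1
            if pending and braces == 1 and parens == 0:   # the operation's selection set
                inside, pending, current = True, False, 0
        elif tok == "}":
            braces -= 1
            if inside and braces == 0:
                best, inside = max(best, current), False
        elif braces == 0 and parens == 0 and tok == "mutation":
            pending = True
        elif inside and braces == 1 and parens == 0 and _NAME.fullmatch(tok):
            # A field starts with a name that does not follow ':' (aliased field name),
            # '@' (directive), '$' (variable), or '...'/'on' (fragment syntax).
            if toks[i - 1] not in (":", "@", "$", "...", "on"):
                current += 1
    return best


def audit_request(body, limits=DEFAULT_LIMITS):
    """Measure a raw request body (one operation or a JSON-array batch) and list
    the limits it would exceed with the given (default) values."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    report = {
        "batch": len(ops),
        "aliases": max(count_aliases(op["query"]) for op in ops),
        "mutations": max(count_mutations(op["query"]) for op in ops),
    }
    report["violations"] = [k for k in ("batch", "aliases", "mutations") if report[k] > limits[k]]
    return report


# The three request bodies shown in the release notes above.
BATCH_EXAMPLE = json.dumps([{"query": "{ products(first: 1) { __typename } }"},
                            {"query": "{ categories(first: 1) { __typename } }"}])
ALIAS_EXAMPLE = json.dumps({"query": "query myQuery { products(first: 10) { alias1: id alias2: id alias3: id } }"})
MUTATION_EXAMPLE = json.dumps({"query": """mutation {
  productUpdate(input: {name: "my-product"}, id: "UHJvZHVjdDox") { product { id } }
  collectionUpdate(input: {name: "my-collection"}, id: "Q29sbGVjdGlvbjoy") { collection { id } }
}"""})

if __name__ == "__main__":
    for label, body in [("batch", BATCH_EXAMPLE), ("aliases", ALIAS_EXAMPLE), ("mutations", MUTATION_EXAMPLE)]:
        print(label, audit_request(body))
```

Point audit_request at the bodies your storefront and apps really send (an access log sample, or the persisted operations in your client bundle) and raise only the limit that the report shows being exceeded; the batch example from the notes is the only one of the three that trips a default, because it carries two operations against a GRAPHQL_BATCH_MAX_COUNT of 1.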

3.20.117 Security relevant
Security fixes
  • CVE-2026-3902 — ASGI header spoofing via underscore/hyphen conflation
  • CVE-2026-4277 — Privilege abuse in GenericInlineModelAdmin
  • CVE-2026-4292 — Privilege abuse in ModelAdmin.list_editable
Full changelog

What's Changed

  • Fix error handling and parse errors when dealing with unexpected and/or incorrect JSON payloads (#19016) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19023
  • Upgraded django to 4.2.30 in https://github.com/saleor/saleor/pull/19032, fixes:
    • CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    • CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    • CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    • CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
    • CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
    • More info: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Full Changelog: https://github.com/saleor/saleor/compare/3.20.116...3.20.117

3.21.53 Security relevant
⚠ Upgrade required
  • Upgraded Django to version 4.2.30 (fixes the Django CVEs listed under Full changelog below)
Security fixes
  • CVE-2026-3902 — ASGI header spoofing via underscore/hyphen conflation
  • CVE-2026-4277 — Privilege abuse in GenericInlineModelAdmin
  • CVE-2026-4292 — Privilege abuse in ModelAdmin.list_editable
Full changelog

What's Changed

  • Fix error handling and parse errors when dealing with unexpected and/or incorrect JSON payloads (#19016) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19022
  • Upgraded django to 4.2.30 in https://github.com/saleor/saleor/pull/19031, fixes:
    • CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    • CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    • CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    • CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
    • CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
    • More info: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Full Changelog: https://github.com/saleor/saleor/compare/3.21.52...3.21.53

3.22.46 Security relevant
⚠ Upgrade required
  • Upgraded Django to version 5.2.13; review the Django 5.2 release notes for any compatibility changes.
Security fixes
  • CVE-2026-3902 — ASGI header spoofing via underscore/hyphen conflation
  • CVE-2026-4277 — Privilege abuse in GenericInlineModelAdmin
  • CVE-2026-4292 — Privilege abuse in ModelAdmin.list_editable
Full changelog

What's Changed

  • Fix error handling and parse errors when dealing with unexpected and/or incorrect JSON payloads (#19016) by @wcislo-saleor in https://github.com/saleor/saleor/pull/19021
  • Upgraded django to 5.2.13 in https://github.com/saleor/saleor/pull/19030, fixes:
    • CVE-2026-3902: ASGI header spoofing via underscore/hyphen conflation
    • CVE-2026-4277: Privilege abuse in GenericInlineModelAdmin
    • CVE-2026-4292: Privilege abuse in ModelAdmin.list_editable
    • CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload
    • CVE-2026-33034: Potential denial-of-service vulnerability in ASGI requests via memory upload limit bypass
    • More info: https://www.djangoproject.com/weblog/2026/apr/07/security-releases/

Full Changelog: https://github.com/saleor/saleor/compare/3.22.45...3.22.46

3.22.45 Bug fix
Notable features
  • Added `PRODUCT_VARIANT_DISCOUNTED_PRICE_UPDATED` webhook event
Full changelog

What's Changed

  • Add PRODUCT_VARIANT_DISCOUNTED_PRICE_UPDATED webhook event by @IKarbowiak in https://github.com/saleor/saleor/pull/18973
  • Fix duplicate attributes in inCategory/inCollection filters by @IKarbowiak in https://github.com/saleor/saleor/pull/19002
  • Fix deadlocks on checkout and order by @IKarbowiak in https://github.com/saleor/saleor/pull/19000

Full Changelog: https://github.com/saleor/saleor/compare/3.22.44...3.22.45

3.22.44 New feature
Notable features
  • Metric introduced to track GraphQL field usage
Full changelog

What's Changed

  • Introduce a metric for tracking GraphQL field usage by @przlada in https://github.com/saleor/saleor/pull/18957

Full Changelog: https://github.com/saleor/saleor/compare/3.22.43...3.22.44

3.22.43 Bug fix

Fixed a memory leak affecting cached states.

Full changelog

What's Changed

  • Fix memory leak for cached states by @IKarbowiak in https://github.com/saleor/saleor/pull/18946
  • Validate empty product ID in ProductMediaCreate mutation by @lkostrowski in https://github.com/saleor/saleor/pull/18942
  • Fix creation of the event. (#18959) by @wcislo-saleor in https://github.com/saleor/saleor/pull/18960

Full Changelog: https://github.com/saleor/saleor/compare/3.22.42...3.22.43

3.21.52 Bug fix
Notable features
  • Introduce a metric for tracking GraphQL field usage
Full changelog

What's Changed

  • Fix memory leak for cached states by @IKarbowiak in https://github.com/saleor/saleor/pull/18947
  • Introduce a metric for tracking GraphQL field usage by @przlada in https://github.com/saleor/saleor/pull/18956
  • Fix creation of the event. (#18959) by @wcislo-saleor in https://github.com/saleor/saleor/pull/18961

Full Changelog: https://github.com/saleor/saleor/compare/3.21.51...3.21.52

3.20.116 Bug fix

Fixed a memory leak in cached states.

Full changelog

What's Changed

  • Fix memory leak for cached states by @IKarbowiak in https://github.com/saleor/saleor/pull/18948
  • Fix creation of the event. (#18959) by @wcislo-saleor in https://github.com/saleor/saleor/pull/18962

Full Changelog: https://github.com/saleor/saleor/compare/3.20.115...3.20.116

3.20.115 Security relevant
Security fixes
  • CVE-2026-32597 — upgraded pyjwt to the latest version
Full changelog

What's Changed

  • Upgraded pyjwt to latest to fix CVE-2026-32597 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18936

Full Changelog: https://github.com/saleor/saleor/compare/3.20.114...3.20.115

3.22.42 Breaking risk
⚠ Upgrade required
  • Deprecation warning: legacy Adyen plugin `Payment.partial` field is deprecated and will be removed in a future release.
Security fixes
  • CVE-2026-32597 — upgraded pyjwt to latest version
Full changelog

What's Changed

  • Deprecated legacy Adyen plugin Payment.partial field by @lkostrowski in https://github.com/saleor/saleor/pull/18924
  • Upgraded pyjwt to latest to fix CVE-2026-32597 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18934

Full Changelog: https://github.com/saleor/saleor/compare/3.22.41...3.22.42

3.21.51 Security relevant
Security fixes
  • CVE-2026-32597 — upgraded pyjwt to latest version
Full changelog

What's Changed

  • Upgraded pyjwt to latest to fix CVE-2026-32597 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18935

Full Changelog: https://github.com/saleor/saleor/compare/3.21.50...3.21.51

3.20.114 Breaking risk
⚠ Upgrade required
  • Deprecated digital contents; plan migration away from this feature.
Security fixes
  • CVE-2026-28802 — authlib upgraded to latest version
Full changelog

What's Changed

  • Deprecated digital contents by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18798
  • Fixed unsafe access to writer warnings by @wcislo-saleor in https://github.com/saleor/saleor/pull/18824
  • Upgraded authlib to latest to fix CVE-2026-28802 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18907

Misc:

  • Fixed flaky tests due to relying on the order of returned shipping methods in tests (#17597) by @wcislo-saleor in https://github.com/saleor/saleor/pull/18826

Full Changelog: https://github.com/saleor/saleor/compare/3.20.113...3.20.114

3.22.41 Security relevant
Security fixes
  • CVE-2026-28802 — upgraded authlib to the latest version
Full changelog

What's Changed

  • Fixed empty permissions in AppInstall mutation by @IKarbowiak in https://github.com/saleor/saleor/pull/18884
  • Fixed TypeError when app manifest contains empty extensions and webhooks by @IKarbowiak in https://github.com/saleor/saleor/pull/18889
  • Upgrade authlib to latest to fix CVE-2026-28802 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18910

Full Changelog: https://github.com/saleor/saleor/compare/3.22.40...3.22.41

3.21.50 Breaking risk
⚠ Upgrade required
  • Deprecated digital contents; plan migration away from this feature.
Security fixes
  • CVE-2026-28802 — authlib vulnerability fixed by upgrading to latest version
Full changelog

What's Changed

  • Deprecated digital contents by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18797
  • Fixed unsafe access to writer warnings by @wcislo-saleor in https://github.com/saleor/saleor/pull/18819
  • Upgrade authlib to latest to fix CVE-2026-28802 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18908

Misc:

  • tests: fixed missing cache in account tests by @korycins in https://github.com/saleor/saleor/pull/18800

Full Changelog: https://github.com/saleor/saleor/compare/3.21.49...3.21.50

3.22.40 New feature
Notable features
  • Added `metadata` field to `CustomerOrderWhereInput` allowing metadata-based query filtering
Full changelog

What's Changed

  • Extend CustomerOrderWhereInput with metadata by @IKarbowiak in https://github.com/saleor/saleor/pull/18882

Full Changelog: https://github.com/saleor/saleor/compare/3.22.39...3.22.40

3.22.39 Bug fix
Notable features
  • Make USED_IN_ORDER gift card events accessible for users with MANAGE_ORDERS permission
  • Extend user.orders query with where filtering option
Full changelog

What's Changed

  • Make USED_IN_ORDER gift card events accessible for users with MANAGE_ORDERS by @IKarbowiak in https://github.com/saleor/saleor/pull/18868
  • Extend user.orders with where option by @IKarbowiak in https://github.com/saleor/saleor/pull/18866
  • Fix trackInventory not being applied in productBulkCreate by @IKarbowiak in https://github.com/saleor/saleor/pull/18875
  • Fix media creation mutations when alt field is null by @przlada in https://github.com/saleor/saleor/pull/18873

Full Changelog: https://github.com/saleor/saleor/compare/3.22.38...3.22.39

3.22.38 New feature
Notable features
  • Address validation preserves extra fields not present in allowed list
  • CountryCodeEnum now includes missing descriptions
Full changelog

What's Changed

  • Add missing descriptions to the CountryCodeEnum by @patrys in https://github.com/saleor/saleor/pull/18836
  • Allow preserving address extra fields not present in allowed ones during address validation by @IKarbowiak in https://github.com/saleor/saleor/pull/18825

Full Changelog: https://github.com/saleor/saleor/compare/3.22.37...3.22.38

3.22.37 New feature
Notable features
  • Media validation extends the allowed MIME type list
Full changelog

What's Changed

  • Media validation - extend MIME type allowlist by @przlada in https://github.com/saleor/saleor/pull/18832

Full Changelog: https://github.com/saleor/saleor/compare/3.22.36...3.22.37

3.22.36 New feature
Notable features
  • AppProblem API
Full changelog

What's Changed

  • [3.22] Add AppProblem API by @lkostrowski in https://github.com/saleor/saleor/pull/18808
  • Fix the missing descriptions in the LanguageCodeEnum by @patrys in https://github.com/saleor/saleor/pull/18823
  • Fix unsafe access to writer warnings by @wcislo-saleor in https://github.com/saleor/saleor/pull/18820
  • Release 3.22.36 by @lkostrowski in https://github.com/saleor/saleor/pull/18815

Full Changelog: https://github.com/saleor/saleor/compare/3.22.35...3.22.36

3.22.35 Bug fix

Fixed pagination for resolvers that operate on lists.

Full changelog

What's Changed

  • Fix pagination for resolvers that operate on lists by @IKarbowiak in https://github.com/saleor/saleor/pull/18811
  • Release 3.22.35 by @IKarbowiak in https://github.com/saleor/saleor/pull/18814

Full Changelog: https://github.com/saleor/saleor/compare/3.22.34...3.22.35

3.22.34 Maintenance
⚠ Upgrade required
  • Deprecate digital contents in Saleor v3.22
Full changelog

What's Changed

  • Add missing cache to account tests by @korycins in https://github.com/saleor/saleor/pull/18801
  • Deprecate digital contents in Saleor v3.22 by @NyanKiyoshi in https://github.com/saleor/saleor/pull/18796
  • Refactor media validation in product mutations by @przlada in https://github.com/saleor/saleor/pull/18803

Full Changelog: https://github.com/saleor/saleor/compare/3.22.33...3.22.34

3.20.113 Maintenance

Minor fixes and improvements.

Full changelog

What's Changed

  • Prevent app already installed error in quiet mode (#18742) by @cmiacz in https://github.com/saleor/saleor/pull/18763
  • Release 3.20.113 by @cmiacz in https://github.com/saleor/saleor/pull/18792

Full Changelog: https://github.com/saleor/saleor/compare/3.20.112...3.20.113

3.22.33 Bug fix
Notable features
  • Added `transactions` query and extended order transactions filter with `pspReference`
Full changelog

What's Changed

  • Prevent app already installed error in quiet mode (#18742) by @cmiacz in https://github.com/saleor/saleor/pull/18765
  • Add transactions query and extend order transactions where filter with pspReference by @IKarbowiak in https://github.com/saleor/saleor/pull/18759
  • Fix products export with filters by @IKarbowiak in https://github.com/saleor/saleor/pull/18774

Full Changelog: https://github.com/saleor/saleor/compare/3.22.32...3.22.33

3.21.49 Bug fix

Fixed products export failing when using filters.

Full changelog

What's Changed

  • Prevent app already installed error in quiet mode (#18742) by @cmiacz in https://github.com/saleor/saleor/pull/18764
  • Fix products export with filters by @IKarbowiak in https://github.com/saleor/saleor/pull/18768

Full Changelog: https://github.com/saleor/saleor/compare/3.21.48...3.21.49

3.22.32 Security relevant
Security fixes
  • CVE-2025-13473 — fixed by upgrading Django
  • CVE-2025-14550 — fixed by upgrading Django
  • CVE-2026-1207 — fixed by upgrading Django
Full changelog

What's Changed

  • Upgraded Django to latest version to fix CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 (more details at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/ ) by @przlada in https://github.com/saleor/saleor/pull/18751

Full Changelog: https://github.com/saleor/saleor/compare/3.22.31...3.22.32

3.20.112 Security relevant
Security fixes
  • CVE-2025-13473 — security release
  • CVE-2025-14550 — security release
  • CVE-2026-1207 — security release
Full changelog

What's Changed

  • Upgraded Django to latest version to fix CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 (more details at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/ ) by @przlada in https://github.com/saleor/saleor/pull/18754

Full Changelog: https://github.com/saleor/saleor/compare/3.20.111...3.20.112

3.21.48 Security relevant
Security fixes
  • CVE-2025-13473 — fixed in Django upgrade
  • CVE-2025-14550 — fixed in Django upgrade
  • CVE-2026-1207 — fixed in Django upgrade
Full changelog

What's Changed

  • Upgraded Django to latest version to fix CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 (more details at https://www.djangoproject.com/weblog/2026/feb/03/security-releases/ ) by @przlada in https://github.com/saleor/saleor/pull/18753

Full Changelog: https://github.com/saleor/saleor/compare/3.21.47...3.21.48

3.22.31 New feature
Notable features
  • Configurable dedicated Celery queue for data migration tasks
Full changelog

What's Changed

  • Enable configurable dedicated Celery queue for data migration tasks by @przlada in https://github.com/saleor/saleor/pull/18740

Full Changelog: https://github.com/saleor/saleor/compare/3.22.30...3.22.31

3.21.47 New feature
Notable features
  • Configurable dedicated Celery queue for data migration tasks
Full changelog

What's Changed

  • Enable configurable dedicated Celery queue for data migration tasks by @przlada in https://github.com/saleor/saleor/pull/18741

Full Changelog: https://github.com/saleor/saleor/compare/3.21.46...3.21.47

3.20.111 New feature
Notable features
  • Enable configurable dedicated Celery queue for data migration tasks
Full changelog

What's Changed

  • Do not return installed/created app token when not needed (#18704) by @cmiacz in https://github.com/saleor/saleor/pull/18706
  • Enable configurable dedicated Celery queue for data migration tasks by @przlada in https://github.com/saleor/saleor/pull/18743

Full Changelog: https://github.com/saleor/saleor/compare/3.20.110...3.20.111

3.22.30 Bug fix

Fixed Kosovo being unrecognized as a valid country during checkout.

Full changelog

What's Changed

  • Do not return installed/created app token when not needed (#18704) by @cmiacz in https://github.com/saleor/saleor/pull/18708
  • Improve voucher validations in draft orders by @IKarbowiak in https://github.com/saleor/saleor/pull/18727
  • Fix Kosovo not recognized as valid country in checkout by @IKarbowiak in https://github.com/saleor/saleor/pull/18729

Full Changelog: https://github.com/saleor/saleor/compare/3.22.29...3.22.30

3.21.46 Bug fix

Fixed Kosovo being incorrectly rejected as a valid country during checkout.

Full changelog

What's Changed

  • Do not return installed/created app token when not needed (#18704) by @cmiacz in https://github.com/saleor/saleor/pull/18707
  • Improve voucher validations in draft orders by @IKarbowiak in https://github.com/saleor/saleor/pull/18726
  • Fix Kosovo not recognized as valid country in checkout by @IKarbowiak in https://github.com/saleor/saleor/pull/18730

Full Changelog: https://github.com/saleor/saleor/compare/3.21.45...3.21.46

3.21.45 Security relevant
Security fixes
  • GHSA-r6fj-f4r9-36gr — CVE-2026-24136
Full changelog

What's Changed

  • Fix CVE-2026-24136 by @korycins in https://github.com/saleor/saleor/pull/18712

Full Changelog: https://github.com/saleor/saleor/compare/3.21.44...3.21.45

3.22.29 Security relevant
Security fixes
  • GHSA-r6fj-f4r9-36gr (CVE-2026-24136) — security vulnerability fixed
Full changelog

What's Changed

  • Fix CVE-2026-24136 by @korycins in https://github.com/saleor/saleor/pull/18713

Full Changelog: https://github.com/saleor/saleor/compare/3.22.28...3.22.29

3.20.110 Security relevant
Security fixes
  • GHSA-r6fj-f4r9-36gr — CVE-2026-24136
Full changelog

What's Changed

  • Fix CVE-2026-24136 by @korycins in https://github.com/saleor/saleor/pull/18711

Full Changelog: https://github.com/saleor/saleor/compare/3.20.109...3.20.110

3.22.28 New feature
Notable features
  • Deactivates single‑use vouchers when a draft order is completed
Full changelog

What's Changed

  • Deactivate single use voucher when completing draft order by @IKarbowiak in https://github.com/saleor/saleor/pull/18697

Full Changelog: https://github.com/saleor/saleor/compare/3.22.27...3.22.28

3.20.109 Maintenance

Minor fixes and improvements.

Full changelog

New release fixing the missing Docker image for v3.20.108. No changes were made in the code since v3.20.108.

Full Changelog: https://github.com/saleor/saleor/compare/3.20.108...3.20.109

3.21.44 New feature
Notable features
  • Deactivates single‑use vouchers when a draft order is completed
Full changelog

What's Changed

  • Deactivate single use voucher when completing draft order by @IKarbowiak in https://github.com/saleor/saleor/pull/18690

Full Changelog: https://github.com/saleor/saleor/compare/3.21.43...3.21.44

3.22.27 Security relevant
⚠ Upgrade required
  • Run `./manage.py clean_editorjs_fields` to scan and optionally apply cleaning for CVE‑2026‑22849.
  • Run `./manage.py remove_invalid_files` to scan uploaded files and optionally delete invalid ones for CVE‑2026‑23499.
  • Review configuration settings if using custom HTML attributes, URL schemes, deep lists, or additional file mime types as noted in the upgrade notes.
Security fixes
  • CVE-2026-22849 – Lack of proper HTML sanitization in rich text fields (stored XSS).
  • CVE-2026-23499 – Stored XSS via unrestricted file uploads.
Full changelog
  • Fixed CVE-2026-22849 - Lack of proper HTML sanitization in rich text fields
  • Fixed CVE-2026-23499 - Stored XSS via Unrestricted File Uploads

Upgrade Notes (Important)

[!NOTE]
This is a security release with major changes; we recommend reading the release notes carefully.

This release fixes two stored XSS vulnerabilities. If you believe you are impacted, or if you are unsure and want to verify, run the following commands:

  • CVE-2026-22849: ./manage.py clean_editorjs_fields - this scans all rich text fields and displays
    any differences detected. Look for suspicious differences (e.g., unexpected JavaScript code);
    if you want to fix the differences, run ./manage.py clean_editorjs_fields --apply
  • CVE-2026-23499: ./manage.py remove_invalid_files - scans all uploaded files (in the media storage,
    e.g., the filesystem, an S3 bucket, etc.). Look for unexpected files; if you see differences,
    then either:
    • Change the configuration so that Saleor allows the file (see the list of allowed file formats below)
    • Delete the file manually or automatically (./manage.py remove_invalid_files --apply)

Am I impacted by the major changes?

  • Do you use HTML attributes in EditorJS?
    If yes, you may need to look at allowing custom HTML attributes, and our documentation for allowing custom attribute values.
  • Do you use URL schemes other than http(s)://, tel:, and mailto: in EditorJS?
    If yes, look at our documentation for allowing custom URL schemes (UNSAFE_EDITOR_JS_ALLOWED_URL_SCHEMES).
  • Do you use lists that are deeper than 10 levels? For example, this is a 2-level list:
      • level 1
        • level 2
    If yes, look at EDITOR_JS_LISTS_MAX_DEPTH.
  • Do you use the mutations fileUpload() and digitalContentCreate(), and do you upload files in any format other than the following?
      • Images: AVIF, GIF, JPEG, BMP, PNG, TIFF, WebP
      • Documents: Word documents (.docx, .doc), Excel files (.xls, .xlsx), PowerPoint files (.ppt, .pptx)
      • Videos: MP4, WebM, QuickTime (.mov), Vorbis (.ogg, .ogv)
      • Audio: MP3, .m4a, .weba, Vorbis (.oga, .ogg), Wav (.wav)
      • Text: CSV (.csv), plain text (.txt)
    If yes, you may need to look at our documentation for allowing upload of additional file formats (UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES).

Huge thanks to the security researchers who reported these issues responsibly: @vuquyen03, and @lukasz-rybak.

Full Changelog: https://github.com/saleor/saleor/compare/3.22.26...3.22.27

3.21.43 Security relevant
⚠ Upgrade required
  • Run `./manage.py clean_editorjs_fields` to scan and optionally apply fixes for CVE‑2026‑22849.
  • Run `./manage.py remove_invalid_files` to scan uploaded files; review unexpected files or adjust configuration (`UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES`) before applying removals with `--apply`.
Security fixes
  • CVE-2026-22849 — Lack of proper HTML sanitization in rich text fields
  • CVE-2026-23499 — Stored XSS via unrestricted file uploads
Full changelog
  • Fixed CVE-2026-22849 - Lack of proper HTML sanitization in rich text fields
  • Fixed CVE-2026-23499 - Stored XSS via Unrestricted File Uploads

Upgrade Notes (Important)

[!NOTE]
This is a security release with major changes; we recommend reading the release notes carefully.

This release fixes two stored XSS vulnerabilities. If you believe you are impacted, or if you are unsure and want to verify, run the following commands:

  • CVE-2026-22849: ./manage.py clean_editorjs_fields - this scans all rich text fields and displays
    any differences detected. Look for suspicious differences (e.g., unexpected JavaScript code);
    if you want to fix the differences, run ./manage.py clean_editorjs_fields --apply
  • CVE-2026-23499: ./manage.py remove_invalid_files - scans all uploaded files (in the media storage,
    e.g., the filesystem, an S3 bucket, etc.). Look for unexpected files; if you see differences,
    then either:
    • Change the configuration so that Saleor allows the file (see the list of allowed file formats below)
    • Delete the file manually or automatically (./manage.py remove_invalid_files --apply)

Am I impacted by the major changes?

  • Do you use HTML attributes in EditorJS?
    If yes, you may need to look at allowing custom HTML attributes, and our documentation for allowing custom attribute values.
  • Do you use URL schemes other than http(s)://, tel:, and mailto: in EditorJS?
    If yes, look at our documentation for allowing custom URL schemes (UNSAFE_EDITOR_JS_ALLOWED_URL_SCHEMES).
  • Do you use lists that are deeper than 10 levels? For example, this is a 2-level list:
      • level 1
        • level 2
    If yes, look at EDITOR_JS_LISTS_MAX_DEPTH.
  • Do you use the mutations fileUpload() and digitalContentCreate(), and do you upload files in any format other than the following?
      • Images: AVIF, GIF, JPEG, BMP, PNG, TIFF, WebP
      • Documents: Word documents (.docx, .doc), Excel files (.xls, .xlsx), PowerPoint files (.ppt, .pptx)
      • Videos: MP4, WebM, QuickTime (.mov), Vorbis (.ogg, .ogv)
      • Audio: MP3, .m4a, .weba, Vorbis (.oga, .ogg), Wav (.wav)
      • Text: CSV (.csv), plain text (.txt)
    If yes, you may need to look at our documentation for allowing upload of additional file formats (UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES).

Huge thanks to the security researchers who reported these issues responsibly: @vuquyen03, and @lukasz-rybak.

Full Changelog: https://github.com/saleor/saleor/compare/3.21.42...3.21.43
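
The clean_editorjs_fields command in the 3.22.27 and 3.21.43 notes above (the same notes are repeated for 3.20.108 below) tells you to look for suspicious differences in rich text fields but not what those differences look like. The script below is an added example, not Saleor's sanitizer: it walks an EditorJS document and reports the three things the notes single out, namely inline HTML outside an allowlist, link schemes other than http(s), tel and mailto, and lists nested deeper than 10 levels. The inline tag/attribute allowlist, the EditorJS block shapes (paragraph and header text, list items with nested "items") and the sample document are assumptions constructed for this example; the four allowed schemes and the depth of 10 are the values the notes give.

```python
# Added example (not Saleor's sanitizer): surface the differences the release notes
# tell you to look for in EditorJS content. Tag/attribute allowlist, block shapes and
# the sample document are assumptions made for this example.
import html
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = {"http", "https", "tel", "mailto"}   # the schemes the notes name
MAX_LIST_DEPTH = 10                                        # EDITOR_JS_LISTS_MAX_DEPTH default per the notes
# Assumed inline allowlist: tag -> permitted attributes; anything else is reported.
ALLOWED_TAGS = {"b": set(), "i": set(), "u": set(), "mark": set(), "code": set(), "br": set(), "a": {"href"}}
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def url_scheme(value):
    """Scheme a browser would act on: entities decoded, embedded whitespace/control
    characters dropped (a tab inside 'javascript' still executes), case folded.
    Returns 'relative' for scheme-less URLs."""
    cleaned = _CONTROL.sub("", html.unescape(value))
    return urlsplit(cleaned).scheme.lower() or "relative"


class _InlineAudit(HTMLParser):
    def __init__(self, findings, where):
        super().__init__(convert_charrefs=True)
        self.findings, self.where = findings, where

    def handle_starttag(self, tag, attrs):
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            self.findings.append((self.where, f"disallowed tag <{tag}>"))
            return
        for name, value in attrs:
            if name not in allowed_attrs:
                self.findings.append((self.where, f"disallowed attribute {name} on <{tag}>"))
            elif name == "href":
                scheme = url_scheme(value or "")
                if scheme != "relative" and scheme not in ALLOWED_URL_SCHEMES:
                    self.findings.append((self.where, f"disallowed URL scheme {scheme!r} in href"))


def list_depth(items, depth=1):
    """Nesting depth of an EditorJS list; nested lists live in each item's 'items'."""
    deepest = depth
    for item in items:
        nested = item.get("items", []) if isinstance(item, dict) else []
        if nested:
            deepest = max(deepest, list_depth(nested, depth + 1))
    return deepest


def _list_texts(items):
    for item in items:
        if isinstance(item, dict):
            yield item.get("content", "")
            yield from _list_texts(item.get("items", []))
        else:
            yield str(item)


def audit_editorjs(doc):
    """Return [(location, finding), ...] for a document given as dict or JSON string."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    for idx, block in enumerate(doc.get("blocks", [])):
        where, data = f"block[{idx}]:{block.get('type')}", block.get("data", {})
        if block.get("type") == "list":
            depth = list_depth(data.get("items", []))
            if depth > MAX_LIST_DEPTH:
                findings.append((where, f"list nested {depth} levels (max {MAX_LIST_DEPTH})"))
            texts = list(_list_texts(data.get("items", [])))
        else:
            texts = [v for v in data.values() if isinstance(v, str)]
        for text in texts:
            parser = _InlineAudit(findings, where)
            parser.feed(text)
            parser.close()
    return findings


def nested_list(depth):
    """Constructed list block nested `depth` levels deep."""
    item = {"content": f"level {depth}", "items": []}
    for level in range(depth - 1, 0, -1):
        item = {"content": f"level {level}", "items": [item]}
    return {"type": "list", "data": {"style": "unordered", "items": [item]}}


# Constructed sample: one clean block, then the kinds of differences the scan should surface.
SAMPLE_DOC = {"blocks": [
    {"type": "paragraph", "data": {"text": 'Hello <b>world</b>, see <a href="https://example.com/docs">docs</a>'}},
    {"type": "paragraph", "data": {"text": '<a href="&#106;avascript:alert(1)">win</a> <img src=x onerror=alert(1)>'}},
    {"type": "header", "data": {"text": '<a href="java\tscript:alert(1)" onmouseover="alert(2)">h</a>', "level": 2}},
    nested_list(11),
]}

if __name__ == "__main__":
    for where, finding in audit_editorjs(SAMPLE_DOC):
        print(where, "->", finding)
```

The href check is the part worth copying: a scheme allowlist that compares the raw string would pass the entity-encoded and tab-split javascript: links in the sample, so normalise the way a browser does (decode entities, drop control characters, fold case) before deciding, and treat "no scheme" separately from "unknown scheme" so that relative links keep working.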

3.20.108 Security relevant
⚠ Upgrade required
  • Run `./manage.py clean_editorjs_fields` to scan and optionally apply fixes for CVE-2026-22849.
  • Run `./manage.py remove_invalid_files` to scan uploaded files; review unexpected entries or adjust configuration (UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES, UNSAFE_EDITOR_JS_ALLOWED_URL_SCHEMES) before applying changes.
Security fixes
  • CVE-2026-22849 — Lack of proper HTML sanitization in rich text fields (stored XSS)
  • CVE-2026-23499 — Stored XSS via unrestricted file uploads
Full changelog

[!WARNING]
Docker image is missing for this release due to a build issue, use v3.20.109 instead.

  • Fixed CVE-2026-22849 - Lack of proper HTML sanitization in rich text fields
  • Fixed CVE-2026-23499 - Stored XSS via Unrestricted File Uploads

Upgrade Notes (Important)

[!NOTE]
This is a security release with major changes; we recommend reading the release notes carefully.

This release fixes two stored XSS vulnerabilities. If you believe you are impacted, or if you are unsure and want to verify, run the following commands:

  • CVE-2026-22849: ./manage.py clean_editorjs_fields - this scans all rich text fields and displays
    any differences detected. Look for suspicious differences (e.g., unexpected JavaScript code);
    if you want to fix the differences, run ./manage.py clean_editorjs_fields --apply
  • CVE-2026-23499: ./manage.py remove_invalid_files - scans all uploaded files (in the media storage,
    e.g., the filesystem, an S3 bucket, etc.). Look for unexpected files; if you see differences,
    then either:
    • Change the configuration so that Saleor allows the file (see the list of allowed file formats below)
    • Delete the file manually or automatically (./manage.py remove_invalid_files --apply)

Am I impacted by the major changes?

Question: Do you use HTML attributes in EditorJS?
Answer: If yes, you may need to look at allowing custom HTML attributes, and our documentation for allowing custom attribute values.

Question: Do you use URL schemes other than http(s)://, tel:, and mailto: in EditorJS?
Answer: If yes, look at our documentation for allowing custom URL schemes (UNSAFE_EDITOR_JS_ALLOWED_URL_SCHEMES).

Question: Do you use lists that are deeper than 10 levels? For example, this is a 2-level list:
  • level 1
    • level 2
Answer: If yes, look at EDITOR_JS_LISTS_MAX_DEPTH.

Question: Do you use the mutations fileUpload() and digitalContentCreate()? And do you upload files in any format other than the following?
  • Images: AVIF, GIF, JPEG, BMP, PNG, TIFF, WebP
  • Documents: Word documents (.docx, .doc), Excel files (.xls, .xlsx), PowerPoint files (.ppt, .pptx)
  • Videos: MP4, WebM, QuickTime (.mov), Vorbis (.ogg, .ogv)
  • Audio: MP3, .m4a, .weba, Vorbis (.oga, .ogg), WAV (.wav)
  • Text: CSV (.csv), plain text (.txt)
Answer: If yes, you may need to look at our documentation for allowing upload of additional file formats (UPLOAD_ADDITIONAL_ALLOWED_MIME_TYPES).
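To make the two EditorJS checks above concrete (a URL-scheme allow-list for links in rich-text blocks and a cap on list nesting depth), here is an added, self-contained Python example. It is illustrative code written for this page, not Saleor's clean_editorjs_fields command or its sanitizer; the default allow-list (http, https, tel, mailto), the depth limit of 10, the inline tag/attribute allow-lists, the nested-list item shape ({"content", "items"}) and the sample document are all assumptions. Like the dry-run scan described in the notes, it returns the cleaned document together with a list of differences for a reviewer to inspect before applying anything.

```python
"""Constructed example of the two EditorJS checks described in the upgrade notes:
an allow-list of URL schemes for links in rich-text blocks and a cap on list
nesting depth. Illustrative code, not Saleor's own sanitizer; the allow-lists,
the depth limit and the nested-list item shape are assumptions."""
import copy
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_URL_SCHEMES = {"http", "https", "tel", "mailto"}  # assumed default allow-list
LISTS_MAX_DEPTH = 10                                      # assumed default (cf. EDITOR_JS_LISTS_MAX_DEPTH)
ALLOWED_TAGS = {"b", "i", "a", "mark", "code", "br"}      # assumed inline tag allow-list
ALLOWED_ATTRS = {"a": {"href"}}                           # assumed attribute allow-list


def url_scheme_ok(url, schemes=ALLOWED_URL_SCHEMES):
    """True for relative URLs and for absolute URLs whose scheme is allow-listed.
    urlsplit lowercases the scheme, so mixed-case schemes are compared correctly."""
    scheme = urlsplit(url.strip()).scheme
    return scheme == "" or scheme in schemes


class _Cleaner(HTMLParser):
    """Rebuilds inline HTML keeping only allow-listed tags, attributes and link schemes.
    HTMLParser decodes character references in attribute values before handing them
    to us, so an entity-encoded scheme is checked in its decoded form."""

    def __init__(self, schemes):
        super().__init__()
        self.schemes, self.out, self.dropped = schemes, [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag <{tag}>")
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or url_scheme_ok(value, self.schemes)):
                kept += f' {name}="{escape(value)}"'
            else:
                self.dropped.append(f"attribute {name}={value!r} on <{tag}>")
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text


def clean_html(text, schemes=ALLOWED_URL_SCHEMES):
    """Returns (cleaned_html, list of things that were removed)."""
    cleaner = _Cleaner(schemes)
    cleaner.feed(text)
    cleaner.close()  # flushes buffered trailing text
    return "".join(cleaner.out), cleaner.dropped


def list_depth(items, depth=1):
    """Maximum nesting depth of a nested-list `items` array (assumed shape: {"content", "items"})."""
    deepest = depth
    for item in items:
        if isinstance(item, dict) and item.get("items"):
            deepest = max(deepest, list_depth(item["items"], depth + 1))
    return deepest


def _clean_items(items, schemes, findings, prefix):
    """Sanitizes the text of every list item, recursing into nested items."""
    for item in items:
        if isinstance(item, dict):
            if isinstance(item.get("content"), str):
                item["content"], dropped = clean_html(item["content"], schemes)
                findings += [f"{prefix}: removed {d}" for d in dropped]
            _clean_items(item.get("items", []), schemes, findings, prefix)


def clean_editorjs(doc, schemes=ALLOWED_URL_SCHEMES, max_depth=LISTS_MAX_DEPTH):
    """Dry-run style scan: returns (cleaned_doc, findings) without touching `doc`.
    `findings` lists the differences a reviewer would inspect before applying."""
    findings, cleaned = [], []
    for i, block in enumerate(copy.deepcopy(doc.get("blocks", []))):
        data = block.setdefault("data", {})
        if block.get("type") == "list":
            if list_depth(data.get("items", [])) > max_depth:
                findings.append(f"block {i}: list nested deeper than {max_depth} levels, dropped")
                continue
            _clean_items(data.get("items", []), schemes, findings, f"block {i}")
        elif isinstance(data.get("text"), str):
            data["text"], dropped = clean_html(data["text"], schemes)
            findings += [f"block {i}: removed {d}" for d in dropped]
        cleaned.append(block)
    return {"blocks": cleaned}, findings


# Constructed sample document: two legitimate links, one link with a scheme that
# is not allow-listed plus an inline event handler, and a list nested 3 levels deep.
SAMPLE_DOC = {"blocks": [
    {"type": "paragraph", "data": {"text": 'See <a href="https://example.test/docs">docs</a> or <a href="mailto:help@example.test">mail us</a>.'}},
    {"type": "paragraph", "data": {"text": '<a href="JavaScript:void(0)" onclick="x()">click</a> &amp; <b>bold</b>'}},
    {"type": "list", "data": {"style": "unordered", "items": [
        {"content": "level 1", "items": [{"content": "level 2", "items": [{"content": "level 3", "items": []}]}]}]}},
]}

if __name__ == "__main__":
    cleaned_doc, report = clean_editorjs(SAMPLE_DOC, max_depth=2)
    for line in report:
        print(line)
```

Run as-is it reports the dropped href and onclick on block 1 and the over-deep list (the depth limit is lowered to 2 in the usage call so the third block trips it); with the assumed default limit of 10 the list block is kept and only its text is sanitized. The review-then-apply split mirrors the two-step procedure above: inspect the findings first, then persist the cleaned document.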

Huge thanks to the security researchers who reported these issues responsibly: @vuquyen03, and @lukasz-rybak.

Full Changelog: https://github.com/saleor/saleor/compare/3.20.107...3.20.108

3.21.42 New feature
Notable features
  • Improved OIDC plugin compatibility with AWS Cognito
Full changelog

What's Changed

  • Improve OIDC plugin compatibility with AWS Cognito by @wcislo-saleor in https://github.com/saleor/saleor/pull/18676

Full Changelog: https://github.com/saleor/saleor/compare/3.21.41...3.21.42

3.22.26 New feature
Notable features
  • Improved OIDC plugin compatibility with AWS Cognito
Full changelog

What's Changed

  • Improve OIDC plugin compatibility with AWS Cognito by @wcislo-saleor in https://github.com/saleor/saleor/pull/18673

Full Changelog: https://github.com/saleor/saleor/compare/3.22.25...3.22.26

3.22.25 Maintenance

Minor fixes and improvements.

Full changelog

What's Changed

  • Add missing celery conf and reapply migration for fixing shared address instances by @IKarbowiak in https://github.com/saleor/saleor/pull/18670

Full Changelog: https://github.com/saleor/saleor/compare/3.22.24...3.22.25

3.20.107 New feature
Notable features
  • Improved OIDC plugin compatibility with AWS Cognito
Full changelog

What's Changed

  • Improve OIDC plugin compatibility with AWS Cognito by @wcislo-saleor in https://github.com/saleor/saleor/pull/18664

Full Changelog: https://github.com/saleor/saleor/compare/3.20.106...3.20.107

3.22.24 Bug fix

Fixed incorrect spelling of 'address' in shared address instances.

Full changelog

What's Changed

  • Ensure there is no memory build-up during test execution by @wcislo-saleor in https://github.com/saleor/saleor/pull/18661
  • Fix shared adress instances by @IKarbowiak in https://github.com/saleor/saleor/pull/18650

Full Changelog: https://github.com/saleor/saleor/compare/3.22.23...3.22.24

3.21.41 Bug fix

Fixed shared address instance handling bug.

Full changelog

What's Changed

  • Ensure there is no memory build-up during test execution by @wcislo-saleor in https://github.com/saleor/saleor/pull/18660
  • Fix shared adress instances by @IKarbowiak in https://github.com/saleor/saleor/pull/18647

Full Changelog: https://github.com/saleor/saleor/compare/3.21.40...3.21.41
