Merge branch 'master' into minor

vendure-ecommerce · Oct 16, 2024 · 0240f0b · 0240f0b
2 parents e42d1b3 + 54f6c7c
commit 0240f0b
Show file tree

Hide file tree

Showing 45 changed files with 1,458 additions and 1,049 deletions.
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -60,23 +60,25 @@ jobs:
       mariadb:
         image: bitnami/mariadb:10.3
         env:
-          ALLOW_EMPTY_PASSWORD: yes
+          MARIADB_ROOT_USER: vendure
+          MARIADB_ROOT_PASSWORD: password
         ports:
           - 3306
         options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
       mysql:
         image: bitnami/mysql:8.0
         env:
-          ALLOW_EMPTY_PASSWORD: yes
           MYSQL_AUTHENTICATION_PLUGIN: mysql_native_password
+          MYSQL_ROOT_USER: vendure
+          MYSQL_ROOT_PASSWORD: password
         ports:
           - 3306
         options: --health-cmd="mysqladmin ping --silent" --health-interval=10s --health-timeout=20s --health-retries=10
       postgres:
-        image: postgres:12
+        image: postgres:16
         env:
-          POSTGRES_USER: admin
-          POSTGRES_PASSWORD: secret
+          POSTGRES_USER: vendure
+          POSTGRES_PASSWORD: password
         ports:
           - 5432
         options: --health-cmd=pg_isready --health-interval=10s --health-timeout=5s --health-retries=3

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,45 @@
+## <small>3.0.5 (2024-10-15)</small>
+
+
+#### Fixes
+
+* **asset-server-plugin** Fix local file read vulnerability when using the LocalAssetStorageStrategy ([e2ee0c4](https://github.com/vendure-ecommerce/vendure/commit/e2ee0c43159b3d13b51b78654481094fdd4850c5)). See the [security advisory](https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq)
+* **admin-ui** Fix theme & ui language switcher ([c93589b](https://github.com/vendure-ecommerce/vendure/commit/c93589b)), closes [#3111](https://github.com/vendure-ecommerce/vendure/issues/3111)
+* **core** Do not include deleted variants when indexing productInStock (#3110) ([73cb190](https://github.com/vendure-ecommerce/vendure/commit/73cb190)), closes [#3110](https://github.com/vendure-ecommerce/vendure/issues/3110) [#3109](https://github.com/vendure-ecommerce/vendure/issues/3109)
+* **core** Fix coupon code validation across multiple channels ([e57cc1b](https://github.com/vendure-ecommerce/vendure/commit/e57cc1b)), closes [#2052](https://github.com/vendure-ecommerce/vendure/issues/2052)
+* **core** Fix filtering on list queries of tree entities ([227da05](https://github.com/vendure-ecommerce/vendure/commit/227da05)), closes [#3107](https://github.com/vendure-ecommerce/vendure/issues/3107)
+* **core** Improve error message on populating without tax rates ([7e36131](https://github.com/vendure-ecommerce/vendure/commit/7e36131)), closes [#1926](https://github.com/vendure-ecommerce/vendure/issues/1926)
+
+#### Features
+
+* **create** Improved getting started experience (#3128) ([adb4384](https://github.com/vendure-ecommerce/vendure/commit/adb4384)), closes [#3128](https://github.com/vendure-ecommerce/vendure/issues/3128)
+
+## <small>3.0.4 (2024-10-04)</small>
+
+
+#### Fixes
+
+* **admin-ui-plugin** Implement rate limiting on static server ([9516c71](https://github.com/vendure-ecommerce/vendure/commit/9516c71))
+* **admin-ui** Add padding to default relation custom field  dropdown ([02e68e0](https://github.com/vendure-ecommerce/vendure/commit/02e68e0))
+* **admin-ui** Add support for custom fields on CustomerGroup list ([7128a33](https://github.com/vendure-ecommerce/vendure/commit/7128a33))
+* **admin-ui** Enable selective loading of custom fields ([9d7744b](https://github.com/vendure-ecommerce/vendure/commit/9d7744b)), closes [#3097](https://github.com/vendure-ecommerce/vendure/issues/3097)
+* **admin-ui** Fix bad locale detection regex ([f336d7f](https://github.com/vendure-ecommerce/vendure/commit/f336d7f))
+* **admin-ui** Lazy-load only selected custom fields in list views ([690dd0f](https://github.com/vendure-ecommerce/vendure/commit/690dd0f)), closes [#3097](https://github.com/vendure-ecommerce/vendure/issues/3097)
+* **admin-ui** Unsubscribe from alerts when logging out (#3071) ([f38340b](https://github.com/vendure-ecommerce/vendure/commit/f38340b)), closes [#3071](https://github.com/vendure-ecommerce/vendure/issues/3071) [#2188](https://github.com/vendure-ecommerce/vendure/issues/2188)
+* **asset-server-plugin** Do not return raw error message on error ([801980e](https://github.com/vendure-ecommerce/vendure/commit/801980e))
+* **core** Correctly parse numeric sessionDuration and verificationTokenDuration values (#3080) ([98e4118](https://github.com/vendure-ecommerce/vendure/commit/98e4118)), closes [#3080](https://github.com/vendure-ecommerce/vendure/issues/3080)
+* **core** Fix issues caused by f235249f ([5a4299a](https://github.com/vendure-ecommerce/vendure/commit/5a4299a))
+* **core** Fix RequestContext race condition causing null activeOrder ([f235249](https://github.com/vendure-ecommerce/vendure/commit/f235249)), closes [#2097](https://github.com/vendure-ecommerce/vendure/issues/2097)
+* **core** Handle empty state for product and variant id filter (#3064) ([9a03c84](https://github.com/vendure-ecommerce/vendure/commit/9a03c84)), closes [#3064](https://github.com/vendure-ecommerce/vendure/issues/3064)
+* **core** Prevent theoretical polynomial regex attack ([9f4a814](https://github.com/vendure-ecommerce/vendure/commit/9f4a814))
+* **core** Remove duplicate call in applyCouponCode resolver ([bffc58a](https://github.com/vendure-ecommerce/vendure/commit/bffc58a))
+* **core** Replace insecure randomness with secure randomBytes ([cb556d8](https://github.com/vendure-ecommerce/vendure/commit/cb556d8))
+* **payments-plugin** Use default channel in Stripe webhook calls to reach all orders (#3076) ([8434111](https://github.com/vendure-ecommerce/vendure/commit/8434111)), closes [#3076](https://github.com/vendure-ecommerce/vendure/issues/3076)
+
+#### Perf
+
+* **core** Fix performance when using FacetValue-based checks ([a735bdf](https://github.com/vendure-ecommerce/vendure/commit/a735bdf))
+* **admin-ui** List views only load the visible custom fields, closes [#3097](https://github.com/vendure-ecommerce/vendure/issues/3097)
 
 ## <small>3.0.3 (2024-09-11)</small>
 

diff --git a/README.md b/README.md
@@ -62,39 +62,51 @@ Packages must be built (i.e. TypeScript compiled, admin ui app built, certain as
 
 Note that this can take a few minutes.
 
-### 3. Set up the server
+### 3. Start the docker containers
 
-The server requires an SQL database to be available. The simplest option is to use SQLite, but if you have Docker available you can use the [dev-server docker-compose file](./packages/dev-server/docker-compose.yml) which will start up both MariaDB and Postgres as well as their GUI management tools.
+All the necessary infrastructure is defined in the root [docker-compose.yml](./docker-compose.yml) file. At a minimum,
+you will need to start a database, for example:
 
-Vendure uses [TypeORM](http://typeorm.io), and officially supports **MySQL**, **PostgreSQL** and **SQLite**, though other TypeORM-supported databases may work.
+```bash
+docker-compose up -d mariadb
+```
 
-1. Configure the [dev config](./packages/dev-server/dev-config.ts), making sure the connection settings in the `getDbConfig()` function are correct for the database type you will be using.
-2. Create the database using your DB admin tool of choice (e.g. phpMyAdmin if you are using the docker image suggested above). Name it according to the `getDbConfig()` settings. If you are using SQLite, you can skip this step.
-3. Populate mock data: 
-   ```bash
-    cd packages/dev-server
-    DB=<mysql|postgres|sqlite> npm run populate
-    ```
-   If you do not specify the `DB` variable, it will default to "mysql".
+MariaDB/MySQL is the default that will be used by the dev server if you don't explicitly set the `DB` environment variable.
 
-### 4. Run the dev server
+If for example you are doing development on the Elasticsearch plugin, you will also need to start the Elasticsearch container:
 
+```bash
+docker-compose up -d elasticsearch
 ```
+
+### 4. Populate test data
+
+Vendure uses [TypeORM](http://typeorm.io), and officially supports **MySQL**, **MariaDB**, **PostgreSQL** and **SQLite**.
+
+The first step is to populate the dev server with some test data:
+
+```bash
 cd packages/dev-server
-DB=<mysql|postgres|sqlite> npm run start
-```
-Or if you are in the root package 
+
+[DB=mysql|postres|sqlite] npm run populate
+ ```
+
+If you do not specify the `DB` variable, it will default to "mysql". If you specifically want to develop against Postgres,
+you need to run the `postgres_16` container and then run `DB=postgres npm run populate`. 
+
+### 5. Run the dev server
+
 ```
-DB=<mysql|postgres|sqlite> npm run dev-server:start
+cd packages/dev-server
+[DB=mysql|postgres|sqlite] npm run dev
 ```
-If you do not specify the `DB` argument, it will default to "mysql".
 
 ### Testing admin ui changes locally
 
 If you are making changes to the admin ui, you need to start the admin ui independent from the dev-server:
 
 1. `cd packages/admin-ui`
-2. `npm run start`
+2. `npm run dev`
 3. Go to http://localhost:4200 and log in with "superadmin", "superadmin"
 
 This will auto restart when you make changes to the admin ui. You don't need this step when you just use the admin ui just
@@ -125,7 +137,7 @@ npm run watch:core-common
 ```shell
 # Terminal 2
 cd packages/dev-server
-DB=sqlite npm run start
+DB=sqlite npm run dev
 ```
 
 3. The dev-server will now have your local changes from the changed package.

diff --git a/SECURITY.md b/SECURITY.md
@@ -11,4 +11,4 @@
 
 ## Reporting a Vulnerability
 
-To report a security vulnarability, email [[email protected]](mailto:[email protected]).
+To report a security vulnerability, email [[email protected]](mailto:[email protected]).
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,117 @@
+# This contains the services required to develop and test Vendure
+# locally. It includes multiple SQL databases (for testing specific
+# versions), Elasticsearch, Redis etc.
+version: '3.7'
+name: vendure-monorepo
+services:
+  mariadb:
+    image: 'bitnami/mariadb:latest'
+    container_name: mariadb
+    environment:
+      MARIADB_DATABASE: vendure-dev
+      MARIADB_ROOT_USER: vendure
+      MARIADB_ROOT_PASSWORD: password
+    volumes:
+      - 'mariadb_data:/bitnami'
+    ports:
+      - '3306:3306'
+  mysql_8:
+    image: bitnami/mysql:8.0
+    container_name: mysql-8
+    environment:
+      MYSQL_AUTHENTICATION_PLUGIN: mysql_native_password
+      MYSQL_DATABASE: vendure-dev
+      MYSQL_ROOT_USER: vendure
+      MYSQL_ROOT_PASSWORD: password
+    volumes:
+      - 'mysql_data:/bitnami'
+    ports:
+      - '3306:3306'
+  mysql_5:
+    image: bitnami/mysql:5.7
+    container_name: mysql-5.7
+    environment:
+      MYSQL_AUTHENTICATION_PLUGIN: mysql_native_password
+      MYSQL_DATABASE: vendure-dev
+      MYSQL_ROOT_USER: vendure
+      MYSQL_ROOT_PASSWORD: password
+    volumes:
+      - 'mysql_data:/bitnami'
+    ports:
+      - '3306:3306'
+  postgres_12:
+    image: postgres:12.3
+    container_name: postgres_12
+    environment:
+      POSTGRES_DB: vendure-dev
+      POSTGRES_USER: vendure
+      POSTGRES_PASSWORD: password
+      PGDATA: /var/lib/postgresql/data
+    volumes:
+      - postgres_12_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+    command: postgres -c shared_preload_libraries=pg_stat_statements -c pg_stat_statements.track=all -c pg_stat_statements.max=100000 -c max_connections=200
+  postgres_16:
+    image: postgres:16
+    container_name: postgres_16
+    environment:
+      POSTGRES_DB: vendure-dev
+      POSTGRES_USER: vendure
+      POSTGRES_PASSWORD: password
+      PGDATA: /var/lib/postgresql/data
+    volumes:
+      - postgres_16_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+    command: postgres -c shared_preload_libraries=pg_stat_statements -c pg_stat_statements.track=all -c pg_stat_statements.max=100000 -c max_connections=200
+  # This is the Keycloak service which is used
+  # to test the Keycloak auth strategy
+  keycloak:
+    image: quay.io/keycloak/keycloak
+    ports:
+      - "9000:8080"
+    environment:
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: admin
+    command:
+      - start-dev
+      - --import-realm
+    volumes:
+      - keycloak_data:/opt/keycloak/data
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
+    container_name: elasticsearch
+    environment:
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    volumes:
+      - esdata:/usr/share/elasticsearch/data
+    ports:
+      - 9200:9200
+  redis:
+    image: bitnami/redis:7.4.1
+    hostname: redis
+    container_name: redis
+    environment:
+      - ALLOW_EMPTY_PASSWORD=yes
+    ports:
+      - "6379:6379"
+volumes:
+  postgres_16_data:
+    driver: local
+  postgres_12_data:
+    driver: local
+  mariadb_data:
+    driver: local
+  mysql_data:
+    driver: local
+  keycloak_data:
+    driver: local
+  esdata:
+    driver: local