Changelog History

  • v2.5.0 Changes

    September 26, 2019


    🐎 Reaction v2.5.0 adds minor features and performance enhancements, fixes bugs and contains no breaking changes since v2.4.0.

    This release is being coordinated with Reaction Platform and is designed to work with v2.5.0 of Reaction Hydra and Example Storefront.

    Notable changes

    Filters have been added to Orders query

    Adds API support to enable users to filter orders by: search keywords (fuzzy search), status, payment status, fulfillment status, date range.

    Faster Jest integration tests

    By switching to jest-mongodb, we've seen 8x speed improvement when running npm run test:integration

    Feature

    • feat: add various filters to the main orders query (#5575)
    • 🌐 feat: Translations without Meteor (#5514)

    Fixes

    • fix: restore Add/Remove menu item in products page (#5564)
    • fix: use catalyst button for mediauploader (#5563)
    • fix: restore loadTranslations fn (#5546)
    • fix: Add missing GraphQL argument descriptions (#5547)

    Refactors

    • refactor: create verifySMTPEmailSettings GraphQL mutation, replace meteor version (#5531)
    • refactor: various small fixes (#5561)
    • refactor: Add extra field to the error message (#5574)
    • refactor: use CardHeader for Filter by File card (#5569)
    • refactor: add indices on updatedAt for CDC (Products & SimpleInventory) (#5571)
    • refactor: rewrite accounts/sendResetPasswordEmail into a GraphQL mutation (#5558)
    • refactor: remove Reaction.Email (#5559)
    • refactor: remove all code related to inviting a shop owner (#5553)
    • refactor: Fix proptype warning with ReactSortableTree (#5552)
    • refactor: remove catalog/publish/products meteor method, use publishProductsToCatalog GQL Mutation instead (#5541)

    Tests

    • tests: faster Jest integration tests (#5549)

    Docs

    • docs: Fix test command in (#5565)


    • chore: fix various prop type validation errors (#5550)
  • v2.4.0 Changes

    September 19, 2019


    🐎 Reaction v2.4.0 adds minor features and performance enhancements, fixes bugs and contains no breaking changes since v2.3.0.

    This release is being coordinated with Reaction Platform and is designed to work with v2.4.0 of Reaction Hydra and Example Storefront.

    Notable changes

    🌐 Translations have been moved out of Meteor

    i18n translations have been moved outside of the Meteor context. This provides a standard route, /locales/resources.json, where all translations live, and allows for real-time updates to translations without needing to flush the cache.

    Meteor app-tests have

    As part of our move away from Meteor, all Meteor app-tests have been removed. This speeds up both local testing and testing on CI.

    Feature

    • 🌐 feat: Translations without Meteor (#5514)

    Fixes

    • fix: restore Add/Remove menu item in products page (#5564)
    • fix: use catalyst button for mediauploader (#5563)
    • fix: restore loadTranslations fn (#5546)

    Refactors

    • refactor: remove Reaction.Email (#5559)
    • refactor: remove all code related to inviting a shop owner (#5553)
    • refactor: Fix proptype warning with ReactSortableTree (#5552)
    • refactor: remove catalog/publish/products meteor method, use publishProductsToCatalog GQL Mutation instead (#5541)

    Tests

    • tests: Faster Jest integration tests (#5549)

    Docs

    • docs: Fix test command in (#5565)
    • docs: Add missing GraphQL argument descriptions (#5547)


    • chore: remove meteor app-tests (#5560)
    • chore: fix various prop type validation errors (#5550)
  • v2.3.0 Changes

    September 12, 2019


    🐎 Reaction v2.3.0 adds minor features and performance enhancements, fixes bugs and contains no breaking changes since v2.2.1.

    This release is being coordinated with reaction-platform and is designed to work with v2.3.0 of example-storefront and reaction-hydra.

    Notable changes

    Bulk add and remove Tags from Products

    Reaction Admin users can now add and remove tags from products in bulk. After selecting multiple products in the product table or filtering products with a CSV file, users can specify tags they'd like to add or remove from those products.

    This feature uses several new components from the Catalyst Design System, including SplitButton, Chip and MultiSelect. Several dependencies, including react-select, react-dropzone and material-ui/core were upgraded to their latest versions.

    Image uploading without Meteor

    file-collections has been updated to its latest version, which supports uploading without Meteor. All related code has been updated to remove Meteor.

    Remove context.callMeteorMethod

    All GraphQL mutations which still used Meteor methods via the context.callMeteorMethod function - inviteShopMember, addressBookRemove, removeAccountFromGroup, setAccountProfileCurrency, updateAccountAddressBookEntry - have been updated to fully use GraphQL. In turn context.callMeteorMethod is no longer used, and has been removed from the codebase.

    Feature

    • feat: manage product tags in bulk (#5485)
    • feat: Add Orders GraphQL query (#5483)
    • feat: Image uploading without Meteor (#5515)

    Fixes

    • fix: info inline alert should autoclose (#5502)
    • fix: Perform old password validation (#5527)

    Refactors

    • refactor: use moments calendar format to display time alongside date (#5523)
    • refactor: remove context.callMeteorMethod (#5524)
    • refactor: remove inviteShopMember meteor method and rewrite with GraphQL (#5520)
    • refactor: remove addressBookRemove meteor method and rewrite with GraphQL (#5492)
    • refactor: remove removeAccountFromGroup meteor method and rewrite with GraphQL (#5493)
    • refactor: add setAccountProfileCurrency GraphQL mutation (#5488)
    • refactor: rewrite updateAccountAddressBookEntry to not call through to Meteor method (#5484)

    Tests

    • tests: Add Integration Test for orderById GraphQL query (#5511)


    Thanks to @trojanh for contributing to this release!

  • v2.2.1 Changes

    September 04, 2019

    Reaction v2.2.1 adds a bug fix and contains no breaking changes since v2.2.0.

    This release is being coordinated with reaction-platform and is designed to work with v2.2.1 of example-storefront and reaction-hydra.

    Fixes

    • fix: Checkout hangs on shipping methods step (#5516) and adds a migration to avoid breaking previous installations. The issue was caused by attempting to add a fulfillment method to a cart that included the prop fulfillmentTypes, which was not part of the ShippingMethod schema, which caused a validation error. This issue was resolved by adding the fulfillmentTypes prop to the ShippingMethod schema.


    Thanks to @alex-haproff for contributing to this release!

  • v2.2.0 Changes

    August 29, 2019


    🐎 Reaction v2.2.0 adds minor features and performance enhancements, fixes bugs and contains no breaking changes since v2.1.0.

    This release is being coordinated with reaction-platform and is designed to work with v2.2.0 of example-storefront and reaction-hydra.

    Notable changes

    Elimination of all eslint warnings

    The Reaction code base is now clean of all eslint warnings. Going forward, all eslint rules have been changed to error, and CI will fail if any are present.

    Product filtering by CSV

    Admins can filter products by uploading a CSV in the product admin.

    Introduce Apollo hooks

    Apollo has been updated to v3.0.0, which introduces GraphQL hooks into Reaction.

    Updated Orders Admin UI

    The new Orders UI is completely GraphQL based and allows for updates to multiple fulfillment groups on each order.


    Remove Snyk as a CI step

    Snyk was unable to work with PRs from forked repositories, which in turn caused every contribution to fail the CI check. We have removed Snyk as a blocking CI check because of this, and will run it locally on a schedule to still see which packages are in need of an update.

    Feature

    • feat: add offset for pagination with tests (#5228)
    • feat: bulk actions UI updates (#5461)
    • feat: add refunds GraphQL query (#5352)
    • feat: #5366 show filter count (#5395)
    • feat: #5379 integrate catalyst button (#5406)
    • feat: add bulk mutations to manage products and tags (#5404)
    • 🚚 feat: remove startup template import (#5430)
    • feat: add new setting to allow / disallow custom user locale lookup (#5444)
    • feat: add isvisible/hidden icons (#5407)
    • feat: Part I: An admin user can filter products by uploaded CSV (#5451)

    Fixes

    • fix: style the product table as close as possible (#5468)
    • fix: console warnings (#5463)
    • fix: update comp-lib to fix broken components (#5475)
    • fix: add check against missing riskLevel field, and missing string in capitalization function (#5452)
    • fix: partial product publish error (#5433)
    • fix: popover z-index (#5437)
    • fix: issues with refund queries (#5422)
    • fix: load account into context during surcharges (#5466)
    • fix: Correct index migration (#5408)


    • chore: add redirect for blank route (#5439)
    • chore: update vulnerable packages (#5470)
    • chore: update reaction to use reaction-eslint-rules v2.1.0 (#5445)
    • chore: remove unused shop.appVersion (#5429)
    • chore: update bodyParser to use individual method (#5435)
    • chore: use file extensions for node 12 compatibility (#5415)
    • chore: remove snyk as a CI task (#5403)
    • chore: Update Apollo packages to support hooks (#5427)
    • chore: update catalyst sidebar font and color styles (#5494)

    Refactors

    • refactor: use SplitButton from Catalyst instead of ConfirmButton (#5469)
    • refactor: Rewrite addAccountToGroup to not call through to Meteor method (#5431)
    • refactor: after-publish cart updates for speed (#5477)
    • refactor: order invoice print layout (#5476)
    • refactor: update Reaction Admin Orders panel (#5158)
    • refactor: payments-stripe to only use getStripeInstanceForShop (#4951)
    • refactor: add tag permissions to allow non-owner to edit (#5436)
    • refactor: refunds section of Orders 2.0 (#5405)
    • refactor: move filter outside of admin check (#5434)
    • refactor: use Accounts collection instead of Meteor.users to get admin accounts (#5432)
    • refactor: Remove legacy social plugin, PDP, product grid and WYSIWYG code (#5394)
    • refactor: expanded product admin permissions (#5428)

    Style

    • style: update jsdoc to always use returns instead of return (#5447)
    • style: ESLint errors and warnings === 0 (#5450)

    Tests

    • test: add integration test for primaryShop query (#5459)

    Breaking Changes



    Thanks to @cmbirk, @loan-laux and @rattrayalex-stripe for contributing to this release!

  • v2.1.0 Changes

    August 08, 2019


    🐎 Reaction v2.1.0 adds minor features and performance enhancements, fixes bugs and contains no breaking changes since v2.0.0.

    This release is being coordinated with reaction-platform and is designed to work with v2.1.0 of example-storefront and reaction-hydra.

    Notable changes

    Introduction of Catalyst

    Our new Catalyst design system has been introduced into the Reaction codebase, and is used on various components including ConfirmDialog and Button. All new default component theme modifications must come from Catalyst.

    Tag slugs are now editable independently of tag name

    Allows operators to change a tag slug independently of a tag name.

    Order related GraphQL mutations

    A createRefund GraphQL mutation has been added to allow refunds to be processed via GraphQL in addition to the existing meteor methods.

    Dataloaders introduced into the codebase

    🌐 "DataLoader is a generic utility to be used as part of your application's data fetching layer to provide a simplified and consistent API over various remote data sources such as databases or web services via batching and caching."

    Added the first couple of DataLoaders for Shops and SimpleInventory. Shops will benefit product listing pages as product and variant resolvers all query Shops collection for each product. SimpleInventory query benefits from batching.

    Bulk simple inventory mutation

    When running large inventory import via an external sync system, the lack of a bulk mutation made the import take many hours. This update introduces a bulk import option which cuts down import time significantly.

    Overhaul of eslint rules, and bulk fix of over 500 eslint warnings

    We've updated to using v2.0.0 of our Reaction ESLint Config package, and have brought our eslint warnings down from 800 to under 300.

    Feature

    • feat: catalog partial publish / rerun transformations (#5355)
    • feat(product table): show Action dropdown, even if no products are selected (#5391)
    • feat: filter products by id in products table (#5387)
    • feat: editable tag slug (#5382)
    • feat: add createRefund GraphQL mutation (#5354)
    • feat: add handle to tag autosuggest results (#5262)
    • feat: Add DataLoaders for Shops and SimpleInventory (#5294)
    • feat: Introduce DataLoaders infrastructure (#5280)
    • feat: new button component to wrap MUI button with isWaiting loading state (#5266)
    • feat: bulk simple inventory mutation (#5229)
    • feat: integrate catalyst ConfirmDialog component from new Catalyst package (#5372)

    Fixes

    • fix: set slugified title as permalink (#5264)
    • fix: Add migration for index (#5358)
    • fix: red textfields (#5371)
    • fix: Make catalog indexes unique for product (#5350)
    • fix: fix consistent-return eslint warnings (#5334)
    • fix: replace simpl-schema.validate() … (#5306)
    • fix: use SimpleInventory collection to fe… (#5314)
    • fix: #5300 Wrong template reference (#5301)
    • fix: typo breaking docs build (5286) (#5287)

    Performance Improvements

    • perf: wrap tests in check to make sure app is ready when they run (#5317)
    • perf: up data transfer limit to allow bigger sizes (#5396)

    Docs

    • docs(admin): Introducing Reaction Admin (#5400)
    • docs(readme): introducing the Storefront Component Library to develop (#5398)
    • docs: Update (#5319)


    • chore: updated Dockerfile to change .meteor/ permissions to the node … (#5353)
    • chore(ci): add eslint check to only check changed files and fail when warnings are thrown (#5357)
    • chore(ci): Work more robustly on forks (#5386)
    • chore: fix no-undef lint issues (#5360)
    • chore: update Material-UI 4.x (#5278)
    • chore: Update README DCO - sign-off not sign (#5318)
    • chore: update snyk ignore (#5331)
    • chore: update CHANGELOG, update version (#5260)
    • chore: use npm command rather than meteor npm (#5328)
    • chore: update js-doc throughout the app, batch 1 (#5309)
    • chore: fix all react/no-deprecated and react/prop-type eslint warnings (#5307)
    • chore: update reaction-eslint-config version in package.json (#5320)
    • chore: organize integration tests (#5316)
    • chore: add overrides for eslint rules that still need fixing (#5308)
    • chore: fix all id-length eslint warnings (#5298)
    • chore: update lodash to fix snyk critical error (#5299)
    • chore: fix all max-len eslint warnings (#5296)
    • chore: fix prefer-const eslint error (#5290)

    Refactors

    • refactor: add title as backup in product admin breadcrumb (#5342)
    • refactor: add isSoldOut prop to variants and options in Catalog (#5289)
    • refactor: how to get reaction version (#5324)
    • refactor: fulfillment section of Orders 2.0 (#5302)
    • refactor: payments section of Orders 2.0 (#5279)

    Tests

    • test: add integration test for ping query (#5326)

    Breaking Changes



    Thanks to @janus-reith for contributing to this release!

  • v2.0.0 Changes

    July 06, 2019


    Reaction v2.0.0 is an API-first, real-time commerce engine built using Node.js, React, and GraphQL. It’s the second major release of our open source commerce software.

    This release is coordinated with Reaction Platform and is designed to work with the Example Storefront (previously Storefront Starter Kit) and reaction-hydra.

    Reaction v2.0.0 is built as a truly headless commerce platform that decouples the Reaction backend services from the frontend. We’ve decoupled the storefront application from the API. Reaction platform now consists of the reaction project, which is now primarily our GraphQL API, and for the time being also our operator UI and our identity provider, along with our new-to-2.0 Example Storefront built on Next.js, which connects with the Reaction application via GraphQL API to provide a customer-facing storefront. The legacy integrated Meteor storefront is no longer part of the Reaction project.

    Notable changes

    Check out previous release notes for details and associated issues and PRs.

    Operator experience and UI
    The store operator experience has been substantially enhanced from v1.x. We’ve shifted the operator UI for managing products from a What You See Is What You Get (WYSIWYG) product editor to one that is designed for greater flexibility. We have transitioned from a single-page admin experience to a full-page operator experience that’s fully separate from the storefront. The new operator UI uses 100% of the screen space for store management and operation, and will benefit users managing large product catalogs and complex fulfillment patterns.

    We’ve also added lots of new functionality around tags (tag dashboard and new tag management features), site navigation (including sitemaps and navigation tree editor), and fulfillment options (ability to add restrictions or surcharges based on product tags and/or customer location).

    GraphQL API coverage
    Most Meteor methods are removed in favor of the new GraphQL API. GraphQL is the only way to interact with the API from a storefront app. The operator UI uses a mixture of GraphQL and Meteor DDP while we complete the transition to GraphQL on the administrative side.

    Developer experience and performance
    For developers, we’ve made a number of enhancements to improve the overall developer experience, especially debugging, logging, and updated documentation.

    • Examples for how to debug Node.js in Docker
    • Better logging of packages and plugins loading
    • bin/setup improvements
    • Updated main Reaction app to use .env file (#4826)
    • Added envalid for validation of environment variables

    We’ve made some tweaks to increase performance and improve initial boot time:

    • Removed reaction-cli (v2.0.0-rc.10)
    • Added and removed a number of indexes since 1.x, see #4819, #5106, #5090, etc. for examples

    We’ve also improved Reaction’s extensibility in a number of ways, such as:

    • Reaction now supports remote graphql schemas in plugins (#4870)
    • Plugins can now directly register React components (#4875)
    • Plugins can register functions to handle GraphQL transformation of catalog product media items (#4988)
    • There is now a collections option for registerPlugin, which allows plugins to define their MongoDB collections and indexes in a standard way (#5196)

    And finally, we’ve updated all Reaction dependencies (such as React and Apollo) to the latest versions, and updated our base docker image to use Meteor 1.8 (#4760).

    Security audit
    For the 2.0 release we’ve done a full security audit of the application, including cart, order methods, payment processing methods, and more, and fixed potential vulnerabilities.

    Other updates

    • Authentication is now handled via Hydra
    • Taxes have been completely re-worked in a new plugin (v2.0.0-rc.10)
    • Inventory has been moved into its own simple-inventory plugin, and is no longer directly tied to the Products collection
    • Pricing has been moved into its own simple-pricing plugin, and allows for a 3rd party pricing service integration. (#5014 & #5143)
    • Search plugins have been removed (#5053)
    • A plugin can now be used to override the default orderId and cartId and create IDs of a different type or in a specific order (#5054)

    New documentation

    See this page for a non-comprehensive list of new and updated docs.

    Some highlights:

    OS notes

    Support for Windows.
    reaction-platform is not compatible with Windows and has not been fully tested on Windows at this time.

    MacOS and Linux are supported.
    Reaction will support development in a dockerized environment and will focus on tooling and documentation for installation and configuration on the macOS and Linux OSes.

    We've adopted the DCO

    We've adopted the Developer Certificate of Origin (DCO) in lieu of a Contributor License Agreement for all contributions to Reaction Commerce open source projects. We request that contributors agree to the terms of the DCO and indicate that agreement by signing all commits made to Reaction Commerce projects by adding a line with your name and email address to every Git commit message contributed:

    Signed-off-by: Jane Doe <[email protected]>

    You can sign your commit automatically with Git by using git commit -s if you have your and set as part of your Git configuration.

    We ask that you use your real name (please no anonymous contributions or pseudonyms). By signing your commit you are certifying that you have the right to submit it under the open source license used by that particular Reaction Commerce project. You must use your real name (no pseudonyms or anonymous contributions are allowed).

    We use the Probot DCO GitHub app to check for DCO signoffs of every commit. If you forget to sign your commits, the DCO bot will remind you and give you detailed instructions for how to amend your commits to add a signature.

    We're following in the footsteps of several other open source projects in adopting the DCO such as Chef, Docker, and GitLab.


    Our sincere thanks to @rattrayalex-stripe, @willmoss1000, @pmn4, @loan-laux, @lcampanis and the @artlimes folks, @dhonig, and everyone on our Community Council for contributing to this release.

    Share your feedback

    We want to hear from you! Here are some good ways to get in touch.

    • Want to request a new feature for Reaction? There’s now a Reaction repo just for new feature requests.
    • Reaction engineers and community engineers and developers are always collaborating in our Gitter chat channel
    • Ask Us Anything! Join the Reaction Team on a Community Call on Wed, July 24 at 9:00am PT (4:00pm UTC) to get answers to your questions about Reaction v2.0.0. No registration required. Just use this link to attend, and feel free to send us your questions ahead of time.
  • v2.0.0-rc.9 Changes

    January 25, 2019


    This is our ninth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

    This release is being coordinated with reaction-platform and is designed to work with the same versions of reaction-next-starterkit and reaction-hydra.

    Inventory improvements

    We've made some updates to the way inventory is tracked, introducing a new inventory field: inventoryAvailableToSell. This field tracks inventory that has been ordered, but has not yet been processed and so is still counted in-stock. This number is what is displayed to customers and determines whether a product is considered "sold out" or not. The old inventory number inventoryQty has been renamed to inventoryInStock and continues to represent the inventory available in stock.

    Breaking changes


    • Migration 51 has been added to attach inventoryAvailableToSell to all products / variants, to correctly calculate the numbers on parent products / variants, and to publish this data to already published Catalog items.
    • currentQuantity has been marked as deprecated in the cart. This isn't a breaking change at the moment, but lays the path to remove this field and replace with inventoryAvailableToSell and inventoryInStock in the future.
    • Catalog.getVariantQuantity and ReactionProduct.getVariantQuantity have been removed. Custom plugins using these methods will need to be updated. The same data returned by these methods is now on the object that was being passed into these methods as the field inventoryQuantity or inventoryAvailableToSell.
    • Moved isBackorder, isLowQuantity, and isSoldOut functions from the catalog plugin to the new inventory plugin. Custom plugins using these methods will need to update their import path.

    Features

    • feat: Add flag to enable only IDP routes (#4903)
    • feat: Record plugin versions in DB and show in Shop panel (#4895)
    • feat: Add support for fallback tax service (#4871)
    • feat: Update to Apollo Server 2.0 (#4884)
    • feat(#4848): Return only isVisible Tags, unless admin (#4879)
    • feat: Support remote graphql schemas in plugins (#4870)
    • feat: Support plugins directly registering React components (#4875)

    Bugfixes

    • fix: Password reset page not found (#4917)
    • fix: add replace to remove comma from formatting (#4910)
    • fix: add contentForLanguage resolver for nav item content (#4913)
    • fix: Restore CORS for 401s (#4894)
    • fix: Meteor method permissions fixes (#4883)
    • fix: Multi-shop permission fixes (#4872)
    • fix: check permissions for order workflow methods (#4863)

    Tests

    • test: Fix sitemaps test timeouts (#4920)

    Refactors

    • refactor: updates to inventory counts and statuses (#4859)
  • v2.0.0-rc.8 Changes

    January 11, 2019


    πŸš€ This is our eighth release candidate for v2.0.0 of Reaction. Please check it out and let us know what works and what doesn't for you.

    πŸ†• New Bits

    Operator 2.0

    ⚑️ The core experience and UI for a shop operator using Reaction Commerce has not changed much over the last couple of years. We've been hard at work on the new and improved storefront but until now have not revealed any of our design or plans for improving the updated operator UI.

    πŸš€ This release includes the first beta of the new Reaction operator UI. Our focus with this new operator UI has several goals. First, we’re transitioning from a single page storefront and admin experience to a full page admin experience that will be separate from the storefront. . We believe this change is necessary and beneficial for anyone operating a store that works with a large number of products and/or does a high-volume of order. This change also decouples the customer facing storefront from the operator UI. The existing UI had a WYSIWYG flavor to it where the product and catalog management was done in an interface that was identical to what the customer saw. There are some benefits to this - having a good perspective of what your customers see when you make a change - but for large catalogs, it's not very practical. In addition, we’ve received feedback that the experience could be confusing for admin users who wanted to concentrate on their admin tasks only. Once decoupled the operator UI can use 100% of the screen space for store management and operation. The change will be a big benefit to users managing large product catalogs and complex fulfillment patterns.

    πŸ’… Right now this new operator UI is opt-in and the existing, drawer style operator experience will continue to function as it has. You can access the new operator UI by visiting /operator.

    operator_2 0

    πŸ’» This UI should have all existing functionality baked in, but we anticipate that there may be some rough edges and from a user experience standpoint it is the first step on a longer path. The first step here has been to replicate existing functionality by moving existing components into the new layout and fixing bugs that we've found. Going forward, we'll be implementing improved UIs for many of the operator tools - Catalog Management, Inventory, Pricing, Order Management, etc.

    πŸ’» Please file an issue for any bugs that you find, whether they be weird UI quirks or things that don't as expected.

    .env file

    ⚑️ Most services that make up the Reaction platform use a .env file in the root of the service folder to define environment variables that should be set while running. They also have a pre-build script that the reaction-platform tool runs to create or update the .env file from a .env.example file, which is committed. Until now, this project did not use .env file, so we've added one. See #4826 for more details.

    πŸ‘Œ Improved Bits

    πŸ‘Œ Support for extending GraphQL enums and unions

    ⚑️ We've updated GraphQL and GraphQL Tools to new versions and added support for extend enum and extend union. This permits extending the core schema in this way from a plugin. See #4798 for more details

    🐎 Developer performance

    🐳 When we introduced reaction-platform and begun developing in Docker environments, we began to notice high CPU utilization that for those of us developing on OSX.


    🐳 Long story short, this is an issue with filesystem operations in Docker for Mac and there's not much we can do to resolve the core issue. In development mode, we leverage Meteor to watch for file changes. By adjusting the polling interval for the Meteor file watcher, we can greatly reduce the issues introduced by Docker for Mac. We've set two environment variables in the example .env file .env.example (#4826) as follows, but if these don't work for you, I'd start by adjusting the polling interval to something higher - 20000 (20s) or 30000 (30s). If you're working directly on the core reaction project, this may impact how long it takes before a change you've made is recognized and rebuilt, but that may be a small price to pay to reduce CPU burn by hyperkit. There shouldn't be any other consequences to increasing this number.


    πŸ’₯ Breaking changes

    πŸš€ This release contains a number of breaking changes that we've been working to get into Reaction before we cut the final 2.0.0 release. If you're planning to update an existing shop, please read through this list


    • βž• Added a new, final param to xformVariant with the processed inventory flags (#4742)

    Meteor Methods

    • πŸ”Œ Payment plugins that use Meteor methods for capture and refund will not be compatible with this PR. This is intentional as we're migrating toward GraphQL and away from Meteor Methods for client-server interaction. Custom payment methods will need to be rewritten to follow the pattern in #4803. (#4803)
    • ⚑️ If a custom plugin uses any of these methods, it will need to be updated. (#4815)
      • shop/getBaseLanguage
      • shop/getCurrencyRates
      • shop/getWorkflow
      • getTemplateByName
      • orders/addOrderEmail
      • taxes/updateTaxCode
      • workflow/coreOrderWorkflow/coreOrderProcessing
      • workflow/coreOrderWorkflow/coreOrderCompleted
    • Custom code relying on being able to call the "accounts/sendWelcomeEmail" Meteor method will break. Calls from client code must be removed. Calls from server code should be updated to import and call the util function. (#4867)


    • We've created a new taxes-rates plugin in the included folder, and all features related to custom rates have been moved there. This includes the "Custom Rates" panel in tax settings; the Taxes collection and its related schemas; the "taxes/addRate", "taxes/editRate", and "taxes/deleteRate" Meteor methods, and the "Taxes" Meteor publication.
    • The core taxes plugin has a new API for registering tax services (such as the included "Custom Rates" service, or a custom Avalara service for example). They are registered by passing in a taxServices array to registerPackage (example and details in #4785)
    • Some tax-related fields on Cart, CartItem, Order, OrderFulfillmentGroup, and OrderItem have been moved, renamed, added, or removed. We've attempted to remove all unused fields, and group or rename other fields for clarity. One example is the taxes array, which now has a different schema and appears for individual items as well as the full cart or order fulfillment group.
    • On Products documents, taxable is now isTaxable. This change had previously been made in the Catalog schema and now is made in Products to match.
    • For the Custom Rates plugin, be aware that the taxCode value is now used for filtering which products should be taxed at that rate. This requires a review of all your products to ensure that they have a tax code specified, in addition to being marked as taxable. If you'd rather not do this review, you can revert to the old behavior of ignoring tax codes by editing each of your Custom Rates entries, clearing the "Tax Code" field, and saving.
    • If you are upgrading from 1.x and use only Custom Rates for taxes, data migrations should provide a seamless transition. Most tax changes are breaking only for third-party non-included tax plugins. However, please verify after upgrading that the correct tax service is active.

    Address Validation

    Breaking changes to how address validation works. Affects all plugins that provide address validation and all clients that validate addresses. (#4767)

    Configuration

    • Propel was updated and any propel scripts must be updated. (#4802)
    • If you run Reaction locally, such as for development, you will now need to be sure there is a .env file with correct environment variables set in it. The .env.example file, with no changes, should work for most people. When running with reaction-platform, this should happen automatically. But if you've already been developing locally and you pull in this change, you'll need to run bin/setup once. You can also run bin/setup anytime you pull in the future, to add any new ENV variables. (#4826)
    • Docker network streams.reaction.localhost must be created, which developers can do by pulling down the latest reaction-platform and running make (or make network-create if they want to be surgical about it). (#4805)

    Meteor Plugins

    • Custom plugins that rely on the dispatch:run-as-user Meteor package will need to find a different solution and remove the dependent code. (#4825)

    Features

    • feat: Navigation Backend (#4683)
    • feat: shipping method restrictions (#4821)
    • feat: Update main Reaction app to use .env file (#4826)
    • feat(tag): add Display Title to Tag (#4856)
    • feat: Operator 2.0 first draft (#4800)
    • feat: Deploy feature branches to ECS (#4834)
    • feat: Add Order.referenceId (#4827)
    • feat: Use no-meteor functions for payment capture and refund methods (#4803)
    • feat: Remove unused meteor methods (#4815)
    • feat: Put mongo on the streams network (#4805)
    • feat: Update graphql packages to support extend enum and extend union (#4798)
    • feat: Improve tax API, split out Custom Rates plugin (#4785)
    • feat: Address validation GraphQL (#4767)
    • feat: add isBackorder data to variants (#4855)

    Fixes

    • fix: Migrate existing tag nav to new navigation tree structure (#4882)
    • fix: primaryShopId query fallback (#4862)
    • fix: permission issues with Meteor methods for Accounts plugin (#4867)
    • fix: Add migration file for plugin route name change (#4858)
    • fix: CartCleanupJob (#4799)
    • fix: 404 on Hydra Oauth page (#4835)
    • fix: Jest integration tests (#4824)
    • fix: ECS deployments (#4836)
    • fix: ECS deployment: move TLS certificate ARN from propel.yaml to ENV vars (#4802)
    • fix: catalog variant inventory flags always false (#4742). Resolves #4741
    • fix: tax calculation arguments, other tax fixes (#4811)

    Refactor

    • refactor: shipping rules (#4789)

    Performance

    • perf: Add a mongodb index on Catalog.updatedAt (#4819)


    • chore: use ci env var for staging url (#4885)
    • chore: e2e integration for release branches (#4878)
    • chore: Configure prettier arrowParens to match our eslint rules (#4876)
    • chore: Add node_modules/.bin to PATH in docker (#4820)
    • chore: remove unused dispatch:run-as-user package (#4825)


    Thanks to @willmoss1000 for contributing to this release!

  • v2.0.0-rc.7 Changes

    November 27, 2018


    Security Release

    This security release addresses two potential vulnerabilities.

    We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

    Remove dependency on event-stream

    Event Stream Dependency Removal

    This fix removes the dependency on event-stream, which nodemon introduced via pstree, by bumping nodemon (and, through it, pstree.remy) to a version that does not include pstree.

    event-stream had malicious code added in version 3.3.6; that code has since been removed from GitHub and appears to have specifically targeted copay.

    From the original post in the event-stream repo:

    Am I affected?:
    > If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

    $ npm ls event-stream flatmap-stream ... [email protected] ...

    What does it do:
    > Other users have done some good analysis of what these payloads actually do.
    dominictarr/event-stream#116 (comment)
    dominictarr/event-stream#116 (comment)
    dominictarr/event-stream#116 (comment)

    What can I do:
    > By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer, update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.

    Snyk has a great writeup about this issue in their blog:

    See the issue on the event-stream repo for more information: dominictarr/event-stream#116
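The `npm ls` check quoted above can also be applied to a parsed lockfile, which covers both lockfile layouts without installing anything. This is an added example, not code from Reaction or from the event-stream post: it flags event-stream 3.3.6 (the version named on this page) and any flatmap-stream entry, since the affected flatmap-stream version is not legible here. `findFlagged` and the sample lockfiles are illustrative names and constructed data.

```javascript
// Added example. Every version below except event-stream 3.3.6 is a
// constructed sample value.
const FLAGGED = {
  "event-stream": (v) => v === "3.3.6", // malicious release named on this page
  "flatmap-stream": () => true,          // version not legible on the page: flag any
};

function check(name, version, where, hits) {
  const isBad = FLAGGED[name];
  if (isBad && isBad(String(version))) hits.push({ name, version, where });
}

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
// The trail is the install nesting, which is where the copy sits on disk.
function walkTree(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    check(name, info.version, path.join(" > "), hits);
    walkTree(info.dependencies, path, hits);
  }
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function walkPackages(packages, hits) {
  const marker = "node_modules/";
  for (const [key, info] of Object.entries(packages)) {
    const at = key.lastIndexOf(marker);
    if (at < 0) continue; // root project or workspace folder, not an installed package
    check(key.slice(at + marker.length), info.version, key, hits);
  }
}

function findFlagged(lock) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits);
  else walkTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed lockfile fragments (not taken from a real project).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: { nodemon: { version: "0.0.1-sample",
  dependencies: { "ps-tree": { version: "0.0.1-sample", dependencies: {
    "event-stream": { version: "3.3.6", dependencies: {
      "flatmap-stream": { version: "0.0.1-sample" } } } } } } } } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: { "": { name: "shop" },
  "node_modules/event-stream": { version: "4.0.1" },
  "node_modules/nodemon/node_modules/event-stream": { version: "3.3.6" } } };
```

To check a real project, pass the parsed contents of its package-lock.json to `findFlagged`; an empty array means neither flagged entry is locked.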

    Reaction Social Issue Overview

    This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it's unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will have no impact on the use of Facebook oAuth login, which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.


    | oAuth Service Configuration Publication Vulnerability | |
    | --- | --- |
    | Severity | High |
    | Description | oAuth social plugin secrets could be shared with unauthenticated users via a publication. |
    | Affected Installations | Any shops with a configured Facebook appSecret in the Reaction Social dashboard. |
    | Affected Versions | All versions greater or equal to v0.5.3 |
    | Remediation | Apply patch or upgrade to patched version of Reaction Commerce. |


    Patches are attached to this release.

    Patches will download as a .zip file named: which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

    Patch files for removing the UI dependent on software version
    fb-app-secret-ui-{version-number}-2018-11-19.patch

    Version specific migration patch file for removing the appSecret from the database


    Option 1: Install patched version of Reaction Commerce

    If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

    Invalidate Existing Secrets

    If you had a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

    Generate New Secrets

    If you used this App Secret in any other applications or for Facebook oAuth login within Reaction Commerce, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.