Posts tagged ‘release’
The Spree team was recently alerted to several potential security vulnerabilities. If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at email@example.com and we will investigate and fix the issue as quickly as possible.
Spree Roles Mass-assignment Vulnerability
The first vulnerability reported pertains to a mass-assignment vulnerability with Spree roles. By passing the right parameters while updating a user, that user is able to assign any existing role to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.x.
Thanks to Laurens Nienhaus of asdfasdf.de, Web Entwicklung for reporting this.
1.2.x, 1.3.x, Edge
If you are using spree_auth_devise, run the following command to update to the latest version:
bundle update spree_auth_devise
It’s recommended that you update to v1.1.6. This release contains the security fix.
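The pattern behind this class of bug, as an added illustration that is not Spree's User model or the spree_auth_devise fix: a self-service update that writes every submitted key, beside one that writes only an allowlist and routes role changes through a separately authorized path. The `User` class, the `TAMPERED_PARAMS` body and the method names are constructed for the example.

```ruby
# Constructed stand-alone model for the demonstration; not Spree code.
class User
  ADMIN_ROLE = 'admin'.freeze
  # Attributes a user may change about themselves. role_ids is deliberately absent:
  # this is the attr_accessible / strong-parameters idea in plain Ruby.
  SELF_EDITABLE = %w[email].freeze

  attr_reader :email, :role_ids

  def initialize(email, role_ids = [])
    @email = email
    @role_ids = role_ids.dup.freeze
  end

  def admin?
    role_ids.include?(ADMIN_ROLE)
  end

  # Vulnerable: every submitted key becomes an attribute write, so a profile form
  # that also carries role_ids promotes whoever submitted it.
  def unsafe_update(attrs)
    attrs.each { |name, value| instance_variable_set("@#{name}", value) }
    self
  end

  # Hardened: only allowlisted keys are written. Rejected keys are returned so the
  # caller can log or refuse the request (Rails' strict mode raises at this point).
  def safe_update(attrs)
    rejected = []
    attrs.each do |name, value|
      if SELF_EDITABLE.include?(name.to_s)
        instance_variable_set("@#{name}", value)
      else
        rejected << name.to_s
      end
    end
    rejected
  end

  # Role changes go through a separate path gated on the actor, never on form input.
  def set_roles(new_role_ids, actor:)
    raise SecurityError, "#{actor.email} is not allowed to change roles" unless actor.admin?
    @role_ids = new_role_ids.dup.freeze
    self
  end
end

# Constructed request body: what an "edit my account" form posts once the sender
# adds an extra field by hand.
TAMPERED_PARAMS = { 'email' => 'mallory@example.com', 'role_ids' => ['admin'] }.freeze

def vulnerable_profile_update(user, params)
  user.unsafe_update(params)
end

def hardened_profile_update(user, params)
  user.safe_update(params)
end
```

Whether your framework ignores or raises on the unpermitted key is a policy choice; what matters is that the role-bearing attribute never sits on the same write path as the attributes a user may edit about themselves.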
JSON Gem Object Creation Vulnerability
The second is related to an Unsafe Object Creation vulnerability found in the JSON gem. This vulnerability potentially affects all versions of Spree that are running an outdated JSON gem.
The problem is not with Spree itself but the json gem upon which it relies. By using the suggested fix below you can ensure you are running a secure version of the json gem.
This is easily fixed by upgrading to the latest version of the JSON gem, which can be done by running the following command:
We have added a hard dependency on JSON to spree_core to ensure that in future versions of Spree you are using an unaffected version of the gem.
Thanks to Steve Root of Roots Kitchens Bedrooms Bathrooms for bringing this to our attention. More info on this vulnerability can be found on the rails-security group.
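What "unsafe object creation" means in practice, as an added example that is not Spree's code or part of the json gem fix: the gem's additions protocol lets a `"json_class"` key in the input choose which class gets instantiated, so a parser that has additions enabled hands the sender control over object creation. The `AuditEvent` class, the request body and the allowlist below are constructed for the example.

```ruby
require 'json'

# Constructed class for the demonstration: the json gem treats any class that
# responds to json_create as instantiable from a {"json_class": "..."} object.
class AuditEvent
  attr_reader :message

  def initialize(message)
    @message = message
  end

  def self.json_create(hash)
    new(hash['message'])
  end
end

# Constructed request body: the sender, not the application, names the class.
UNTRUSTED_BODY = '{"json_class":"AuditEvent","message":"hello"}'.freeze

# Safe: additions are switched off explicitly, so json_class is just a string key
# in the returned Hash. Do not rely on defaults; JSON.load historically enabled
# additions, and that is the path the advisory concerned.
def parse_untrusted(body)
  JSON.parse(body, create_additions: false)
end

# What the unsafe path does: the parser resolves json_class to a constant and calls
# json_create on it. Shown only to make the behaviour visible; never use it on
# input you do not control.
def parse_with_additions(body)
  JSON.parse(body, create_additions: true)
end

# Defence in depth for code that must accept additions from a trusted producer:
# parse without additions first, refuse any class name outside an allowlist, and
# only then parse with additions enabled.
ALLOWED_JSON_CLASSES = %w[AuditEvent].freeze

def parse_allowlisted(body)
  data = JSON.parse(body, create_additions: false)
  names = []
  walk = lambda do |node|
    case node
    when Hash
      names << node['json_class'] if node.key?('json_class')
      node.each_value { |v| walk.call(v) }
    when Array
      node.each { |v| walk.call(v) }
    end
  end
  walk.call(data)
  bad = names - ALLOWED_JSON_CLASSES
  raise ArgumentError, "disallowed json_class: #{bad.inspect}" unless bad.empty?
  JSON.parse(body, create_additions: true)
end
```

Upgrading the gem fixes the default; passing `create_additions: false` at every call site that touches request data keeps you safe even if a future dependency pulls in a parser with a different default.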
Unsafe Use of Constantize in Admin
The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.
Thanks to Gabriel Quadros of Conviso Application Security for reporting this.
Spree 1.0.x – 1.3.x, Edge
The problem can be addressed by updating to edge Spree. There is no urgent need to upgrade if you are running an affected version as long as your admin users can be trusted to not attempt a complicated technical exploit of this vulnerability.
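The reflection pattern at issue, as an added example that is not Spree's admin code or the change in commit 70092eb: a type parameter fed to `Object.const_get` (or ActiveSupport's `String#constantize`) beside a lookup through a fixed registry. The `Calculator` classes, the `CALCULATORS` table and the exception name are constructed for the example.

```ruby
# Constructed calculator classes: the kind of thing an admin form selects by name.
module Calculator
  class FlatRate
    def initialize(amount = 5.0)
      @amount = amount
    end

    def compute(_subtotal)
      @amount
    end
  end

  class PercentOff
    def initialize(percent = 10.0)
      @percent = percent
    end

    def compute(subtotal)
      subtotal * @percent / 100.0
    end
  end
end

# Unsafe: the request decides which constant is looked up. Object.const_get and
# String#constantize return any class loaded in the process, so the caller can
# instantiate things the form never offered. safe_constantize only swallows
# NameError; it does not narrow the set of classes.
def unsafe_build(type_param)
  Object.const_get(type_param).new
end

# Safe: the parameter is a key into a fixed registry. Unknown keys fail closed and
# the set of instantiable classes is visible in one place for review.
CALCULATORS = {
  'flat_rate' => Calculator::FlatRate,
  'percent'   => Calculator::PercentOff,
}.freeze

class UnknownCalculatorType < ArgumentError; end

def safe_build(type_param)
  klass = CALCULATORS.fetch(type_param.to_s) do
    raise UnknownCalculatorType, "unknown calculator type: #{type_param.inspect}"
  end
  klass.new
end
```

If the registry must stay a list of class names for compatibility, keep the allowlist check before the `constantize` call rather than after it: the dangerous step is resolving the name, not using the result.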
Last week the Rails team announced a new release which addresses an important security vulnerability. This is a Rails security problem, but since Spree relies on these insecure versions of Rails, all Spree users are advised to upgrade to a more secure version immediately.
Existing Spree 1.3.0 users should upgrade to the new Spree 1.3.1 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the Github compare for a complete list of changes.
Existing Spree 1.2.x users should upgrade to the new Spree 1.2.3 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the Github compare for a complete list of changes.
Other Versions of Spree
If you are using Spree versions 1.1.x and older you should consider upgrading to Spree version 1.2.3 or higher. Our current policy is to only maintain the latest two versions of Spree along with the current master.
Upgrading Rails Without Updating Spree
If you’re not ready to update your version of Spree, you may want to consider updating just the version of Rails you’re using. Spree gems will not allow you to use arbitrary versions of Rails (we like to test them first) so you’ll have to do a little hacking if you want to go it alone. To accomplish this you need to work with the source code and checkout from Git using the exact tag of your version of Spree. You can then modify the gemspec to allow a newer version of Rails. Finally, you’ll need to push this change to a fork and modify the Gemfile in your project to point to the fork.
Spree 1.3.0 has now been officially released. We’ve been working on this release since late August and it’s truly been a group effort. There were 867 commits by 31 different authors. Only a few of those authors actually work for Spree Commerce Inc. so that means our awesome community has once again taken the time to make invaluable contributions to Spree. Keep up the fantastic work!
Let’s go over some of the highlights of this release:
API Updates and Documentation
As Spree constantly evolves, so does our API. To help you keep up with the latest changes, we launched our API Documentation recently. Internally, we are now using Versioncake to version our API and ensure that any significant changes don’t affect our end-users. Additionally, we have added searching capabilities throughout the API and the ability to customize output by specifying a template.
Please see the API Improvements blog post and our API Documentation for more details.
New Admin Interface
We are excited for you to try our newly redesigned admin interface, courtesy of our designer Alexey (aka devilcoders). The main focus of the redesign was to put a “fresh coat of paint” on everything to make it a little easier to look at all day long. This is just the first step of reworking our admin interface and we are looking forward to receiving your feedback to help us improve our further iterations on the design.
Please see the Announcing Admin Redesign blog post for more details.
Currency settings have been added to Spree that make it possible to change the currency used by the store and the format of displayed prices. This is the foundation for planned multi-currency support in the future. The goal with these changes is to eventually allow various objects in Spree to store and track their own currency. Currently the currency is set on a global level.
Special thanks to Gregor MacDougall for his great work on adding currency support to Spree.
Please see this commit for more information on currencies in Spree.
As with every major Spree release, there are also a ton of commits related to minor bug fixes and other subtle improvements. Please see the Github compare for a complete list of changes in this release. You can also see a written summary of the changes with additional details in the release notes.
Spree 1.3.0.rc2 is now available. The final release for Spree 1.3.0 is expected later this week barring any last minute discoveries so we need your help with testing. Please report any issues you encounter.
We’ll have a comprehensive set of release notes once the release is final. In the meantime, please see the Github compare for a complete list of changes.
Spree 1.3.0.rc1 is now available. The final release for Spree 1.3.0 is expected shortly so we need your help with testing. Please report any issues you encounter.
If you’ve been following the recent admin refactoring on the master branch then you have an idea of what’s in this release. We’ll have a comprehensive set of release notes once the release is final. In the meantime, please see the Github compare for a complete list of changes.
Spree 1.2.2 has been officially released. The primary purpose of this release is to upgrade to the latest secure version of Rails. Previous versions of Rails 3.2.x have a DoS vulnerability that was fixed in the recent Rails 3.2.9 release. The DoS vulnerability is actually a Ruby security issue as well, so it is recommended that you upgrade your Ruby installation to Ruby 1.9.3-p327 or higher.
There are no new Spree security vulnerabilities addressed in this release – just those mentioned above concerning Ruby/Rails. Please note that earlier last week we issued a flawed Spree 1.2.1 release but that has since been “yanked” (due to a minor glitch) and the fixed version has been released as Spree 1.2.2.
This release also contains a series of minor bug fixes and improvements which you can read more about in the Spree 1.2.2 release notes. As always, this has been a group effort by the outstanding members of our community. This release contained 248 contributions by 44 different authors. You can see the Github compare for full details.
This release does not contain the new admin interface. That functionality is currently available on the master branch and will be released as part of Spree 1.3.0 in early December.
Spree 1.1.4 has been officially released. The primary purpose of this release is to upgrade to the latest secure version of Rails. Previous versions of Rails 3.2.x have a DoS vulnerability that was fixed in the recent Rails 3.2.9 release. The DoS vulnerability is actually a Ruby security issue as well, so it is recommended that you upgrade your Ruby installation to Ruby 1.9.3-p327 or higher.
There are no new Spree security vulnerabilities addressed in this release – just those mentioned above concerning Ruby/Rails. This release also contains a series of minor bug fixes which you can read more about in the Spree 1.1.4 release notes. You can also see the Github compare for full details.
Due to the upcoming Spree 1.3.0 release, this will be the final patch release of Spree 1.1.x. We encourage you to update to Spree 1.2.x as soon as possible.
Spree 1.2.0 has now been officially released. We’ve been working on this release all summer and it’s truly been a group effort. There were 961 commits by 32 different authors. Only a few of those authors actually work for Spree Commerce Inc. so that means our awesome community continues to step up and make invaluable contributions. Keep up the great work!
Special thanks to Ryan Bigg who did a ton of work on this release. The authentication changes and checkout flow in particular represent huge improvements to Spree and were a direct result of close coordination with our users who were struggling on these fronts.
Let’s review some of the highlights of this release:
Authentication Has Been Removed
Spree no longer ships with authentication included. Previous versions of Spree have relied on a third party library known as Devise. Removing the dependency on Devise allows Spree to be more easily integrated with larger Rails applications that may have their own authentication system. For those that are using Devise (or have no strong preference for which system they use), we still have Devise support for Spree. You’ll just need to add the spree_auth_devise extension to your application.
Please see the Authentication Guide for more details.
Changes to the State Machine
Up until now, it’s been a little too difficult to customize the checkout flow in Spree. It was certainly possible but the workaround for doing so wasn’t particularly elegant and was even more difficult to support. This has all changed now with a new DSL for specifying checkout flow. If you’ve made changes to the checkout flow in your application (or if you have been hesitant to do so until now) then you may want to learn more about how this works.
Please see the Checkout Guide for more details.
Introducing the Money Gem
In earlier versions of Spree, we used number_to_currency to display prices for products. This made it difficult to change only the currency symbol for all prices across your store. We have improved this by using the Money gem to handle all of the price formatting. Please note this was a last minute addition to Spree that was not contained in the previous release candidates. You can look forward to many more improvements to international support in future releases.
There are also a ton of commits related to minor bug fixes and other subtle improvements. Please see the Github compare for a complete list of changes in this release. You can also see a written summary of the changes with additional details in the release notes.
Spree 1.2.0.rc2 is now available. The final release for Spree 1.2.0 is expected shortly so we need your help with testing. Please report any issues you encounter. Please see the Github compare for a complete list of changes in this release.
Final release will be later this week – just in time for SpreeConf!
Spree 1.2.0.rc1 is now available. The final release for Spree 1.2.0 is expected shortly so we need your help with testing. Please report any issues you encounter. Please see the Github compare for a complete list of changes in this release.
Spree 1.1.3 has been released. This is a patch release to be compatible with the new Rails 3.2.7 release. The newest version of Rails contains a minor security release fix so you’re encouraged to update at your earliest convenience.
This release also contains a variety of other small bug fixes. Special thanks to Moritz Breit for reporting a potential security issue which has since been investigated and addressed.
Please see the Github compare for a complete list of changes in this release.
Spree 1.0.6 has been released. This release is just a minor patch release to fix a few issues with attr_accessible and the latest Rails 3.1.6 release. The previous Spree 1.0.5 release has been yanked since it was not compatible with the latest Rails 3.1.x version.
Please see the Github compare for a complete list of changes in this release. There are no security fixes in this release.
Spree 1.1.1 has been released. This release is just a minor patch release to fix a few issues with the previous release. There are no security fixes in this release so there is no rush to upgrade if things are working fine for you.
The primary reason to upgrade is if you are experiencing issues with the new 2.1.x version of Devise which may get used by bundler in new Spree deployments. Please see the Github compare for a complete list of changes in this release.
Spree 1.1.0 has been released. We’ve been hard at work the past two months getting this release ready. This is also the first Spree release to support Rails 3.2.x. All it took was 790 commits by 34 different authors (including many first-time committers).
Here’s a list of highlights of what is contained in the new release:
- Support for Rails 3.2.x
- Product groups have been moved to a stand alone extension
- Major overhaul of the API
- Simplified the internals of model
- Replaced meta_search with ransack
- Instant activation for live analytics
- Several other minor changes
Please see the Github compare for a complete list of changes in this release. Please see the Spree 1.1.0 release notes for more details.
Spree 1.0.4 has been released. This is just a minor patch release that contains several minor fixes made since the prior release. There are no security fixes contained in the release so there’s no need to upgrade unless you’re experiencing one of the problems fixed in this release.
Please see the Github compare for a complete list of changes in this release. If your store is not yet running on a 1.0.x version of Spree you are encouraged to upgrade at your earliest convenience. Once Spree 1.1.0 is released we will no longer be maintaining versions of Spree prior to 1.0.x except in the case of a critical security fix.
We have just released Spree 1.1.rc2! In this version, you’ll find bug fixes for bugs detected within the first release candidate, as well as some refactoring.
Pending any other issues brought up on the Spree issues, this will be the final release candidate before the actual
Probably the most substantial change from this release candidate is the clean up of the Creditcard class. We don’t anticipate any problems with these changes, but if you do find some, please bring them up on the Spree issues page.
If you want to see all the changes that have gone into this second release candidate since the first, be sure to check out the comparison view on GitHub.
One final note, both the Railsdog and Spree teams are at Railsconf this week! Come find us and talk to us about how you’re using Spree.
Spree 0.60.6 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.
Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running any version of Spree prior to 0.60.6.
Spree 1.0.3 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.
Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running a prior version of Spree 1.0.×.
NOTE: Earlier this week we released Spree 1.0.2 which contained this fix. Before we could write up the release announcement we discovered a newly introduced bug that required a quick follow up release which is now Spree 1.0.3. It is recommended that you update to version 1.0.3 if you are running version 1.0.2 because of this bug but it is not required for security purposes.
Spree 0.70.5 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.
Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running a previous 0.70.x version of Spree.
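The shape of the bug fixed in 0.60.6, 1.0.3 and 0.70.5, as an added illustration that is not Spree's Order model or the actual fix: the request is authenticated, but the lookup is keyed on the order id alone, so ownership is never checked. The `Order` struct, the in-memory `ORDERS` table and the exception name are constructed for the example; the fixed version also covers the guest-order case, where a nil owner must never match a nil visitor.

```ruby
# Constructed data for the demonstration; not Spree's Order model.
Order = Struct.new(:id, :user_id, :total)

class OrderNotFound < StandardError; end

# Order 3 is a guest checkout with no owning user.
ORDERS = {
  1 => Order.new(1, 10, 99.0),
  2 => Order.new(2, 11, 150.0),
  3 => Order.new(3, nil, 42.0),
}.freeze

# Vulnerable: any logged-in user who guesses or increments an id reads that order.
# Authentication happened, authorization did not.
def unsafe_show_order(_current_user_id, order_id)
  ORDERS.fetch(order_id) { raise OrderNotFound }
end

# Fixed: scope the lookup by owner (the current_user.orders.find(id) idiom), so a
# foreign id is indistinguishable from a nonexistent one and nothing about other
# users' orders leaks, not even their existence.
def safe_show_order(current_user_id, order_id)
  # A nil current user must never match a nil owner: guest orders need their own
  # token-based access path, which is out of scope here.
  raise OrderNotFound if current_user_id.nil?
  order = ORDERS[order_id]
  raise OrderNotFound unless order && order.user_id == current_user_id
  order
end
```

Returning the same not-found result for "exists but not yours" and "does not exist" is deliberate: a distinct "forbidden" response lets an attacker enumerate which ids are live.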
Spree 0.60.5 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.0.12 release. Anyone using a prior version of Spree is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.
Please see the Github compare for a complete list of changes in this release.
Spree 1.0.1 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.1.4 release. Anyone using a prior version of Spree 1.0.x is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.
We have also fixed several issues that have come up since the 1.0.0 release. Please see the Github compare for a complete list of changes in this release.
Spree 0.70.4 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.1.4 release. Anyone using a prior version of Spree 0.70.x is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.
Please see the Github compare for a complete list of changes in this release.
Today we are extremely proud to announce the long-awaited release of Spree 1.0.0. The project began almost five years ago with a simple post. After several years of development and thousands of deployed stores we are now convinced Spree will play an essential role in building the next generation of e-commerce.
Our community continues to grow stronger with each successive release. This latest release contains over 1,500 commits made by 35 different contributors. Only four of those contributors work as employees of Spree Commerce. The best part is that all of this work was done in just ten weeks! There are additional developers and resources flowing into the project each day so we’re really only seeing a glimpse of what is possible.
The list of people to thank is too numerous to list here. There’s also a lot more to say about extensions and the online demo but that will have to wait for another day. We’re going to keep the announcement short in order to get this out to you as fast as possible.
We have done our best to test the upgrade process on older versions of Spree. Our team has also been hard at work making last minute fixes and significant improvements to the online documentation. Just like the Rails project, there will always be a few glitches discovered after a major release. Please report issues you find in the Github issue tracker. If you are developing a store using 1.0 you can always reference the 1-0-stable branch in your Gemfile and then you can take advantage of patches as they are added. Otherwise you can wait until we do a minor patch release.
A complete list of changes can be found in the Github compare for 1.0.0. For more information on this release and upgrading from a previous version of Spree please see the release notes.
Spree 0.70.3 has been released. The only change in this release is support for Rails 3.1.3. It should be a trivial upgrade from Spree 0.70.2. There are no security issues with the previous version of Rails but this newer version fixes several problems that were introduced by Rails 3.1.2.
Spree 0.70.2 has been released. The primary reason for this release is support for the new Rails 3.1.2 release which contains some important security updates. There are also a couple of other minor changes which you can find using the Github compare.
We’re also experimenting with a new approach to Rails versions in this release. We’ve traditionally locked down the specific version of Rails that you can use with any one release of Spree. This is because in the past, even minor changes to Rails often caused problems with Spree if users tried to upgrade before we had a chance to verify everything.
This version of Spree will allow you to use either Rails 3.1.1 or the new 3.1.2 release. It will not, however, work with a possible future release of Rails until we also release a new Spree 0.70.x. This will allow us to ensure that Spree works with each new version of Rails but allow more flexibility for users who wish to upgrade Rails versions without upgrading Spree and vice versa.
Spree 0.70.1 is now officially released. There are two important changes in this release. The first change is a fix to the asset precompile stuff. If you’re running 0.70.0 you’ll want to upgrade because this will result in a performance increase.
The other major change is that we have introduced the concept of security and release alerts. You will now receive a notification in your control panel whenever there is a new release. This feature also allows us to notify you of important security announcements. The alerts can be dismissed once they’re read and you have the option to disable them entirely (not recommended).
The Security Guide contains more information on alerts. You can also view the Github compare for a complete list of changes in this release.
Spree 0.70.0 is now officially released. The most important change with this release is that it is fully compatible with the brand new Rails 3.1.1 release. Please read the release notes for more information on what has changed and how to upgrade from previous versions.
Prior to today’s new release of Rails, there were significant problems with the asset pipeline and other features. These problems were severe enough to cause us to hold off on the new Spree release until they were addressed. Spree 0.70.0 represents another massive release (due mostly to the massive amount of change in Rails itself). The Github compare shows this release to consist of a total of 356 commits by 36 different contributors and a whopping 1,093 files changed!
There have been significant improvements to themes which now rely on Brian Quinn’s awesome deface library. Themes are also now available as engines which means they can be more easily shared with others. This is just the start of what we have planned for themes in Spree. You can expect more improvements in the near future.
New Extension Generator
This release contains a brand new extension generator. Once you’ve installed the new Spree gem you can use this generator to create extensions using the following command:
One of the most important advances in this new generator is that you can now easily run specs for extensions in their own standalone repository. You just need to create a test application (one time only) as a context before running your specs.
$ rake test_app
$ bundle exec rspec spec
One of the most important features of Rails 3.1.x is the asset pipeline. There have been many changes to Spree to support the asset pipeline (which are covered more thoroughly in the release notes.)
Unfortunately some of the Rails 3.1.x changes have introduced significant performance issues when running Spree in development mode. The good news is you can improve performance significantly by using a special precompile task.
$ bundle exec rake assets:precompile RAILS_ENV=development
WARNING: Using the precompile rake task in development will prevent any changes to asset files from being automatically included when you reload the page. You must re-run the precompile task for changes to become available.
Rails also provides the following rake task, which deletes the entire public/assets directory; this can be helpful to clear out development assets before committing.
It might also be worthwhile to include the public/assets directory in your .gitignore file.
We have just released Spree 0.60.2 which contains an important security fix. A vulnerability exists in the ProductScope class that could allow for unauthenticated remote command execution. To put it simply, you should either upgrade immediately or add your own custom fix based on this commit.
Special thanks to joernchen of Phenoelit for discovering and reporting the problem through the appropriate channels (which is a private email to firstname.lastname@example.org). Roman Smirnov (aka romul) provided the necessary fix.
The edge code has also been updated to include this fix. There are also a few other minor issues addressed in this release. See the Github compare view for the full details.
We are currently working on an improved solution for handling the reporting of security issues. We will be announcing a new initiative on this front in the near future.
This can be especially noticeable in development mode when using a single process application server like Webrick. We’ve recently updated the edge version of Spree to include a small tweak to the standard pre-compiling rake task that allows pre-compiling of assets in development mode.
Pre-compiling in production
Rails supports pre-compiling of assets which is intended to offload the overhead of generating and serving assets from the application server in production environments.
Pre-compiling is not required for the asset pipeline to function correctly in production; if you choose not to pre-compile, Rails will generate each asset only once and serve each subsequent request using Rack::Cache.
Rack::Cache is generally sufficient for lower traffic sites, but pre-compiling will provide some additional speed increases by allowing the web server to serve all assets, including gzipped versions of
To pre-compile assets for production you would normally execute the following rake task (on the production server).
$ bundle exec rake assets:precompile
This would write all the assets to the public/assets directory while including an MD5 fingerprint in the filename for added caching benefits.
Pre-compiling for development
Spree alters the behaviour of the precompile rake task when you execute it with the RAILS_ENV environment variable set, as follows:
$ bundle exec rake assets:precompile RAILS_ENV=development
It will still output the assets to public/assets but it will not include the MD5 fingerprint in the filename, hence the files will be served in development directly by the web server (and not processed by Rails).
WARNING: Using the precompile rake task in development will prevent any changes to asset files from being automatically loaded when you reload the page. You must re-run the precompile task for changes to
Rails also provides the following rake task, which deletes the entire public/assets directory; this can be helpful to clear out development assets before committing.
It might also be worthwhile to include the public/assets directory in your .gitignore file.
As part of the upcoming 0.70.0 release we’re returning to an earlier approach of bundling themes as their own Rails 3.1 engine. This is primarily designed to make installing and managing themes fall inline with extensions.
We’ve created two front-end themes to help show this new approach in action:
- Spree Blue – Recreates the original “blue” front-end theme of 0.60.x as a stand alone theme.
- Rails Dog Radio – This recreates some of the aspects of the Rails Dog Radio demo application for a default Spree application.
Both themes can be installed by just adding a reference to the git repository to your Gemfile, ie:
gem 'spree_blue_theme', :git => 'git://github.com/spree/spree_blue_theme.git'
NOTE: The repos for both themes have recently been moved and renamed, so be sure to use the new repo locations linked above.
Edge basic theme
The current edge version of Spree includes quite a substantial simplification of the front-end views and styles aimed at providing a simpler base to start building themes on top of. Some early adopters have mistaken these changes as issues with the new asset pipeline, because it no longer sports the classic “blue” look.
To restore the original 0.60.x look, please install the Spree Blue Theme as mentioned above.
You can learn more about themes in the Extensions &
As the release of our next major version (0.70.0) draws ever nearer we feel it’s time to merge the rails3-1 development branch into master, and start helping you get ready for some of the changes you’ll need to make as part of the upgrade.
While most of the changes required are standard when upgrading any Rails application to Rails 3.1, we’ve set out some guidelines and suggestions relating to the asset pipeline to help standardize how Spree applications and extensions make use of this new feature.
While edge has contained some new theming features (Deface) for a while now, the rails3-1 branch really ties this together with the Rails asset pipeline to provide an amazingly powerful and flexible theming eco-system.
Some lite reading
There are a lot of changes and improvements to cover so we’ve created a lot of documentation to help explain all these new features, and we strongly recommend you read through them before diving in:
- 0.70.0 Release Notes – While 0.70.0 isn’t actually released yet, these notes are available now and provide detailed Upgrade Instructions for upgrading 0.60.x applications to 0.70.0.
- Customization Overview – This edge guide covers all customization options now available with Spree, and explains how to organize (or bundle) those customizations.
- View Customization – Explains how to use Deface and template replacements to alter the appearance of a Spree application.
- Asset Customization – Covers Spree’s use of the asset pipeline and how you can leverage
All of these documents are works in progress and will be amended as we get closer to release.
Not ready for Rails 3.1 yet?
For those of you who have been developing on Spree edge and don’t want to undertake the upgrade to Rails 3.1 yet, please update your Gemfile to use the rails-3-0 branch, which is just a direct branch of the master before rails-3-1 was merged down.
While this branch probably won’t get any direct development it’s the safest version to use until you’re ready to upgrade to 0.70.0.
We’re always glad to help as many people as possible contribute to Spree and there’s still plenty of
waiting to be resolved, so now’s a great time to start contributing!
Spree 0.60.1 is now officially released. The major reason for this release is to support the brand new Rails 3.0.9.
There are also a few other minor changes. You can check out the Github compare to see a full list of changes.
Spree 0.60.0 is now officially released. The primary purpose of this release is to deprecate use of the resource_controller gem. It’s been a long journey with this library but its usefulness has come to an end. Special thanks to Neeraj Singh, Roman Smirnov and Brian Quinn for their hard work on this.
We have gone to great lengths to preserve most of the functionality of resource_controller by reimplementing it in a more "rails like" way (using inheritance, etc.). In a few cases, however, we have not been able to maintain 100% compatibility with previous releases of Spree. This may affect some existing extensions as well as stores that rely on this functionality. The new approach to overriding just the respond_to behaviour in a controller is described in the customization
We’ve been doing a pretty good job these days of having regular releases. There are some pull requests piling up and the issues in Lighthouse need to be addressed so that will be the next step. We also have some cool promotions stuff coming to edge in the next few days.
For a more detailed description please check the 0.60.0 release notes. You can also use the Github compare tool to see a complete list of changes included in the 0.60.0 release.
Spree 0.50.2 has just been released. It’s a minor patch release to address a performance issue with a previous version of Rails.
You can also use the Github compare tool to see a complete list of changes for the 0.50.2 release.
Spree 0.50.1 has just been released. It’s a minor patch release to address a handful of small issues. It also contains an important security fix (see the recent security announcement for more details).
You can also use the Github compare tool to see a complete list of changes for the 0.50.1 release.
Spree 0.50.0 has been officially released. Several important bugs in the 0.40.x release have been addressed. There are no crucial security fixes in this release but you are still encouraged to upgrade as soon as convenient. By making these small upgrades as they are released you will only need to focus on minor changes to each point release instead of a series of important changes covering several releases.
Special thanks to Neeraj Singh who worked tirelessly for several weeks to add a huge amount of test coverage that we desperately needed. This added test coverage will make it easier to improve Spree in the future while minimizing the chances of breaking legacy functionality in the process. We’re also pleased to welcome several new contributors who helped with important bug fixes. A complete list of contributors over time can be found here.
You may be wondering which extensions will work with this new version of Spree. Most extensions that work with Spree 0.40.x should work with Spree 0.50.x since we did not really change any of the public API. The one possible exception is if the extension in question uses search functionality. Please see the release notes for more details on the changes to search and other topics. We’re also going to announce some improvements to the extension registry related to versioning. Expect more details on this shortly.
This new version of Spree requires Rails 3.0.5. You can also use Github to see a complete list of changes for the 0.50.0 release. NOTE: This comparison will take a few minutes to load given the sheer number of files added to support the test coverage.
If you are updating from Spree 0.40.x you should remove the ‘20101101185116_rename_columns_for_devise.rb’ migration from your Rails app. This is because 0.50.x contains a new version of that migration with a different timestamp so it will cause issues if you try to run both migrations. Sorry for the confusion.
Spree 0.40.3 has been officially released. This is a minor patch release with a few fixes. All users should consider an immediate upgrade due to the recently announced security vulnerability in previous versions of Rails. Spree now requires Rails 3.0.4 which resolves this problem.
We also made an important fix for anyone using payment gateways that do not support a credit card profile (this includes the standard Authorize.net gateway). If you are developing on a version of Spree 0.30.x with one of these gateways you’ve probably already experienced difficulties submitting the card details to the gateway. These issues are solved in version 0.40.3 along with a separate issue related to voids.
If you’re running a version of Spree less than 0.30.0 or if you are using Authorize.net CIM then you are not affected by this problem (but upgrading is still recommended due to the security fix mentioned above).
Spree 0.40.2 has been officially released. This is a minor patch release with just three fixes. The main reason for this release is that there was an issue with the older version of activemerchant used in Spree 0.40.1. It’s worth mentioning that the problem only affects those running Ruby 1.9. Rather than upgrading you can also work around that problem by pinning the gem in your application’s Gemfile:

```ruby
gem 'activemerchant', '1.9.0'
```
Spree 0.40.1 has been officially released. This is a minor patch release with just a few trivial fixes. The main reason for this release is that there is a new version of the CanCan gem which is causing issues with Spree. This only affects new installs of Spree, so if you are already running on 0.40.0 and you have a Gemfile.lock file then there’s no urgent need to upgrade.
Moving forward we have decided to "lock down" the gem versions that Spree is depending on to minimize problems when new versions of gems come out. Since most users are deploying Spree independently this will not cause problems in most cases. We’ll keep an eye on this new approach and see if it makes things a little bit easier.
Spree 0.40.0 has been officially released. The primary change in this release is a switch to the Devise authentication gem which was discussed in the last blog post. You can find more information on this and the token based permission changes in the 0.40.0 release
Its been a month since version 0.30.1 was released and about six weeks since the major 0.30.0 release, so we’re definitely back on track with regular releases. In fact, the goal is to release every 3-4 weeks until we hit the final 1.0 release next year. This release also lays the ground work for many new exciting social integration features that we’re planning for Spree.
Speaking of social integration, please take a moment to show your support for Spree and follow us on Facebook.
Spree 0.30.1 has been officially released. This is a minor patch release that addresses some minor bugs in the previous 0.30.0 release. It also fixes some recent issues with a new restriction on routes introduced by Rails 3.0.2. For a complete list of changes, please see the Github compare.
The Spree team is proud to (finally) announce the release of Spree 0.30.0. Spree is now officially compatible with Rails 3.x after almost five months of relentless work. In addition to Rails 3 support, we took this opportunity to refactor a lot of the internals and to improve our test coverage.
According to the Github compare, the release consisted of 666 distinct commits by 25 different authors and touching 2,609 different files. The number of files is a bit overstated because we moved almost every file in the project as we reorganized things – but still, there were a ton of changes in this release. The release notes are available on the Spree site.
I want to thank everyone in the Spree community – especially those that contributed code and patches for the release. It took a lot longer than we wanted but we also took a huge step towards a more solid and standards-based foundation. Don’t worry, we won’t be resting after this release either. We’re looking to drop some major authentication improvements this month as well as to roll out 0.30.x compatible versions of several extensions. We’ve also started work on the new "social" extensions as promised.
The Spree team was recently alerted to a potential security vulnerability related to so-called JSON Hijacking. The potential exploit involves using social engineering to induce an administrator who is logged into Spree to visit a web page that contains code designed to exploit the vulnerability. If an authenticated admin loads a page containing this code in their browser, the browser sends the admin’s session cookie along with a cross-site request for a JSON resource, and the attacker’s page can read the response, exposing sensitive user and order information.
Most versions of Spree are affected, including all versions of 0.11.x and the latest edge code for the upcoming 0.30.x. If you are running on an edge version of Spree, please update to the latest source code which includes these two important fixes.
Anyone using a previously released version of Spree is strongly encouraged to upgrade to the brand new 0.11.2 release. The new 0.11.2 release contains two crucial commits needed to address this vulnerability. The complete set of changes for the 0.11.2 release can be viewed in Github.
This is not a particularly new vulnerability nor is it unique to Spree. There is a very detailed blog post outlining the specifics of JSON Hijacking if you wish to read up on it further.
Special thanks to Conviso Security for reporting the problem to us as well as the team at Locaweb for helping us to test the fix. This was another great example of the OS community working together to report and fix security issues in a timely manner. Remember, if you spot a security issue, please do not report it in a public forum or issue tracker. Send an email to email@example.com so we can address the issue before publicizing the vulnerability.
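The following is an added illustration of the attack shape described above and of two standard mitigations; it is not Spree’s code and does not reproduce the two 0.11.2 commits. The handler names, the `admin_session` cookie, the `X-Requested-With` check and the `while(1);` prefix are assumptions made for the example, and the order data is constructed. The vulnerable handler serves a bare JSON array on a cookie-authenticated GET, which a hostile page can pull in with a `<script src>` tag; the hardened handler refuses anything that is not an XMLHttpRequest (a script tag cannot add that header) and wraps the payload so it is not executable JavaScript even if the first check were bypassed.

```ruby
require 'json'

# Constructed sample: the kind of data an admin-only JSON endpoint returns.
ADMIN_ORDERS = [
  { 'number' => 'R123456789', 'email' => 'alice@example.com', 'total' => '49.99' },
  { 'number' => 'R987654321', 'email' => 'bob@example.com',   'total' => '120.00' },
]

# The parts of a request that the checks below look at (assumed shape).
Request = Struct.new(:path, :headers, :cookies)

# Vulnerable shape: a bare JSON array on a cookie-authenticated GET. A hostile
# page loads it via <script src=...>; the victim's browser attaches the admin
# session cookie, and browsers of that era let the attacker's page observe the
# array as it is constructed (overridden Array constructor / setters).
def vulnerable_orders_json(request)
  return [401, ''] unless request.cookies['admin_session'] == 'valid'
  [200, JSON.generate(ADMIN_ORDERS)]
end

# Hardened shape, two independent defences:
#  1. Only answer XMLHttpRequests. A <script> tag cannot set custom headers,
#     so a script-inclusion attack is rejected before anything is serialised.
#  2. Make the body unparseable as a script: the while(1); prefix never lets
#     execution reach the data, and an object literal at statement position
#     is a syntax error in a <script> tag anyway.
JSON_PREFIX = 'while(1);'

def hardened_orders_json(request)
  return [401, ''] unless request.cookies['admin_session'] == 'valid'
  return [403, ''] unless request.headers['X-Requested-With'] == 'XMLHttpRequest'
  [200, JSON_PREFIX + JSON.generate('orders' => ADMIN_ORDERS)]
end

# The legitimate XHR client strips the prefix before parsing.
def parse_guarded_json(body)
  raise ArgumentError, 'missing anti-hijacking prefix' unless body.start_with?(JSON_PREFIX)
  JSON.parse(body[JSON_PREFIX.length..-1])
end

# Models what the attacker's page gets. A cross-site <script src> request
# carries the victim's cookies but no custom headers. If the response is a
# bare array literal it executes cleanly and its elements can leak; a
# non-executable body gives the attacker nothing even though it was fetched.
def script_inclusion_attack(handler)
  req = Request.new('/admin/orders.json', {}, { 'admin_session' => 'valid' })
  status, body = handler.call(req)
  return :blocked if status != 200
  body.lstrip.start_with?('[') ? :leaked : :unreadable
end
```

The header check is what stops the request from being served at all; the prefix is defence in depth for any endpoint that still returns a top-level array. Neither replaces Rails’ CSRF token for state-changing requests, since the point here is an authenticated read that the browser performs on the attacker’s behalf.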
Spree 0.11.1 has been officially released. This is a patch release that addresses several issues discovered since 0.11.0. It is also the last expected release before the new Rails3 compatible version of Spree. We’ll continue to maintain the 0-11-stable branch but the focus will be on bug fixes as opposed to adding new features.
The new release addresses the following issues:
- 818 – Migrate taxons to nested set for major performance boost
- 1303 – Taxonomies with no taxons cause NoMethodError
- 1414 – Bump will_paginate to 2.3.12
- 1439 – Bump state_machine to latest version
- 1452 – Extra closing tags in checkouts/_address
- 1462 – Fix path finding for script/extension script
- 1463 – Remove deprecated script/breakpointer
- 1464 – Remove deprecated script/performance/request
- 1475 – Require email address on checkout model
- 1482 – Creditcard model only integer validation is wrong in syntax
- 1492 – no such file to load — rspec when running the tests
- 1494 – Allow specifying where shipping methods are displayed
- 1499 – Fix escaping HTML issue with rails 2.3.8
- 1503 – Fix admin additional field labels id
- 1509 – Extensions are not being loaded
- 1515 – Shipping Methods mixed up between Country-based zone and State-based zone
- 1523 – error from double submit on checkout payment
- 1526 – Cannot proceed to delivery from address step when address fails to validate
- 1534 – Backport patches from rails3 branch
- 1538 – Could not use Check payment because validation js of credit card payment
- 1541 – Tidy up admin interface
- 1572 – Checkout validation can raise exception in certain states
- 1573 – Sample payments not capturing properly
- 1574 – Editing a paid order in admin screen can result in incorrect shipment states
- 1621 – Add validationMode support to Gateway::AuthorizeNetCim
- 1636 – Coupon submission destroying payment
- 1654 – RMA number changes when record updated
- 1658 – Credits / Voids can result in invalid order states
- 1668 – Canceled order should allow balance_due or credit_owed state
We’re pleased to announce our first beta release of a Rails3 compatible version of Spree. This time it’s a little bit rougher than our usual beta quality, where we encourage as many of our users as possible to try it out in advance of the official release. There are several known bugs and deficiencies in this gem so you should really hold off until the next beta release, which we hope to achieve at the end of next week.
So why bother releasing an unfinished beta? There are a few reasons actually. The first reason is that we are working on upgrading one of our Railsdog customers to the latest code and they are on Heroku. Heroku is much simpler when you work with real gems (as opposed to edge git clones). The second reason is that we’re now releasing Spree as a series of gems instead of a single gem, so we wanted to make sure that we had this process working correctly before we started encouraging others to jump on board.
Spree is technically still a single gem but it now depends on five (soon to be six) additional gems.
- spree_core: Basic functionality – you won’t get very far without this one.
- spree_auth: Authentication and authorization stuff.
- spree_api: Restful API implementation
- spree_dash: A nice overview dashboard implementation.
- spree_sample: Contains sample products, orders and images.
When you install the Spree gem you still get all of these pieces installed automatically. We’ve structured things, however, so that you do have the option to pick and choose which pieces you would like to use if you’re so inclined. Think Rails and how it consists of Active Record, Active Support, etc.
There is pretty much no documentation other than a few README files at this point. That will change, but we haven’t invested too much in documentation up until now because things were so fluid. We’re pretty comfortable with how things are working so don’t expect a lot of radical changes between beta releases and the final release. We’ll be focused on nailing things down and fixing bugs. Feel free to report issues in lighthouse – just be sure to tag as rails3 so we know you’re talking about the new code.
There’s been lots of discussion recently on spree-user and at the Spree BOF at RailsConf regarding Spree’s use of resource_controller (r_c), and our options as we move towards Rails 3. We’re confident that our migration to Rails 3 is going to be a great step forward for the platform, as it will greatly simplify how Spree implements extensions due to the fantastic engine and railtie features in Rails 3. Some members of the community have suggested that we use the Rails 3 migration to also remove r_c from Spree. We’ve seriously considered this and I’d like to explain how we’ve arrived at our decision to keep resource_controller.
Issue 1: Removing resource_controller will simplify controller code and make it more understandable especially to new developers:
This is probably one of the most compelling reasons to remove r_c, as we accept that the learning curve for the controller logic can be a little steeper than a traditional Rails application. Some controllers, especially the checkouts controller, would benefit greatly from removing r_c code as it’s not a true RESTful resource and not a good candidate for r_c use. In the future we plan to ensure all unsuitable controllers will be rewritten to reduce the usage of r_c and improve readability and maintainability, starting with the checkouts controller.
Issue 2: resource_controller isn’t actively maintained and not currently Rails 3 compatible.
While r_c hasn’t been getting much attention from its original author (James Golick) it does have a large network of forks and it’s still receiving frequent improvements / bug fixes. We’ve spent a considerable amount of time migrating r_c to Rails 3 and we’re happy to say that it’s now fully functional, and we’re also very close to getting all tests passing after some badly needed attention at RailsConf / BohConf (thank you Derek). Please take a look at our http://github.com/bdq/resourcecontroller and patches / comments are welcome.
Issue 3: inherited_resources is a better alternative:
After some review we’ve found that inherited_resources is not missing many of the features that resource_controller offers; it does however implement them in a significantly different way which would add considerable overhead for any migration (as core and all extensions would need to be rewritten to match). There are two key features provided by resource_controller that differ in inherited_resources:
- In-action before and after filters that unlike standard Rails filters get executed just before / after the actual event takes place, when the object has already been loaded / built. This allows extensions and core Spree to cleanly and efficiently hook into actions without adding lots of unnecessary database activity that’s normally associated with traditional before / after filters. r_c also supports filters based on the result of a particular action (success / failure), and they’re also stack-able allowing core and multiple extensions to add multiple callbacks to a single filter.
- Render / redirect overrides allows developers to simply change what gets rendered or where an action will redirect a user after completion in both success and failure states.
Both of the these r_c features enable developers to add / replace small pieces of logic without overriding and replacing entire controller actions which greatly eases version upgrades, and provides a unique pluggable architecture for Spree extensions. Re-implementing these features using inherited_resources would be very time consuming and counter-productive at this point in time.
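To make the two features above concrete, here is an added, self-contained sketch of the pattern in plain Ruby. It is not resource_controller’s implementation and does not use the gem; the `ActionHooks`, `Zone` and `ZonesController` names, the `wants` / `failure_wants` methods and the `AUDIT` log are assumptions for the illustration. The point it shows is that hooks run after the object has been built, that core and several extensions can each push a callback onto the same action without overriding it, and that the success and failure responses can be replaced independently.

```ruby
# Minimal model: saving succeeds only when a name is present (constructed).
class Zone
  attr_accessor :name, :saved
  def initialize(attrs = {})
    @name = attrs['name']
    @saved = false
  end
  def save
    @saved = !name.nil? && !name.empty?
  end
end

# Stackable in-action hooks for one controller action. Each call to
# before/after appends a callback; the callbacks receive the already-built
# object, so no extra database round trip is needed to reload it.
class ActionHooks
  def initialize
    @before = []
    @after = []
    @success = { html: ->(obj) { [:redirect, "/admin/zones/#{obj.name}"] } }
    @failure = { html: ->(obj) { [:render, 'new'] } }
  end

  def before(&blk); @before << blk; self; end
  def after(&blk);  @after  << blk; self; end

  # Render / redirect overrides for the success and failure branches.
  def wants(fmt, &blk);         @success[fmt] = blk; self; end
  def failure_wants(fmt, &blk); @failure[fmt] = blk; self; end

  def run(obj, format)
    @before.each { |h| h.call(obj) }
    ok = obj.save
    @after.each { |h| h.call(obj, ok) }
    (ok ? @success : @failure).fetch(format).call(obj)
  end
end

class ZonesController
  def self.create_hooks
    @create_hooks ||= ActionHooks.new
  end

  def initialize(params)
    @params = params
  end

  # The action itself stays tiny: build the object once, then hand it to
  # whatever hooks core and extensions have registered.
  def create(format = :html)
    zone = Zone.new(@params)
    self.class.create_hooks.run(zone, format)
  end
end

# Core behaviour: normalise input before save.
ZonesController.create_hooks.before { |z| z.name = z.name.to_s.strip }

# Extension A adds an audit trail without touching the action.
AUDIT = []
ZonesController.create_hooks.after { |z, ok| AUDIT << [z.name, ok] }

# Extension B changes only where a successful create redirects.
ZonesController.create_hooks.wants(:html) { |_z| [:redirect, '/admin/zones'] }
```

Because each hook is appended rather than assigned, two extensions that both register an `after` callback coexist; with an ordinary overridden action the second would silently replace the first.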
During one of our BohConf hacking sessions we decided to rewrite a single controller (admin zones_controller) removing r_c while still retaining all the hooks / extensibility features mentioned in issue 3. This exercise allowed us to evaluate what the codebase might look like after the removal of r_c. We did expect the code to grow a small amount but we were surprised that it actually ballooned from 35 lines to 105 lines after the change. While readability and simplicity did improve, DRYness and maintainability suffered greatly. The overall consensus on this point was that the DRYness / maintainability benefits far outweigh any simplifications gained.
After reviewing both options of either removing resource_controller completely or switching to inherited_resources, it’s become clear that a lot of the customization that Spree offers is deeply linked to resource_controller functionality. While inherited_resources is a promising option it currently poses too much of an overhead in terms of rewriting code and changes to the overall internal workings of Spree.
Overall we think that resource_controller adds a lot of value to Spree and that any plans to remove it would damage Spree’s well known and loved extensibility.
Spree 0.11.0 has been officially released. This release makes Spree compatible with the latest Rails 2.3.8 release. Several changes to Spree were required to get this to work (especially without deprecation warnings.) The impact on existing 0.10.x stores should, however, be minimal. As always, it is suggested that you perform a complete backup of your database and system assets before upgrading.
The new release contains a change to the default Spree theme to match the new logo. Nothing drastic – just a slightly different color scheme to go better with the new logo colors. There aren’t any real major features in this release but there are a ton of important bug fixes and other changes. The Github compare for this release shows 173 commits by 20 different authors. So thanks once again to all of the people in the community that are working to improve Spree.
This is another minor patch release to address a few additional issues with the 0.10.0 release. Please report any issues in our issue tracker.
- #1215 Update Vietnamese translation
- #1230 Product#recalculate_count_on_hand migration from 0.9.4 to 0.10.0
- #1234 Billing address not accepting UK state
- #1238 Should not create empty order in db for orders/new action
- #1240 Add test-unit to gem dependency
- #1249 Authorize.net CIM does not work with live account
- #1251 Skip confirmation step if payment profiles are not available
- #1253 Table variants doesn’t exist when bootstrapping with extensions installed that modify the Variant model
- #1255 Products groups edit error
- #1257 Coupons do not recalculate credit after redeemed
- #1261 Type Error when Checkout
- #1263 Submitting a coupon during the checkout confirmation fails
- #1269 Orders Overview page breaks when there are no orders in the last 7 days
- #1276 Product Images not updating properly
This is a minor patch release to address three minor issues reported with the latest release. These issues were severe enough that we’ve decided to fix them immediately rather than wait until another release.
- #1209 – Ruby Gems Warning (reverted this fix – RubyGems 1.3.6 is now required again)
- #1245 – payment_gateway extension fails to load in production when spree is gemified
- #759 – Error with creating admin user during bootstrap: unknown attribute: password_confirmation (Fixed in production mode)
We’ve done our best to minimize the need for patch releases but we always seem to get a few bug reports after each release. We still have an outstanding issue with Authorize.net CIM that will probably require another patch release later this week. We’ll try to hold off until we are sure there are not any more critical bugs to fix.
Spree 0.10.0 has been released. It’s been several months since the last release so there is even more goodness than usual. Here are some of the highlights:
- Named scopes and product groups
- Pluggable search (with extension support for Xapian, Sphinx and Solr.)
- New and improved multi-step checkout
- Improved gateway configuration
- Multiple payment methods
- Refunds and credits
- SEO improvements
- Restful API
- Support for Rails 2.3.5 and Ruby 1.9
Please see the release notes for the complete details.
I’m especially proud of the support we continue to receive from our awesome community! Checkout the Github compare between this and the last release.
- 583 commits
- 32 different authors
- 1727 files changed
I’d like to give a special thanks to our newest core team members: David North and Roman Smirnov. David helped to save the day and finish the massive payment refactoring when I needed to go on a much needed vacation. Roman has been tirelessly applying patches submitted by the community when he was not busy writing his own! Paul Callaghan also deserves a special thanks (welcome back Paul!) Not only has he been very active on the spree-user list, but he spent countless hours making improvements to our documentation.
We have just released a beta version of Spree 0.10.0. We’re asking developers who are planning on upgrading when the final 0.10.0 gem is released to help us with some testing. It is recommended that you try this upgrade in a "sandbox" environment that matches your production environment. This will allow you to experiment safely and observe the effects of the upgrade process.
You should make sure you have RubyGems version 1.3.6 installed and then upgrade your Spree gem as follows:

```shell
gem update spree --pre
```
You can then upgrade your existing Spree application by switching to your application root and running:
There is some online documentation for the edge version but it’s still a work in progress. We hope to finalize the documentation next week when we push the final release. Please report any bugs you find in our issue tracker.
Spree 0.9.4 has been released. This is a trivial patch release. It fixes a bug that some users were experiencing installing the rdoc for the previous 0.9.3 gem. It is not necessary to upgrade from 0.9.3 if the gem is working for you since this affects only the documentation.
The Spree team is pleased to announce the latest release: v0.9.3. This is a patch release that provides support for the new Rails 2.3.5 release. Rails 2.3.5 contains a security fix so you may want to consider updating. We also addressed an issue with stylesheets when running Spree under a sub URI. We discovered that bug when preparing for another major announcement which should be coming soon.
This is also the first release on gemcutter (since Rubyforge gems are now out of fashion it seems.) If you’re not finding the gem, you just need to install the gemcutter gem.
```shell
gem install gemcutter
gem tumble
gem install spree # .. or gem update spree if you already have it installed
```
If you have an existing Spree app you can update it easily enough after you’ve upgraded the gem. Just run the following command in your application root:
This is a patch release containing a single important security fix. The security vulnerability was reported late yesterday and affects only the 0.9.0 and 0.9.1 versions of Spree. Sites running older versions of Spree (0.8.x, etc.) are not affected. If your site provides its own custom version of
checkout_controller.rb then you will want to make some modifications.
Add this filter to the top of your controller:

```ruby
before_filter :prevent_editing_complete_order, :only => [:edit, :update]
```

Then add the following method to your controller as well. It sends the customer back to the order page instead of letting the checkout of an already completed order be edited:

```ruby
private

def prevent_editing_complete_order
  redirect_to order_url(parent_object) if @order.checkout_complete
end
```

If your custom controller adds any other actions that modify the order, list them in the `:only` option too, otherwise they remain unprotected.
In the future, if you suspect a security bug, please send an email to firstname.lastname@example.org. Please do not send a message to spree-user until we have a chance to verify the issue and hopefully provide a timely fix.
Spree 0.9.1 is a trivial patch release which addresses a gem dependency issue caused by a recent change in the Github gem repository. If you are already running Spree 0.9.0 you do not need to update. The new version simply uses a slightly newer version of the compass and haml gems. The older versions were no longer available in a public repo so we did this release to make sure that new users were able to run things without a hitch.
Spree 0.9.0 has been officially released. This is a major release with several new features and improvements. The most anticipated new feature is coupon and discount support. The Spree core now ships with a minimal set of coupon calculators and provides the framework for building much more powerful custom logic. Speaking of calculators, Spree is now sporting a significantly improved system of calculators.
The new release is also compatible with Rails 2.3.4 which contains some crucial security fixes. This release also contains some significant improvements to product variants. It is now possible to configure different product images for each variant and to display the specific variant image in the shopping cart. Please also see the very detailed release notes for more information on the release and how to upgrade an existing version of Spree.
Spree continues to improve its i18n support and is proud to announce the addition of the following localizations:
- Mexican Spanish
If you have a new localization to add or wish to make improvements to an existing one, please see our contribution guidelines for information on how you can contribute.
We are already hard at work on the next major release. The massive growth in real world deployments of Spree has provided us with valuable insight into possible new features and improvements. We’ll be doing a major push to add core features as well as new extensions. There will also be a concerted effort to document and update the existing extensions. Stay tuned!
We’ve just done another patch release to Spree. This release actually contains no changes other than those that were supposed to have made it into the 0.8.4 release. Due to some “enthusiastic” git branch deletion I accidentally removed some of the changes needed for the release. So the 0.8.4 release did not really do anything other than increment the version number. This release contains the minor rake task upgrades that were supposed to be part of that release.
The Spree team is proud to announce the official release of Spree 0.8.4. This is a minor patch release that takes care of a few pesky issues related to migrations and sample data. Specifically, the following issues have been fixed:
- 494 – There are no default states for United states when you don’t load sample data
- 551 – Remove bootstrap restriction in production mode
- 553 – Allow creation of default user through web interface
- 550 – Seed data no longer populated correctly
- 552 – Allow db:admin:create rake task to be run more than once
The most important change is that we have modified the migrations so that they are no longer loading so-called "seed" data (countries, states etc.). Keeping this seed data out of the migrations fixes a whole bunch of problems. You can still create everything from scratch with a single rake task
By popular demand, the bootstrap task is once again permissible in production mode. For safety reasons it will not drop the existing database in production mode (as it does automatically in development and test modes).
You can also still build everything from scratch using individual rake tasks. In fact, we’ve created several new rake tasks so you can have fine grain control.
The following two rake tasks build an empty database with the required seed data.

```shell
rake db:migrate
```
You can create an admin user (or an additional admin user if you already have one) using
You can also load the sample data (assuming you don’t already have it through bootstrap) using