Spree Commerce

Posts in category ‘Releases’

Security Fix for all Spree Versions

Posted on August 19, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a security vulnerability present in all versions of Spree 1.1.x+.

Through specially crafted search parameters, an attacker is able to bypass authorization checks and determine the contents of database records. This may be used to expose customer details and other sensitive information. The vulnerability is reachable through the API, and no API key is required. All users are advised to patch or upgrade their stores immediately.

This is a non-backwards-compatible upgrade if you use custom ransack searches, because the allowed ransack searches are now whitelisted.

If you have custom ransack search associations and/or attributes, you may whitelist them following this example in:

config/initializers/spree.rb

Spree::Product.whitelisted_ransackable_associations |= ['reservation']
Spree::Product.whitelisted_ransackable_attributes |= ['presale']

Workaround

This initializer changes ransack's default so that searching across associations is not allowed. It is less complete than the patches, which also require attributes to be whitelisted.

# Any custom ransack searches in your store will have to be added to this list.
#
# config/initializers/security_20150817.rb

Rails.application.config.to_prepare do
  raise "Spree.user_class must be defined first" unless Spree.user_class

  whitelisted_associations = {
    # Revoke the ability to search across associations via ransack
    ActiveRecord::Base => [],

    # Put back the ability to search across associations that we know are used
    Spree::LineItem => ['variant'],
    Spree::Order => ['shipments', 'user', 'promotions', 'bill_address', 'ship_address', 'line_items', 'inventory_units'],
    Spree::Product => ['stores', 'variants_including_master', 'master', 'variants'],
    Spree::Promotion => ['codes'],
    Spree::Variant => ['option_values', 'product', 'prices', 'default_price'],

    Spree.user_class => ['bill_address', 'ship_address']
  }

  whitelisted_associations.each do |klazz, associations|
    klazz.define_singleton_method(:ransackable_associations) { |auth_object=nil| associations }
  end
end
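The workaround initializer above only restricts associations, and the advisory does not spell out how a search parameter turns into a data leak. The following is an added example, not Spree or ransack code: a toy model of ransack-style `attr_predicate` parameters in plain Ruby, with a constructed two-model schema (Product belongs to User), a made-up API key, and a `strict:` switch that stands for "whitelist enforced" versus the pre-patch behaviour. It assumes a prefix predicate (`_start`) as the oracle; with the `user` association reachable from the public product search, an attacker who only sees "empty or not empty" recovers the owner's key one character at a time, and with the whitelist in place the same queries carry no signal.

```ruby
# Added example, not Spree or ransack code: a toy model of ransack-style
# search parameters. It shows how an un-whitelisted association lets a
# public product search act as an oracle for another table, and how the
# whitelist from the patch removes that signal.

User    = Struct.new(:email, :spree_api_key)
Product = Struct.new(:name, :price, :user)

HEX     = (('0'..'9').to_a + ('a'..'f').to_a).freeze
API_KEY = '8f3a1c'.freeze   # constructed sample value, not a real key

def sample_products
  owner = User.new('owner@example.com', API_KEY)   # constructed data
  [Product.new('Ruby Mug', 12.0, owner), Product.new('Rails Tee', 20.0, owner)]
end

PREDICATES = {
  'eq'    => ->(value, arg) { value.to_s == arg },
  'cont'  => ->(value, arg) { value.to_s.include?(arg) },
  'start' => ->(value, arg) { value.to_s.start_with?(arg) }
}.freeze

# Schema and per-model whitelist. In Spree the whitelist is
# whitelisted_ransackable_attributes / _associations on each model.
MODELS = {
  Product => { associations: { 'user' => User },
               whitelisted_attributes: %w[name price],
               whitelisted_associations: [] },
  User    => { associations: {},
               whitelisted_attributes: %w[email],
               whitelisted_associations: [] }
}.freeze

# Turn "user_spree_api_key_start" into [['user'], 'spree_api_key', 'start'].
# strict: false is the pre-patch behaviour (anything reachable is searchable);
# strict: true enforces the whitelist and drops the condition, which is what
# ransack does with a condition it does not recognise.
def parse_condition(klass, key, strict:)
  pred = PREDICATES.keys.find { |p| key.end_with?("_#{p}") }
  return nil unless pred
  path = key[0...-(pred.length + 1)]
  assocs = []
  loop do
    schema = MODELS[klass]
    if klass.members.include?(path.to_sym) && !schema[:associations].key?(path)
      return nil if strict && !schema[:whitelisted_attributes].include?(path)
      return [assocs, path, pred]
    end
    name, target = schema[:associations].find { |n, _| path.start_with?("#{n}_") }
    return nil unless name
    return nil if strict && !schema[:whitelisted_associations].include?(name)
    assocs << name
    klass = target
    path  = path[(name.length + 1)..-1]
  end
end

# Apply a params hash like { 'name_cont' => 'Ruby' } to an in-memory scope.
def search(klass, records, params, strict:)
  params.reduce(records) do |scope, (key, arg)|
    cond = parse_condition(klass, key, strict: strict)
    next scope if cond.nil?          # unknown or forbidden condition: ignored
    assocs, attr, pred = cond
    scope.select do |rec|
      target = assocs.reduce(rec) { |r, a| r && r[a.to_sym] }
      target && PREDICATES[pred].call(target[attr.to_sym], arg)
    end
  end
end

# Attacker's view: only whether the product listing comes back empty.
# Each round extends the known prefix by the single character that still
# yields results; it stops once the oracle no longer singles one out.
def recover_api_key(products, alphabet, strict:)
  known = ''
  loop do
    hits = alphabet.select do |c|
      q = { 'user_spree_api_key_start' => known + c }
      !search(Product, products, q, strict: strict).empty?
    end
    return known unless hits.size == 1
    known += hits.first
  end
end

if __FILE__ == $PROGRAM_NAME
  products = sample_products
  puts "pre-patch: #{recover_api_key(products, HEX, strict: false).inspect}"
  puts "whitelist: #{recover_api_key(products, HEX, strict: true).inspect}"
end
```

The point of the `strict: true` branch is that a forbidden condition is dropped rather than rejected: every probe returns the full listing, so the attacker gets the same answer for every character and the loop ends immediately. Legitimate searches on whitelisted attributes (`name_cont`, `price_eq`) keep working in both modes.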

Credit

Thanks to Andrew Thal from Bonobos for reporting the issue privately. This allowed us to verify the problem and prepare the necessary security patches for public release.

If you find any security issues please notify us privately via the security@spreecommerce.com email address.

Full Changes

To see a complete list of changes please view the compare pages:

Security Fix for all Spree Versions

Posted on July 28, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability present in all versions of Spree 1.2.x+.

An attacker with API access is able to execute arbitrary files on the remote system. This could likely be leveraged to gain admin privileges, disclose the contents of files or execute arbitrary code.

We recommend all users upgrade immediately, but this is especially dangerous to stores which provide API access to customers.

If you are unable or unwilling to upgrade, you can monkey patch your Spree application with an initializer, config/initializers/security_20150728.rb, as a quick workaround:

# Only the literal value "nested" is accepted for params[:set]; any other
# value is dropped before the action runs.
Spree::Api::TaxonomiesController.before_filter do
  params[:set] = nil if params[:set] != "nested"
end

If you are using an unsupported version, such as 1.2.x, 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.

Previous security releases

If you have not already read about and patched last week's security release, it is urgent that you immediately upgrade to these latest releases or patch the previous security vulnerability as well. While this current security issue does require a valid API key, the previous security issue does not, making all unpatched Spree stores vulnerable.

Credit

Thanks to John Hawthorn again from Free Running Tech for reporting the issue privately after his recent security audit via the security@spreecommerce.com email. This allowed us to verify the problem and prepare the necessary security patches for public release.

Full Changes

To see a complete list of changes please view the compare pages:

Security Fix for all Spree Versions

Posted on July 20, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker read access to any file on the server.

We strongly advise everyone to upgrade to the latest version of Spree available for their stores immediately. For example, if you’re running v2.4.7, please upgrade to v2.4.8 immediately.

If you are unable or unwilling to upgrade, you can monkey patch your Spree application with an initializer, config/initializers/security_20150720.rb, as a quick workaround:

# Force the responder to render only the template the controller itself
# selected (options[:default_template]).
module Spree::Api::Responders::RablTemplate
  def template
    options[:default_template]
  end
end

If you are using an unsupported version, such as 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.
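The July 20 fix above pins the RABL responder to `options[:default_template]`, and the July 28 workaround drops `params[:set]` unless it is exactly "nested"; both remove a request-controlled template name from the API. The following added example, which is not Spree code, contrasts the unsafe lookup with an allow-listed one in plain Ruby. Everything in it is constructed: a temporary view tree with two templates (`nested` is taken from the workaround above, `show` is an assumed default), a `secrets.yml` outside the view directory standing in for a file an attacker would want, and the function names.

```ruby
# Added example, not Spree code. Models the pattern behind both July 2015
# fixes: a template name taken from the request lets the caller read files
# outside the view directory; an allow-list maps the request to a fixed set.
require 'tmpdir'
require 'fileutils'

VIEW_DIR = 'taxonomies'.freeze
ALLOWED  = %w[show nested].freeze   # the only templates the API may render
DEFAULT  = 'show'.freeze

# Constructed fixture: two legitimate templates plus a file outside the
# view directory (the secret value is made up).
def build_view_root
  root = Dir.mktmpdir('spree-views-')
  FileUtils.mkdir_p(File.join(root, VIEW_DIR))
  File.write(File.join(root, VIEW_DIR, 'show.rabl'),   'object @taxonomy')
  File.write(File.join(root, VIEW_DIR, 'nested.rabl'), "object @taxonomy\nchild :root")
  File.write(File.join(root, 'secrets.yml'), 'secret_key_base: 0123abcd')
  root
end

# Pre-patch shape: whatever the caller names is resolved relative to the
# view directory, so "../secrets.yml" walks straight out of it.
def unsafe_template_path(root, requested)
  File.expand_path(requested, File.join(root, VIEW_DIR))
end

# Hardened shape: the request may only pick one of ALLOWED, anything else
# falls back to DEFAULT, and the resolved path is still checked to lie
# inside the view directory as defence in depth.
def safe_template_path(root, requested)
  name = ALLOWED.include?(requested) ? requested : DEFAULT
  base = File.expand_path(File.join(root, VIEW_DIR))
  path = File.expand_path("#{name}.rabl", base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, 'template resolved outside the view directory'
  end
  path
end

def render_unsafe(root, requested)
  File.read(unsafe_template_path(root, requested))
end

def render_safe(root, requested)
  File.read(safe_template_path(root, requested))
end

if __FILE__ == $PROGRAM_NAME
  root = build_view_root
  puts "unsafe ../secrets.yml -> #{render_unsafe(root, '../secrets.yml').inspect}"
  puts "safe   ../secrets.yml -> #{render_safe(root, '../secrets.yml').inspect}"
  puts "safe   nested         -> #{render_safe(root, 'nested').inspect}"
  FileUtils.rm_rf(root)
end
```

The allow-list does the real work; the containment check after it only catches a future mistake such as someone adding a name with a slash to ALLOWED. Mapping unknown values to a default rather than raising mirrors the workaround above, which nulls `params[:set]` instead of rejecting the request.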

Credit

Thanks to John Hawthorn from Free Running Tech for reporting the issue privately after his recent security audit via the security@spreecommerce.com email. This allowed us to verify the problem and prepare the necessary security patches for public release.

Full Changes

To see a complete list of changes please view the compare pages:

Spree 3.0.1 Released

Posted on May 05, 2015 by Jeff Dutil

Summary

Spree has issued new 2.3.10, 2.4.7, and 3.0.1 releases which are available now! These releases are primarily focused on bug fixes particularly with promotions.

You can review the Github Compare for a complete list of 2.3.x changes.
You can review the Github Compare for a complete list of 2.4.x changes.
You can review the Github Compare for a complete list of 3.0.x changes.

Spree 3.0.0 Released and Versions 2.2.11, 2.3.9 & 2.4.6 Released

Posted on March 10, 2015 by Jeff Dutil

Summary

The Spree 3.0.0, 2.4.6, 2.3.9, and 2.2.11 releases are out now!

What’s new in Spree 3? We’ve switched the front and back ends to use Bootstrap, added Rails 4.2 support, and added Google Analytics Enhanced Ecommerce tracking. We’ve also continued our move away from Spree handling things that should be done at the Rails application level, such as specifying environments and setting up SSL.

You can view the Release Notes for more details, and upgrade tips.
Please feel free to submit a PR adding any of your own upgrade tips or gotchas not mentioned in the release notes.

Spree 2.2.11, 2.3.9, and 2.4.6 releases are focused on bug fixes related to regressions from the previous security release. You can view the full change comparisons on Github:

Older Versions of Spree

If you are using Spree versions 2.2.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Security Fix for all Spree Versions

Posted on March 03, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker to carry out a CSRF attack and gain access to private information. Users are advised to perform an immediate upgrade.

We have officially released the following new Spree versions: 2.2.10, 2.3.8, 2.4.5, and 3.0.0.rc4. These API versions are not backwards compatible, and contain breaking changes to address the security vulnerability. To see a complete list of changes please view the compare pages:

Details on the security patch

We strongly advise everyone to upgrade to the latest version of Spree available for their stores. For example, if you’re running v2.4.4, please upgrade to v2.4.5 immediately.

Alternatively, you can fork Spree to a local `vendor/gems/spree` directory within your application and apply the patch using one of these commands:

  • 2-2-stable: git cherry-pick e2adc67680c43eac82a44047cca62ab4d306a54b
  • 2-3-stable: git cherry-pick 5409de614da27431321e57f2cfcf940a1b15e3f0
  • 2-4-stable: git cherry-pick 02c4e6f8cfb0c2c13e904739f2991454b141c9b4
  • 3-0-stable: git cherry-pick 4688106985eeea4a211fb5d0d9c4cacb92e72145

For users of unsupported versions of Spree you should cherry-pick the 2-2-stable commit to back port changes to your own fork.

Credit

Thanks to Egor Homakov from Sakurity for following security procedures and reporting the issue privately for responsible disclosure via the security@spreecommerce.com email. This allowed us to verify the problem and prepare the necessary security patches for public release.

Spree 3 Release Candidate 3 and Versions 2.3.7 & 2.4.4 Released

Posted on February 23, 2015 by Jeff Dutil

Summary

The Spree 3.0.0.rc3, 2.4.4, and 2.3.7 releases are out now!

What’s new in Spree 3? We’ve switched the front and back ends to use Bootstrap, added Rails 4.2 support, and added Google Analytics Enhanced Ecommerce tracking.

Please give the release candidate a try, and report any issues on Github project. If there are no serious issues reported in the coming week we will release a final version.

You can view the Release Notes for more details, and upgrade tips.
Please feel free to submit a PR adding any of your own upgrade tips or gotchas not mentioned in the release notes.

Spree 2.4.4 release is primarily focused on bug fixes, and minor performance improvements. You can review the Github Compare for a complete list of 2.4.x changes.

Spree 2.3.7 release is also primarily focused on bug fixes. You can review the Github Compare for a complete list of 2.3.x changes.

Older Versions of Spree

If you are using Spree versions 2.1.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 3 Release Candidate and Version 2.4.3 Released

Posted on February 04, 2015 by Jeff Dutil

Summary

The Spree 3.0.0.rc1 and 2.4.3 releases are out now!

What’s new in Spree 3? We’ve switched the front and back ends to use Bootstrap, added Rails 4.2 support, and added Google Analytics Enhanced Ecommerce tracking.

Please give the release candidate a try, and report any issues on Github project. If there are no serious issues reported in the coming week we will release a final version.

You can view the Release Notes for more details, and upgrade tips.
Please feel free to submit a PR adding any of your own upgrade tips or gotchas not mentioned in the release notes.

Spree 2.4.3 release is primarily focused on bug fixes, and minor performance improvements. You can review the Github Compare for a complete list of 2.4.x changes.

Older Versions of Spree

If you are using Spree versions 2.1.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.2.9 & 2.1.12 Released

Posted on December 23, 2014 by Jeff Dutil

Summary

We have just released new Spree versions 2.2.9 & 2.1.12.

The primary focus of these releases was resolving security flaws in the API. While no user or credit card data could be exploited with this flaw, there is the potential to commit fraud by manipulating order prices. It is recommended that all Spree installations running 2.1.x, and 2.2.x upgrade as soon as possible.

Thanks to Jordan Brough for finding the issue, and providing a patch to resolve the issue.

You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.

Reporting Security Issues

Please do not announce potential security vulnerabilities in public. We have a dedicated email address security@spreecommerce.com. We will work quickly to determine the severity of the issue and provide a fix for the appropriate versions. We will credit you with the discovery of this patch by naming you in a blog post.

If you would like to provide a patch yourself for the security issue do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:

$ git format-patch HEAD~1..HEAD --stdout > patch.txt

This command will generate a file called `patch.txt` with your changes. Please email a description of the patch along with the patch itself to security@spreecommerce.com.

Older Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. While this security flaw only affects versions 2.1.x & 2.2.x we have already reached the end of life for official 2.0.x support. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.4.2 Released

Posted on December 05, 2014 by Jeff Dutil

Summary

We have just released new versions of all the currently supported Spree versions. The Spree 2.4.2, 2.3.6, 2.2.8, 2.1.11 releases are out now!

The primary focus of these releases was resolving a security flaw in the API. While no user or credit card data could be exploited with this flaw, there is the potential to commit fraud by manipulating an item’s price. It is recommended that all Spree installations running a 2.1.x, 2.2.x, 2.3.x, and 2.4.x upgrade as soon as possible.

Thanks to Leandro Julian for finding the issue, and providing a patch to resolve the issue.

You can review the Github Compare for a complete list of 2.4.x changes.
You can review the Github Compare for a complete list of 2.3.x changes.
You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.

Reporting Security Issues

Please do not announce potential security vulnerabilities in public. We have a dedicated email address security@spreecommerce.com. We will work quickly to determine the severity of the issue and provide a fix for the appropriate versions. We will credit you with the discovery of this patch by naming you in a blog post.

If you would like to provide a patch yourself for the security issue do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:

$ git format-patch HEAD~1..HEAD --stdout > patch.txt

This command will generate a file called `patch.txt` with your changes. Please email a description of the patch along with the patch itself to security@spreecommerce.com.

Older Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. While this security flaw only affects versions 2.1.x+ we have already reached the end of life for official 2.0.x support. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.4.0 Released

Posted on November 20, 2014 by Jeff Dutil

Summary

The Spree 2.4.0 release is out now!

What’s new in Spree 2.4? We’ve completely overhauled the return authorization system in Spree, and made it much more robust and flexible. There are now also default html email templates, and an updated admin order form.

You can view the Release Notes for more details, and upgrade tips. Please feel free to submit a PR adding any of your own upgrade tips or gotchas not mentioned in the release notes.

What else is new?

We have also just released new versions of all the currently supported Spree versions.

The primary focus of these releases was updating to the latest version of Rails to patch
CVE-2014-7829

Users on Spree 2.3.x should also see some small performance improvements as well. These were primarily from adding database indexes, and improving the current order lookup hot spot.

You can review the Github Compare for a complete list of 2.3.x changes.
You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.
You can review the Github Compare for a complete list of 2.0.x changes.

Older Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. We have reached the end of life for official 2.0.x support. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

What’s next?

We’ve got lots of great feedback from the Spree community on what you would like to see next. There are going to be a lot of big changes coming soon, and here is a short list of things to expect in the near future:

  • Performance, Performance, Performance!
  • Extended REST API
  • Store Credits
  • Bootstrap Back & Front
  • Rails 4.2

As well as improving the Spree codebase we’ve also got lots of feedback on our community management & process. We will have a follow-up blog post about this in the near future, but here are a few things to expect:

  • Additional core members outside of Spree Commerce
  • Improved community communication
  • Improved upgrade paths
  • Stricter backporting policies
  • Stricter code reviews

Spree now powers billions of dollars in eCommerce transactions every year, and we hear you loud and clear that we must uphold strict standards to ensure you’re not losing your piece of the pie.

Spree 2.4.0.rc3 Released

Posted on November 07, 2014 by Jeff Dutil

Summary

The Spree 2.4.0.rc3 release is out now. We would like everyone to try it out, and report any issues before a final version is released. We expect that 2.4.0 final will be released in a week or two unless there are any major issues discovered.

What’s new in Spree 2.4? We’ve completely rewritten the return authorization system in Spree, and made it much more robust and flexible. There are now also default html email templates, extendable order populator options, and an updated admin order form.

You can view the Release Notes for more details, and upgrade tips. Please feel free to submit a PR adding any of your own upgrade tips or gotchas not mentioned in the release notes.

What’s next?

Once Spree 2.4.0 is released we will begin work on a 2.5.0 release, which we will be focusing on Rails 4.2 support & major performance improvements. Once we’ve provided Rails 4.2 support in what is expected to be a quick release, we will be moving on to a major Spree 3 update!

Older Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.4.x will be released in the near future, and will mean the end of official 2.0.x support.

Spree 2.4.0.rc2 Released

Posted on October 09, 2014 by Jeff Dutil

Summary

Spree has issued new 2.4.0.rc2 & 2.3.4 releases which are available now!

The 2.3.4 release fixes a regression that allowed certain orders to transition to a complete state without completed payment. It is recommended to update as soon as possible if you’re on the 2.3.x gem series.

You can review the Github Compare for a complete list of 2.3.x changes.

Spree 2.4.0.rc2

The Spree 2.4.0.rc2 release is out now. We would like everyone to try it out, and report any issues before a final version is released. We expect that 2.4.0 final will be released in a week or two unless there are any major issues discovered.

What’s new in Spree 2.4? We’ve completely rewritten the return authorization system in Spree, and made it much more robust and flexible. There are now also default html email templates, extendable order populator options, and an updated admin order form.

You can view the Release Notes for more details, and upgrade tips. Please feel free to submit a PR adding any of your own upgrade tips not mentioned in the release notes.

What’s next?

Once Spree 2.4.0 is released we will begin work on a 2.5.0 release, which we will be focusing on Rails 4.2 support & performance improvements. Once we’ve provided Rails 4.2 support in what is expected to be a quick release, we will be moving on to a major Spree 3 update!

Older Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.4.x will be released in the near future, and will mean the end of official 2.0.x support.

Spree 2.3.3 Released

Posted on September 19, 2014 by Jeff Dutil

Summary

Spree has issued new 2.3.3, 2.2.6, and 2.1.9 releases which are available now! These releases are primarily all focused on bug fixes.

If you are upgrading to Rails 4.1.6 or 4.0.10 please make sure to update to these latest releases, which resolve regressions caused by the mail gem dependency.

You can review the Github Compare for a complete list of 2.3.x changes.
You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.

Other Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.4.x will be released in the near future, and will mean the end of official 2.0.x support.

Happy Friday!

Have a great weekend everyone.

Spree 2.3.2 Released

Posted on August 29, 2014 by Jeff Dutil

Summary

Spree has issued new 2.3.2, 2.2.5, 2.1.8, and 2.0.12 releases which are available now! These releases are primarily all focused on bug fixes.

Version 2.3.2 has also received many API improvements as well.

You can review the Github Compare for a complete list of 2.3.x changes.
You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.
You can review the Github Compare for a complete list of 2.0.x changes.

Other Versions of Spree

If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.

Spree 2.4.x will be released in the near future, and will mean the end of official 2.0.x support.

Happy Labor Day Weekend Everyone :)

Spree 2.3.0 Released

Posted on June 30, 2014 by Ryan Bigg

Spree 2.3’s large changes include Rails 4.1 support, better preferences storage, better support for multi-store, and better guest user tracking. There have been 700 commits by 97 contributors to bring us to Spree 2.3, and we are excited to release it!

Rails 4.1 Support

Rails 4.1 is now supported by Spree 2.3. If you wish to use 4.1, Spree 2.3 is the release for you.

Preferences serialized on records

Preferences are now stored on their records, rather than being stored in `spree_preferences`. This means that to fetch a preference for say, a calculator, one query needs to be done to the database for that row, as that row has the `preferences` column which contains all preferences.

Previously, there would be a single DB call for the record itself, and then any number of database calls thereafter to fetch the required preference values for that record. What happens now is that there’s only one database call, which means there should be some minor speedups.

Better multi-store support

A `Spree::Store` model for basic multi-store/multi-domain support has been added. This provides a basic framework for multi-store/multi-domain, based on the spree-multi-domain extension. Some existing configuration has been moved to this model, so that they can have different values depending on the site being served:

  • `Spree::Config[:site_name]` is moved to `name`
  • `Spree::Config[:site_url]` is moved to `url`
  • `Spree::Config[:default_meta_description]` is moved to `meta_description`
  • `Spree::Config[:default_meta_keywords]` is moved to `meta_keywords`
  • `Spree::Config[:default_seo_title]` is moved to `seo_title`

A migration will move existing configuration onto a new default store.

A new `ControllerHelpers::Store` concern provides a `current_store` helper that looks up the store based on the request’s domain.

Better guest user tracking

Now we are using a signed cookie to store the guest’s unique token in the browser. This allows customers who close their browser to continue their shopping when they visit again. More importantly, it allows you as a store owner to uniquely identify your guests’ orders. Since we set `cookies.signed[:guest_token]` whenever a visitor arrives, you may also use this cookie token on objects other than orders.

For instance, if a guest user wants to favorite a product, you can assign the `cookies.signed[:guest_token]` value to a token field on your favorites model. This will then allow you to analyze the orders and favorites that this user has placed before, which is useful for recommendations.

Summary

You can view a more detailed list of these changes on Github.

Coinbase Releases Bitcoin Extension

Posted on April 08, 2014 by Alexander Diegel

Coinbase Releases Bitcoin Extension for Spree Commerce Stores

Coinbase has just announced that all of the 45,000-plus retailers that have elected to use the Spree Commerce platform can now easily take advantage of the benefits of Bitcoin payments.

Use of Bitcoin is on the rise, though as technology blog The Next Web detailed in a recent post, store owners still have a lot of factors to consider as they decide whether and how to accept it. There are security issues to take into account, as well as the currency’s volatility. The Coinbase platform helps merchants accept Bitcoin without having to adjust for rapid fluctuations in the currency’s price. Using Coinbase, merchants can accept Bitcoin while still specifying prices in their local currencies.

Accepting Bitcoin using Coinbase on your Spree store takes just a few minutes. For more information, visit the Coinbase blog here. To download the extension from Github, simply click here.

Important Security Fix for all Spree 2.x.x Versions

Posted on March 25, 2014 by Ryan Bigg

We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker to gain the security token for an order. The exploit would require the attacker to randomly guess valid order numbers, but once achieved, the technique would reveal private customer information associated with the order. Credit card details are never stored in Spree and were never at risk by this exploit. Users are advised to perform an immediate upgrade.

We have officially released the following new Spree versions: 2.0.10, 2.1.6, and 2.2.1. These versions also contain several other minor fixes. To see a complete list of changes please view the compare pages:

Tax calculation corrections

Also worth noting is that on the 2-2-stable branch, there have been some minor tweaks to improve the tax calculation there. In certain circumstances, the tax amount that was applied was incorrect. For information about that, please see Issue #4327.

Details on the security patch

We strongly advise everyone to upgrade to the latest version of Spree available for their stores. For example, if you’re running v2.0.9, please upgrade to v2.0.10 immediately.

Alternatively, you can fork Spree to a local `vendor/gems/spree` directory within your application and apply the patch using one of these commands:

  • 2-0-stable: git cherry-pick dc6f3b5b87f31e4f1ce7f8a5ef8378abbb3b16ea
  • 2-1-stable: git cherry-pick 71807994b779fc921d494234aa16b6f081a6c2c4
  • 2-2-stable: git cherry-pick ba4ab90dfb36a8bd25c465f763c977963821102b

Thanks to Michael Nowak from Taktsoft for following security procedures and reporting the issue privately to the security team via the security@spreecommerce.com email. This allowed us to quickly verify the problem and to quickly prepare the necessary security patches for public release.

Future security announcements

Going forward, the best way to ensure you receive all security announcements is to subscribe to the spree security mailing list. The mailing list is very low traffic, and it receives the public notifications the moment the embargo is lifted. Security announcements will also continue to be announced via our blog and social media.

Spree 2.2.0 Released

Posted on February 26, 2014 by Ryan Bigg

Spree 2.2’s large changes include a re-working of the built-in adjustments system, caching improvements, a slightly different location for Spree’s assets and a basic implementation of risk analysis.

Adjustments system refactoring

For a while now we’ve been wanting to refactor the adjustments system and make it less confusing. Adjustments are a key part of any store, and therefore these need to function smoothly. In the end, we’ve produced an adjustments system that is more consistent and flexible than the system found in earlier versions of Spree.

Caching improvements

We’ve listened to feedback where people wanted caching within the Frontend and API components of Spree, and have added that in. Fragment caching will now happen with things such as the products list and product pages on the frontend, and on key actions within the API.

New Spree asset locations

Spree’s assets have moved within an application out of `app` and into `vendor`. Along with this, the assets have been renamed. For more information, please read this section in Core’s changelog.

Risk analysis

If an order’s payment falls outside of the proper AVS and CVV classifications, then the order will be considered “risky”. The order will need to be approved (or rejected) before anything can be done on it.

Summary

Each component’s changelogs will provide you with a more detailed log of what’s changed, so be sure to check them out:

New 1.3, 2.0 and 2.1 releases

Posted on October 16, 2013 by Ryan Bigg

Today we have released new versions of the 1.3.x, 2.0.x and 2.1.x branches of Spree: 1.3.4, 2.0.6 and 2.1.2 respectively. These new releases contain contributions from the community as well as a security fix for the API.

For more information please check out the release notes on GitHub:

Spree 2.0.5 Released

Posted on September 16, 2013 by Sean Schofield

We have just released a patch version to the Spree 2.0.x series. Spree 2.0.5 is now officially available and it addresses several minor bug fixes discovered since the previous Spree 2.0.4 release. You can review the Github compare for a complete list of changes.

Spree 2.1.0 Released

Posted on September 16, 2013 by Ryan Bigg

Spree 2.1.0 has now been officially released. Around 700 commits by 48 contributors went into making this release the best release of Spree yet.

There are not that many significant changes in this release, but there are three major things we would like to point out:

Rails 4 compatibility

This is the first release of Spree which is completely Rails 4 compatible. This effort was largely undertaken by Washington Luiz (huoxito), one of our core team members. If you wanted Rails 4 compatibility, you have it now. Thank Washington when you see him around.

API changes

In this major Spree release, the API component has been battle-tested with our experimental Spree + Marionette project. As a result of our testing, we found the API needed some improvements and we’ve done that and a bit more.

Better PayPal Express extension

We now have a better Spree PayPal Express extension which is fully compatible with this release. If you are looking for PayPal Express Checkout integration for your new Spree store, check out this extension.

For other changes, please read our release notes.

Spree 2.0.0 Released

Posted on May 19, 2013 by John Dyer

Spree 2.0.0 has now been officially released. It’s been exactly five months since the last major release, although we have had several minor releases along the way. This has been a massive community effort with 1,412 commits by 35 contributors affecting 2,303 different files.

Let’s go over some of the highlights of this release:

Removing Support for Ruby 1.8.7

In this major Spree release, we are removing support for Ruby 1.8.7. This version of Ruby is no longer supported by the Ruby core team, so if you are still using 1.8.7, it is time to upgrade.

Split Core

Due to numerous requests to have the ability to use either the frontend or the backend separately from the other, we have split Spree up into the following components:

  • Api
  • Backend
  • Core
  • Dash
  • Frontend
  • Sample

The Backend component provides the admin interface for Spree and the Frontend component provides the frontend user-facing checkout interface. These components were extracted out of Core to allow for users of Spree to override the frontend or backend functionality of Spree as they choose. Core now contains just the very basic needs for Spree (primarily the data models.)

Split Shipments

We’ve been grappling with the issue of complex Spree stores that require sophisticated shipping and warehouse logic for several years now. While it has always been manageable to get this to work on individual store basis, a more general solution that would be useful for all stores has always eluded us (until now). We are proud to introduce the new split shipments functionality to Spree.

There are four main components that make up split shipments, described in this post: Stock Locations, Stock Items, Stock Movements and Stock Transfers.

  • Stock locations are the locations where your inventory is shipped from. Each stock location can have many stock items. When creating a new stock location, stock items for that location are automatically created for each variant in your store.
  • Stock items represent the inventory at a stock location for a specific variant.
  • Stock movements allow you to manage the inventory of a stock item for a stock location.
  • Stock transfers allow you to bulk transfer stock from one or more variants between two stock locations.

This feature is discussed more in-depth in our Introducing Split Shipments blog post.

API Updates

The Spree API is always improving and the release of Spree 2.0.0 is no exception. We have introduced new API endpoints to allow for management of more Spree resources including those introduced with Split Shipments.

In addition, we have introduced instance level permissions, custom templates and many other features of which there are too many to list here. Please see the release notes for the complete list of changes to the API.

Miscellaneous Changes

As with every major Spree release, there are also a ton of commits related to minor bug fixes and other subtle improvements. Please see the Github compare for a complete list of changes in this release. You can also see a written summary of the changes with additional details in the release notes.

Spree 2.0.0.rc1 is Now Available

Posted on May 13, 2013 by Sean Schofield

We’re happy to announce Spree 2.0.0.rc1 is now available! We’ve been working around the clock to get the release ready before SpreeConf. Please test out the release candidate and report any showstopping issues you find ASAP. Please report any issues you have in our Github Issue tracker. Remember to indicate the problem is with the 2.0.0 code (as opposed to previous versions of Spree.)

Splitting the Spree Core

Posted on March 27, 2013 by Ryan Bigg

Coming in Spree 2.0 – Rearchitecting the Spree Core!

In my last post, I covered one of the features that will be going into Spree 2.0 – improved support for internationalization.

In this post, I’m going to cover a major rearchitecting of Spree, similar in size to the changes for Spree 1.0 (namespacing + cleanup), and Spree 1.2 when the auth component was removed and turned into spree_auth_devise.

In Spree 2.0, we’re splitting up the core component into three different pieces: Core, Frontend and Backend. This is due to a large number of requests from our users asking if they could just use the bare-essentials for Spree in one component.

Core

Core will contain the very basics of Spree; just enough to get going. This is what you would use if, for example, you only wanted the database structure of Spree and then to build your own frontend and backend on that. Core will also contain the Promo engine, which was used to manage promotions. This has been used by a lot of stores, and it makes sense to bake it right into Core, rather than having it out in its own separate module and then having it “hack” into Core.

Frontend

Frontend will contain the frontend of Spree; things like viewing products and the checkout process are contained within this module.

Backend

Backend will contain the admin functionality from Spree; things such as product data editing functions, taxons and promotion management.

The backend and frontend components also make use of the API component in order to perform some of their actions. You could also use the API to build a completely custom frontend for Spree, using a JavaScript framework such as AngularJS or Ember, if you wanted. With the ability to pick just the Core and API components with Spree, this has never been easier.

We’ll be offering a lot more detail about splitting the Spree core and other new features included in Spree 2.0 at SpreeConf DC May 20th – 21st in Washington, DC. Check out the full conference schedule. Register below to get the $199 early bird rate before it ends March 31st.

Multiple Security Vulnerabilities Fixed

Posted on February 21, 2013 by John Dyer

The Spree team was recently alerted to several potential security vulnerabilities. If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at security@spreecommerce.com and we will investigate and fix the issue as quickly as possible.

Spree Roles Mass-assignment Vulnerability

The first vulnerability reported pertains to a mass-assignment vulnerability with Spree roles. By passing the right parameters while updating their own user record, a user is able to assign any existing role (including admin) to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.x.

Thanks to Laurens Nienhaus of asdfasdf.de, Web Entwicklung for reporting this.
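The bug class behind this report, as an added example in plain Ruby (no Rails). It is not the spree_auth_devise code or its fix: it models a user update that copies every submitted key onto the record, beside a whitelisted version that only copies the attributes a profile form is allowed to change. The attribute names (`role_ids`, `roles`) and the attack request body are assumptions constructed for illustration.

```ruby
# Added example, not Spree's code. Contrasts an unguarded attribute update
# (every request key is written) with a whitelisted one.

Role = Struct.new(:id, :name)
ROLES = { 1 => Role.new(1, "user"), 2 => Role.new(2, "admin") }.freeze

class User
  attr_accessor :email, :password, :role_ids

  # Attributes a self-service "edit my account" form may legitimately change.
  PERMITTED = %w[email password].freeze

  def initialize(email)
    @email = email
    @password = nil
    @role_ids = [1]          # every new account starts as a plain user
  end

  def roles
    role_ids.map { |id| ROLES.fetch(id).name }
  end

  # Vulnerable: every key in the request hash becomes an attribute write, so a
  # body containing role_ids=[2] promotes the caller to admin.
  def update_attributes_unsafe(params)
    params.each { |k, v| public_send("#{k}=", v) }
    self
  end

  # Hardened: only whitelisted attributes are copied; role_ids is dropped.
  # This is the strong-parameters / attr_accessible discipline in miniature.
  def update_attributes_safe(params)
    params.each do |k, v|
      next unless PERMITTED.include?(k.to_s)

      public_send("#{k}=", v)
    end
    self
  end
end

# Constructed request body: what an attacker submits to the account form.
ATTACK_PARAMS = { "email" => "mallory@example.com", "role_ids" => [2] }.freeze
```

The whitelist approach is the one to keep: role assignment belongs in an admin-only code path with its own authorization check, never in the same update that a user can trigger against their own record.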

Versions Affected

1.2.x, 1.3.x, Edge

The Fix

If you are using spree_auth_devise, run the following command to update to the latest version:


bundle update spree_auth_devise

1.1.x

It’s recommended that you update to v1.1.6. This release contains the security fix.

JSON Gem Object Creation Vulnerability

The second is related to an Unsafe Object Creation vulnerability found in the JSON gem. This vulnerability potentially affects all versions of Spree that are running an outdated JSON gem.
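What “unsafe object creation” means in practice, as an added example that is not code from Spree or from the json gem’s advisory. With additions enabled, the parser looks up the class named by a `json_class` key in the input and calls that class’s `json_create` hook with attacker-supplied data. The `AuditEntry` class and the payload below are constructed stand-ins for any class reachable in a real application.

```ruby
require "json"

# Added example, not Spree's code. Demonstrates the json gem's
# "json_class" additions mechanism on a constructed class and payload.

class AuditEntry
  attr_reader :message

  def initialize(message)
    @message = message
  end

  # Hook the json gem calls for this class when additions are enabled.
  def self.json_create(hash)
    new(hash["message"])
  end
end

# Constructed payload: the kind of body a client could post to any endpoint
# that feeds request JSON to the parser.
PAYLOAD = '{"json_class":"AuditEntry","message":"created by the parser"}'

# Opting in to additions turns untrusted input into an application object.
def parse_with_additions(json)
  JSON.parse(json, create_additions: true)
end

# Plain parse (the default in fixed versions of the gem) yields only a Hash;
# "json_class" is just another string key.
def parse_plain(json)
  JSON.parse(json)
end
```

Run against `PAYLOAD`, `parse_plain` returns a `Hash`, while `parse_with_additions` returns an `AuditEntry` built entirely from client data. The takeaway for any Ruby service is to treat `JSON.parse` with `create_additions: true` (and `JSON.load`, which historically enabled it) as off limits for untrusted input, regardless of gem version.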

Versions Affected

All Versions

The problem is not with Spree itself but the json gem upon which it relies. By using the suggested fix below you can ensure you are running a secure version of the json gem.

The Fix

This is easily fixed by upgrading to the latest version of the JSON gem, which can be done by running the following command:


bundle update json

We have added a hard dependency on JSON to spree_core to ensure that in future versions of Spree you are using an unaffected version of the gem.

Thanks to Steve Root of Roots Kitchens Bedrooms Bathrooms for bringing this to our attention. More info on this vulnerability can be found on the rails-security group.

Unsafe Use of Constantize in Admin

The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.
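The pattern behind “unsafe use of constantize”, as an added example in plain Ruby that is not the Spree fix in commit 70092eb. It contrasts resolving a class name taken from the request with reflection (`Object.const_get`, which behaves like ActiveSupport’s `String#constantize` here) against selecting from a fixed allow-list. The calculator classes and the `type_param` name are assumptions for illustration.

```ruby
# Added example, not Spree's code. Shows why a request-supplied class name
# must select from a developer-owned list rather than be resolved directly.

module Calculator
  class FlatRate
    def compute(_amount)
      5.0
    end
  end

  class PercentOff
    def compute(amount)
      amount * 0.1
    end
  end
end

# The only classes a request is ever allowed to pick.
ALLOWED_CALCULATORS = {
  "Calculator::FlatRate"   => Calculator::FlatRate,
  "Calculator::PercentOff" => Calculator::PercentOff
}.freeze

class UnknownCalculator < ArgumentError; end

# Vulnerable: the caller names any loaded constant and gets an instance of it.
def build_calculator_unsafe(type_param)
  Object.const_get(type_param).new
end

# Hardened: the name is a key into the allow-list; anything else is rejected
# before any constant lookup or constructor runs.
def build_calculator_safe(type_param)
  klass = ALLOWED_CALCULATORS.fetch(type_param) { raise UnknownCalculator, type_param }
  klass.new
end
```

Both builders behave identically for the expected names; the difference is what happens with an unexpected one. The unsafe version will instantiate whatever the string names (the test uses `Array`, but anything loaded in the process is fair game), whereas the safe version raises before touching it.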

Thanks to Gabriel Quadros of Conviso Application Security for reporting this.

Versions Affected

Spree 1.0.x – 1.3.x, Edge

The Fix

The problem can be addressed by updating to edge Spree. There is no urgent need to upgrade if you are running an affected version as long as your admin users can be trusted to not attempt a complicated technical exploit of this vulnerability.

Spree 1.3.1 and 1.2.3 Released

Posted on January 07, 2013 by Sean Schofield

Last week the Rails team announced a new release which addresses an important security vulnerability. This is a Rails security problem, but since Spree relies on these insecure versions of Rails, all Spree users are advised to upgrade to a more secure version immediately.

Spree 1.3.1

Existing Spree 1.3.0 users should upgrade to the new Spree 1.3.1 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the Github compare for a complete list of changes.

Spree 1.2.3

Existing Spree 1.2.x users should upgrade to the new Spree 1.2.3 release. This release uses the more secure Rails 3.2.10 version and also includes some minor bug fixes unrelated to the security issue. You can review the Github compare for a complete list of changes.

Other Versions of Spree

If you are using Spree versions 1.1.x and older you should consider upgrading to Spree version 1.2.3 or higher. Our current policy is to only maintain the latest two versions of Spree along with the current master.

Upgrading Rails Without Updating Spree

If you’re not ready to update your version of Spree, you may want to consider updating just the version of Rails you’re using. Spree gems will not allow you to use arbitrary versions of Rails (we like to test them first) so you’ll have to do a little hacking if you want to go it alone. To accomplish this you need to work with the source code and checkout from Git using the exact tag of your version of Spree. You can then modify the gemspec to allow a newer version of Rails. Finally, you’ll need to push this change to a fork and modify the Gemfile in your project to point to the fork.

Spree 1.3.0 Released

Posted on December 19, 2012 by John Dyer

Spree 1.3.0 has now been officially released. We’ve been working on this release since late August and it’s truly been a group effort. There were 867 commits by 31 different authors. Only a few of those authors actually work for Spree Commerce Inc. so that means our awesome community has once again taken the time to make invaluable contributions to Spree. Keep up the fantastic work!

Let’s go over some of the highlights of this release:

API Updates and Documentation

As Spree constantly evolves, so does our API. To help you keep up with the latest changes, we launched our API Documentation recently. Internally, we are now using Versioncake to version our API and ensure that any significant changes don’t affect our end-users. Additionally, we have added searching capabilities throughout the API and the ability to customize output by specifying a template.

Please see the API Improvements blog post and our API Documentation for more details.

New Admin Interface

We are excited for you to try our newly redesigned admin interface, courtesy of our designer Alexey (aka devilcoders). The main focus of the redesign was to put a “fresh coat of paint” on everything to make it a little easier to look at all day long. This is just the first step of reworking our admin interface and we are looking forward to receiving your feedback to help us improve our further iterations on the design.

Please see the Announcing Admin Redesign blog post for more details.

Currency Settings

Currency settings have been added to Spree that make it possible to change the currency used by the store and the format of displayed prices. This is the foundation for planned multi-currency support in the future. The goal with these changes is to eventually allow various objects in Spree to store and track their own currency. Currently the currency is set on a global level.

Special thanks to Gregor MacDougall for his great work on adding currency support to Spree.

Please see this commit for more information on currencies in Spree.

Miscellaneous Changes

As with every major Spree release, there are also a ton of commits related to minor bug fixes and other subtle improvements. Please see the Github compare for a complete list of changes in this release. You can also see a written summary of the changes with additional details in the release notes.

Spree 1.3.0.rc2 Released

Posted on December 17, 2012 by John Dyer

Spree 1.3.0.rc2 is now available. The final release for Spree 1.3.0 is expected later this week barring any last minute discoveries so we need your help with testing. Please report any issues you encounter.

We’ll have a comprehensive set of release notes once the release is final. In the meantime, please see the Github compare for a complete list of changes.

Spree 1.3.0.rc1 Released

Posted on December 03, 2012 by Sean Schofield

Spree 1.3.0.rc1 is now available. The final release for Spree 1.3.0 is expected shortly so we need your help with testing. Please report any issues you encounter.

If you’ve been following the recent admin refactoring on the master branch then you have an idea of what’s in this release. We’ll have a comprehensive set of release notes once the release is final. In the meantime, please see the Github compare for a complete list of changes.

Spree 1.1.4 Released

Posted on November 26, 2012 by Sean Schofield

Spree 1.1.4 has been officially released. The primary purpose of this release is to upgrade to the latest secure version of Rails. Previous versions of Rails 3.2.x have a DoS vulnerability that was fixed in the recent Rails 3.2.9 release. The DoS vulnerability is actually a Ruby security issue as well, so it is recommended that you upgrade your Ruby installation to Ruby 1.9.3-p327 or higher.

There are no new Spree security vulnerabilities addressed in this release – just those mentioned above concerning Ruby/Rails. This release also contains a series of minor bug fixes which you can read more about in the Spree 1.1.4 release notes. You can also see the Github compare for full details.

Due to the upcoming Spree 1.3.0 release, this will be the final patch release of Spree 1.1.x. We encourage you to update to Spree 1.2.x as soon as possible.

Spree 1.2.2 Released

Posted on November 26, 2012 by Sean Schofield

Spree 1.2.2 has been officially released. The primary purpose of this release is to upgrade to the latest secure version of Rails. Previous versions of Rails 3.2.x have a DoS vulnerability that was fixed in the recent Rails 3.2.9 release. The DoS vulnerability is actually a Ruby security issue as well, so it is recommended that you upgrade your Ruby installation to Ruby 1.9.3-p327 or higher.

There are no new Spree security vulnerabilities addressed in this release – just those mentioned above concerning Ruby/Rails. Please note that earlier last week we issued a flawed Spree 1.2.1 release but that has since been “yanked” (due to a minor glitch) and the fixed version has been released as Spree 1.2.2.

This release also contains a series of minor bug fixes and improvements which you can read more about in the Spree 1.2.2 release notes. As always, this has been a group effort by the outstanding members of our community. This release contained 248 contributions by 44 different authors. You can see the Github compare for full details.

This release does not contain the new admin interface. That functionality is currently available on the master branch and will be released as part of Spree 1.3.0 in early December.

Spree 1.2.0 Released

Posted on August 31, 2012 by Sean Schofield

Spree 1.2.0 has now been officially released. We’ve been working on this release all summer and it’s truly been a group effort. There were 961 commits by 32 different authors. Only a few of those authors actually work for Spree Commerce Inc. so that means our awesome community continues to step up and make invaluable contributions. Keep up the great work!

Special thanks to Ryan Bigg who did a ton of work on this release. The authentication changes and checkout flow in particular represent huge improvements to Spree and were a direct result of close coordination with our users who were struggling on these fronts.

Let’s review some of the highlights of this release:

Authentication Has Been Removed

Spree no longer ships with authentication included. Previous versions of Spree have relied on a third party library known as Devise. Removing the dependency on Devise allows Spree to be more easily integrated with larger Rails applications that may have their own authentication system. For those that are using Devise (or have no strong preference for which system they use), we still have Devise support for Spree. You’ll just need to add the spree_auth_devise extension to your application.

Please see the Authentication Guide for more details.

Changes to the State Machine

Up until now, it’s been a little too difficult to customize the checkout flow in Spree. It was certainly possible, but the workaround for doing so wasn’t particularly elegant and was even more difficult to support. This has all changed now with a new DSL for specifying the checkout flow. If you’ve made changes to the checkout flow in your application (or if you have been hesitant to do so until now) then you may want to learn more about how this works.

Please see the Checkout Guide for more details.

Introducing the Money Gem

In earlier versions of Spree, we used number_to_currency to display prices for products. This made it difficult to change only the currency symbol for all prices across your store. We have improved this by using the Money gem to handle all of the price formatting. Please note this was a last minute addition to Spree that was not contained in the previous release candidates. You can look forward to many more improvements to international support in future releases.

Miscellaneous Changes

There are also a ton of commits related to minor bug fixes and other subtle improvements. Please see the Github compare for a complete list of changes in this release. You can also see a written summary of the changes with additional details in the release notes.

Spree 1.2.0.rc2 Released

Posted on August 14, 2012 by Sean Schofield

Spree 1.2.0.rc2 is now available. The final release for Spree 1.2.0 is expected shortly so we need your help with testing. Please report any issues you encounter. Please see the Github compare for a complete list of changes in this release.

Final release will be later this week – just in time for SpreeConf!

Spree 1.2.0.rc1 Released

Posted on August 09, 2012 by Sean Schofield

Spree 1.2.0.rc1 is now available. The final release for Spree 1.2.0 is expected shortly so we need your help with testing. Please report any issues you encounter. Please see the Github compare for a complete list of changes in this release.

Spree 1.1.3 Released

Posted on July 27, 2012 by Andrew Hooker

Spree 1.1.3 has been released. This is a patch release to be compatible with the new Rails 3.2.7 release. The newest version of Rails contains a minor security release fix so you’re encouraged to update at your earliest convenience.

This release also contains a variety of other small bug fixes. Special thanks to Moritz Breit for reporting a potential security issue which has since been investigated and addressed.

Please see the Github compare for a complete list of changes in this release.

Complete Redesign of Spree Analytics

Posted on July 16, 2012 by Sean Schofield

We’re pleased to announce a completely redesigned version of the analytics dashboard that ships with Spree. This dashboard is automatically available to all stores running Spree 1.0.x or higher and will be displayed in your admin panel without having to take any steps to upgrade.

The above screenshot doesn’t really do the new interface justice. You’ll have to see it in action to get a sense for how great the improvements are. If you are running a version of Spree prior to 1.0.x you can still get the analytics functionality by using the spree_analytics extension. Let us know what you think!

Spree 1.0.6 Released

Posted on July 12, 2012 by Sean Schofield

Spree 1.0.6 has been released. This release is just a minor patch release to fix a few issues with attr_accessible and the latest Rails 3.1.6 release. The previous Spree 1.0.5 release has been yanked since it was not compatible with the latest Rails 3.1.x version.

Please see the Github compare for a complete list of changes in this release. There are no security fixes in this release.

Important Security Updates

Posted on July 05, 2012 by Andrew Hooker

We have just released several new versions of Spree which contain important security fixes. A vulnerability exists in Product Scopes that could allow for unauthenticated remote command execution. There is also a potential XSS vulnerability related to the analytics dashboard. Finally, the new releases also upgrade to the latest version of Rails which include additional security fixes which were addressed by the Rails team.

The remote command execution vulnerability is quite serious and affects all versions of Spree. You should upgrade to one of the following secure versions of Spree immediately: 0.11.4, 0.70.6, 1.0.5 or 1.1.2.

Thanks to joernchen from Phenoelit and Michael Bianco from Ascension Press for bringing these issues to our attention.

If you believe you’ve found a security vulnerability, please do not post publicly about it. Email us at security@spreecommerce.com and we will investigate and fix the issue as quickly as possible.

Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.

Spree Versions Affected

Edge/Master

The patch has been applied to the repo with the following commits 7f1e5d3 and 3db9a6e . Update to 7f1e5d3 or a more recent one to be protected.

1.1.x

It’s recommended that you update to v1.1.2. This contains the security fix as well as other bug and stability fixes.

See the Github compare view for the full details.

1.0.x

It’s recommended that you update to v1.0.5. This contains the security fix as well as other bug and stability fixes.

0.70.x

It’s recommended that you update to v0.70.6. This release contains only the security fix.

0.20.x – 0.60.x

It’s recommended that you update to v0.70.6. This is a fairly easy upgrade (no major changes in Rails version, etc.) and we cannot continue to support older versions of Spree indefinitely.

0.11.x

It’s recommended that you update to v0.11.4. This release contains only the security fix.

Spree Analytics Extension

If you are using the spree_analytics extension you need to update to 079949fd to receive the most recent security fix. If you are using Spree 1.0.x or greater the analytics is included in Spree and updating to the latest secure Spree version will take care of this for you.

Spree Commitment to Security

The Spree team remains committed to the highest standard of security in its software. Spree is used by thousands of stores worldwide and the source code is under constant review by the community. We believe in disclosing all security vulnerabilities to the public in a timely and responsible fashion. Thanks again to joernchen from Phenoelit and Michael Bianco from Ascension Press for working with us while we resolved this issue.

Spree 1.1.2 Release Candidate

Posted on June 25, 2012 by Sean Schofield

Spree 1.1.2 is now available as a release candidate (rc1.) This means that the official release is imminent and we request your assistance in testing the code before we do so. We recommend you upgrade to 1.1.2 as soon as possible due to security issues that have been recently fixed in Rails 3.2.4 as well as Rails 3.2.6.

Using the RC in your project

Since the spree_cmd gem defaults to the latest official releases for Spree (and the associated payment gateway gems), it is recommended that you use the following approach to install the RC in a new project:


spree install mystore --git=git://github.com/spree/spree.git --branch=1-1-stable

For existing stores you can follow the standard process of updating your Gemfile

Gemfile

gem 'spree', '1.1.2.rc1'

and then install and run the migrations


bundle exec rake spree:install:migrations
bundle exec rake db:migrate

Spree 1.1.1 Released

Posted on May 16, 2012 by Sean Schofield

Spree 1.1.1 has been released. This release is just a minor patch release to fix a few issues with the previous release. There are no security fixes in this release so there is no rush to upgrade if things are working fine for you.

The primary reason to upgrade is if you are experiencing issues with the new 2.1.x version of Devise which may get used by bundler in new Spree deployments. Please see the Github compare for a complete list of changes in this release.

Spree 1.1.0 Released

Posted on April 30, 2012 by Sean Schofield

Spree 1.1.0 has been released. We’ve been hard at work the past two months getting this release ready. This is also the first Spree release to support Rails 3.2.x. All it took was 790 commits by 34 different authors (including many first-time committers.)

Here’s a list of highlights of what is contained in the new release:

  • Support for Rails 3.2.x
  • Product groups have been moved to a stand alone extension
  • Major overhaul of the API
  • Simplified the internals of Creditcard model
  • Replaced meta_search with ransack
  • Instant activation for live analytics
  • Several other minor changes

Please see the Github compare for a complete list of changes in this release. Please see the Spree 1.1.0 release notes for more details.

Spree 1.0.4 Released

Posted on April 28, 2012 by Sean Schofield

Spree 1.0.4 has been released. This is just a minor patch release that contains several minor fixes made since the prior release. There are no security fixes contained in the release so there’s no need to upgrade unless you’re experiencing one of the problems fixed in this release.

Please see the Github compare for a complete list of changes in this release. If your store is not yet running on a 1.0.x version of Spree you are encouraged to upgrade at your earliest convenience. Once Spree 1.1.0 is released we will no longer be maintaining versions of Spree prior to 1.0.x except in the case of a critical security fix.

Spree 1.1 Release Candidate 2

Posted on April 26, 2012 by Ryan Bigg

We have just released Spree 1.1.rc2! In this version, you’ll find bug fixes for bugs detected within the first release candidate, as well as some refactoring. Pending any other issues brought up on the Spree issues, this will be the final release candidate before the actual release.

Probably the most substantial change from this release candidate is the clean up of the Creditcard class. We don’t anticipate any problems with these changes, but if you do find some, please bring them up on the Spree issues page.

If you want to see all the changes that have gone into this second release candidate since the first, be sure to check out the comparison view on GitHub.

One final note, both the Railsdog and Spree teams are at Railsconf this week! Come find us and talk to us about how you’re using Spree.

Spree 1.1.0 Release Candidate

Posted on April 09, 2012 by Sean Schofield

Spree 1.1.0 is now available as a release candidate (rc1.) This means that the official release is imminent and we request your assistance in testing the code before we do so. As part of this process we have created a new 1-1-stable branch in Github. As the branch name implies, the code in this branch should stay fairly stable over time as we move towards and beyond the 1.1 release.

What’s in the Upcoming Release?

  • Support for Rails 3.2.x
  • Product groups are now a stand alone extension
  • Major overhaul to the API
  • Replaced meta_search with ransack
  • Several other minor changes

Please see the edge version of the release notes for more details

Using the RC in your project

Since the spree_cmd gem defaults to the latest official releases for Spree (and the associated payment gateway gems), it is recommended that you use the following approach to install the RC in a new project:


spree install mystore --git=git://github.com/spree/spree.git --branch=1-1-stable

For existing stores you can follow the standard process of updating your Gemfile

Gemfile

gem 'spree', '1.1.0.rc1'

and then install and run the migrations


bundle exec rake spree:install:migrations
bundle exec rake db:migrate

Spree 0.70.5 Released

Posted on March 15, 2012 by Sean Schofield

Spree 0.70.5 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.

Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running a previous 0.70.x version of Spree.

Spree 1.0.3 Released

Posted on March 15, 2012 by Sean Schofield

Spree 1.0.3 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.

Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running a prior version of Spree 1.0.x.

NOTE: Earlier this week we released Spree 1.0.2 which contained this fix. Before we could write up the release announcement we discovered a newly introduced bug that required a quick follow up release, which is now Spree 1.0.3. It is recommended that you update to version 1.0.3 if you are running version 1.0.2 because of this bug, but it is not required for security purposes.

Spree 0.60.6 Released

Posted on March 15, 2012 by Sean Schofield

Spree 0.60.6 has been released. The primary purpose of this release is to address a recently discovered security vulnerability which under certain circumstances allows any authenticated user to read the contents of another user’s order.

Please see the Github compare for a complete list of changes in this release. Due to this issue and other previously announced vulnerabilities you should upgrade to this version of Spree if you are running any version of Spree prior to 0.60.6.

Spree 0.60.5 Released

Posted on March 05, 2012 by Sean Schofield

Spree 0.60.5 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.0.12 release. Anyone using a prior version of Spree is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.

Please see the Github compare for a complete list of changes in this release.

Spree 1.0.1 Released

Posted on March 05, 2012 by Sean Schofield

Spree 1.0.1 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.1.4 release. Anyone using a prior version of Spree 1.0.x is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.

We have also fixed several issues that have come up since the 1.0.0 release. Please see the Github compare for a complete list of changes in this release.

Spree 0.70.4 Released

Posted on March 05, 2012 by Sean Schofield

Spree 0.70.4 has been released. The primary purpose of this release is to provide compatibility with the recent Rails 3.1.4 release. Anyone using a prior version of Spree 0.70.x is urged to upgrade immediately due to two different security fixes in Rails discussed here and here.

Please see the Github compare for a complete list of changes in this release.

Spree 1.0.0 Released

Posted on February 09, 2012 by Sean Schofield

Today we are extremely proud to announce the long-awaited release of Spree 1.0.0. The project began almost five years ago with a simple post. After several years of development and thousands of deployed stores we are now convinced Spree will play an essential role in building the next generation of e-commerce.

Our community continues to grow stronger with each successive release. This latest release contains over 1,500 commits made by 35 different contributors. Only four of those contributors work as employees of Spree Commerce. The best part is that all of this work was done in just ten weeks! There are additional developers and resources flowing into the project each day so we’re really only seeing a glimpse of what is possible.

The list of people to thank is too numerous to list here. There’s also a lot more to say about extensions and the online demo but that will have to wait for another day. We’re going to keep the announcement short in order to get this out to you as fast as possible.

We have done our best to test the upgrade process on older versions of Spree. Our team has also been hard at work making last minute fixes and significant improvements to the online documentation. Just like the Rails project, there will always be a few glitches discovered after a major release. Please report issues you find in the Github issue tracker. If you are developing a store using 1.0 you can always reference the 1-0-stable branch in your Gemfile and then you can take advantage of patches as they are added. Otherwise you can wait until we do a minor patch release.

A complete list of changes can be found in the Github compare for 1.0.0. For more information on this release and upgrading from a previous version of Spree please see the release notes.

New base theme now on edge

Posted on January 25, 2012 by Brian Quinn

We’ve just pushed a new base front-end theme to edge that dramatically improves
on the original out-of-the-box look for Spree, while still maintaining a
simple base for additional theme and styling changes.


Responsive Layout

This new base theme also features a responsive layout which will
reorganize the structure of the page depending on the screen size of the
device that’s viewing the page. Check out the edge code and just resize your browser to see
it in action.

Maintaining Compatibility

While most of the underlying markup remains unchanged, some new elements
have been added only where necessary. Some tags have also changed, for
example from h6 to h3, but we’ve maintained all object ids, class names and
data-hook attributes as much as possible to maintain support for
existing Deface overrides.

Some of these changes will require updates to existing themes but we are
already working on updating both the Spree Blue and Rails Dog Radio
themes.

Spree 1.0.0.rc1 is Now Available

Posted on December 23, 2011 by Sean Schofield

We’re happy to announce Spree 1.0.0.rc1 is finally available! We’ve been working like crazy in order to meet our self-imposed deadline of “before Christmas.” Unfortunately in our drive to get the RC ready we did not have time to write a lot of explanatory posts and documentation. We’ll catch up in the next couple of weeks now that the major coding part is over.

One of the major changes in this release is related to taxation. You can see some of the recent taxation work on Github and look forward to completely revised documentation in the new year.

We have also started work on the 1.0.0 release notes. They’re still a work in progress but you may find some useful information in the edge guides. We still have some work to do in January but we’re on schedule to release 1.0.0 in time for SpreeConf.

Spree 0.70.3 Released

Posted on November 24, 2011 by Sean Schofield

Spree 0.70.3 has been released. The only change in this release is support for Rails 3.1.3. It should be a trivial upgrade from Spree 0.70.2. There are no security issues with the previous version of Rails but this newer version fixes several problems that were introduced by Rails 3.1.2.

Spree 0.70.2 Released

Posted on November 20, 2011 by Sean Schofield

Spree 0.70.2 has been released. The primary reason for this release is support for the new Rails 3.1.2 release which contains some important security updates. There are also a couple of other minor changes which you can find using the Github compare.

We’re also experimenting with a new approach to Rails versions in this release. We’ve traditionally locked down the specific version of Rails that you can use with any one release of Spree. This is because in the past, even minor changes to Rails often caused problems with Spree if users tried to upgrade before we had a chance to verify everything.

This version of Spree will allow you to use either Rails 3.1.1 or the new 3.1.2 release. It will not, however, work with a possible future release of Rails until we also release a new Spree 0.70.x. This will allow us to ensure that Spree works with each new version of Rails but allow more flexibility for users who wish to upgrade Rails versions without upgrading Spree and vice versa.

Spree 0.70.1 Released

Posted on October 20, 2011 by Sean Schofield

Spree 0.70.1 is now officially released. There are two important changes in this release. The first change is a fix to the asset precompile stuff. If you’re running 0.70.0 you’ll want to upgrade because this will result in a performance increase.

The other major change is that we have introduced the concept of security and release alerts. You will now receive a notification in your control panel whenever there is a new release. This feature also allows us to notify you of important security announcements. The alerts can be dismissed once they’re read and you have the option to disable them entirely (not recommended.)

The Security Guide contains more information on alerts. You can also view the Github compare for a complete list of changes in this release.

Spree 0.70.0 Released

Posted on October 07, 2011 by Sean Schofield

Spree 0.70.0 is now officially released. The most important change with this release is that it is fully compatible with the brand new Rails 3.1.1 release. Please read the release notes for more information on what has changed and how to upgrade from previous versions.

Prior to today’s new release of Rails, there were significant problems with the asset pipeline and other features. These problems were severe enough to cause us to hold off on the new Spree release until they were addressed. Spree 0.70.0 represents another massive release (due mostly to the massive amount of change in Rails itself.) The Github compare shows this release to consist of a total of 356 commits by 36 different contributors and a whopping 1,093 files changed!

Deface Themes

There have been significant improvements to themes which now rely on Brian Quinn’s awesome deface library. Themes are also now available as engines which means they can be more easily shared with others. This is just the start of what we have planned for themes in Spree. You can expect more improvements in the near future.

New Extension Generator

This release contains a brand new extension generator. Once you’ve installed the new Spree gem you can use this generator to create extensions using the following command:


$ spree extension foofah

One of the most important advances in this new generator is that you can now easily run specs for extensions in their own standalone repository. You just need to create a test application (one time only) as a context before running your specs.


$ rake test_app
$ bundle exec rspec spec

Asset Pipeline

One of the most important features of Rails 3.1.x is the asset pipeline. There have been many changes to Spree to support the asset pipeline (which are covered more thoroughly in the release notes.)

Unfortunately some of the Rails 3.1.x changes have introduced significant performance issues when running Spree in development mode. The good news is you can improve performance significantly by using a special precompile task.


$ bundle exec rake assets:precompile RAILS_ENV=development RAILS_ASSETS_NONDIGEST=true

WARNING: Using the precompile rake task in development will prevent any changes to asset files from being automatically included when you reload the page. You must re-run the precompile task for changes to become available.

Rails also provides the following rake task that will delete the entire public/assets directory; this can be helpful to clear out development assets before committing.

 $ rake assets:clean

It might also be worthwhile to include the public/assets directory in your .gitignore file.

Rails 3.1 meets master

Posted on August 02, 2011 by Brian Quinn

As the release of our next major version (0.70.0) draws ever nearer we
feel it’s time to merge the rails3-1 development branch into master, and
start helping you get ready for some of the changes you’ll need to make as part of the upgrade.

While most of the changes required are standard when upgrading any Rails
application to Rails 3.1, we’ve set out some guidelines and suggestions relating to the asset pipeline to help standardize how Spree applications and extensions make use of this new feature.

While edge has contained some new theming features (Deface) for a while now, the rails3-1 branch really ties this together with the Rails asset pipeline to provide an amazingly powerful and flexible theming eco-system.

Some lite reading

There’s a lot of changes and improvements to cover so we’ve created a lot of documentation to help explain all these new features, and we strongly recommend you read through them before diving in:

  • 0.70.0 Release Notes – While 0.70.0 isn’t actually released yet, these notes are available now and provide detailed Upgrade Instructions for upgrading 0.60.x applications to 0.70.0.
  • Customization Overview – This edge guide covers all customization options now available with Spree, and explains how to organize (or bundle) those customizations.
  • View Customization – Explains how to use Deface and template replacements to alter the appearance of a Spree application.
  • Asset Customization – Covers Spree’s use of the asset pipeline and how you can leverage that to customize the stylesheets, javascripts and images included in Spree.

All of these documents are works in progress and will be amended as we get closer to release.

Not ready for Rails 3.1 yet?

For those of you who have been developing on Spree edge and don’t want
to undertake the upgrade to Rails 3.1 yet, please update your Gemfile to
use the rails-3-0 branch, which is just a direct branch of the master
before rails-3-1 was merged down.

While this branch probably won’t get any direct development it’s the
safest version to use until you’re ready to upgrade to 0.70.0.

Contributions

We’re always glad to help as many people as possible contribute to Spree
and there’s still plenty of issues waiting to be resolved, so now’s a great time to start contributing!

Spree 0.60.1 Released

Posted on June 22, 2011 by Sean Schofield

Spree 0.60.1 is now officially released. The major reason for this
release is to support the brand new Rails 3.0.9 release.
There are also a few other minor changes. You can check out the Github
compare to see a full list of changes.

Rails 3.1 Support

Posted on June 16, 2011 by Brian Quinn

Rails 3.1 adds some great new features that we’re keen to include in
Spree and some will form the basis for more theming features to
follow soon. We’re going to walk through some of these new features and
changes in this post and explain what they mean to you as Spree developers.

Those of you following along at home may have already noticed we recently pushed
a rails3-1 branch to the
Spree repository. All the details below pertain to this branch only
for now, but will be merged with master shortly and included in the upcoming Spree 0.70.0 release.

Assets Pipeline

Spree’s first Rails 3.0 based release (0.30.0) changed how extensions worked within
Spree and allowed us to adopt a standard Rails approach for supporting extensions, where all extensions
became regular Rails Engines.

While engine support in Rails 3.0 was vastly improved it still had some
weak points in relation to asset and migration management that required
us to create our own approach. With the release of Rails 3.1 these weak
points have been addressed and we’re now able to remove our workarounds
and once again adopt the standard Rails approach.

All Spree generated (or upgraded) applications will now include a new
assets directory (as is standard for all Rails 3.1 apps). We’ve taken
this one step further by subdividing each top level asset
directory (images, javascripts, stylesheets) into store and admin
directories; this is designed to keep assets from the front end (store) and
back end (admin) from conflicting with each other.

A typical assets directory for a Spree application will look like:

app
|-- assets
    |-- images
    |   |-- store
    |   |-- admin
    |-- javascripts
    |   |-- store
    |   |   |-- all.js
    |   |-- admin
    |       |-- all.js
    |-- stylesheets
    |   |-- store
    |   |   |-- all.css
    |   |-- admin
    |       |-- all.css


Spree also generates four top level manifests (all.css & all.js, see
above) that require all the core extensions’ and site-specific stylesheets / javascripts.

Managing site specific assets

All site specific assets should be moved from the public directory into
the appropriate app/assets or vendor/assets sub-directory. All
javascript and stylesheet files in app/assets sub-directories will
be automatically included by the relevant all.(js|css) manifests.

Javascript & stylesheet files in vendor/assets sub-directories should be
manually required in the appropriate all.(js|css) manifests.

NOTE: Images will be served in development mode, or compiled into the
public directory automatically in production mode.

How core extensions (engines) manage assets

All core engines have been updated to provide four (or fewer) asset manifests that
are responsible for bundling up all the javascripts and stylesheets
required for that engine.

For example, spree_core provides the following manifests:

app
|-- assets
    |-- javascripts
    |   |-- store
    |   |   |-- spree_core.js
    |   |-- admin
    |       |-- spree_core.js
    |-- stylesheets
    |   |-- store
    |   |   |-- spree_core.css
    |   |-- admin
    |       |-- spree_core.css


These core engine specific manifests are included by default by the relevant
all.css or all.js in the host Spree application. For example,
app/assets/javascripts/admin/all.js includes:

//= require_tree .
//= require admin/spree_core
//= require admin/spree_promo
//= require admin/spree_dash


External javascript libraries, stylesheets and images have also been
relocated into vendor/assets (again the Rails 3.1 standard approach), and all
core extensions no longer have public directories.

How third party extensions should manage assets

We’re suggesting that all third party extensions should adopt the same approach and
provide the same four (or fewer, depending on what the extension requires)
manifest files, using the same directory structure as outlined above.

Third party extension manifest files will not be automatically included in the
relevant all.(js|css) files, so it’s important to document the
manual inclusion in your extension’s installation instructions or provide a Rails generator to do so.

For an example of an extension using a generator to install assets and
migrations take a look at the recently added install_generator
on the rails3-1 branch of spree_wishlist.

New migration handling

We’ve also been able to retire our own custom migration handling rake
tasks in favor of the Rails 3.1 built-in equivalents.

The following style rake tasks have been removed:

rake spree:install
rake spree:install:migrations
rake spree_core:install
etc.


The new Rails equivalents are now:

rake railties:install:migrations


Which copies migrations from all engines / extensions.

To install the migrations from a single engine use:

rake railties:install:migrations FROM=spree_wishlist


NOTE: Migrations are copied one engine at a time, in the order that the
engine was included. All migrations are re-numbered (timestamped) with
the time they were copied. Subsequent executions of the same
rake tasks will not result in duplicate migrations as it compares the name
after the timestamp before copying.

Other changes of note

spree_site.rb no longer required

Earlier Rails 3.0 versions of Spree used to generate an application
engine file in lib/spree_site.rb. This file conflicts with recent engine
changes and has been removed.

The `activate` method that was originally housed in the file has been
replaced with a `to_prepare` block which will be automatically appended to
config/application.rb when you run the spree:site generator.

The new block will also contain the relevant require / load snippet to
include all your decorator files.

NOTE: It’s important when upgrading to remove lib/spree_site.rb and
move any logic into the new `to_prepare` block (or new initializers where
suitable).

Declaring `railtie_name`

All extensions (core and third party) should now include a
`railtie_name` call inside their engine definition, for example from spree_wishlist:

lib/spree_wishlist.rb

module SpreeWishlist
  class Engine < Rails::Engine
    engine_name 'spree_wishlist'
    ...
  end
end

This is used to reference the engine by name within Rails (currently
used for installing migrations).

Call for help

The rails3-1 branch is
still pretty raw so we’re inviting everyone to take it for a test drive
and help resolve any of the outstanding issues.

We’re logging Rails 3.1 related issues in Github issues
with the rail3-1 label. Please feel free to grab an issue and help out.

Also, there are several spec and cucumber failures just waiting for your
help!

Spree 0.60.0 Released

Posted on May 13, 2011 by Sean Schofield

Spree 0.60.0 is now officially released. The primary purpose of this release is to deprecate use of the resource_controller gem. It’s been a long journey with this library but its usefulness has come to an end. Special thanks to Neeraj Singh, Roman Smirnov and Brian Quinn for their hard work on this.

We have gone to great lengths to preserve most of the functionality of
resource_controller by reimplementing it in a more "rails
like" way (using inheritance, etc.) In a few cases, however, we
have not been able to maintain 100% compatibility with previous releases
of Spree. This may affect some existing extensions as well as stores
that rely on this functionality. The new approach to overriding just the
respond to stuff in a controller is described in the customization
guide.

We’ve been doing a pretty good job these days of having regular releases. There are some pull requests piling up and the issues in Lighthouse need to be addressed so that will be the next step. We also have some cool promotions stuff coming to edge in the next few days.

For a more detailed description please check the 0.60.0 release notes. You can also use the Github compare tool to see a complete list of changes included in the 0.60.0 release.

Spree 0.50.2 Released

Posted on April 25, 2011 by Sean Schofield

Spree 0.50.2 has just been released. It’s a minor patch release to address a performance issue with a previous version of Rails.

You can also use the Github compare tool to see a complete list of changes for the 0.50.2 release.

Security Fix: Content Controller & Search Logic

Posted on April 19, 2011 by John Dyer and Sean Schofield

The Spree team was recently alerted to two potential security vulnerabilities.

The first potential exploit, reported by John Hartzler, would allow a user to request a specially crafted URL and expose arbitrary files on the server. All prior versions of Spree are affected by this issue but it has since been patched in the edge code as well as the brand new Spree 0.50.1 release.

If you are not able to upgrade immediately there is a simple “hot fix” you can code into your site which should work with all prior versions of Spree. You need to create a file named `config/initializers/security_hotfix.rb` in your application and make sure it contains the following code:

config/initializers/security_hotfix.rb

# Hotfix from this post: replaces ContentController#show with the patched version.
ContentController.class_eval do
  def show
    render :template => params[:path]
  end
end
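As an added example (not Spree’s code and not the hotfix above), a validator for the template name taken from params[:path] that a defender can put in front of render, so only a known static page under the content views directory can ever be rendered. The allowlist pattern, the `.html.erb` naming and the fixture directory are assumptions constructed for this example.

```ruby
require 'tmpdir'

# Resolves a raw request value (what params[:path] would carry) to a template
# under content_dir. Returns the page name to hand to render, or nil when the
# request must be refused (answer with 404 instead). Two independent checks:
# a strict allowlist pattern for the name, then a canonical-path containment
# check on the file that would actually be opened.
def resolve_content_template(raw, content_dir)
  return nil unless raw.is_a?(String)
  # Exactly one path segment of [a-z0-9_-]: rejects "../", absolute paths,
  # NUL bytes, and handler/format tricks such as "about.html.erb".
  return nil unless raw =~ /\A[a-z0-9_-]+\z/
  root = File.expand_path(content_dir)
  # Assumption: content pages are stored as <name>.html.erb under content_dir.
  candidate = File.expand_path("#{raw}.html.erb", root)
  # Belt and braces: even if the pattern above were loosened, the resolved
  # file must still live inside the content directory.
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  return nil unless File.file?(candidate)
  raw
end

# Constructed fixture: a throwaway views/content directory with two pages,
# so the example runs offline without a Rails application.
def with_sample_content_dir
  Dir.mktmpdir('spree_content_example') do |dir|
    %w[about faq].each do |page|
      File.write(File.join(dir, "#{page}.html.erb"), "<h1>#{page}</h1>")
    end
    yield dir
  end
end

# Hypothetical use inside an initializer like the one in the post (not run here):
#   ContentController.class_eval do
#     def show
#       page = resolve_content_template(params[:path], Rails.root.join('app/views/content'))
#       page ? render(:template => "content/#{page}") : render(:nothing => true, :status => 404)
#     end
#   end

if __FILE__ == $0
  with_sample_content_dir do |dir|
    ['about', '../../etc/passwd', 'about.html.erb', 'missing'].each do |input|
      puts "#{input.inspect} -> #{resolve_content_template(input, dir).inspect}"
    end
  end
end
```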

The second issue, reported by joernchen of Phenoelit, is a bug in the
rd_searchlogic gem which would allow malicious users to execute arbitrary remote commands. The
rd_searchlogic gem was forked from the original searchlogic since the original still does not support Rails 3. The forked gem is the most vulnerable but the original searchlogic gem also contains a variation of this exploit.

This affects both the 0.30.x and the 0.40.x versions of Spree. Upgrading
your installation of Spree to 0.50.x is an easy solution to this problem (since we no longer use searchlogic.) If you are unable to upgrade at this time and are not using the search functionality provided by the REST API, then you can drop the following code into a new file titled `config/initializers/searchlogic_hotfix.rb`:

config/initializers/searchlogic_hotfix.rb

# Hotfix from this post: disables the API search until you can upgrade.
Api::BaseController.class_eval do
  protected

  def search
    return nil
  end
end

Both of these fixes will require a restart of your production server to take effect.

Spree 0.50.1 Released

Posted on April 19, 2011 by Sean Schofield

Spree 0.50.1 has just been released. It’s a minor patch release to address a handful of small issues. It also contains an important security fix (see the recent security announcement for more details.)

You can also use the Github compare tool to see a complete list of changes for the 0.50.1 release.

Spree 0.50.0 Released

Posted on March 23, 2011 by Sean Schofield

Spree 0.50.0 has been officially released. Several important bugs in the 0.40.x release have been addressed. There are no crucial security fixes in this release but you are still encouraged to upgrade as soon as convenient. By making these small upgrades as they are released you will only need to focus on minor changes to each point release instead of a series of important changes covering several releases.

Special thanks to Neeraj Singh who worked tirelessly for several weeks to add a huge amount of test coverage that we desperately needed. This added test coverage will make it easier to improve Spree in the future while minimizing the chances of breaking legacy functionality in the process. We’re also pleased to welcome several new contributors who helped with important bug fixes. A complete list of contributors over time can be found here.

You may be wondering which extensions will work with this new version of Spree. Most extensions that work with Spree 0.40.x should work with Spree 0.50.x since we did not really change any of the public API. The one possible exception is if the extension in question uses search functionality. Please see the release_notes for more details on the changes to search and other topics. We’re also going to announce some improvements to the extension registry related to versioning. Expect more details on this shortly.

This new version of Spree requires Rails 3.0.5. You can also use Github to see a complete list of changes for the 0.50.0 release. NOTE: This comparison will take a few minutes to load given the sheer number of files added to support the test coverage.

UPDATE:

If you are updating from Spree 0.40.x you should remove the ‘20101101185116_rename_columns_for_devise.rb’ migration from your Rails app. This is because 0.50.x contains a new version of that migration with a different timestamp so it will cause issues if you try to run both migrations. Sorry for the confusion.

New Spree Demo Launched

Posted on March 17, 2011 by Sean Schofield

Late yesterday we officially launched the new online Spree demo site. Thanks to all of my fellow team members at Rails Dog for putting this all together. We should also thank our friends at Sticker Mule (makers of fine custom stickers) for helping out with the site design. Finally, thanks to TSS Radio for donating their real world Spree catalog for us to use in the demo site. Please support them if you’re interested in any of the products for sale in our "fake store."

We have a few reasons for upgrading the demo. The first reason is to just show off some of the cool stuff you can do with Spree with a real set of products. Spree is intentionally plain when you install it so you don’t waste time ripping out what you don’t need. Unfortunately, that doesn’t make for the most exciting demonstration of a typical Spree site.

We also wanted to provide users with a real working example of how to
pull together a series of useful extensions for a more full featured
store. So we’ve also made the entire store open source and it’s
available now in Github. We also expect that this might be a good starting point for some of you if you want to build a new store with most of the features used in the demo (as opposed to creating a barebones Rails app and building up from there.)

Finally, we wanted to create a "reference implementation" to assist with the upgrade process. The idea is to add more extensions to the site over time and to preserve all order data that people generate over the months of sample checkouts. This way when we release new versions of Spree we can test out the upgrade process on our own sample site before we push the actual release. Ultimately this should lead to smoother upgrade experiences and provide assurances that the extensions used in the demo site are compatible with each release.

We have decided to disallow access to the admin portion of the demo. We had two problems that resulted in this decision. The first problem was that we were worried about people using real personal information during the checkout without realizing that others could see it on the backend. Yes, we could have obfuscated just those bits (and we tried) but after a while the admin started looking really lame and gave the wrong impression that you couldn’t do much of anything.

The other problem was with people adding products and doing things to break the experience for everyone else. Locking down the admin is how other projects do this and ultimately that made sense to us as well. Don’t worry, we have a pretty cool idea for how to show people the admin side of things. Look for an announcement on that shortly!

Please excuse a few broken links and other issues as we smooth
everything out. We decided to push this out rather than wait for it to
be perfect since the old demo was no longer an adequate representation
of the software. Please report any issues you find in the GH issue
tracker.

Spree 0.40.3 Released

Posted on February 17, 2011 by Sean Schofield

Spree 0.40.3 has been officially released. This is a minor patch release with a few fixes. All users should consider an immediate upgrade due to the recently announced security vulnerability in previous versions of Rails. Spree now requires Rails 3.0.4 which resolves this problem.

We also made an important fix for anyone using payment gateways that do not support a credit card profile (this includes the standard Authorize.net gateway.) If you are developing on a version of Spree 0.30.x with one of these gateways you’ve probably already experienced difficulties submitting the card details to the gateway. These issues are solved in version 0.40.3 along with a separate issue related to voids.

If you’re running a version of Spree less than 0.30.0 or if you are using Authorize.net CIM then you are not affected by this problem (but upgrading is still recommended due to the security fix mentioned above.)

Spree 0.40.2 Released

Posted on January 17, 2011 by Sean Schofield

Spree 0.40.2 has been officially released. This is a minor patch release with just three fixes. The main reason for this release is that there was an issue with the older version of activemerchant used in Spree 0.40.1. It’s worth mentioning that the problem only affects those running Ruby 1.9. Rather than upgrading you can also work around that problem by adding the following to your application Gemfile:


gem 'activemerchant', '1.9.0'

Spree 0.40.1 Released

Posted on January 14, 2011 by Sean Schofield

Spree 0.40.1 has been officially released. This is a minor patch release with just a few trivial fixes. The main reason for this release is that there is a new version of the CanCan gem which is causing issues with Spree. This only affects new installs of Spree so if you are already running on 0.40.0 and you have a Gemfile.lock file then there’s no urgent need to upgrade.

Moving forward we have decided to "lock down" the gem versions that Spree is depending on to minimize problems when new versions of gems come out. Since most users are deploying Spree independently this will not cause problems in most cases. We’ll keep an eye on this new approach and see if it makes things a little bit easier.

Spree 0.40.0 Released

Posted on December 22, 2010 by Sean Schofield

Spree 0.40.0 has been officially released. The primary change in this
release is a switch to the Devise authentication gem which was discussed
in the last blog post. You can
find more information on this and the token based permission changes in
the 0.40.0 release notes.

It’s been a month since version 0.30.1 was released and about six weeks since the major 0.30.0 release, so we’re definitely back on track with regular releases. In fact, the goal is to release every 3-4 weeks until we hit the final 1.0 release next year. This release also lays the groundwork for many new exciting social integration features that we’re planning for Spree.

Speaking of social integration, please take a moment to show your support for Spree and follow us on Facebook.

Spree 0.30.1 Released

Posted on November 17, 2010 by Sean Schofield

Spree 0.30.1 has been officially released. This is a minor patch release that addresses some minor bugs in the previous 0.30.0 release. It also fixes some recent issues with a new restriction on routes introduced by Rails 3.0.2. For a complete list of changes, please see the Github compare.

Spree 0.30.0 Released

Posted on November 09, 2010 by Sean Schofield

The Spree team is proud to (finally) announce the release of Spree 0.30.0. Spree is now officially compatible with Rails 3.x after almost five months of relentless work. In addition to Rails 3 support, we took this opportunity to refactor a lot of the internals and to improve our test coverage.

According to the Github compare, this
release consisted of 666 distinct commits by 25 different authors and
touched 2,609 different files. The number of files is a bit overstated
because we moved almost every file in the project as we reorganized
things – but still, there were a ton of changes in this release. The
official release notes are available on the Spree site.

I want to thank everyone in the Spree community – especially those that contributed code and patches for the release. It took a lot longer than we wanted but we also took a huge step towards a more solid and standards-based foundation. Don’t worry, we won’t be resting after this release either. We’re looking to drop some major authentication improvements this month as well as to roll out 0.30.x compatible versions of several extensions. We’ve also started work on the new "social" extensions as promised.

Spree 0.11.1 Released

Posted on October 12, 2010 by Sean Schofield

Spree 0.11.1 has been officially released. This is a patch release that addresses several issues discovered since 0.11.0. It is also the last expected release before the new Rails3 compatible version of Spree. We’ll continue to maintain the 0-11-stable branch but the focus will be on bug fixes as opposed to adding new features.

The new release addresses the following issues:

  • 818 – Migrate taxons to nested set for major performance boost
  • 1303 – Taxonomies with no taxons cause NoMethodError
  • 1414 – Bump will_paginate to 2.3.12
  • 1439 – Bump state_machine to latest version
  • 1452 – Extra closing tags in checkouts/_address
  • 1462 – Fix path finding for script/extension script
  • 1463 – Remove deprecated script/breakpointer
  • 1464 – Remove deprecated script/performance/request
  • 1475 – Require email address on checkout model
  • 1482 – Creditcard model only integer validation is wrong in syntax
  • 1492 – no such file to load — rspec when running the tests
  • 1494 – Allow specifying where shipping methods are displayed
  • 1499 – Fix escaping HTML issue with rails 2.3.8
  • 1503 – Fix admin additional field labels id
  • 1509 – Extensions are not being loaded
  • 1515 – Shipping Methods mixed up between Country-based zone and State-based zone
  • 1523 – error from double submit on checkout payment
  • 1526 – Cannot proceed to delivery from address step when address fails to validate
  • 1534 – Backport patches from rails3 branch
  • 1538 – Could not use Check payment because validation js of credit card payment
  • 1541 – Tidy up admin interface
  • 1572 – Checkout validation can raise exception in certain states
  • 1573 – Sample payments not capturing properly
  • 1574 – Editing a paid order in admin screen can result in incorrect shipment states
  • 1621 – Add validationMode support to Gateway::AuthorizeNetCim
  • 1636 – Coupon submission destroying payment
  • 1654 – RMA number changes when record updated
  • 1658 – Credits / Voids can result in invalid order states
  • 1668 – Canceled order should allow balance_due or credit_owed state

Spree 0.30.0.beta1 Released

Posted on September 03, 2010 by Sean Schofield

We’re pleased to announce our first beta release of a Rails3 compatible version of Spree. This time it’s a little bit rougher than our usual beta quality, where we encourage as many of our users as possible to try it out in advance of the official release. There are several known bugs and deficiencies in this gem, so you should really hold off until the next beta release, which we hope to achieve at the end of next week.

So why bother releasing an unfinished beta? There are a few reasons, actually. The first reason is that we are working on upgrading one of our Railsdog customers to the latest code and they are on Heroku. Heroku is much simpler when you work with real gems (as opposed to edge git clones.) The second reason is that we’re now releasing Spree as a series of gems instead of a single gem, so we wanted to make sure that we had this process working correctly before we started encouraging others to jump on board.

Spree is technically still a single gem but it now depends on five (soon to be six) additional gems.

  • spree_core: Basic functionality – you won’t get very far without this one.
  • spree_auth: Authentication and authorization stuff.
  • spree_api: Restful API implementation
  • spree_dash: A nice overview dashboard implementation.
  • spree_sample: Contains sample products, orders and images.

When you install the Spree gem you still get all of these pieces installed automatically. We’ve structured things, however, so that you do have the option to pick and choose which pieces you would like to use if you’re so inclined. Think Rails and how it consists of Active Record, Active Support, etc.

There is pretty much no documentation other than a few README files at this point. That will change, but we haven’t invested too much in documentation up until now because things were so fluid. We’re pretty comfortable with how things are working, so don’t expect a lot of radical changes between beta releases and the final release. We’ll be focused on nailing things down and fixing bugs. Feel free to report issues in lighthouse – just be sure to tag them as rails3 so we know you’re talking about the new code.

Spree 0.11.0 Released

Posted on June 14, 2010 by Sean Schofield

Spree 0.11.0 has been officially released. This release makes Spree compatible with the latest Rails 2.3.8 release. Several changes to Spree were required to get this to work (especially without deprecation warnings.) The impact on existing 0.10.x stores should, however, be minimal. As always, it is suggested that you perform a complete backup of your database and system assets before upgrading.

The new release contains a change to the default Spree theme to match the new logo. Nothing drastic – just a slightly different color scheme to go better with the new logo colors. There aren’t any real major features in this release but there are a ton of ton of important bug fixes and other changes. The Github compare for this release shows 173 commits by 20 different authors. So thanks once again to all of the people in the community that are working to improve Spree.

Spree 0.10.2 Released

Posted on March 29, 2010 by Sean Schofield

This is another minor patch release to address a few additional issues with the 0.10.0 release. Please report any issues in our issue tracker.

  • #1215 Update Vietnamese translation
  • #1230 Product#recalculate_count_on_hand migration from 0.9.4 to 0.10.0
  • #1234 Billing address not accepting UK state
  • #1238 Should not create empty order in db for orders/new action
  • #1240 Add test-unit to gem dependency
  • #1249 Authorize.net CIM does not work with live account
  • #1251 Skip confirmation step if payment profiles are not available
  • #1253 Table variants doesn’t exist when bootstrapping with extensions installed that modify the Variant model
  • #1255 Products groups edit error
  • #1257 Coupons do not recalculate credit after redeemed
  • #1261 Type Error when Checkout
  • #1263 Submitting a coupon during the checkout confirmation fails
  • #1269 Orders Overview page breaks when there are no orders in the last 7 days
  • #1276 Product Images not updating properly

Spree 0.10.0 Released

Posted on March 13, 2010 by Sean Schofield

Spree 0.10.0 has been released. It’s been several months since the last release, so there is even more goodness than usual. Here are some of the highlights:

  • Named scopes and product groups
  • Pluggable search (with extension support for Xapian, Sphinx and Solr.)
  • Theming
  • New and improved multi-step checkout
  • Improved gateway configuration
  • Multiple payment methods
  • Refunds and credits
  • SEO improvements
  • Restful API
  • Support for Rails 2.3.5 and Ruby 1.9

Please see the release notes for the complete details.

I’m especially proud of the support we continue to receive from our awesome community! Check out the Github compare between this and the last release.

  • 583 commits
  • 32 different authors
  • 1727 files changed

I’d like to give a special thanks to our newest core team members: David North and Roman Smirnov. David helped to save the day and finish the massive payment refactoring when I needed to go on a much needed vacation. Roman has been tirelessly applying patches submitted by the community when he was not busy writing his own! Paul Callaghan also deserves a special thanks (welcome back Paul!) Not only has he been very active on the spree-user list, but he spent countless hours making improvements to our documentation.

Spree 0.9.4 Released

Posted on December 10, 2009 by Sean Schofield

Spree 0.9.4 has been released. This is a trivial patch release. It fixes a bug that some users were experiencing installing the rdoc for the previous 0.9.3 gem. It is not necessary to upgrade from 0.9.3 if the gem is working for you since this affects only the documentation.

Spree 0.9.3 Released

Posted on December 06, 2009 by Sean Schofield

The Spree team is pleased to announce the latest release: v0.9.3. This is a patch release that provides support for the new Rails 2.3.5 release. Rails 2.3.5 contains a security fix so you may want to consider updating. We also addressed an issue with stylesheets when running Spree under a sub URI. We discovered that bug when preparing for another major announcement which should be coming soon.

This is also the first release on gemcutter (since Rubyforge gems are now out of fashion it seems.) If you’re not finding the gem, you just need to install the gemcutter gem.


gem install gemcutter
gem tumble
gem install spree   # .. or gem update spree if you already have it installed

If you have an existing Spree app you can update it easily enough after you’ve upgraded the gem. Just run the following command in your application root:


spree --update

Spree 0.9.2 Released

Posted on October 21, 2009 by Sean Schofield

This is a patch release containing a single important security fix. The security vulnerability was reported late yesterday and affects only the 0.9.0 and 0.9.1 versions of Spree. Sites running older versions of Spree (0.8.x, etc.) are not affected. If your site provides its own custom version of checkout_controller.rb then you will want to make some modifications.

Add this filter to the top of your controller:


before_filter :prevent_editing_complete_order, :only => [:edit, :update]

Then add the following method to your controller as well:


def prevent_editing_complete_order
  load_object
  redirect_to order_url(parent_object) if @order.checkout_complete
end
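To show why the filter above has to sit in front of both edit and update, here is an added, Rails-free sketch of the same check. It is not Spree’s own code: Order, MiniController (a stand-in for Rails’ before_filter chain, where a filter that redirects halts the request) and the sample orders are all constructed for the example, and it flattens Spree’s nested checkout/order resources into a single Order, so @order stands in for what Spree reaches via parent_object.

```ruby
# Added example (not Spree's code): a minimal model of the Spree 0.9.2 fix.
# Order, MiniController and the sample data are constructed stand-ins.

Order = Struct.new(:id, :checkout_complete, :ship_address)

# Stand-in for Rails' before_filter: filters run in declaration order before
# the action, and a filter that produces a response (redirect) halts the chain,
# so the action body never runs for that request.
class MiniController
  def self.before_filter(name, only: nil)
    @filters ||= []
    @filters << [name, only]
  end

  def self.filters
    @filters || []
  end

  attr_reader :response, :params

  def initialize(params, orders)
    @params = params
    @orders = orders # constructed "database": id => Order
    @response = nil
  end

  def process(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return @response if @response # filter redirected: halt here
    end
    send(action)
    @response
  end

  def redirect_to(url)
    @response = [:redirect, url]
  end

  def render(status, body)
    @response = [status, body]
  end
end

class CheckoutController < MiniController
  # The 0.9.2 fix: refuse edit/update once the checkout is complete.
  before_filter :prevent_editing_complete_order, only: [:edit, :update]

  def edit
    load_object
    render :ok, @order
  end

  def update
    load_object
    @order.ship_address = params[:ship_address]
    render :ok, @order
  end

  private

  def load_object
    @order = @orders.fetch(params[:id])
  end

  def order_url(order)
    "/orders/#{order.id}"
  end

  def prevent_editing_complete_order
    load_object
    redirect_to order_url(@order) if @order.checkout_complete
  end
end

# Constructed sample data: one open order and one already completed order.
def sample_orders
  {
    1 => Order.new(1, false, "1 Open St"),
    2 => Order.new(2, true, "2 Done Ave"),
  }
end

# Run one action against a fresh sample database; returns
# [response, ship_address of that order after the request].
def attempt(action, id, ship_address = "changed address")
  orders = sample_orders
  ctrl = CheckoutController.new({ id: id, ship_address: ship_address }, orders)
  resp = ctrl.process(action)
  [resp, orders[id].ship_address]
end

if __FILE__ == $0
  p attempt(:update, 1) # open order: update goes through
  p attempt(:update, 2) # completed order: redirected, address untouched
end
```

The point to take from the sketch is that the check runs before load-and-mutate logic for every action it is declared on; a check placed only in edit would leave update exposed.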

In the future, if you suspect a security bug, please send an email to security@railsdog.com. Please do not send a message to spree-user until we have a chance to verify the issue and hopefully provide a timely fix.

Spree 0.9.1 Released

Posted on October 13, 2009 by Sean Schofield

Spree 0.9.1 is a trivial patch release which addresses a gem dependency issue caused by a recent change in the Github gem repository. If you are already running Spree 0.9.0 you do not need to update. The new version simply uses a slightly newer version of the compass and haml gems. The older versions were no longer available in a public repo so we did this release to make sure that new users were able to run things without a hitch.

Spree 0.9.0 Released

Posted on September 22, 2009 by Sean Schofield

Spree 0.9.0 has been officially released. This is a major release with several new features and improvements. The most anticipated new feature is coupon and discount support. The Spree core now ships with a minimal set of coupon calculators and provides the framework for building much more powerful custom logic. Speaking of calculators, Spree is now sporting a significantly improved system of calculators.

The new release is also compatible with Rails 2.3.4 which contains some crucial security fixes. This release also contains some significant improvements to product variants. It is now possible to configure different product images for each variant and to display the specific variant image in the shopping cart. Please also see the very detailed release notes for more information on the release and how to upgrade an existing version of Spree.

Spree continues to improve its i18n support and is proud to announce the addition of the following localizations:

  • Thai
  • Hebrew
  • Dutch
  • Finnish
  • Mexican Spanish

If you have a new localization to add or wish to make improvements to an existing one, please see our contribution guidelines for information on how you can contribute.

We are already hard at work on the next major release. The massive growth in real world deployments of Spree has provided us with valuable insight into possible new features and improvements. We’ll be doing a major push to add core features as well as new extensions. There will also be a concerted effort to document and update the existing extensions. Stay tuned!

Spree 0.8.5 Released

Posted on July 08, 2009 by Sean Schofield

We’ve just done another patch release to Spree. This release actually contains no changes other than those that were supposed to have made it into the 0.8.4 release. Due to some “enthusiastic” git branch deletion I accidentally removed some of the changes needed for the release. So the 0.8.4 release did not really do anything other than increment the version number. This release contains the minor rake task upgrades that were supposed to be part of that release.

Spree 0.8.4 Released

Posted on July 03, 2009 by Sean Schofield

The Spree team is proud to announce the official release of Spree 0.8.4. This is a minor patch release that takes care of a few pesky issues related to migrations and sample data. Specifically, the following issues have been fixed:

  • 494 – There are no default states for United States when you don’t load sample data
  • 551 – Remove bootstrap restriction in production mode
  • 553 – Allow creation of default user through web interface
  • 550 – Seed data no longer populated correctly
  • 552 – Allow db:admin:create rake task to be run more than once

The most important change is that we have modified the migrations so that they are no longer loading so-called "seed" data (countries, states etc.) Keeping this seed data out of the migrations fixes a whole bunch of problems. You can still create everything from scratch with a single rake task:


rake db:bootstrap

By popular demand, the bootstrap task is once again permissible in production mode. For safety reasons it will not drop the existing database in production mode (as it does automatically in development and test modes.)

You can also still build everything from scratch using individual rake tasks. In fact, we’ve created several new rake tasks so you can have fine-grained control.

The following two rake tasks build an empty database with the required seed data.


rake db:migrate
rake db:seed

You can create an admin user (or an additional admin user if you already have one) using


rake db:admin:create

You can also load the sample data (assuming you don’t already have it through bootstrap) using


rake db:sample

Spree 0.8.0 Released

Posted on May 04, 2009 by Sean Schofield

We’re kicking off the first day of RailsConf with the official release of Spree 0.8.0. This release is the result of two months of hard work and represents another major step forward for the Spree ecommerce platform. The most noticeable new feature is the massive redesign of the user interface (screenshots available.) Not only has the look of the interface improved, but we’ve switched from HTML tables to the more readable CSS-based approach. We’re also now using the very powerful Sass library to simplify stylesheets along with the Compass gem which provides a Sass implementation of the popular Blueprint CSS framework.

This new release is also using the very excellent authlogic gem to handle authentication and authorization. This has resulted in some immediate improvements, such as “forgot my password” links and more secure password encryption. It will also make it easier to provide more advanced security features in the future. Ryan Bates has just released a very timely screencast describing some of the hotness this gem provides. Existing Spree user accounts will work fine with this new scheme but of course you should do a full backup of your system (particularly the database) before upgrading.

Spree also now supports Rails 2.3.2. We’ve actually had this support for some time now but it’s been limited to “edge” users. This is the first official Spree release with Rails 2.3.2 support. Spree is committed to staying current with the latest versions of Rails and we’ll be working towards Rails 3.0 support in the coming months. Ruby 1.9 is not yet supported but this will be on our short list after Railsconf.

This release is packed with new features. Here are some additional highlights:

  • Guest checkout
  • Expanded functionality for product prototypes
  • Improved upgrade rake task
  • Meta data keywords and description fields for products
  • Improved order security using tokens

This release has been a long time in the making and several people in our community need to be thanked. David North and Wynn Netherland for their tireless efforts on the interface redesign. Steph Powell also provided considerable CSS expertise and helped us to polish the new design. Both Steph and Paul Callaghan provided crucial last minute troubleshooting for several IE issues. Dale Hofkens should also be thanked for doing a ton of work to get Spree working with authlogic. We had so many contributions to this release that it would be impossible to name them all. So thanks to all of you for your continued interest and support of the Spree ecommerce project.

Core Payment Gateway Extension is Finished

Posted on May 23, 2008 by Sean Schofield

I have just checked in a major improvement to the payment_gateway extension (part of the core Spree functionality.) You can now use /admin/gateways to configure your payment gateway (the old method involved editing environment.rb). So far the only gateways supported are the Bogus Gateway and LinkPoint. Not a lot of choices but that is easily fixed. We just need to test each of the ActiveMerchant gateways with Spree and then add them to the extension.

In development mode, you will always use the BogusGateway no matter what gateway you have chosen. In test mode you will get your chosen gateway but it will be set to test mode. ActiveMerchant handles what exactly test mode implies for each gateway, but it usually involves a special test URL for your gateway and possibly passing other parameters to indicate a test. Production mode will use the live gateway in the manner you would expect.

Besides adding a useful feature, this was also a nice test of the extension mechanism. This also makes a good example to look at for those of you contemplating making your own extensions. The only real problem I have noticed is that the routes introduced by an extension do not automatically reload in development mode. So that stuff required restarting the server every time I wanted to change the route. Rails has spoiled me to the point that a single reload of my server annoys me. I’ll track this down and fix it shortly.

Core Extensions

Posted on May 14, 2008 by Sean Schofield

Now that the basic extension mechanism is in place I am experimenting with the concept of so-called “core extensions.” These are extensions that will ship with the gem and provide core functionality. They reside in #{SPREE_ROOT}/vendor/extensions. NOTE: This is not the same as #{RAILS_ROOT}/vendor/extensions. So far we have a PaymentGateway and TaxCalculator extension. The idea behind core extensions is to make it easier for developers to customize Spree to fit their own needs. Taxes in particular are likely to differ depending on your client and/or location. It will soon be a simple matter of turning off the default extension and dropping in your own replacement.

The payment gateway extension is not very interesting at the moment. Right now it always returns the BogusGateway, but in another day or two it will be possible to configure the ActiveMerchant gateway of your choice through a nice admin interface. No more configuring the gateways in environment.rb! The other cool thing it does is to mix in a payment_gateway method into Spree::BaseController. This is the method that returns the gateway to be used for processing credit cards. If for some reason you don’t want to use ActiveMerchant to talk to your gateway you could plug in something else here.

While it’s unlikely you will need to scrap ActiveMerchant (since you can always write your own ActiveMerchant implementation for your new gateway), you will probably have a definite need to customize your tax logic. The current TaxCalculator extension will allow you to set tax rates for individual states. If the order ships to that state then all items will be taxed at that rate. There is no admin menu item for this yet, but you can see the rate interface at admin/tax_rates if you are running the latest source (demo has yet to be upgraded.)

Although this is fairly crude, it’s also pretty much what you’re stuck with in many of the existing commerce platforms. Even though we will be adding to this basic calculator over time, we fully expect that your needs will go beyond this. This is where you unfortunately have to earn your money as a programmer and do a little programming. It’s a fairly easy process to create your own extension. Documentation on extensions is ongoing but there is an in-progress tutorial in the Developer’s Guide. Stay tuned for more information on making your own extensions. We are also working on some interesting taxonomy features that should make it possible to mark only certain items as being taxable.