Upgrade instructions and considerations for Configured Commerce SDK 5.1

Follow the steps below to upgrade Optimizely Configured Commerce SDK:

  1. Download the latest Configured Commerce SDK release and unzip it
  2. Copy the following from the 5.1.0 SDK src folder:
    • FrontEnd
    • Web/_SystemResources
    • Web/App_Config
    • Web/Excel
    • Web/Licensing
    • Web/Properties
    • Web/config *
    • Web/gruntfile.js *
    • Web/package.json *
    • aspx *
    • aspx.cs *
    • Web/validateLicensing.ps

* Check these files for customizations you may have made; they will be lost when the SDK versions are copied over them.

  3. Update InsiteCommerce.Web.csproj

There are three possible approaches:

  • Update your existing csproj, then compare it to the 5.1.0 SDK and pull in any changes needed:
    1. Install the upgrade assistant: dotnet tool install -g upgrade-assistant
    2. Run the assistant from the root of your project:
      upgrade-assistant upgrade InSiteCommerce.sln --ignore-unsupported-features
    3. Convert project file to SDK style
    4. Use a diffing tool to compare the csproj files
    5. Copy in any changes

OR

  • Copy in the new csproj, then determine what you need to change. Some possibilities are:
    • Missing NuGet references
    • Missing project references
    • Extra files included that need to be excluded
    • Custom targets or Pre/Post build steps

OR

  • Compare your current copy of InsiteCommerce.Web.csproj to the current 4.6.0 release, then apply those changes to the 5.1.0 InsiteCommerce.Web.csproj

  4. Update web.config

There are two possible approaches:

  • Update your existing csproj, then compare it to the 5.1.0 SDK and pull in any changes needed:
    1. Install the upgrade assistant: dotnet tool install -g upgrade-assistant
    2. Run the assistant from the root of your project:
      upgrade-assistant upgrade InSiteCommerce.sln --ignore-unsupported-features
    3. Convert project file to SDK style
    4. Use a diffing tool to compare the csproj files
    5. Copy in any changes

OR

  • Copy in the new csproj, then determine what you need to change. Some possibilities are:
    • Missing NuGet references
    • Missing project references
    • Extra files included that need to be excluded
    • Custom targets or Pre/Post build steps

  5. Delete the following
    1. packages
    2. Web/packages.config
  6. Build your SDK solution in Visual Studio
  7. Fix any custom server-side compilation errors
  8. Fix any custom client-side compilation errors

Upgrade considerations

All features introduced between 4.6 and 5.1 are incorporated into the 5.1 SDK release. This document highlights specific areas to consider when upgrading from a 4.6 version of Configured Commerce.

Key Features

The major features introduced in this SDK are listed in the 5.1 SDK Release Announcement.

Upgrade Process

  1. Download the new SDK
  2. Update your NuGet packages
  3. Recompile to identify breaking changes and resolve them
  4. Attempt to run the site with new code in place and identify inconsistencies
  5. Determine which new features are desired
  6. Use the Responsive theme to weave in any new changes (if you use the Classic CMS)

Note: The Configured Commerce private NuGet feed moved from MyGet to the Optimizely public server. You will need to point your NuGet host to this location.

Breaking Changes

Optimizely attempts to minimize breaking changes, but sometimes they are inevitable. The specific changes are detailed in the cumulative spreadsheet attached to each set of release notes, but it may be easier to look for compilation problems and remediate them individually. (Note the two tabs at the bottom of the spreadsheet: one for cumulative breaking changes, one for Spire breaking changes.)

Potential Warnings

When running npm audit on the 5.1 SDK code, you may see the following advisories reported:

Immer

This only applies to the applyPatches and enablePatches functions, which are not used in Optimizely Configured Commerce, making this low risk for the application.

Title | Severity | Vulnerable Versions
Prototype Pollution in immer | High | <9.0.6
Prototype Pollution in immer | Critical | <9.0.6
Prototype Pollution in immer | High | <8.0.1

ANSI-HTML

This affects all versions of the ansi-html package. If an attacker provides a malicious string, the package gets stuck processing the input for an extremely long time. This is a limited risk for Optimizely Configured Commerce, because ansi-html is a peer dependency of our development environments only.

Title | Severity | Vulnerable Versions
Uncontrolled Resource Consumption in ansi-html | High | <=0.0.7

Glob-parent

This affects the glob-parent package before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to regular expression denial of service. Because glob-parent is a dependency of webpack and babel, which are development dependencies, this is a limited risk for Optimizely Configured Commerce.

Title | Severity | Vulnerable Versions
Regular expression denial of service | High | <5.1.2

SSRI

The npm `ssri` package, versions 5.2.2 through 6.0.1 and 7.0.0 through 8.0.0, processes SRIs using a regular expression that is vulnerable to denial of service: malicious SRIs can take an extremely long time to process. This issue only affects consumers using the strict option. ssri is a dependency of webpack, and therefore this risk is limited for Optimizely Configured Commerce.

Title | Severity | Vulnerable Versions
Regular Expression Denial of Service (ReDoS) | High | >=5.2.2 <6.0.2

Handlebars

Handlebars versions before 4.7.7 are vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source. This is a limited risk for Optimizely Configured Commerce, because we do not use Handlebars directly; it is a peer dependency of a development dependency.

Title | Severity | Vulnerable Versions
Remote code execution in handlebars when compiling templates | Critical | <4.7.7

Ini

The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. ini is a development dependency for Optimizely Configured Commerce, and is therefore low risk.

Title | Severity | Vulnerable Versions
Prototype Pollution | High | <1.3.6

Trim-newlines

The trim-newlines package before 3.0.1, and 4.x before 4.0.1, for Node.js has a regular expression denial-of-service (ReDoS) issue in the .end() method. trim-newlines is a dependency of template-file, which is used on specific files for generating templates on the backend, making it low risk for Optimizely Configured Commerce.

Title | Severity | Vulnerable Versions
Regular Expression Denial of Service in trim-newlines | High | <3.0.1

Node-fetch

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. It is a dependency of isomorphic-fetch, which performs data calls for server-side rendering. Therefore it is low risk for Optimizely Configured Commerce.

Title | Severity | Vulnerable Versions
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor | High | <2.6.7
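As an added example (not part of the SDK or of this guide), the following Python script reads `npm audit --json` output in the npm 7+ report format and separates the advisories documented above as accepted from anything else, so that a new finding is not lost among the known ones. The sample report embedded in it is constructed.

```python
import json

# Advisories this guide documents as accepted (limited/low risk) for the
# 5.1 SDK, keyed by package name; titles match the tables above.
ACCEPTED = {
    "immer": {"Prototype Pollution in immer"},
    "ansi-html": {"Uncontrolled Resource Consumption in ansi-html"},
    "glob-parent": {"Regular expression denial of service"},
    "ssri": {"Regular Expression Denial of Service (ReDoS)"},
    "handlebars": {"Remote code execution in handlebars when compiling templates"},
    "ini": {"Prototype Pollution"},
    "trim-newlines": {"Regular Expression Denial of Service in trim-newlines"},
    "node-fetch": {"node-fetch is vulnerable to Exposure of Sensitive Information "
                   "to an Unauthorized Actor"},
}

# Constructed sample of `npm audit --json` output (npm 7+ format, trimmed to
# the fields read below). "lodash" is deliberately not on the accepted list.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "immer": {"severity": "critical", "range": "<9.0.6",
                  "via": [{"title": "Prototype Pollution in immer", "severity": "critical"}]},
        # affected only through glob-parent: `via` names a package, not an advisory
        "chokidar": {"severity": "high", "range": "*", "via": ["glob-parent"]},
        "lodash": {"severity": "high", "range": "<4.17.21",
                   "via": [{"title": "Constructed example advisory", "severity": "high"}]},
    },
})


def triage(report_json):
    """Return (accepted, unexpected) lists of (package, title, severity).
    String entries in `via` are transitive effects and are skipped."""
    report = json.loads(report_json)
    accepted, unexpected = [], []
    for pkg, vuln in report.get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if isinstance(via, str):
                continue
            finding = (pkg, via["title"], via["severity"])
            if via["title"] in ACCEPTED.get(pkg, set()):
                accepted.append(finding)
            else:
                unexpected.append(finding)
    return accepted, unexpected


if __name__ == "__main__":
    for pkg, title, sev in triage(SAMPLE_REPORT)[1]:
        print(f"needs review [{sev}] {pkg}: {title}")
```

To use it against a real project, pipe the output of `npm audit --json` from the Web folder into `triage` instead of the constructed sample.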