Follow the steps below to upgrade the Optimizely Configured Commerce SDK:
- Download the latest Configured Commerce SDK release and unzip it
- Copy the following from the 5.1.0 SDK src folder:
  - FrontEnd
  - Web/_SystemResources
  - Web/App_Config
  - Web/Excel
  - Web/Licensing
  - Web/Properties
  - Web/config *
  - Web/gruntfile.js *
  - Web/package.json *
  - aspx *
  - aspx.cs *
  - Web/validateLicensing.ps
  * Items marked with an asterisk may contain customizations you have made; those customizations are lost when the file is overwritten, so check for them before copying.
- Update InsiteCommerce.Web.csproj. There are three possible approaches:
  - Update your existing csproj, then compare it to the 5.1.0 SDK and pull in any changes needed:
    - Install the upgrade assistant: `dotnet tool install -g upgrade-assistant`
    - Run the assistant from the root of your project to convert the project file to SDK style: `upgrade-assistant upgrade InSiteCommerce.sln --ignore-unsupported-features`
    - Use a diffing tool to compare the csproj files
    - Copy in any changes
  OR
  - Copy in the new csproj, then determine what you need to change. Some possibilities are:
    - Missing NuGet references
    - Missing project references
    - Extra files included that need to be excluded
    - Custom targets or pre/post build steps
  OR
  - Compare your current copy of InsiteCommerce.Web.csproj to the current 4.6.0 release, then apply those changes to the 5.1.0 InsiteCommerce.Web.csproj
- Update web.config. There are two possible approaches:
  - Update your existing csproj, then compare it to the 5.1.0 SDK and pull in any changes needed:
    - Install the upgrade assistant: `dotnet tool install -g upgrade-assistant`
    - Run the assistant from the root of your project to convert the project file to SDK style: `upgrade-assistant upgrade InSiteCommerce.sln --ignore-unsupported-features`
    - Use a diffing tool to compare the csproj files
    - Copy in any changes
  OR
  - Copy in the new csproj, then determine what you need to change. Some possibilities are:
    - Missing NuGet references
    - Missing project references
    - Extra files included that need to be excluded
    - Custom targets or pre/post build steps
- Delete the following:
  - packages
  - Web/packages.config
- Build your SDK solution in Visual Studio
- Fix any custom server-side compilation errors
- Fix any custom client-side compilation errors
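The third csproj approach above (compare your customized file to the stock 4.6.0 file, then carry the differences into the stock 5.1.0 file) is easy to get wrong by eye, since the old files carry the MSBuild namespace and put versions in a `<Version>` child while SDK-style files use a `Version` attribute. The script below is an added example, not part of the SDK or this guide: it reads the three csproj files and reports which package and project references you added or re-versioned that the new stock file does not already carry. All package and project names in the sample fragments are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Old-style csproj files carry the MSBuild xmlns; SDK-style files do not. Compare local names only.
    return tag.rsplit("}", 1)[-1]

def read_references(csproj_xml):
    """Collect PackageReference {name: version} and ProjectReference {path} from csproj XML text."""
    packages, projects = {}, set()
    for el in ET.fromstring(csproj_xml).iter():
        tag = _local(el.tag)
        if tag == "PackageReference":
            version = el.get("Version")
            if version is None:  # pre-SDK-style files put the version in a <Version> child element
                child = next((c for c in el if _local(c.tag) == "Version"), None)
                version = child.text.strip() if child is not None and child.text else None
            packages[el.get("Include") or el.get("Update")] = version
        elif tag == "ProjectReference":
            projects.add(el.get("Include").replace("\\", "/"))
    return packages, projects

def customizations_to_reapply(stock_old, customized, stock_new):
    """Three-way compare: references you added or re-versioned relative to the stock old csproj,
    split into those absent from the stock new csproj ("add") and those the new csproj carries
    at a different version ("review"), plus project references to add back."""
    old_p, old_j = read_references(stock_old)
    cur_p, cur_j = read_references(customized)
    new_p, new_j = read_references(stock_new)
    yours = {n: v for n, v in cur_p.items() if old_p.get(n) != v}
    return {
        "add": {n: v for n, v in yours.items() if n not in new_p},
        "review": {n: (v, new_p[n]) for n, v in yours.items() if n in new_p and new_p[n] != v},
        "projects": sorted((cur_j - old_j) - new_j),
    }

# Constructed sample fragments (not the SDK's real files): an old-style stock csproj, the same
# file with local customizations, and an SDK-style stock replacement.
NS = 'xmlns="http://schemas.microsoft.com/developer/msbuild/2003"'
STOCK_OLD = f"""<Project {NS}><ItemGroup>
  <PackageReference Include="Newtonsoft.Json"><Version>12.0.3</Version></PackageReference>
</ItemGroup></Project>"""
CUSTOMIZED = f"""<Project {NS}><ItemGroup>
  <PackageReference Include="Newtonsoft.Json"><Version>13.0.1</Version></PackageReference>
  <PackageReference Include="Contoso.PricingConnector"><Version>2.1.0</Version></PackageReference>
  <ProjectReference Include="..\\Contoso.Extensions\\Contoso.Extensions.csproj" />
</ItemGroup></Project>"""
STOCK_NEW = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
</ItemGroup></Project>"""

if __name__ == "__main__":
    print(customizations_to_reapply(STOCK_OLD, CUSTOMIZED, STOCK_NEW))
```

Replace the three sample strings with the contents of your stock 4.6.0 file, your customized file and the stock 5.1.0 file to get the list of references to reapply.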
Upgrade considerations
All features introduced between 4.6 and 5.1 are incorporated into the 5.1 SDK release. This document highlights specific areas to consider when upgrading from a 4.6 version of Configured Commerce.
Key Features
The major features introduced in this SDK are listed in the 5.1 SDK Release Announcement.
Upgrade Process
- Download the new SDK
- Update your Nuget packages
- Recompile to identify breaking changes and resolve
- Attempt to run the site with new code in place and identify inconsistencies
- Determine which new features are desired
- Use the Responsive theme to weave in any new changes (if you use the Classic CMS)
Note: The Configured Commerce private NuGet feed moved from MyGet to the Optimizely public server. You will need to point your NuGet package source to this location.
Breaking Changes
Optimizely attempts to minimize breaking changes, but sometimes they are inevitable. The specific changes are detailed in the cumulative spreadsheet attached to each set of release notes, but it may be easier to look for compilation problems and remediate them individually. (Note the two tabs at the bottom of the spreadsheet: one for cumulative breaking changes, one for Spire breaking changes.)
Potential Warnings
When running npm audit on the 5.1 SDK code, you may run into the following vulnerabilities:
Immer
This only applies to the applyPatches and enablePatches functions, which are not used in Optimizely Configured Commerce, making this low risk for the application.
Title | Severity | Vulnerable Versions
--- | --- | ---
Prototype Pollution in immer | High | <9.0.6
Prototype Pollution in immer | Critical | <9.0.6
Prototype Pollution in immer | High | <8.0.1
ANSI-HTML
This affects all versions of the package ansi-html. If an attacker provides a malicious string, the package gets stuck processing the input for an extremely long time. This is a limited risk for Optimizely Configured Commerce, because ansi-html is a peer dependency of our development environments.
Title | Severity | Vulnerable Versions
--- | --- | ---
Uncontrolled Resource Consumption in ansi-html | High | <=0.0.7
Glob-parent
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to regular expression denial of service. Because glob-parent is a dependency of webpack and babel, which are development dependencies, this is a limited risk for Optimizely Configured Commerce.
Title | Severity | Vulnerable Versions
--- | --- | ---
Regular expression denial of service | High | <5.1.2
SSRI
npm `ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. `ssri` is a dependency of webpack, and therefore this risk is limited for Optimizely Configured Commerce.
Title | Severity | Vulnerable Versions
--- | --- | ---
Regular Expression Denial of Service (ReDoS) | High | >=5.2.2 <6.0.2
Handlebars
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compiling options are selected to compile templates coming from an untrusted source. This is a limited risk for Optimizely Configured Commerce, because we do not use Handlebars directly; it is a peer dependency of a development dependency.
Title | Severity | Vulnerable Versions
--- | --- | ---
Remote code execution in handlebars when compiling templates | Critical | <4.7.7
Ini
The `ini` npm package before version 1.3.6 has a Prototype Pollution vulnerability. Ini is a development dependency for Optimizely Configured Commerce, and is therefore low risk.
Title | Severity | Vulnerable Versions
--- | --- | ---
Prototype Pollution | High | <1.3.6
Trim-newlines
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has a regular expression denial-of-service (ReDoS) issue in the .end() method. trim-newlines is a dependency of template-file, which is used on specific files for generating templates on the backend, making it low risk for Optimizely Configured Commerce.
Title | Severity | Vulnerable Versions
--- | --- | ---
Regular Expression Denial of Service in trim-newlines | High | <3.0.1
Node-fetch
Node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor. This is a dependency of isomorphic-fetch, which performs data calls for serverside rendering. Therefore it is low risk for Optimizely Configured Commerce.
Title | Severity | Vulnerable Versions
--- | --- | ---
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor | High | <2.6.7
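The advisories above are documented as accepted risk, but a CI job that simply ignores `npm audit` failures would also hide any new advisory. The script below is an added example, not part of the SDK or this guide: it reads `npm audit --json` output (the npm 7+ report shape is assumed), accepts only the package/title pairs listed in this section, and sends everything else, including an accepted advisory whose package has become a direct dependency, for review. The sample report is constructed, not real npm output.

```python
import json

# Advisories this guide documents as accepted risk for the 5.1 SDK, keyed by (package, advisory title).
ACCEPTED = {
    ("immer", "Prototype Pollution in immer"): "applyPatches/enablePatches are not used",
    ("ansi-html", "Uncontrolled Resource Consumption in ansi-html"): "peer dependency of dev environment",
    ("glob-parent", "Regular expression denial of service"): "webpack/babel dev dependency",
    ("ssri", "Regular Expression Denial of Service (ReDoS)"): "webpack dependency; strict option unused",
    ("handlebars", "Remote code execution in handlebars when compiling templates"): "not used directly",
    ("ini", "Prototype Pollution"): "development dependency",
    ("trim-newlines", "Regular Expression Denial of Service in trim-newlines"): "template-file dependency",
    ("node-fetch", "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor"):
        "isomorphic-fetch dependency used for server-side rendering",
}

def triage(audit_json):
    """Split an `npm audit --json` report (npm 7+ shape assumed) into accepted and unexpected findings.
    An entry of `via` is either an advisory object or a string naming the upstream package the
    vulnerability is inherited from; only advisory objects are matched against ACCEPTED."""
    report = json.loads(audit_json)
    accepted, unexpected = [], []
    for name, vuln in report.get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if isinstance(via, str):
                continue  # inherited finding; it is judged on the upstream package's own entry
            title = via.get("title", "")
            record = {"package": name, "title": title, "severity": via.get("severity"), "range": via.get("range")}
            if (name, title) in ACCEPTED and not vuln.get("isDirect"):
                accepted.append({**record, "reason": ACCEPTED[(name, title)]})
            else:  # new advisory, or an accepted one whose package became a direct dependency
                unexpected.append(record)
    return accepted, unexpected

# Constructed sample report (not real npm output): two documented advisories, one inherited entry,
# and one advisory this guide does not cover.
SAMPLE_AUDIT = json.dumps({"vulnerabilities": {
    "immer": {"name": "immer", "severity": "critical", "isDirect": False, "range": "<9.0.6",
              "via": [{"title": "Prototype Pollution in immer", "severity": "critical", "range": "<9.0.6"}]},
    "ansi-html": {"name": "ansi-html", "severity": "high", "isDirect": False, "range": "<=0.0.7",
                  "via": [{"title": "Uncontrolled Resource Consumption in ansi-html", "severity": "high",
                           "range": "<=0.0.7"}]},
    "webpack-dev-server": {"name": "webpack-dev-server", "severity": "high", "isDirect": True, "via": ["ansi-html"]},
    "example-lib": {"name": "example-lib", "severity": "moderate", "isDirect": False, "range": "<1.2.0",
                    "via": [{"title": "Constructed advisory not covered by this guide", "severity": "moderate",
                             "range": "<1.2.0"}]},
}})

if __name__ == "__main__":
    acc, unexp = triage(SAMPLE_AUDIT)
    print(f"{len(acc)} accepted, {len(unexp)} need review:", [r["package"] for r in unexp])
```

In a pipeline, pipe `npm audit --json` into `triage` and fail the build only when the unexpected list is non-empty.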