Bump craftcms/commerce from 5.0.5 to 5.6.0 #82

Open
dependabot[bot] wants to merge 1 commit into craft-5 from dependabot/composer/craftcms/commerce-5.6.0

dependabot Bot commented on behalf of github Apr 14, 2026

Bumps craftcms/commerce from 5.0.5 to 5.6.0.

Release notes

Sourced from craftcms/commerce's releases.

5.6.0

Administration

  • Added the “UI Label Format” and “Variant UI Label Format” settings to product types. (#4178)

Extensibility

  • Added relatedToProducts and relatedToVariants GraphQL query arguments, enabling queries for elements related to specific products or variants. (#4202)
  • Added craft\commerce\elements\db\ProductQuery::$savable.
  • Added craft\commerce\elements\db\ProductQuery::savable().
  • Added craft\commerce\elements\db\VariantQuery::$savable.
  • Added craft\commerce\elements\db\VariantQuery::editable().
  • Added craft\commerce\elements\db\VariantQuery::savable().
  • Added craft\commerce\helpers\ProductQuery::cleanseQueryCriteria().
  • Added craft\commerce\services\ShippingRuleCategories::getShippingRuleCategoriesByRuleIds().
  • Added craft\commerce\services\ShippingRuleCategories::getShippingRuleCategoriesByRuleIds().
  • craft\commerce\elements\db\ProductQuery::$editable is now nullable.
  • craft\commerce\elements\db\VariantQuery::$editable is now nullable.

System

  • Craft Commerce now requires Craft CMS 5.9.15 or later.
  • Cart numbers are now generated using a cryptographically secure random number generator.
  • Cart controller actions that accept an explicit cart number are now rate limited to mitigate enumeration attacks.
  • Shipping rule categories are now eager loaded on shipping rules automatically. (#4220)
  • Improved product index performance by not eager-loading variants for table attributes that are already fetched via SQL joins. (#4236)
  • Fixed a bug where coupon codes were submitted too early while being entered on order edit screens.
  • Fixed a bug where variants with empty SKUs didn’t show validation errors when saving a product after it was duplicated. (#4197)
  • Fixed high-severity SQL injection vulnerabilities. (GHSA-875v-7m49-8x88, GHSA-r54v-qq87-px5r)
  • Fixed a low-severity information disclosure vulnerability. (GHSA-3vxg-x5f8-f5qf)

5.5.4

  • Fixed a bug where subscription plan edit screens weren’t showing their linked description entries, if the entries were disabled. (#4229)
  • Fixed an error that could occur when editing inventory locations. (#4233)
  • Fixed a SQL error that could occur when querying for unfulfilled orders on PostgreSQL. (#4228)
  • Fixed an error that could occur when resaving variants. (#4226)

5.5.3

  • Added craft\commerce\models\LineItemStatus::getDisplayName().
  • Fixed a bug where Orders tables on user edit pages were showing an incorrect column heading.
  • Fixed a bug where product selector modals didn’t have “Add a product” buttons. (#4205)
  • Fixed a bug where order status and line item status names weren’t translatable. (#4213)
  • Fixed a bug where it wasn’t possible to change a variant’s shipping category.
  • Fixed an error that occurred when adjusting inventory levels with an adjustment of zero. (#4212)
  • Fixed a SQL error that could occur when querying variants on PostgreSQL. (#4210)
  • Fixed an error that could occur when merging canonical product changes into a draft. (#4199)
  • Fixed a bug where variants weren’t being marked as modified when variants were added, deleted, or reordered. (#4222)
  • Fixed high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
  • Fixed a high-severity XSS vulnerability in the control panel. (GHSA-cfpv-rmpf-f624)
  • Fixed low-severity XSS vulnerabilities in the control panel. (GHSA-mqxf-2998-c6cp, GHSA-wj89-2385-gpx3, GHSA-mj32-r678-7mvp)

5.5.2

  • Improved transaction refund amount validation.

... (truncated)

Changelog

Sourced from craftcms/commerce's changelog.

5.6.0 - 2026-03-11

Administration

  • Added the “UI Label Format” and “Variant UI Label Format” settings to product types. (#4178)

Extensibility

  • Added relatedToProducts and relatedToVariants GraphQL query arguments, enabling queries for elements related to specific products or variants. (#4202)
  • Added craft\commerce\elements\db\ProductQuery::$savable.
  • Added craft\commerce\elements\db\ProductQuery::savable().
  • Added craft\commerce\elements\db\VariantQuery::$savable.
  • Added craft\commerce\elements\db\VariantQuery::editable().
  • Added craft\commerce\elements\db\VariantQuery::savable().
  • Added craft\commerce\helpers\ProductQuery::cleanseQueryCriteria().
  • Added craft\commerce\services\ShippingRuleCategories::getShippingRuleCategoriesByRuleIds().
  • Added craft\commerce\services\ShippingRuleCategories::getShippingRuleCategoriesByRuleIds().
  • craft\commerce\elements\db\ProductQuery::$editable is now nullable.
  • craft\commerce\elements\db\VariantQuery::$editable is now nullable.

System

  • Craft Commerce now requires Craft CMS 5.9.15 or later.
  • Cart numbers are now generated using a cryptographically secure random number generator.
  • Cart controller actions that accept an explicit cart number are now rate limited to mitigate enumeration attacks.
  • Fixed a PHP error that could occur when using the manual gateway. (#4245)
  • Fixed high-severity SQL injection vulnerabilities. (GHSA-875v-7m49-8x88)
  • Fixed a low-severity information disclosure vulnerability. (GHSA-3vxg-x5f8-f5qf)

5.5.4 - 2026-02-18

  • Fixed a bug where subscription plan edit screens weren’t showing their linked description entries, if the entries were disabled. (#4229)
  • Fixed an error that could occur when editing inventory locations. (#4233)
  • Fixed a SQL error that could occur when querying for unfulfilled orders on PostgreSQL. (#4228)
  • Fixed an error that could occur when resaving variants. (#4226)
  • Fixed high-severity SQL injection vulnerabilities in the control panel. (GHSA-r54v-qq87-px5r)
  • Added craft\commerce\helpers\ProductQuery::cleanseQueryCriteria().

5.5.3 - 2026-02-09

  • Added craft\commerce\models\LineItemStatus::getDisplayName().
  • Fixed a bug where Orders tables on user edit pages were showing an incorrect column heading.
  • Fixed a bug where product selector modals didn’t have “Add a product” buttons. (#4205)
  • Fixed a bug where order status and line item status names weren’t translatable. (#4213)
  • Fixed a bug where it wasn’t possible to change a variant’s shipping category.
  • Fixed an error that occurred when adjusting inventory levels with an adjustment of zero. (#4212)
  • Fixed a SQL error that could occur when querying variants on PostgreSQL. (#4210)
  • Fixed an error that could occur when merging canonical product changes into a draft. (#4199)
  • Fixed a bug where variants weren’t being marked as modified when variants were added, deleted, or reordered. (#4222)
  • Fixed high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
  • Fixed a high-severity XSS vulnerability in the control panel. (GHSA-cfpv-rmpf-f624)
  • Fixed low-severity XSS vulnerabilities in the control panel. (GHSA-mqxf-2998-c6cp, GHSA-wj89-2385-gpx3, GHSA-mj32-r678-7mvp)

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [craftcms/commerce](https://github.com/craftcms/commerce) from 5.0.5 to 5.6.0.
- [Release notes](https://github.com/craftcms/commerce/releases)
- [Changelog](https://github.com/craftcms/commerce/blob/5.x/CHANGELOG.md)
- [Commits](craftcms/commerce@5.0.5...5.6.0)

---
updated-dependencies:
- dependency-name: craftcms/commerce
  dependency-version: 5.6.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the dependencies (Pull requests that update a dependency file) and php (Pull requests that update php code) labels Apr 14, 2026