
Release: 3.19

Léo Grech
Product Manager @ Front-Commerce

Permissions, marketplace features, and session reliability

Front-Commerce 3.19 introduces a permission system that gives integrators fine-grained control over feature access. Gezy Marketplace receives two brand-new modules — disputes and conversations — along with merchant selection on the product page. Redis connections now support password authentication and TLS, external login providers gain new extension points, and a series of session and payment fixes make the platform more reliable than ever.

Let's dive into the details!

Permission system

Front-Commerce now ships a built-in permission system. The new UserPermissions class lets extensions declare named permissions that are resolved at runtime based on the current user context. On the frontend, the usePermissions() hook and the <Restricted> component make it straightforward to gate UI elements based on those permissions.

  • Declarative permissions: extensions call addPermission to register capabilities such as negotiableQuote, dispute, or conversation
  • React integration: usePermissions() returns an isAllowedTo(key) helper; <Restricted to="key" fallback={...}> conditionally renders children
  • Replaces legacy guards: useCompanyPermissions is deprecated in favor of the new unified API

The first consumers are the negotiable quotes, disputes and conversations modules in Gezy, but any extension can leverage the system.

Learn more in the migration guide.

Gezy Marketplace: Disputes

Customers can now open and track disputes directly from their account area. The module provides a complete workflow:

  • Dispute list: a dedicated page at /user/disputes with status badges, pagination and a "send reminder" action
  • Create dispute: customers select an order, pick a reason, describe the issue and attach files
  • Eligibility control: DisputeEligibility on the Order type lets the backend enforce cooldown periods before a new dispute can be submitted
  • Dispute details: a timeline view displays the full message history with file attachments; customers can reply until the dispute is resolved or closed


Access to the disputes module is gated by the new permission system via the dispute permission.

Gezy Marketplace: Conversations

A new messaging module lets customers contact merchants directly from their account:

  • Conversation list: /user/messages displays all conversations with status badges and pagination
  • New conversation: customers pick a merchant through an autocomplete search field, write a message and attach files
  • Conversation detail: a message timeline with reply form, reusing the same components as the disputes module for a consistent experience

Access is controlled by the conversation permission. The MessageTimeline and MessageForm components are shared between disputes and conversations through a generic FcMessage GraphQL interface.

Gezy Marketplace: Merchant selection on product pages

On marketplace storefronts, customers can now choose which merchant's offer to add to their cart. A new ProductOffers component displays available offers on the product page, and the selected merchantId is propagated through the entire add-to-cart chain. Merchant information also appears on RMA line items, and return creation is restricted to a single merchant at a time.

Redis password authentication and TLS

All Redis connections — sessions, rate limiter, maintenance mode, server events, and caching — now support password authentication and TLS. A new unified FrontCommerceRedisConfig type and the defineRedisConfig helper provide consistent configuration across all Redis-backed features. This is essential for production environments where Redis instances are password-protected or require encrypted connections.

Learn more in the migration guide.
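As an added illustration (not Front-Commerce code, and not the defineRedisConfig API, whose shape is documented in the migration guide), the following sketch maps a Redis URL to ioredis-style connection options and refuses plaintext or passwordless connections in production. The function name, the `production` flag and the sample URLs are assumptions.

```javascript
// Added example: validates a Redis URL and maps it to ioredis-style options.
// redisOptionsFromUrl and the `production` flag are hypothetical names.
function redisOptionsFromUrl(rawUrl, { production = true } = {}) {
  const url = new URL(rawUrl);
  if (url.protocol !== "redis:" && url.protocol !== "rediss:") {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  const useTls = url.protocol === "rediss:";
  const password = decodeURIComponent(url.password);

  // Weak settings are rejected up front instead of silently connecting.
  if (production && !useTls) {
    throw new Error("production Redis must use TLS (rediss://)");
  }
  if (production && !password) {
    throw new Error("production Redis must require a password");
  }

  const options = {
    host: url.hostname,
    port: url.port ? Number(url.port) : 6379,
    db: url.pathname.length > 1 ? Number(url.pathname.slice(1)) : 0,
  };
  if (url.username) options.username = decodeURIComponent(url.username);
  if (password) options.password = password;
  // An empty tls object enables TLS and keeps Node's default certificate
  // verification (rejectUnauthorized stays true).
  if (useTls) options.tls = {};
  return options;
}

// Constructed sample URLs.
const WEAK_URL = "redis://localhost:6379";
const HARDENED_URL = "rediss://:s3cr%40t@redis.internal.example:6380/2";
```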

External login: profile and payload transformers

External login providers now expose two new extension points:

  • registerProfileTransformer(): enrich the OAuth profile returned by providers (e.g. add custom fields, normalize data)
  • registerPayloadTransformer(): customize the Magento2 customer creation payload before it is sent to the backend

The parseProfileFromProviderCallback method now returns { profile, rawProfile } instead of just Profile, giving transformers access to the complete provider response.

Learn more in the migration guide.
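The following added example (not taken from Front-Commerce) shows what the body of a profile transformer could look like when it receives the `{ profile, rawProfile }` pair described above. The callback shape passed to registerProfileTransformer(), the profile field names and the sample provider response are assumptions; `email_verified` is the standard OpenID Connect claim.

```javascript
// Added example: a hypothetical profile transformer body.
// Only allowlisted provider fields are copied; anything else is dropped so
// provider-controlled data cannot flow unchecked into the customer payload.
const ALLOWED_RAW_FIELDS = ["given_name", "family_name", "locale"];

function transformProfile({ profile, rawProfile }) {
  // Normalize the address so the same person always maps to one account.
  const email = String(rawProfile.email ?? profile.email ?? "")
    .trim()
    .toLowerCase();
  if (!email || !email.includes("@")) {
    throw new Error("provider returned no usable email");
  }
  // Only trust the address if the provider says it verified it.
  if (rawProfile.email_verified !== true) {
    throw new Error("email not verified by provider");
  }

  const extra = {};
  for (const key of ALLOWED_RAW_FIELDS) {
    if (typeof rawProfile[key] === "string") extra[key] = rawProfile[key].trim();
  }
  return { ...profile, email, ...extra };
}

// Constructed sample input (not a real provider response).
const SAMPLE_CALLBACK = {
  profile: { id: "oidc-123", email: "Jane@Example.com " },
  rawProfile: {
    sub: "oidc-123",
    email: "Jane@Example.com ",
    email_verified: true,
    given_name: " Jane",
    family_name: "Doe",
    is_admin: true, // not allowlisted, so it is dropped
  },
};
```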

Other changes

Features

  • Core:
    • We implemented a permission system allowing extensions to declare and check named permissions at runtime (migration guide)
    • We added support for multiple deliveries per order with new fields on the Shipment GraphQL type (implemented for Magento2, Magento1 and Gezy)
    • We added an onShopFallback lifecycle hook so extensions can customize redirect behavior when no shop matches the current URL
    • We added a server configuration option to exclude specific routes from the trailing slash middleware
  • Gezy-Marketplace:
    • We added a complete disputes module with list, creation, details and messaging
    • We added a conversations module with list, creation, details and merchant search
    • We added marketplace merchant selection on the product page and propagation of merchantId through the add-to-cart flow
    • We added merchant information on RMA line items
    • We rebranded negotiable quotes as "requests for proposal" in the gezy-marketplace package
  • External Login:
    • We added registerProfileTransformer() and registerPayloadTransformer() extension points for external login providers (migration guide)
  • Buybox:
    • We migrated the Buybox payment module from v2 to v3
  • Skeleton:
    • We added classnames and prop-types as standard dependencies so integrators no longer need to install them manually

Improvements

  • Core:
    • We switched GraphQL Codegen to inlineFragmentTypes: combine mode, reducing generated TypeScript file size by ~93% and preventing memory crashes during tests
  • CMS:
    • We improved the CMS editor with a toggle disable/re-enable fix and a save confirmation alert
  • Skeleton:
    • We fixed the Vitest configuration so integrators can properly run React tests with TypeScript alias resolution
  • Redis:
    • We added password authentication and TLS support for all Redis connections (migration guide)

Bug Fixes

  • Adyen:
    • We fixed an issue where Apple Pay payment selection would do nothing due to improper module registration within Drop-In
    • We fixed an issue where external provider payment modals (Google Pay, etc.) would never close after payment submission
  • Cart:
    • We fixed an issue where the cart cache was not invalidated after mutations when the cart was created in the same session (affects Magento2, Magento1 and Gezy)
  • Codemod:
    • We fixed an issue where codemods were filtered out due to file:// URL incompatibility with fs.existsSync
  • Compat:
    • We fixed ReferenceError: require is not defined in production builds when using Apollo SSR by replacing CJS require with ESM import
  • Core:
    • We fixed an issue where the FRONT_COMMERCE_SERVER_DISABLE_TRAILING_SLASH_REDIRECT environment variable was misinterpreted as truthy whenever defined
    • We fixed an issue where the server configuration from front-commerce.config.ts was not applied to middleware configuration
  • CSP:
    • We fixed an issue where CSP violation reports returned 404 when the shop uses a baseUrl prefix
  • External Login:
    • We fixed an issue where OAuth2 flow failure (technical error, access denied) caused the Promise to never resolve
  • Gezy-Marketplace:
    • We fixed an issue where adding a single negotiable quote line to cart displayed an incomplete popup instead of a proper confirmation modal
    • We fixed incorrect prices displayed on the negotiable quote detail page
    • We fixed the missing negotiable quotes link in the account navigation
    • We fixed draft negotiable quotes appearing in the list view
  • Magento1:
    • We fixed an issue where sensitive authentication headers could leak in error objects returned to end users
  • Magento2:
    • We fixed an issue where isAdmin() returned false despite valid admin data due to a serialization mismatch
  • Netup:
    • We fixed an issue where the "Product Removed" analytic event was only fired from the mini cart
    • We fixed incorrect parameters in "Product Added/Removed to Wishlist" events
    • We added tracking for the "Product Removed from Wishlist" event on clear and delete actions
    • We fixed filter deselection tracking and page navigation tracking
    • We fixed search page tracking to assign correct products
    • We added publishing zone support for the cart page
  • Remix:
    • We fixed an intermittent logout failure caused by a session race condition where concurrent requests recreated destroyed sessions in Redis
    • We fixed false-positive CSRF detection on POST actions (logout, login, add to cart) by stripping Origin: null headers
    • We fixed a dev server crash on HMR by recreating a fresh OpenTelemetry NodeSDK instance on each start
  • Theme Chocolatine:
    • We fixed an issue where the redirect after payment duplicated the baseUrl when the shop uses sub-folder URLs
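The session race condition listed under Remix above can be replayed deterministically. This added example is not Front-Commerce's code or its actual fix: it uses a constructed in-memory stand-in for the Redis session store and shows one possible guard, a commit that only writes when the key still exists (the behaviour of Redis `SET key value XX`). All names are hypothetical.

```javascript
// Added example: constructed in-memory stand-in for a Redis session store.
class SessionStore {
  constructor() { this.data = new Map(); }
  get(id) {
    const value = this.data.get(id);
    return value ? { ...value } : null;
  }
  set(id, value) { this.data.set(id, { ...value }); }   // like SET
  setIfExists(id, value) {                              // like SET ... XX
    if (!this.data.has(id)) return false;
    this.data.set(id, { ...value });
    return true;
  }
  destroy(id) { this.data.delete(id); }                 // like DEL
}

// Replays the interleaving: request B loads the session, request A (logout)
// destroys it, then B commits its stale copy at the end of the request.
function replayLogoutRace(commit) {
  const store = new SessionStore();
  store.set("sid-1", { userId: 42, cartId: "c-1" });

  const staleCopy = store.get("sid-1"); // request B: load at request start
  store.destroy("sid-1");               // request A: logout completes
  staleCopy.lastSeen = 1700000000;      // request B: touches the session
  commit(store, "sid-1", staleCopy);    // request B: commit at request end

  return store.get("sid-1");            // what the next request would see
}

// Unconditional write: the destroyed session comes back, still logged in.
const unconditionalCommit = (store, id, value) => store.set(id, value);
// Guarded write: a destroyed session stays destroyed.
const guardedCommit = (store, id, value) => store.setIfExists(id, value);
```

With the guarded commit, creating a session has to be a separate, explicit path (for example at login), since an end-of-request commit can no longer create keys.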

Dependencies updates

Major upgrades:

  • react-intl from v7 to v8 and @formatjs/cli-lib from v6 to v8
  • chalk from v4 to v5
  • @envelop/testing from v7 to v10 and jsdom from v24 to v28
  • Pact from v13 to v16
  • @graphql-tools/utils from v10 to v11

Core / Runtime packages:

Package                      From     To
react                        19.2.3   19.2.4
react-dom                    19.2.3   19.2.4
react-intersection-observer  10.0.0   10.0.3
react-slick                  0.30.2   0.31.0
swr                          2.3.8    2.4.0
dotenv                       17.2.3   17.3.1
axios                        1.13.2   1.13.5
cors                         2.8.5    2.8.6
qs                           6.14.0   6.15.0
lodash                       4.17.21  4.17.23
lodash-es                    4.17.22  4.17.23
lru-cache                    11.2.4   11.2.6
minimatch                    10.1.1   10.2.2
memoize                      10.0.0   10.2.0
p-queue                      9.0.1    9.1.0
semver                       7.7.3    7.7.4
isbot                        5.1.32   5.1.35
ua-parser-js                 2.0.7    2.0.9
terser                       5.44.1   5.46.0
card-validator               10.0.3   10.0.4

Server / Backend:

Package  From    To
ioredis  5.8.2   5.9.3
pino     10.1.0  10.3.1
winston  3.17.0  3.19.0

GraphQL:

Package                                     From     To
graphql-yoga                                5.17.1   5.18.0
@envelop/core                               5.4.0    5.5.1
@graphql-yoga/plugin-disable-introspection  2.18.1   2.19.0
@graphql-yoga/render-graphiql               5.17.1   5.18.0
@graphql-codegen/cli                        6.1.0    6.1.2
@graphql-codegen/client-preset              5.2.2    5.2.3
@graphql-codegen/typescript                 5.0.7    5.0.8
@graphql-tools/merge                        9.1.6    9.1.7
@graphql-tools/schema                       10.0.30  10.0.31
vite-plugin-graphql-codegen                 3.7.0    3.8.0

Remix:

Package                    From    To
@remix-run/dev             2.17.2  2.17.4
@remix-run/eslint-config   2.17.2  2.17.4
@remix-run/express         2.17.2  2.17.4
@remix-run/node            2.17.2  2.17.4
@remix-run/react           2.17.2  2.17.4
@remix-run/server-runtime  2.17.2  2.17.4
@remix-run/testing         2.17.2  2.17.4

Payment Providers:

Package                  From    To
@adyen/adyen-web         6.26.0  6.31.1
@adyen/api-library       30.0.1  30.1.0
@stripe/react-stripe-js  5.4.1   5.6.0
@stripe/stripe-js        8.5.3   8.8.0
stripe                   20.0.0  20.3.1

CMS / Content:

Package            From     To
@prismicio/client  7.21.0   7.21.6
contentful         11.10.1  11.10.4

Search:

Package                     From    To
algoliasearch               5.46.1  5.49.0
@algolia/autocomplete-core  1.19.4  1.19.6
@algolia/client-search      5.46.0  5.49.1

Observability:

Package                              From     To
@opentelemetry/instrumentation-http  0.208.0  0.212.0
@opentelemetry/sdk-node              0.208.0  0.212.0

Build Tools:

Package          From     To
rollup           4.53.5   4.59.0
esbuild          0.27.2   0.27.3
@parcel/watcher  2.5.1    2.5.6
autoprefixer     10.4.23  10.4.24
postcss          8.4.49   8.5.6
sass             1.96.0   1.97.3

Dev Tools / Testing:

Package                 From     To
prettier                3.7.4    3.8.1
happy-dom               20.0.10  20.7.0
supertest               7.1.4    7.2.2
memfs                   4.51.1   4.56.10
@testing-library/react  16.3.1   16.3.2
typescript              5.7.2    5.9.3

Storybook:

Package                      From     To
storybook                    10.1.10  10.2.10
@storybook/addon-docs        10.1.10  10.2.10
@storybook/addon-links       10.1.10  10.2.10
@storybook/addon-onboarding  10.1.10  10.2.10
@storybook/builder-vite      10.1.10  10.2.10
@storybook/react-vite        10.1.10  10.2.10

Fixes from 3.19 have also been backported into previous minor versions. The following patch versions were released: 3.18.3, 3.17.2, 3.16.3, 3.15.4, 3.14.5, 3.13.6, and 3.12.8.


Upgrade Front-Commerce (Migration guides): 3.19.0
Read the full changelog (Customers only): 3.19.0.