Version: 2.x

LTS version

This page details information about the LTS version of Front-Commerce.

Front-Commerce 2.x LTS

Front-Commerce 2.x has entered Long Term Support (LTS) mode in 2025. This means that since version 2.35.0, only dependencies updates, critical security fixes and bug fixes will be released for this branch by default.

We still maintain the documentation and provide support for this version for a period of 2 years after the LTS date (9th January 2027). We will continue to update dependencies to ensure compatibility with the latest supported versions as long as it is technically possible. However, we will not introduce new major features, and you must be aware that technical limitations may prevent us to update some dependencies or be compatible with the latest Node.js versions.

This version is recommended for all 2.x projects. Front-Commerce 3.x was released in September 2023 and is now the recommended version for new projects. With the 2.x LTS version, we want to ensure that you have enough time to plan and migrate your projects to the latest major version.

Key takeaways

Front-Commerce 3.x was released on the 28th September 2023.
Front-Commerce 2.x LTS will be maintained until 9th January 2027.
We recommend updating your projects to the latest 2.x version and start planning your migration to 3.x if you haven't already.
New projects should start with 3.x.

This page details the compatibility and security information for the LTS version, so that you can make an informed decision about your project's update plan. We will keep this page up-to-date with the latest information.

Compatible Node.js versions

Front-Commerce 2.x is compatible with these Node.js versions:

16.13+ (End Of Life: 11 September 2023)
18.12+ (End Of Life: 30 April 2025)

Dependencies security

In the LTS version of Front-Commerce, we have practiced a deep security audit of dependencies by using multiple CVE databases.

We went through multiple dependencies update and intensive testing to ensure that the LTS version of Front-Commerce is secure.

Some dependencies are still pinned to specific versions to ensure compatibility with existing code. This page list security issues that couldn't be addressed along with more details on the reason and impacts.

Update your project

To benefit from these security fixes, please complete these steps

Remove your `node_modules` folder as well as the `package-lock.json` file:

rm -r node_modules package-lock.json

Update your `package.json`'s `overrides` to add the following

  "overrides": {
    // ... Your existing overrides
    "front-commerce": {
      "@babel/traverse": "^7.23.2",
      "@storybook/addon-graphql": {
        "graphiql": "1.4.8"
      },
      "@storybook/core": {
        "ejs": "^3.1.10"
      },
      "braces": "^3.0.3",
      "browserify-sign": "^4.2.2",
      "core-js-compat": {
        "semver": "7.5.2"
      },
      "cross-fetch": "^3.1.5",
      "cross-spawn@^6.0.0": "^6.0.6",
      "decode-uri-component": "^0.2.1",
      "dset": "^3.1.4",
      "enzyme": {
        "cheerio": "1.0.0-rc.11"
      },
      "fbjs": {
        "ua-parser-js": "^0.7.33"
      },
      "highlight.js": "^10.4.0",
      "http-cache-semantics": "^4.1.1",
      "ip": "^1.1.9",
      "json5": "^2.2.2",
      "loader-utils@^1.0.0": "^1.4.2",
      "loader-utils@^2.0.0": "^2.0.4",
      "loader-utils@^3.0.0": "^3.2.1",
      "minimatch": "^3.0.5",
      "node-fetch": "^2.6.7",
      "nth-check": "^2.0.1",
      "prismjs": "^1.27.0",
      "prismjs@^1.0.0": "^1.27.0",
      "react-router": {
        "path-to-regexp": "^1.9.0"
      },
      "recompose": {
        "node-fetch": "^2.6.7",
        "ua-parser-js": "^0.7.33"
      },
      "roarr": "7.15.0",
      "rollup@^2.0.0": "^2.79.2",
      "semver@^5.0.0": "^5.7.2",
      "semver@^6.0.0": "^6.3.1",
      "shell-quote": "^1.7.3",
      "terser@^4.0.0": "^4.8.1",
      "tsconfig-paths": {
        "json5": "^1.0.2"
      },
      "undici": "^5.28.4",
      "ws@^5.0.0": "^5.2.4",
      "ws@^6.0.0": "^6.2.3",
      "ws@^7.0.0": "^7.5.10",
      "ws@^8.0.0": "^8.17.1"
    }
  }

Run `npm install`

Runtime

warning

These dependencies are used in production and development environments.

It affects the /graphql endpoint only when using the Upload Scalar type (which is disabled by default in Front-Commerce).

Front-Commerce V2 will stick with Apollo Express Server since it's the core of the HTTP transaction layer for GraphQL queries and mutations.

Front-Commerce V3 has been updated to don't use Apollo anymore, all GraphQL queries are executed server side.

`dicer`

dicer is deprecated and isn't maintained anymore. However, it is still used for the Apollo Express Server (responsible for GraphQL queries) and cannot be updated.

Related security advisory:

Crash in HeaderParser in dicer

`lodash.pick`

lodash.pick is deprecated and isn't maintained anymore. lodash main package should be used instead. However, one of our GraphQL Fragment tool is using lodash.pick and cannot be updated.

Related security advisory:

Prototype Pollution in lodash

Development

info

These dependencies are only used in development environment and are not used in production. Related security advisories are only applicable to development builds (using NODE_ENV=development).

Front-Commerce V2 will stick with Webpack V4, updating Webpack to latest version isn't possible because it would break compatibility with the current code.

Front-Commerce V3 adressed this issue by switching to Vite bundling system instead of Webpack.

`webpack-dev-middleware`

webpack-dev-middleware is still maintained, however the fix for this security issue is available for Webpack 5 and upward, in Front-Commerce V2 we are using Webpack V3 and update this bundling system cannot be done.

Related security advisory:

Path traversal in webpack-dev-middleware

Developper Experience

info

These dependencies are only used for Storybook, related security advisories are only applicable when running Storybook (only locally).

Front-Commerce V2 will stick with Storybook V5 due to uncompatibility of current stories with versions upward.

Front-Commerce V3 has been updated to use latest Storybook version.

`html-minifier`

html-minifier is deprecated and isn't maintained anymore. It is used for Storybook addon and cannot be updated since we won't be able to use Readme in Storybook if we do.

Related security advisory:

kangax html-minifier REDoS vulnerability

`ip`

ip is deprecated and isn't maintained anymore. It is used for the Storyshoot testing system and cannot be updated.

Related security advisory:

ip SSRF improper categorization in isPublic

`marked`

marked is still maintained and can be used. However, Storybook Readme addon is using a legacy version of marked and cannot be updated.

Related security advisories:

Front-Commerce 2.x LTS​

Compatible Node.js versions​

Dependencies security​

Update your project​

Runtime​

dicer​

lodash.pick​

Development​

webpack-dev-middleware​

Developper Experience​

html-minifier​

ip​

marked​

Front-Commerce 2.x LTS

Compatible Node.js versions

Dependencies security

Update your project

Runtime

`dicer`

`lodash.pick`

Development

`webpack-dev-middleware`

Developper Experience

`html-minifier`

`ip`

`marked`