
Version 4

version 4.100

  • [4.100.0] fix(middleware): prevent fatal in AdvSiteModeMiddleware when SITE_MODE=AdminFrontend

    • Root cause. Adv_base_controller::__construct() calls siteModeGuard() before the child constructors (Adv_front_controller, Adv_admin_controller) load the session library — that load now lives in the child ctors after the 4.99.16 stateless-REST fix (ad33be8bf). In SiteMode::AdminFrontend mode, the middleware's first condition is isLoggedIn() → get_instance()->session->userdata(...) → fatal Call to a member function userdata() on null, because $ci->session is still null at that point. The crash was reported in production on v4-evripidis (evripidis.gr) at auth_helper.php:16 and reproduces on any HTTP controller flow when the registry value GLOBAL.SITE_MODE is 2.
    • Why the naive fix is wrong. Loading session unconditionally in Adv_base_controller::__construct() would re-introduce the regression ad33be8bf removed: REST endpoints, payment webhooks, feed XML and job runners would each start a PHP session and emit Set-Cookie on otherwise stateless requests.
    • Fix in ecommercen/libraries/AdvSiteModeMiddleware.php. Re-ordered the AdminFrontend branch so namespace/route exemptions (siteModeInstanceOf() + allowedRoutes) are evaluated before isLoggedIn(). With this order, REST controllers (matched via siteModeAllowedNamespaces = ['Advisable\Rest\\']) and configured allowed routes (advisable, advisable/login, soon, maintenance, ...) break out of the switch before any session machinery is touched. Only the surviving frontend path — a controller that actually serves storefront HTML in AdminFrontend mode — proceeds, and at that point the middleware lazy-loads session via $ci->load->library('session') so isLoggedIn() has a live session to read. CI3's loader is idempotent, so the later child-constructor load is a no-op.
    • Other modes untouched. Online, AdminOnly, and CLI paths never reach the AdminFrontend branch — no session is loaded in those modes, statelessness preserved.
    • Tests. --testsuite=Unit 2617/2617, --testsuite=Legacy 234/234 (6 pre-existing skips unrelated to this change).
  • [4.100.0] chore(deps): patch/minor LTS hygiene bumps (Symfony 6.4, flysystem, JWT, FPDI, postal-code-validator)

    • firebase/php-jwt v7.0.3 → v7.0.5
    • league/flysystem 3.32.0 → 3.33.0
    • setasign/fpdi v2.6.4 → v2.6.6
    • sirprize/postal-code-validator 1.5.0 → 1.5.1
    • symfony/config v6.4.34 → v6.4.37
    • symfony/dependency-injection v6.4.34 → v6.4.38
    • composer audit: "No security vulnerability advisories found"
    • Autoloader smoke: Firebase\JWT\JWT, League\Flysystem\Filesystem, Symfony Config + DI co-instantiate cleanly with the bumped versions.
  • [4.100.0] chore(deps): bump phpspreadsheet to 2.4.5 + phpseclib to 3.0.52 (security)

    • CVE-2026-34084 (critical) — SSRF/RCE in IOFactory::load when reading attacker-controlled spreadsheets.
    • CVE-2026-40863 (high) — DoS via unbounded row index in the XLSX reader.
    • CVE-2026-40902 (high) — DoS via unbounded row number in XLSX row reader.
    • CVE-2026-35453 (moderate) — XSS via NumberFormat @ text format.
    • CVE-2026-40296 (moderate) — XSS via number-format-code @ text format.
    • CVE-2026-44167 (high) — CVE-2024-27355 mitigation bypass: OID parsing in phpseclib.
    • CVE-2026-40194 (low) — variable-time HMAC comparison in phpseclib.
    • composer audit: "No security vulnerability advisories found".
    • Autoloader smoke: PhpOffice\PhpSpreadsheet\Spreadsheet and phpseclib classes load cleanly.
    • composer.json unchanged — pure lockfile move.
  • [4.100.0] chore(deps): bump grapesjs floor to ^0.22.16 (#219)

    • grapesjs.init({ container, fromElement, height, width, plugins, pluginsOpts, storageManager }) — stable API.
    • editor.getHtml({ cleanId: true }), editor.getCss(), editor.RichTextEditor.add(...), editor.getSelected(), editor.on('storage:store', ...) — stable event surface.
    • All seven plugins remain compatible (grapesjs-preset-webpage, etc.).
    • 0.22.13 — attribute escaping. getHtml() now emits &amp; &lt; etc. correctly.
    • 0.22.15 — border-radius shorthand order in CSS output.
    • 0.22.15 — rgba → hex8 conversion for color-picker values.
    • npm install: no resolution change (lockfile already had ^0.22.16-compatible version).
    • npm run all-production: exit 0, 142 / 41 warnings, 0 errors — unchanged from baseline.
  • [4.100.0] chore(deps): override webpackbar to ^7.0.0 to support webpack 5.106.x (#225)

    • package.json pins webpack: ^5.98.0 (wide caret).
    • The previously committed lockfile had webpack@5.99.9, where webpackbar@5.0.2 (transitive via laravel-mix@6.0.49) still worked.
    • Fresh resolution picks webpack@5.106.2, which tightened the WebpackPluginInstance.apply schema; webpackbar@5.0.2 no longer satisfies it and build fails.
    • laravel-mix@6.0.49 pulls in webpackbar@^5.0.0-3 → webpackbar@5.0.2 by default.
    • webpackbar@7.0.0 (Nov 2024) was rewritten to use the new schema.
    • Surgical fix on the actual broken dep, not a workaround.
    • Keeps us on current webpack patches (security and otherwise).
    • Aligned with the Node 24 cutover direction; staying on a six-year-old webpackbar would block future updates.
    • rm package-lock.json && rm -rf node_modules && npm install: clean resolve.
    • npm run all-production: exit 0. Storefront 142 warnings, admin 41 warnings, 0 errors.
  • [4.100.0] chore(deps): tighten vue-apexcharts pin to ~1.6.2 (#223)

    • rm package-lock.json && rm -rf node_modules && npm install clean against the new tilde range.
    • npm run all-production exit 0 against the committed lockfile, no behaviour change.
  • [4.100.0] chore(deps): bump axios, lodash-es, lottie-web, sweetalert2 security floors (#216)

    • axios >=1.12.0 <1.14.1 || >=1.14.2 → ^1.16.0 (1.16.0). Also closes axios SSRF advisories.
    • lodash-es ^4.17.21 → ^4.18.1 (4.18.1). Closes prototype-pollution advisories.
    • lottie-web ^5.12.2 → ^5.13.0 (5.13.0). Preventive for the Node 24 cutover.
    • sweetalert2 ^11.7.20 → ^11.22.4 (11.26.24). Closes button-focus XSS advisory.
    • axios: JSON-only usage, no FormData via axios (uploads go through native FormData + fetch).
    • lodash-es: only template is imported from lodash-es. None of the changed surfaces in 4.18 affect us.
    • lottie-web: single call site (assets/main/vue/Lottie.vue) uses the stable loadAnimation API.
    • sweetalert2: no :focus overrides on .swal2-confirm/-deny/-cancel in our SCSS — accent-color-aware focus rings inherit cleanly.
    • rm package-lock.json && rm -rf node_modules && npm install: the failures seen during a clean resolve were verified to be unrelated to these deps.
    • npm run all-production (= npm ci && npm run production && npm run admin-production): exit 0.

Notes

  • [4.100.0] REQUIRES composer install:

    • composer.lock updated — phpspreadsheet 2.4.5, phpseclib 3.0.52 (security CVEs), Symfony 6.4 patch bumps, flysystem, JWT, FPDI, postal-code-validator hygiene bumps.
  • [4.100.0] REQUIRES npm ci && npm run all-production:

    • package.json and package-lock.json updated — axios, lodash-es, lottie-web, sweetalert2 security floors (#216); vue-apexcharts pin (#223); webpackbar override (#225); grapesjs floor (#219).
  • [4.100.0] Check for overrides (AdminFrontend site-mode middleware fix):

    • ecommercen/libraries/AdvSiteModeMiddleware.php: AdminFrontend branch reordered so namespace/route exemptions run before isLoggedIn(). Any client override of this middleware that pinned the old order will re-introduce the userdata() on null fatal when SITE_MODE=AdminFrontend.
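The following is an added illustration of the AdminFrontend reorder described in the 4.100.0 middleware fix and in the override note above. It is not the project's code: the FakeCI, FakeLoader and FakeSession classes are minimal stand-ins for CodeIgniter 3's controller instance, loader and session library, the exemption tables and the adminFrontendGuardOld / adminFrontendGuardFixed function names are assumptions modelled on the changelog text, and PHP 8.0+ is assumed. It runs the old order and the fixed order over a REST controller and a storefront controller so the difference (fatal vs. no session touched, and session only loaded on the surviving storefront path) is visible.

```php
<?php
// Added example, not the project's own code. The classes below are stand-ins
// for CI3's controller instance, loader and session (assumptions).
declare(strict_types=1);

final class FakeSession {
    public function __construct(private bool $loggedIn) {}
    public function userdata(string $key): mixed {
        return ($key === 'user_id' && $this->loggedIn) ? 42 : null;
    }
}

final class FakeLoader {
    public function __construct(private FakeCI $ci, private bool $loggedIn) {}
    // CI3's loader is idempotent: a second library('session') is a no-op.
    public function library(string $name): void {
        if ($name === 'session' && $this->ci->session === null) {
            $this->ci->session = new FakeSession($this->loggedIn);
        }
    }
}

final class FakeCI {
    public ?FakeSession $session = null; // null until the session library is loaded
    public FakeLoader $load;
    public function __construct(public string $controllerClass, public string $route, bool $loggedIn) {
        $this->load = new FakeLoader($this, $loggedIn);
    }
}

// Mirrors the auth-helper pattern: reads $ci->session without checking it is loaded.
function isLoggedIn(FakeCI $ci): bool {
    return $ci->session->userdata('user_id') !== null;
}

// Exemption tables: assumed values taken from the changelog description.
const ALLOWED_NAMESPACES = ['Advisable\\Rest\\'];
const ALLOWED_ROUTES = ['advisable', 'advisable/login', 'soon', 'maintenance'];

function isExempt(FakeCI $ci): bool {
    foreach (ALLOWED_NAMESPACES as $ns) {
        if (str_starts_with($ci->controllerClass, $ns)) {
            return true;
        }
    }
    return in_array($ci->route, ALLOWED_ROUTES, true);
}

// Old order: session is read before exemptions. With $ci->session still null
// (base ctor runs before the child ctor loads it) this throws
// "Call to a member function userdata() on null".
function adminFrontendGuardOld(FakeCI $ci): string {
    if (isLoggedIn($ci)) {
        return 'pass';
    }
    return isExempt($ci) ? 'pass' : 'redirect';
}

// Fixed order: exemptions break out first, so REST controllers and allowed
// routes never touch session machinery. Only the surviving storefront path
// lazy-loads session; the later child-ctor load is then a no-op.
function adminFrontendGuardFixed(FakeCI $ci): string {
    if (isExempt($ci)) {
        return 'pass';
    }
    $ci->load->library('session');
    return isLoggedIn($ci) ? 'pass' : 'redirect';
}

// Constructed sample requests: [controller class, route, user logged in?]
$cases = [
    ['Advisable\\Rest\\OrdersController', 'rest/orders',       false],
    ['Adv_front_controller',              'catalog/product/1', false],
    ['Adv_front_controller',              'catalog/product/1', true],
];

foreach ($cases as [$class, $route, $loggedIn]) {
    $ci = new FakeCI($class, $route, $loggedIn);
    try {
        $old = adminFrontendGuardOld($ci);
    } catch (Error $e) {
        $old = 'FATAL: ' . $e->getMessage();
    }

    $ci = new FakeCI($class, $route, $loggedIn);
    $fixed = adminFrontendGuardFixed($ci);
    $ci->load->library('session'); // simulate the child ctor's load: no-op if already loaded

    printf("%-36s %-18s old=%-52s fixed=%-8s session=%s\n",
        $class, $route, $old, $fixed, $ci->session === null ? 'not loaded' : 'loaded');
}
```

Running it shows the REST request hitting the fatal under the old order while passing under the fixed order with no session ever created, and the storefront requests loading session exactly once and then redirecting or passing based on the login state. A client override that keeps the old order reproduces the first line's FATAL.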