Self-Managed Commerce 8.7.x Release Notes

Learn about changes to Self-Managed Commerce for this release. Fixes since the release are summarized in the changelog.

Changelog

The changelog contains the list of fixes and improvements made to Self-Managed Commerce 8.7 since its release date. To learn how to consume the updates, see Consuming Support Fixes.

Commit	Description	Badges	Release Date
42862cd6	Changed "No product was found for base amount" error to a warning.		28‑Aug‑2025
ff9b43cd	Upgraded Tomcat from 10.1.42 to 10.1.44 to address CVE-2025-52520, CVE-2025-53506, and CVE-2025-48989.	Security	26‑Aug‑2025
56be14d9	Modified the XPFTaxableShoppingItem so that its GUID matches the shopping cart line item GUID, so that the ElasticPathTaxCalculator cache doesn't miss on subsequent identical tax lookups.		25‑Aug‑2025
745fc35c	Removed all ESAPI dependencies, which were not effectively protecting the Cortex API endpoints and were including vulnerable transitive dependencies.		20‑Aug‑2025
1db31ec0	Fixed issue with service level options in the Commerce Manager promotion actions not updating correctly after the selected stores are changed.		20‑Aug‑2025
29072bea	Removed extra super.configure() call in ImportRouteBuilder.		15‑Aug‑2025
9a281811	Upgraded Spring Security from 6.4.5 to 6.4.6 to address CVE-2025-41232.	Security	13‑Aug‑2025
92c97b7b	Upgraded ActiveMQ from 5.18.5 to 5.18.7 to address CVE-2025-27533.	Security	12‑Aug‑2025
f5b0852f	Upgraded Spring Framework from 6.2.6 to 6.2.8 to address CVE-2025-41234 and CVE-2025-22233.	Security	12‑Aug‑2025
cdb98f9c	Fixed duplicate guid in facet test data that was causing intermittent test failures.		12‑Aug‑2025
c2f2ee9e	Fixed issue on promotion editor where store and catalog assignments were not persisted if changed after an initial save.		12‑Aug‑2025
d34f8e00	Jakarta migration in committed source code.	Security	1‑Aug‑2025
df6cdeb4	Jakarta migration in replacer output.		1‑Aug‑2025

8.7.0

Released: August 2025

Release highlights

Javax to Jakarta migration

For many years, Java EE was developed under the stewardship of Oracle, and core packages used the javax.* namespace (e.g., javax.servlet, javax.persistence). In 2017, Oracle donated Java EE to the Eclipse Foundation, and the platform was rebranded as Jakarta EE.

However, Oracle retained the rights to the javax namespace as part of the Java trademark. This created a major roadblock: although Jakarta EE could evolve independently, it could not modify any API under javax.*.

To move forward with innovation, the Eclipse Jakarta EE Working Group made the decision to rename all relevant packages to the jakarta.* namespace. This change officially occurred starting with Jakarta EE 9, released in December 2020.

Key changes included:

• javax.servlet --> jakarta.servlet
• javax.persistence --> jakarta.persistence
• javax.ws.rs --> jakarta.ws.rs
• And many more.

As a result, many of the Open Source dependencies used by Self-Managed Commerce have released new artifacts that use the jakarta.* namespace, often with updated Maven coordinates. In order to consume these updates, Self-Managed Commerce needed to migrate all dependencies using the javax.* packages to new dependencies that use the jakarta.* packages at once, so that they can use the API interfaces defined by the new Jakarta EE version.

This allowed Self-Managed Commerce 8.7 to upgrade key dependencies such as Spring 5.x to Spring 6.x, OpenJPA 3.2.x to 4.x, and Tomcat 9.x to 10.x. Without making these changes, Self-Managed Commerce would be unable to consume the new versions of these dependencies which include important security fixes and new features.

For information about the impact of these changes on your custom code, see Upgrade Notes: Jakarta migration.

Promotions Calculator extension point

A new extension point has been added that can be used to externalize promotion calculations. This means that developers can delegate the calculation of promotions to a third-party service, or to a separate Self-Managed Commerce environment that exposes APIs for promotion calculations.

By default, the ElasticPathPromotionsCalculator extension will implement this extension point, which reads promotion rules from the database and uses Drools to evaluate conditions.

For more information, see Promotions Calculator extension point.

Notification Events extension point

A new extension point has been added that allows developers to control how notifications are sent to customers and business users. This extension point is the basis for all notification events, including email, text message, and push notifications.

When Self-Managed Commerce needs to notify a customer or business user, all registered notification event extensions are notified by invoking the send method. The context passed to this method includes details such as the notification type, recipients, and placeholder values. It is the responibility of the extension to both render and deliver the message to the recipients.

By default, the VelocitySMTPEmailSender extension will implement this extension point, which renders emails using Apache Velocity and uses SMTP to send out the emails. However, this extension can be replaced with integrations to third-party services such as SendGrid or Postmark, so that business users can modify email templates themselves without needing to involve the development team. Additionally, other extensions could be created to send notifications to customers via text message (using Twilio) or other push notification services.

For more information, see Notification Events extension point and Email Delivery.

Product Events extension point

A new extension point has been added that is notified when a product is created or updated. This is useful for notifying back-end systems when catalog changes occur in Self-Managed Commerce. Extensions will be notified no matter how the product was changed, including Import/Export imports, Data Sync, or changes made in Commerce Manager.

For more information, see Product Events extension point.

Full support for Trusted Header Authentication

Previously, Cortex had partial support for Trusted Header Authentication, which allows the use of headers to authenticate a shopper.

However, this functionality had two major limitations:

• There was no support for creating a new customer record for an unrecognized X-Ep-User-Id header value.
• There was no support for transitioning a PUBLIC shopper to a REGISTERED shopper.

These limitations were previously addressed by wiring in the Cortex Trusted Header Mode Accelerator, however, this functionality is now built into the platform.

For more information, see Trusted Header Authentication.

New in this release

In addition to the Release Highlights, this release contains the following updates:

Added support for IS NULL and IS NOT NULL in the EP Search Query Language

Added support for the IS NULL and IS NOT NULL operators when specifying a filter for an Import/Export export. This allows API clients to filter fields based on whether a value is set or not.

For more details, see EP Search Query Language.

JMX endpoints for logging

A new com.elasticpath.logging MBean server has been added to all Self-Managed Commerce services. This allows you to modify the log levels of running services in real time.

For more details, see Log level updates.

Added subquery support to JpqlQueryBuilder

The JpqlQueryBuilder class now supports generation of queries with subqueries. This is useful for using the results from one query as a filter for another query.

This feature is supported through the new void appendWhereInSubquery(final String fieldName, final JpqlQueryBuilder subQueryBuilder) method. This method adds a where clause to the query that ensures that the specified fieldName value is contained in the results of the subQueryBuilder result.

As an example, we can create a JPQL query that returns all customer records that are associated to a stores in the OPEN state:

// Create subquery that returns store codes for all stores in the OPEN state
JpqlQueryBuilder subQuery = new JpqlQueryBuilder(persistenceEngine, "StoreImpl", "store", "store.code");
subQuery.getDefaultWhereGroup().appendWhereEquals("store.storeState", StoreState.OPEN);

// Create query that returns all customer records that are associated to stores in the OPEN state
JpqlQueryBuilder query = new JpqlQueryBuilder(persistenceEngine, "CustomerImpl", "cust");
query.getDefaultWhereGroup().appendWhereInSubquery("cust.storeCode", subQuery);
query.getDefaultWhereGroup().appendWhereEquals("cust.sharedId", "test");

// Execute query
persistenceEngine.retrieve(query.buildQuery(), query.buildParameterList().toArray());

Local developers now use the Cargo plugin to start webapps

Starting webapps on a local developer machine now uses the Cargo plugin instead of the Tomcat plugin. Therefore, webapps are now started by running mvn clean package cargo:run from the appropriate webapp folder.

For more details, see Running Applications and Changes to webapp startup instructions for local development.

Added new Maven build parameter for quick builds

Developers can now use the -DskipSlowTests parameter with Maven to run a quick build with basic validation. This parameter is similar to -DskipAllTests, but also runs all static analysis checks and unit tests. Integration tests and Cucumber (and Selenium) tests are skipped. On a Mac M1, running mvn clean install -DskipSlowTests should take about 19 minutes to run.

For more details, see Building source code.

Enhancements to the Operations Specification

Added a new jvmRuntimeArguments field to the activemq section of the ops-spec.json file. This allows us to specify system properties to pass to the JVM when starting the ActiveMQ broker.

For more details, see Operations Specification.

Added build-time checks for multiple JARs providing the same classes

When a Java runtime classpath contains multiple JARs that provide the same fully qualified class name, the classloader will randomly choose one of the class implementations. This can lead to confusing intermittent issues such as MethodNotFound at runtime.

To prevent this, a new plugin has been addedto the build process called duplicate-finder-maven-plugin, which detects this situation and will fail the build if it finds multiple JARs providing the same class.

Along with this change, several conflicting dependencies have been resolved:

• Multiple conflicting jars: jakarta.xml.bind:jakarta.xml.bind-api:2.3.3, javax.xml.bind:jaxb-api:2.3.1
  • javax.xml.bind:jaxb-api was removed.
  • jakarta.xml.bind:jakarta.xml.bind-api is now the primary JAR providing Java Architecture for XML Binding functionality.
• Multiple conflicting jars: javax.servlet:javax.servlet-api:3.1.0, org.eclipse.jetty.toolchain:jetty-servlet-api:4.0.6
  • org.eclipse.jetty.toolchain:jetty-servlet-api was removed.
  • javax.servlet:javax.servlet-api is now the primary JAR providing servlet functionality.
• Multiple conflicting jars: org.slf4j:jcl-over-slf4j:1.7.32, org.springframework:spring-jcl:5.3.39, commons-logging:commons-logging:1.1.1
  • commons-logging:commons-logging was removed and banned.
  • org.slf4j:jcl-over-slf4j is now the primary JAR providing commons logging functionality.
• Multiple conflicting jars: aopalliance:aopalliance:1.0, org.glassfish.hk2.external:aopalliance-repackaged:3.1.1, org.springframework:spring-aop:5.3.39
  • aopalliance:aopalliance was removed and banned.
  • org.glassfish.hk2.external:aopalliance-repackaged is now the primary JAR providing Aspect-Oriented Programming functionality.
• Multiple conflicting jars: jakarta.validation:jakarta.validation-api:2.0.2, javax.validation:validation-api:2.0.1.Final
  • Core is only using javax.validation:validation-api (jakarta.validation-api was removed).
  • Search Server is using both:
    • jakarta.validation-api version 3.0.2 which provides the jakarta.validation packages for SOLR.
    • javax.validation-api version 2.0.1 which provides the javax.validation packages.
• Multiple conflicting jars: javax.el:javax.el-api:3.0.0, org.glassfish:jakarta.el:3.0.4
  • jakarta.el:jakarta.el-api and javax.el:javax.el-api were removed and banned.
  • org.glassfish:jakarta.el is now the only JAR providing expression language functionality.
• Multiple conflicting jars: io.swagger.core.v3:swagger-annotations-jakarta:2.2.22, io.swagger.core.v3:swagger-annotations:2.1.13
  • io.swagger.core.v3:swagger-annotations was removed and banned.
  • io.swagger.core.v3:swagger-annotations-jakarta is now the only JAR providing Swagger annotations functionality.
• Multiple conflicting jars: com.sun.mail:imap:1.5.6, com.sun.mail:jakarta.mail:1.6.7, com.sun.mail:javax.mail:1.5.6
  • com.sun.mail:javax.mail, com.sun.mail:imap, javax.mail:mailapi, and javax.mail:mail and were removed and banned.
  • com.sun.mail:jakarta.mail is now the only JAR providing mail functionality.
• Multiple conflicting jars: com.sun.activation:jakarta.activation:1.2.2, com.sun.activation:javax.activation:1.2.0, jakarta.activation:jakarta.activation-api:1.2.2, javax.activation:activation:1.1
  • com.sun.activation:javax.activation, javax.activation:activation, javax.activation:javax.activation-api, and jakarta.activation:jakarta.activation-api were removed and banned.
  • com.sun.activation:jakarta.activation is now the only JAR providing activation functionality.

For more information, see Duplicate JAR finder.

Added new integration test for testing JPQL queries

A new integration test has been added to the ep-core-itests module to make it easier to test JPQL queries against a Self-Managed Commerce database.

For more information, see JPQL Query Test.

Added pagination support for wish list line items in Cortex

Added a new link to the wishlists.wishlist resource named lineitemspaginated. This returns the same elements as the existing lineitems link, but the results are paginated. The page size is defined by the COMMERCE/STORE/listPagination setting value.

For more information, see Read paginated wishlist line items.

Added a new setting to disable price faceting to improve search indexing performance

For customers with a large number of price lists, rebuilding the product search index may be very slow, since the price for each product in every price list must be determined and populated in the index. However, this functionality is only needed for a specific aspect of filtered navigation functionality which allows shoppers to filter their search results by price.

If this functionality is not needed, it can be disabled by setting the COMMERCE/STORE/FILTEREDNAVIGATION/priceFacetingEnabled setting to false. This has two effects:

1. The price faceting option is not shown when viewing facets on offer search results or category results.
2. Pricing is not calculated during product search indexing, and is not stored in the SOLR index.

If this setting is disabled, product search indexing may be significantly faster for some customers.

Multiple extension point framework improvements

See the Extension Point Framework release notes.

Fixed issues

Commerce Engine

Performance optimization for retrieving extensions for Extension Points

Profiling revealed that the XPFExtensionLookup#getMultipleExtensions and XPFExtensionLookup#getSingleExtension methods were a major performance bottleneck.

Within the call stack of these methods is a call to PluginManager#getExtensions. Although this call used a cache to avoid expensive extension instantiation costs, it still ended up doing classpath scanning to determine which classes support the passed extension point.

We were able to completely avoid doing this classpath scanning since we’ve already identified the available extensions within XPFInMemoryExtensionResolverImpl#init.

These changes resulted in approximately a 7% improvement in overall Cortex response times.

Corrected bundle availability logic

The previous availability logic for bundles was correct for fixed bundles but not always correct for dynamic bundles.

Previous behavior: If any constituent was OUT_OF_STOCK, then the entire bundle was considered OUT_OF_STOCK. New behavior: The bundle availability status is set to AVAILABLE when the number of available constituents is greater than or equal to the selection rule count, and OUT_OF_STOCK otherwise.

For example, given a scenario where the selection rule is 2, the bundle is assigned 5 constituents:

• If 3 are out of stock, the bundle will show as AVAILABLE.
• If 4 or more are out of stock, then the bundle availability will show as OUT_OF_STOCK.

Order shipment shipping discount is now persisted

The TORDERSHIPMENT table stores shipping subtotal (including discounts) in the SHIPPING_COST column. However, the shipping subtotal before discounts and the shipping discount were not stored separately.

To address this issue, a SHIPPING_DISCOUNT field has been added to track the shipping discount, and we use the previously ignored SHIPPING_SUBTOTAL field to track shipping subtotal before discounts.

To summarize:

• Shipping subtotal before discounts: TORDERSHIPMENT.SHIPPING_COST
• Shipping discount: TORDERSHIPMENT.SHIPPING_DISCOUNT
• Shipping subtotal including discounts: TORDERSHIPMENT.SHIPPING_SUBTOTAL

note

Since it's not possible to retroactively derive these values, existing TORDERSHIPMENT records will contain null SHIPPING_DISCOUNT and SHIPPING_SUBTOTAL values. However, these fields will be populated for all newly created orders.

Added a new warning to the logs if application cache implementation is not being used

A new warning is now logged when a service using SwitchableProxyBinder is using the fallback implementation, which usually indicates that application-level caching is not working. This can happen if no OSGi or Spring beans registered a cache implementation binding with the SwitchableProxyBinder.

Example warning message:

WARN: Using fallback implementation of `com.elasticpath.service.pricing.PriceListAssignmentService`. This usually means that caching is disabled for this service. See https://documentation.elasticpath.com/commerce/docs/core/platform/cross-platform/ehcache.html#switchable-proxy-binder for more information.

For more information, see Switchable Proxy Binder: Determining if extensions are registered properly.

Added missing test modules to the Maven reactor

Previously, there were a number of modules that were not included in the Maven reactor. These modules are typically run tests that require a deployment to exist.

Since these modules are not included in the Maven reactor, they were not compiled or checked by the static analysis tools until the tests were actually run. This led to long delays in feedback about compilation, Checkstyle, and PMD errors.

Refactoring was much harder since IntelliJ wasn't aware of these classes. It also breaks the IntelliJ navigation to and from Cucumber features and their step definitions.

To address this issue, the following modules have been added to the Maven reactor:

• ep-commerce/commerce-engine/core/ep-core-tool-itests
• ep-commerce/extensions/cortex/ext-system-tests/cucumber
• ep-commerce/extensions/catalog
• ep-commerce/extensions/catalog/ext-system-tests
• ep-commerce/extensions/catalog/system-tests
• ep-commerce/extensions/system-tests/performance-tests/cucumber
• ep-commerce/extensions/cm/ext-cm-modules/ext-system-tests
• ep-commerce/extensions/cm/ext-cm-modules/system-tests/selenium

Cortex

Cortex OSGi console is no longer accessible by default

Previously, the OSGi console was accessible by default at the system/console path. Although this was secured with a username/password, the default credentials are very easy to guess, so this presented a security risk.

To mitigate this risk, the OSGi console is now blocked by default, unless the ep.management.port system property is set to the desired port. For production environments, we recommend setting this value to a port that is internally accessible for debugging production issues, but not externally accessible. Note that Tomcat must also be configured to listen on the specified port.

Commerce Manager

Added caching for CartOrderService#getCartOrderGuidByShoppingCartGuid

Normally, services handling shopper-controlled entities are not cached because they are changed frequently. However, the CartOrderService#getCartOrderGuidByShoppingCartGuid service is used to retrieve the cart order GUID for a shopping cart GUID, which will never change, so it's cachable. This change eliminates several unnecessary database queries during shopping cart operations.

Search Server

Re-index products when catalog promotions are added

Fixed functionality to ensure that affected products are re-indexed when catalog promotions are added, modified, or become active or inactive to ensure that the indexed price is correct.

Tests

Consolidated and cleaned up Cucumber test Cargo configurations

Reduced duplication and complexity in the configuration of the Cargo plugins for Cucumber tests. Many of the properties, dependencies, and Cargo plugin configuration parameters have been moved out of the individual Cucumber module POMs and into extensions/pom.xml and root pom.xml. The root pom.xml contains the shared dependencies and Cargo plugin configuration needed by all modules, while the extensions/pom.xml contains specific execution configurations for starting each Self-Managed Commerce service for use by the Cucumber tests.

Additionally, the Cargo configuration defined in the root pom.xml is reused by the webapp modules when local developers are starting the webapps with mvn clean package cargo:run.

Database

• Added missing Liquibase checksums to changesets that were updated during the Liquibase upgrade.
• Fixed preconditions in core-changelog-2020-08-cleanup-expired-failed-orders-job changeset to avoid potential upgrade error.
• Removed checksum validation from core-changelog-2024-07-expired-data-point-values-job changeset due to required changes in earlier versions.
• Fixed SchemaSpy document generation on PostgreSQL.
• Upgraded SchemaSpy plugin from 1.0.4 to 5.3.0.

Additional Commerce Engine fixes

• Modified the build process to fail if ops-spec.json isn't a valid json file.
• Fixed Core Request-Scoped Caching to ensure that retrievals with different load tuners or fetch groups are cached separately.
• Removed unused CustomerTagStrategy interface.
• Removed unused PricingCacheKey class.
• Removed unnecessary methods from the PriceListService interface.
• Enabled Checkstyle and PMD for the webapp-smoketests module.
• Enabled Checkstyle and PMD for the http-mock-server-services module.
• Modified AspectJ logging to use the same format as the rest of the application.
• Added new entries to .gitignore: .sonarlint/ and .vscode/.
• False-positive FindBugs warnings are now suppressed with @SuppressFBWarnings instead of @SuppressWarnings, to ensure that Static Application Security Testing tools can ignore these false-positive warnings properly.
• Minor code refactoring for TimeIntervalCacheImpl#get to simplify implementation.
• Added debug logging for SwitchableProxyBinder.
• Fixed race condition in TimeIntervalCacheImpl that can result in a NoSuchElementException when retrieving values from the cache.
• Colored logging in Self-Managed Commerce services is now disabled by default; only enabled for local development deployments.
• Fixed issue where the shopping cart memento object was not correctly passed to bundle items during instantiation.
• Fixed issue with logging of some Catalog Syndication failures.
• Fixed infinite recursion bug in CacheableFacetService#findAllFacetsForStore.
• Fixed issue where resending a Gift Certificate for a specific order line item was resending all order gift certificates to the specified recipient.
• Fixed an issue where domain events are not always triggered as expected if the domain class has been extended.
• Added calls to super.configure() within configure methods of route builders extending CRSCEnabledRouteBuilder.
• Fixed issue with Extension Point Framework entities missing all non-localized attribute values when a localized attribute contains a non-localized fallback value.
• Fixed issue that was sending messages to VirtualTopic.ep.catalog containing an error message when Catalog Syndication was triggered.
• Fixed multiple issues with limited usage promotions:
  • Promotion wizard not saving the limited use promotion setting.
  • An error was occurring when checking out with limited use promotions: Attempt to attach a modified class com.elasticpath.domain.rules.impl.PromotionRuleImpl which has @ShopperReadOnly annotation.
  • Potential race condition when incrementing the promotion usage count during checkout, causing some uses to be missed.
• Fixed potential race condition for limited use coupons when incrementing the coupon usage count during checkout, causing some uses to be missed.
• Fixed issue with CouponUsageDaoImpl#findEligibleUsagesByEmailAddressInStore passing wrong value to named query when email address is empty.
• Fixed behavior of the first time buyer flag if the shopper's first order fails.
• Fixed Tax Calculator extension IndexOutOfBoundsException exception for empty tax records collection.
• Fixed incorrect environment subfolder names in ext-data.
• Ensure that affected products are re-indexed when catalog promotions are added, modified, or become active or inactive to ensure that the indexed price is correct.
• Fixed stack trace logging on Camel routes for event-based extension points.
• Changed the way that SkuOptionValue is associated with ProductSkuOptionValue, using a lazy load approach instead of the Eager Field Post Load Strategy, to prevent possible "context has been closed" exceptions.
• Fixed error handling for shipping option determination so that the actual underlying error is reported rather than a NullPointerException.
• Fixed vulnerability in DownloadServiceHandler.
• Fixed SQL injection warnings identified by SAST tooling in ep-persistence-openjpa.
• Refactored ProductAssociationQueryBuilder to use JPQLQueryBuilder and optimized generated query for determining product associations.
• Fixed NullPointerException in coupon auto-apply role transition if registered user email was null.
• Fixed NullPointerException that could occur if looking up a non-existent compound GUID with CategoryLookup#findByCompoundCategoryAndCatalogCodes.
• Fixed NullPointerException that could occur if RuleService#findByRuleGuid is called with a non-existent guid.
• Fixed a race condition in service health checks that could report false health check failures if multiple requests were submitted concurrently.
• Fixed LibJarUtil parser to properly exclude #runtime refs when scanning the payment plugin classpath.
• Updated the Log4j configuration for all services to ensure that log file sizes are limited by using a fixed window rolling policy.
• Improved warning "Setting retrieval strategy {} threw an exception." to ensure that full stack trace is logged.
• Fixed all query strings defined on beans for Catalog Syndication JpaPagingItemReader instances to ensure they have an ORDER BY clause.
• Non-physical skus were treated as always available, regardless of the product availability rule setting. Now their availability is determined by the availability rule.
• Fixed issue where importing entities did't properly invalidate the application cache in some circumstances.
• Refactored assertThat imports from org.assertj.core.api.AssertionsForClassTypes and org.assertj.core.api.Java6Assertions to org.assertj.core.api.Assertions. A new checkstyle IllegalImport rule was also configured to flag if these imports are used in the future.
• Modified how email locale is determined to ensure that the customer's preferred locale is used (if specified) instead of the store default locale.
• Fixed issue in which CM_USER_CREATED event is sent before user is persisted.

Additional Cortex fixes

• Fixed issue with structured error messages from some shopping item validators not showing a link to the affected shopping item.
• Fixed race condition that can occur when multiple users execute keyword or navigation searches with different sort keys.
• Removed unused bundles from Cortex: javaparser-core, big-math, and antlr4-runtime.
• Fixed issue where dependent items could not be removed from dynamic bundles in the shopping cart.
• Fixed Cortex keyword search functionality so it correctly reads the COMMERCE/SEARCH/* system configuration settings.
• Suppressed misleading "JWT signature does not match locally computed signature" errors in the Cortex log.
• Added JVM system property to ensure that Log4j always uses the BasicContextSelector to avoid OSGi issues in Cortex.
• Hardcoded mobee and vestri values removed from scope autocomplete in Cortex Studio.
• Changed coupon validation failure code ERROR_COUPON_USAGE_MISSING to ERROR_EMAIL_NOT_ASSIGNED to improve clarity.
• Added additional details to the structured error message response when a coupon is determined to be invalid.
• Fixed Cortex structured message response when purchase form is submitted with validation errors.
• Fixed Cortex applied promotions response for cart subtotal promotions to ensure that it returns the applied 'best of' promotion instead of all eligible promotions.
• Suppressed misleading "JWT signature does not match locally computed signature" errors in Cortex log.
• Fixed issue with Cortex attempting to write logs to a folder based on the build machine home folder instead of the runtime machine home folder.
• Payment method elements returned by Cortex are now returned in a consistent order (alphabetical based on configuration name).
• Removed support for user-name and user-company fields in JWT metadata payload, which was leading to unique constraint errors in PunchOut.
• Fixed bug that caused a 404 error to be returned for wish list elements if the product or sku became unavailable.

Additional Commerce Manager fixes

• Fixed performance issue when adding actions to catalog promotions in Commerce Manager when database contains a large number of price lists.
• Improved performance in Commerce Manager when removing an attribute from a product type.
• Fixed potential table scan when retrieving the order list in Commerce Manager.
• Fixed split packages issue in com.elasticpath:shipping-calculation-epcommerce that was caused by ep-core being embedded.
• Updated Commerce Manager cookies to always set the HttpOnly flag for improved security.
• Fixed parent references in Commerce Manager modules to improve Maven reactor hygiene.
• Fixed error that can occur when editing boolean attributes in Commerce Manager.
• Fixed Commerce Manager error that occurs when searching for products using Advanced Search Query Builder.
• Fixed problem with "All Stores" filter being ignored on the customer search tab.
• Fixed sorting for "Enabled" and "Expiration Date" columns on cart and catalog promotion search results in Commerce Manager.
• Removed unused Felix Webconsole dependency from Commerce Manager.
• Fixed issue with the simulated selling context dialog in Commerce Manager in which labels were not appearing.
• Fixed issue with order hold getting stuck in RESOLVE_PENDING if order lock is present.
• Fixed issue with private use coupons not working after adding new users to an existing promotion.
• Enabled state comparison version strategy on order holds to ensure that two users don't resolve the same hold simultaneously, leading to the order hold getting stuck in the RESOLVE_PENDING state.
• Improved order hold resolution error handling to ensure that order holds don't get stuck in the RESOLVE_PENDING state.
• Changed the orders list on the customer record in Commerce Manager to sort by created date instead of order number to avoid alphanumeric sorting issues.
• Fixed issues with the shopper conditions user interface in Commerce Manager where conditions were sometimes duplicated or could not be removed.
• Fixed potential NullPointerException that could occur if opening an address with a null sub-country in Commerce Manager.
• Removed line from com.elasticpath.cmclient.core/plugin.xml that caused the XML to be invalid.
• Fixed the "Cancel order" button to ensure that it is disabled for orders that have already been released.
• Fixed error that was occurring on the Commerce Manager exchange wizard after modifying items to be exchanged.
• Improved clarity of the dialog that appears in Commerce Manager when editing an order that has been edited by another user.

Additional Search Server fixes

• Fixed issue where the parentCategoryCodes field was not populated in the SOLR index for linked categories.
• Enabled HTTP/2 support for Solr replication.
• Fixed parsing of queries in LuceneRawQueryComposerImpl that was causing problems for the search server when processing some index notifications.
• Fixed search index rebuild when a product was added or updated using Import/Export.
• Fixed search indexing issue in which delete requests were ignored if there are no corresponding add/update requests.
• Fixed SolrFacetAdapter to consistently expect searchCriteria.getSearchHint("priceSourceIds") to contain a list of strings.
• Fixed issue that causes search indexing to fail if multiple attribute values exist for the same attribute with the same locale.

Additional Integration Server fixes

• Fixed Spring circular dependency that was causing NullPointerExceptions during Integration Server startup.
• Removed unused CXFServlet references from Integration Server web.xml.

Additional Batch Server fixes

• Fixed out of memory error that could occur on the Batch Server if the database contains a large number of TCUSTOMERCONSENT records.

Additional Data Sync fixes

• Fixed a NullPointerException that can occur when publishing multi-sku products through the Data Sync Webapp.
• Fixed issue with Data Sync Webapp where changesets containing base amounts were causing multiple product index notifications to be created and were also holding the base amount objects in memory until the service was restarted.

Additional Import/Export fixes

• Fixed Import/Export to ensure that the necessary product search indexes are rebuilt when base amounts are updated.
• Renamed notsoldseperately to notsoldseparately in the Snap-it-up products.xml.

Additional Operational Insights fixes

• Fixed issue with Operational Insights interpreting serviceResponseWaitTime in minutes instead of milliseconds.
• Fixed the Operational Insights revenue calculations to exclude failed orders.
• Added java.base/java.lang.ref add-opens JVM parameter to prevent possible failures when Operational Insights evaluates cache sizes.
• Fixed bad value for type int error that appeared in the logs when running Operational Insights with a PostgreSQL database.
• Improved performance of the Operational Insights revenue query.

Additional Performance fixes

• Eliminated unnecessary shopper and shopping cart lookups during cart order retrieval.
• Fixed a performance issue in LocalizedAttributeKeyUtils#getLocaleFromLocalizedKeyName by removing a complex regular expression and caching Locale instantiation.
• Fixed an issue that was causing unnecessary TORDER and TORDERAUDIT update queries to be created.
• Fixed issue with Core Request Scoped Caching where some database lookups were not being cached.
• Added missing indexes to PostgreSQL and Oracle that were created implicitly in MySQL.
• Changed featuredoffers link on navigations resource from a conditional to a static link to avoid an unnecessary product query.
• Fixed issue with ProductDaoImpl#findUidBySkuCode that could cause OpenJPA to read all product skus from the database in rare circumstances.
• Updated product, product sku, and category default cache timeouts from 1 second to 1 hour.

Additional Test fixes

• Fixed intermittent failure in the "Verify price facets are updated when a promotion is changed" Selenium test.
• Fixed intermittent failure in "Sort products by product code" Selenium test.
• Fixed intermittent failure in "Export Import all data - same server" Selenium test.
• Fixed intermittent failure in "Search product for Merchandising Associations can be filtered by brand" Selenium test.
• Improved "View Disabled Data Policy for Customer" Selenium test to not fail on retry.
• Fixed intermittent failure in ExternalPluginTest integration tests.
• Allow Cucumber tests in coupon-apply-validation.feature to pass in Trusted Header Mode.
• Refactored b2b-buyer-functionality.feature to use client.authRegisteredUserByName instead of JWT authentication.
• Removed unnecessary product/category cleanup after Cucumber tests and fixed issue that allowed bundles to be created in Commerce Manager without a valid sku code.
• Fixed NullPointerException in ShippingOptionInfoSelectorRepositoryImplTest unit test.
• Fixed intermittent Selenium issue related to the ErrorDialog class.
• Fixed issue where Selenium cucumber tests in extensions/cm/ext-cm-modules/system-tests/selenium did not have access to all test step definitions.
• Fixed connection leak in DBConnector classes.
• Fixed issue where Commerce Manager errors were not being logged until after the error dialog was acknowledged and closed.
• Fixed intermittent failure in Selenium tests due to problems verifying that a user interface element contains the expected value.
• Fixed intermittent failure in Selenium tests due to problems obtaining focus on a user interface element.
• Improved assertion output in CatalogBatchIntegrationTest.
• Improved assertion output in RawJsonTestFacade.
• Fixed issue with a NullPointerException appearing in Operational Insights when the webapp smoketests were run.
• Fixed Catalog Syndication cucumber test stability issue.
• Fixed issue where Selenium tests were executed multiple times when using cucumber.options to attempt to run a single Selenium test.
• Removed some unnecessary log output while running Selenium tests.

Supported technology updates

Self-Managed Commerce 8.7.0 is compatible with the following Elastic Path releases:

Elastic Path Component	Compatibility
Extension Point Framework	Extension Point Framework compatibility matrix
CloudOps for Kubernetes	CloudOps for Kubernetes compatibility matrix
Self-Managed Commerce Docker	Self-Managed Commerce Docker compatibility matrix

Additionally, the following changes have been made to the Supported Technologies:

• Dropped certification for MySQL 5.7. MySQL 5.7 reached its end-of-life on October 31, 2023. We recommend that customers upgrade to MySQL 8.0 or MySQL 8.4.
• Added certified support for MySQL 8.4.
• Upgraded certified PostgreSQL version from 16.6 to 16.8.
• Upgraded certified MySQL 8.0 Aurora version from 8.0.mysql_aurora.3.04.2 to 8.0.mysql_aurora.3.08.2.
• Upgraded certified MySQL RDS version from 8.0.35 to 8.0.41.
• Upgraded certified Oracle version from 19.0.0.0.ru-2024-01.rur-2024-01.r1 to 19.0.0.0.ru-2025-01.rur-2025-01.r2.

Dependency changes

Many dependencies were updated as part of Self-Managed Commerce 8.7.0. The highlights are shown below:

• Upgraded JavaEE 8 to JakartaEE 10.x.
• Upgraded Tomcat from 9.0.x to 10.1.x.
• Upgraded Spring Framework from 5.3.x to 6.2.x.
• Upgraded Camel from 3.x to 4.x.
• Upgraded OpenJPA from 3.2.x to 4.0.x.
• Upgraded Eclipse Remote Application Platform from 3.5 to 4.2.
• Upgraded Quartz from 2.3.2 to 2.5.0.
• Upgraded Solr from 9.4.1 to 9.8.0.
• Upgraded Wiremock from 2.x to 3.x.

Database changes

• Added new setting definition records:
  • COMMERCE/SYSTEM/EXPIREDDATAPOINTVALUECLEANUP/batchSize
  • COMMERCE/SYSTEM/REVOKEDDATAPOINTVALUECLEANUP/batchSize
  • COMMERCE/SYSTEM/CATALOGSYNDICATION/batchSize
  • COMMERCE/STORE/FILTEREDNAVIGATION/priceFacetingEnabled
• Added new setting value context records:
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderConfirmationNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderShipmentShippedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderShipmentReleaseFailedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context returnExchangeNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderOnHoldNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderCancelledNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserPasswordResetNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserCreatedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserPasswordChangedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context anonymousCustomerRegisteredNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context passwordChangedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context customerRegistrationNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context passwordForgottenNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/GIFTCERTIFICATES/channelUri with context giftCertificateCreatedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/GIFTCERTIFICATES/channelUri with context importJobCompletedNotificationHandler
  • COMMERCE/SYSTEM/MESSAGING/DOMAIN/channelUri with context productEventsExtensionHandler
  • COMMERCE/SYSTEM/MESSAGING/DOMAIN/deadLetterChannelUri with context productEventsExtensionHandler
• Removed setting value context records:
  • COMMERCE/SYSTEM/CUSTOMER/identifier with context punchout_attrval.
  • COMMERCE/SYSTEM/CUSTOMER/identifier with context punchout_shared_id.
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderConfirmationEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderShipmentShippedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context orderShipmentReleaseFailedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/ORDERS/channelUri with context returnExchangeEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/GIFTCERTIFICATES/channelUri with context giftCertificateCreatedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/DATAIMPORT/channelUri with context importJobCompletedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context anonymousCustomerRegisteredEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context passwordChangedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CUSTOMERS/channelUri with context passwordForgottenEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserPasswordResetEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserCreatedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserCreatedEmailHandler.
  • COMMERCE/SYSTEM/MESSAGING/CMUSERS/channelUri with context cmUserPasswordChangedEmailHandler.
• Modified TCHANGESET table:
  • Added PUBLISHED_DATE field.
• Modified TCARTORDER table:
  • Removed unused PAYMENT_METHOD_UID field.
• Modified TCUSTOMER table:
  • Removed unnecessary index on the CREATED_DATE field.
• Modified TORDERSHIPMENT table:
  • Added SHIPPING_DISCOUNT field.
• Modified TAPPLIEDRULE table:
  • Renamed RULE_UID field to RULE_GUID, and updated the values accordingly.
• Created TRULEUSAGE table:
  • UIDPK: BIGINT
  • RULE_GUID: VARCHAR(50)
  • USE_COUNT: BIGINT
• Modified TRULE table:
  • Dropped CURRENT_LUP_NUMBER field. This value is transferred into TRULEUSAGE.USE_COUNT.
• Dropped all Spring Batch tables:
  • BATCH_JOB_STEP_EXECUTION_CONTEXT
  • BATCH_JOB_EXECUTION_CONTEXT
  • BATCH_STEP_EXECUTION
  • BATCH_JOB_EXECUTION_PARAMS
  • BATCH_JOB_EXECUTION
  • BATCH_JOB_INSTANCE
  • BATCH_STEP_EXECUTION_SEQ
  • BATCH_JOB_EXECUTION_SEQ
  • BATCH_JOB_SEQ
• Modified default setting definition values from 1 second to 3600 seconds (1 hour) for the following settings:
  • COMMERCE/SYSTEM/CACHING/CATEGORY/timeToLive
  • COMMERCE/SYSTEM/CACHING/CATEGORY/timeToIdle
  • COMMERCE/SYSTEM/CACHING/PRODUCT/timeToLive
  • COMMERCE/SYSTEM/CACHING/PRODUCT/timeToIdle
  • COMMERCE/SYSTEM/CACHING/PRODUCTSKU/timeToLive
  • COMMERCE/SYSTEM/CACHING/PRODUCTSKU/timeToIdle
  • Note: These values will not be changed if they have already been modified to a different value.
• Added new index to improve performance of Operational Insights revenue query:
  • Added index to TORDER on CREATED_DATE, STORECODE, and CURRENCY.
• Dropped unnecessary index on TCUSTOMER.CREATED_DATE field.

Database index consistency

In MySQL, if a foreign key constraint is added to a table and no index exists on the base column, the index is created automatically. However, in Oracle and PostgreSQL, if a foreign key constraint is added to a table and no index exists on the base column, the index is not created automatically.

As a result, some Self-Managed Commerce tables had implicit indexes on MySQL, but not on Oracle or PostgreSQL. To correct this, Liquibase changesets have been created to make the following changes:

On MySQL, these changes are applied to ensure that the index names are consistent with the index names in Oracle and PostgreSQL:

• On the TAPPLIEDRULECOUPONCODE table, drop the TAPPLIEDRULECOUPONCODE_COUPON_GUID_FK foreign key constraint (to remove the implicit index), add the I_APPLIEDRULECOUPONCODE_COUPONGUID index, and re-add the TAPPLIEDRULECOUPONCODE_COUPON_GUID_FK foreign key constraint.
• On the TCARTORDERPAYMENTINSTRUMENT table, drop the FK_CARTORDERPAYMENTINSTRUMENT_PI foreign key constraint (to remove the implicit index), add the I_CARTORDERPAYMENTINSTRUMENT_PAYMENTINSTRUMENTGUID index, and re-add the FK_CARTORDERPAYMENTINSTRUMENT_PI foreign key constraint.
• On the TCSDYNAMICCONTENTSPACE table, drop the FK_DELSPACE_CONTENTSPACE foreign key constraint (to remove the implicit index), add the I_CSDYNAMICCONTENTSPACE_DCCONTENTSPACEUID index, and re-add the FK_DELSPACE_CONTENTSPACE foreign key constraint.
• On the TCUSTOMERCONSENT table, drop the FK_CONSENT_CUSTOMER foreign key constraint (to remove the implicit index), add the I_CUSTOMERCONSENT_CUSTOMERGUID index, and re-add the FK_CONSENT_CUSTOMER foreign key constraint.
• On the TCUSTOMERPAYMENTINSTRUMENT table, drop the FK_CUSTOMERPAYMENTINSTRUMENT_PI foreign key constraint (to remove the implicit index), add the I_CUSTOMERPAYMENTINSTRUMENT_PAYMENTINSTRUMENTGUID index, and re-add the FK_CUSTOMERPAYMENTINSTRUMENT_PI foreign key constraint.
• On the TDATAPOLICYDATAPOINT table, drop the TDATAPOLICYDATAPOINT_IBFK_2 foreign key constraint (to remove the implicit index), add the I_DATAPOLICYDATAPOINT_DATAPOINTUID index, and re-add the TDATAPOLICYDATAPOINT_IBFK_2 foreign key constraint.
• On the TORDERPAYMENT table, drop the FK_ORDERPAYMENT_PI foreign key constraint (to remove the implicit index), add the I_ORDERPAYMENT_PAYMENTINSTRUMENTGUID index, and re-add the FK_ORDERPAYMENT_PI foreign key constraint.
• On the TORDERPAYMENT table, drop the FK_ORDERPAYMENT_PPC foreign key constraint (to remove the implicit index), add the I_ORDERPAYMENT_PAYMENTPROVIDERCONFIGUID index, and re-add the FK_ORDERPAYMENT_PPC foreign key constraint.
• On the TORDERPAYMENTINSTRUMENT table, drop the FK_ORDERPAYMENTINSTRUMENT_PI foreign key constraint (to remove the implicit index), add the I_ORDERPAYMENTINSTRUMENT_PAYMENTINSTRUMENTGUID index, and re-add the FK_ORDERPAYMENTINSTRUMENT_PI foreign key constraint.
• On the TSHOPPER table, drop the SHOPPER_STORECODE_FK foreign key constraint (to remove the implicit index), add the I_SHOPPER_STORECODE index, and re-add the SHOPPER_STORECODE_FK foreign key constraint.
• On the TSTORECUSTOMERATTRIBUTE table, drop the SCA_ATTRIBUTE_KEY_FK foreign key constraint (to remove the implicit index), add the I_STORECUSTOMERATTRIBUTE_ATTRIBUTEKEY index, and re-add the SCA_ATTRIBUTE_KEY_FK foreign key constraint.
• On the TTAGALLOWEDVALUE table, drop the FK_TAGALLOWEDVAL_TAGTYPE foreign key constraint (to remove the implicit index), add the I_TAGALLOWEDVALUE_TAGVALUETYPEGUID index, and re-add the FK_TAGALLOWEDVAL_TAGTYPE foreign key constraint.
• On the TTAGVALUETYPEOPERATOR table, drop the FK_TAGOPERATOR_TAGVALUETYPE foreign key constraint (to remove the implicit index), add the I_TAGVALUETYPEOPERATOR_TAGOPERATORGUID index, and re-add the FK_TAGOPERATOR_TAGVALUETYPE foreign key constraint.

On PostgreSQL and Oracle, these changes are applied to ensure that all expected indexes are present:

• On the TAPPLIEDRULECOUPONCODE table, add the I_APPLIEDRULECOUPONCODE_COUPONGUID index.
• On the TCARTORDERPAYMENTINSTRUMENT table, add the I_CARTORDERPAYMENTINSTRUMENT_PAYMENTINSTRUMENTGUID index.
• On the TCSDYNAMICCONTENTSPACE table, add the I_CSDYNAMICCONTENTSPACE_DCCONTENTSPACEUID index.
• On the TCUSTOMERCONSENT table, add the I_CUSTOMERCONSENT_CUSTOMERGUID index.
• On the TCUSTOMERPAYMENTINSTRUMENT table, add the I_CUSTOMERPAYMENTINSTRUMENT_PAYMENTINSTRUMENTGUID index.
• On the TDATAPOLICYDATAPOINT table, add the I_DATAPOLICYDATAPOINT_DATAPOINTUID index.
• On the TORDERPAYMENT table, add the I_ORDERPAYMENT_PAYMENTINSTRUMENTGUID index.
• On the TORDERPAYMENT table, add the I_ORDERPAYMENT_PAYMENTPROVIDERCONFIGUID index.
• On the TORDERPAYMENTINSTRUMENT table, add the I_ORDERPAYMENTINSTRUMENT_PAYMENTINSTRUMENTGUID index.
• On the TSHOPPER table, add the I_SHOPPER_STORECODE index.
• On the TSTORECUSTOMERATTRIBUTE table, add the I_STORECUSTOMERATTRIBUTE_ATTRIBUTEKEY index.
• On the TTAGALLOWEDVALUE table, add the I_TAGALLOWEDVALUE_TAGVALUETYPEGUID index.
• On the TTAGVALUETYPEOPERATOR table, add the I_TAGVALUETYPEOPERATOR_TAGOPERATORGUID index.