Proper application design, intelligent programming, and secure infrastructure are all essential to creating a secure e-commerce store using any software (Spree included). The Spree team has done its best to provide you with the tools to create a secure and profitable web presence, but it is up to you to take these tools and put them into good practice. We highly recommend reading and understanding the Rails Security Guide.
This is a list of all Spree versions currently being supported by the Spree team.
LTS means long-term support release, usually the last release in a major release cycle.
Please do not announce potential security vulnerabilities in public. We have a dedicated email address [email protected]. We will work quickly to determine the severity of the issue and provide a fix for the appropriate versions. We will credit you with the discovery of this patch by naming you in a blog post.
If you would like to provide a patch yourself for the security issue, do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:
git format-patch HEAD~1..HEAD --stdout > patch.txt
This command will generate a file called patch.txt with your changes. Please email a description of the patch along with the patch itself to our dedicated email address.