Bump craftcms/commerce from 5.1.2 to 5.5.2

[dependabot]

Bumps craftcms/commerce from 5.1.2 to 5.5.2.

Release notes

Sourced from craftcms/commerce's releases.

5.5.2

• Improved transaction refund amount validation.
• Fixed a bug where settings were being saved to the project config incorrectly. (#4006)
• Fixed a PHP error that could occur when saving a shipping rule. (#4134)
• Fixed a bug where the “New Customers” widget was counting all customers with orders in the date range, rather than only customers whose first order was in the date range.
• Fixed XSS vulnerabilities. (GHSA-w8gw-qm8p-j9j3, GHSA-h9r9-2pxg-cx9m, GHSA-g92v-wpv7-6w22, GHSA-p6w8-q63m-72c8, GHSA-wqc5-485v-3hqh, GHSA-v585-mf6r-rqrc, GHSA-frj9-9rwc-pw9j, GHSA-8478-rmjg-mjj5, GHSA-2h2m-v2mg-656c, GHSA-wq2m-r96q-crrf)

5.5.1

• Added craft\commerce\models\CatalogPricingRule::afterPreparePurchasableQuery().
• Fixed a bug where tax and shipping categories weren’t getting saved from the Edit variant screen. (#4180)
• Fixed a bug where newly-created variants weren’t visible on product edit screens.
• Fixed a SQL error that could occur when viewing product indexes.
• Fixed a PHP error that could occur when applying project config changes after updating. (#4185)
• Fixed a bug where an order’s origin could be set incorrectly if it was created in the control panel.
• Fixed a bug where order edit screens weren’t formatting prices using the user’s preferred formatting locale.
• Fixed a SQL error that could occur when generating the pricing catalog. (#4175)

5.5.0.1

• Fixed an error that could occur when querying for products via GraphQL. (#4122)

5.5.0

Store Management

• Added the ability to suppress order emails when marking an order as complete in the control panel. (#4144)
• PDF download URLs are now generated with time-limited security tokens.
• Anonymous users attempting to download a PDF with an expired or missing token are now shown an email verification form.
• Added a new system message for customizing PDF download emails.
• Added the ability to select multiple products in variant conditions. (#4166)
• Added the ability to select multiple variants in pricing rules’ “Match Variant” conditions. (#4167)
• Added the ability to select multiple users in pricing rules’ “Match Customer” conditions. (#4167)

Administration

• Added billing and shipping address conditions to payment gateways. (#4100)
• Added preview targets for products. (#4128)
• Added slug translation options to product types. (#4088)
• Gateway condition rules now allow multiple gateways to be selected. (#4112)
• Product action menus now have a “Product type settings” action, for admin users on environments that allow admin changes. (#4157)
• Added the “Link Duration” setting to PDF settings.

Development

• Orders now have a dateFirstPaid property that records the date and time when the order was first paid in full.
• Improved product and variant query performance.
• Improved the performance of retrieving a line item’s catalog pricing rule ID.
• Added the children, parent, ancestors and descendants fields to products’ GraphQL data. (#4122)
• Added the productStatus variant query param. (#4158)
• Added the productStatus GraphQL variant query argument. (#4158)
• Added the --force option to the commerce/reset-data command. (#4115)

Extensibility

• Added craft\commerce\controllers\BaseStoreManagementController::asStoreManagementCpScreen().
• Added craft\commerce\controllers\DownloadsController::actionEmailChallenge().

... (truncated)

Changelog

Sourced from craftcms/commerce's changelog.

5.5.2 - 2025-12-31

• Improved transaction refund amount validation.
• Fixed a bug where settings were being saved to the project config incorrectly. (#4006)
• Fixed a PHP error that could occur when saving a shipping rule. (#4134)
• Fixed a bug where the “New Customers” widget was counting all customers with orders in the date range, rather than only customers whose first order was in the date range.
• Fixed low, moderate, and high-severity XSS vulnerabilities. (GHSA-w8gw-qm8p-j9j3, GHSA-h9r9-2pxg-cx9m, GHSA-g92v-wpv7-6w22, GHSA-p6w8-q63m-72c8, GHSA-wqc5-485v-3hqh, GHSA-v585-mf6r-rqrc, GHSA-frj9-9rwc-pw9j, GHSA-8478-rmjg-mjj5, GHSA-2h2m-v2mg-656c, GHSA-wq2m-r96q-crrf)

5.5.1 - 2025-12-04

• Added craft\commerce\models\CatalogPricingRule::afterPreparePurchasableQuery().
• Fixed a bug where tax and shipping categories weren’t getting saved from the Edit variant screen. (#4180)
• Fixed a bug where newly-created variants weren’t visible on product edit screens.
• Fixed a SQL error that could occur when viewing product indexes.
• Fixed a PHP error that could occur when applying project config changes after updating. (#4185)
• Fixed a bug where an order’s origin could be set incorrectly if it was created in the control panel.
• Fixed a bug where order edit screens weren’t formatting prices using the user’s preferred formatting locale.
• Fixed a SQL error that could occur when generating the pricing catalog. (#4175)

5.5.0.1 - 2025-11-24

• Fixed an error that could occur when querying for products via GraphQL. (#4122)

5.5.0 - 2025-11-18

Store Management

• Added the ability to suppress order emails when marking an order as complete in the control panel. (#4144)
• PDF download URLs are now generated with time-limited security tokens.
• Anonymous users attempting to download a PDF with an expired or missing token are now shown an email verification form.
• Added a new system message for customizing PDF download emails.
• Added the ability to select multiple products in variant conditions. (#4166)
• Added the ability to select multiple variants in pricing rules’ “Match Variant” conditions. (#4167)
• Added the ability to select multiple users in pricing rules’ “Match Customer” conditions. (#4167)

Administration

• Added billing and shipping address conditions to payment gateways. (#4100)
• Added preview targets for products. (#4128)
• Added slug translation options to product types. (#4088)
• Gateway condition rules now allow multiple gateways to be selected. (#4112)
• Product action menus now have a “Product type settings” action, for admin users on environments that allow admin changes. (#4157)
• Added the “Link Duration” setting to PDF settings.

Development

• Orders now have a dateFirstPaid property that records the date and time when the order was first paid in full.
• Improved product and variant query performance.
• Improved the performance of retrieving a line item’s catalog pricing rule ID.
• Added the children, parent, ancestors and descendants fields to products’ GraphQL data. (#4122)
• Added the productStatus variant query param. (#4158)
• Added the productStatus GraphQL variant query argument. (#4158)
• Added the --force option to the commerce/reset-data command. (#4115)

... (truncated)

Commits

• fb12a9f Finish 5.5.2
• f76776b Changelog tweak
• c435f39 Merge branch '4.x' of https://github.com/craftcms/commerce into 5.x
• dc3642f Finish 4.10.1
• a079680 Changelog tweaks
• e0c742c Update CHANGELOG.md
• dd967c0 Fix encoding
• 50f08dc Merge branch '4.x' into 5.x
• 67ccf03 Fix encoding
• cb0efb3 Merge branch '5.x' of github.com:craftcms/commerce into 5.x
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.