Bump craftcms/commerce from 5.1.2 to 5.5.3

[dependabot]

Bumps craftcms/commerce from 5.1.2 to 5.5.3.

Release notes

Sourced from craftcms/commerce's releases.

5.5.3

• Added craft\commerce\models\LineItemStatus::getDisplayName().
• Fixed a bug where Orders tables on user edit pages were showing an incorrect column heading.
• Fixed a bug where product selector modals didn’t have “Add a product” buttons. (#4205)
• Fixed a bug where order status and line item status names weren’t translatable. (#4213)
• Fixed a bug where it wasn’t possible to change a variant’s shipping category.
• Fixed an error that occurred when adjusting inventory levels with an adjustment of zero. (#4212)
• Fixed a SQL error that could occur when querying variants on PostgreSQL. (#4210)
• Fixed an error that could occur when merging canonical product changes into a draft. (#4199)
• Fixed a bug where variants weren’t being marked as modified when variants were added, deleted, or reordered. (#4222)
• Fixed high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
• Fixed a high-severity XSS vulnerability in the control panel. (GHSA-cfpv-rmpf-f624)
• Fixed low-severity XSS vulnerabilities in the control panel. (GHSA-mqxf-2998-c6cp, GHSA-wj89-2385-gpx3, GHSA-mj32-r678-7mvp)

5.5.2

• Improved transaction refund amount validation.
• Fixed a bug where settings were being saved to the project config incorrectly. (#4006)
• Fixed a PHP error that could occur when saving a shipping rule. (#4134)
• Fixed a bug where the “New Customers” widget was counting all customers with orders in the date range, rather than only customers whose first order was in the date range.
• Fixed XSS vulnerabilities. (GHSA-w8gw-qm8p-j9j3, GHSA-h9r9-2pxg-cx9m, GHSA-g92v-wpv7-6w22, GHSA-p6w8-q63m-72c8, GHSA-wqc5-485v-3hqh, GHSA-v585-mf6r-rqrc, GHSA-frj9-9rwc-pw9j, GHSA-8478-rmjg-mjj5, GHSA-2h2m-v2mg-656c, GHSA-wq2m-r96q-crrf)

5.5.1

• Added craft\commerce\models\CatalogPricingRule::afterPreparePurchasableQuery().
• Fixed a bug where tax and shipping categories weren’t getting saved from the Edit variant screen. (#4180)
• Fixed a bug where newly-created variants weren’t visible on product edit screens.
• Fixed a SQL error that could occur when viewing product indexes.
• Fixed a PHP error that could occur when applying project config changes after updating. (#4185)
• Fixed a bug where an order’s origin could be set incorrectly if it was created in the control panel.
• Fixed a bug where order edit screens weren’t formatting prices using the user’s preferred formatting locale.
• Fixed a SQL error that could occur when generating the pricing catalog. (#4175)

5.5.0.1

• Fixed an error that could occur when querying for products via GraphQL. (#4122)

5.5.0

Store Management

• Added the ability to suppress order emails when marking an order as complete in the control panel. (#4144)
• PDF download URLs are now generated with time-limited security tokens.
• Anonymous users attempting to download a PDF with an expired or missing token are now shown an email verification form.
• Added a new system message for customizing PDF download emails.
• Added the ability to select multiple products in variant conditions. (#4166)
• Added the ability to select multiple variants in pricing rules’ “Match Variant” conditions. (#4167)
• Added the ability to select multiple users in pricing rules’ “Match Customer” conditions. (#4167)

Administration

• Added billing and shipping address conditions to payment gateways. (#4100)
• Added preview targets for products. (#4128)
• Added slug translation options to product types. (#4088)
• Gateway condition rules now allow multiple gateways to be selected. (#4112)
• Product action menus now have a “Product type settings” action, for admin users on environments that allow admin changes. (#4157)

... (truncated)

Changelog

Sourced from craftcms/commerce's changelog.

5.5.3 - 2026-02-09

• Added craft\commerce\models\LineItemStatus::getDisplayName().
• Fixed a bug where Orders tables on user edit pages were showing an incorrect column heading.
• Fixed a bug where product selector modals didn’t have “Add a product” buttons. (#4205)
• Fixed a bug where order status and line item status names weren’t translatable. (#4213)
• Fixed a bug where it wasn’t possible to change a variant’s shipping category.
• Fixed an error that occurred when adjusting inventory levels with an adjustment of zero. (#4212)
• Fixed a SQL error that could occur when querying variants on PostgreSQL. (#4210)
• Fixed an error that could occur when merging canonical product changes into a draft. (#4199)
• Fixed a bug where variants weren’t being marked as modified when variants were added, deleted, or reordered. (#4222)
• Fixed high-severity SQL injection vulnerabilities in the control panel. (GHSA-j3x5-mghf-xvfw, GHSA-pmgj-gmm4-jh6j)
• Fixed a high-severity XSS vulnerability in the control panel. (GHSA-cfpv-rmpf-f624)
• Fixed low-severity XSS vulnerabilities in the control panel. (GHSA-mqxf-2998-c6cp, GHSA-wj89-2385-gpx3, GHSA-mj32-r678-7mvp)

5.5.2 - 2025-12-31

• Improved transaction refund amount validation.
• Fixed a bug where settings were being saved to the project config incorrectly. (#4006)
• Fixed a PHP error that could occur when saving a shipping rule. (#4134)
• Fixed a bug where the “New Customers” widget was counting all customers with orders in the date range, rather than only customers whose first order was in the date range.
• Fixed low, moderate, and high-severity XSS vulnerabilities. (GHSA-w8gw-qm8p-j9j3, GHSA-h9r9-2pxg-cx9m, GHSA-g92v-wpv7-6w22, GHSA-p6w8-q63m-72c8, GHSA-wqc5-485v-3hqh, GHSA-v585-mf6r-rqrc, GHSA-frj9-9rwc-pw9j, GHSA-8478-rmjg-mjj5, GHSA-2h2m-v2mg-656c, GHSA-wq2m-r96q-crrf)

5.5.1 - 2025-12-04

• Added craft\commerce\models\CatalogPricingRule::afterPreparePurchasableQuery().
• Fixed a bug where tax and shipping categories weren’t getting saved from the Edit variant screen. (#4180)
• Fixed a bug where newly-created variants weren’t visible on product edit screens.
• Fixed a SQL error that could occur when viewing product indexes.
• Fixed a PHP error that could occur when applying project config changes after updating. (#4185)
• Fixed a bug where an order’s origin could be set incorrectly if it was created in the control panel.
• Fixed a bug where order edit screens weren’t formatting prices using the user’s preferred formatting locale.
• Fixed a SQL error that could occur when generating the pricing catalog. (#4175)

5.5.0.1 - 2025-11-24

• Fixed an error that could occur when querying for products via GraphQL. (#4122)

5.5.0 - 2025-11-18

Store Management

• Added the ability to suppress order emails when marking an order as complete in the control panel. (#4144)
• PDF download URLs are now generated with time-limited security tokens.
• Anonymous users attempting to download a PDF with an expired or missing token are now shown an email verification form.
• Added a new system message for customizing PDF download emails.
• Added the ability to select multiple products in variant conditions. (#4166)
• Added the ability to select multiple variants in pricing rules’ “Match Variant” conditions. (#4167)
• Added the ability to select multiple users in pricing rules’ “Match Customer” conditions. (#4167)

Administration

... (truncated)

Commits

• 00debfb Finish 5.5.3
• 263cf5f Release note tweaks
• f19b21a Merge branch '4.x' of https://github.com/craftcms/commerce into 5.x
• 1a8afef Finish 4.10.2
• c15579d Release note tweak
• 4431fcb release notes for #4222
• 278ed8e Merge pull request #4222 from craftcms/feature/variant-mgmt-improvements
• 3ef8d3c Not needed
• 5d83a64 fix phpstan
• 4eda061 Update with rector
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.