Documentation Home

Broadleaf Commerce 6.1.6-GA

Released on April 13, 2021

This is the 6th patch release for Broadleaf Framework 6.1.x. To upgrade a 6.1.x application to the 6.1.6-GA release, it should only require updating the parent pom.xml broadleaf-boot-starter-parent to 6.1.6-GA.

New and Noteworthy


Following are the various library upgrades that addresses security vulnerabilities

  • Google Guava -> from 24.1.1 to 30.1.1
  • Commons Validator -> from 1.5.1 to 1.7

An at-a-glance view of the issues that were closed in this release:

Major Bugs(2)

  • Fixed the issue with MVEL where parser failed to parse some specific valid expressions.
  • Fixed the issue where Customer data was persisted while validation errors were present.

Minor Bugs(7)

  • Fixed the issue with 'Link'/'Unlink' button in the Redactor link which would not enable save button for the entity.
  • Added refreshCustomer in CustomerDao and proper logic to refresh customer after changing the address.
  • Removed Thymeleaf message syntax #{} in mediaGrid.html when checking for media grid row actions
  • Removed the ability to login user by email.
  • Removed the Deprecated annotation from method collapsed in AdminGroupPresentation.
  • Added sorting of ChildItems in CartOperationRequest to resolve several issues during checkout.
  • Fixed the javascript errors which occurs while editing parameters for Scheduled Job.


  • Added Hibernate proxy handling while retrieving entity in GenericEntityDaoImpl
  • Added post fetch validation and foreign key security check in PersistentMangerImpl
  • Updated XssFilter and XssRequestWrapper to make them easier to override.
  • Update stripXSS logic to use ESAPI.encoder().encodeForHTML instead of ESAPI.validator(). getValidSafeHTML so that input isn't completely removed.
  • Improved logic for building invalid product option error message.

Total Resolved Issues: 14