Spryker Documentation

AiFoundation module Overview

Fri, 06 Feb 2026 18:03:08 +0000

This document describes how to integrate and use the AiFoundation module to interact with various AI providers in your Spryker application. The AiFoundation module provides a unified interface for working with multiple AI providers, such as OpenAI, Anthropic Claude, AWS Bedrock, and others.

Install the AiFoundation module

Access the CLI using docker/sdk cli, then require the package:
```
composer require spryker/ai-foundation
```
Generate transfers:
```
console transfer:generate
```

Configure AI providers

Configure AI providers in a dedicated configuration file. The module uses the AI_CONFIGURATIONS constant to define one or more AI configurations.

Best practice

Create a separate configuration file for AI settings to keep your configuration organized and maintainable.

Security

Store API keys as environment variables, not in configuration files. For Spryker Cloud, use the parameter store to manage sensitive credentials. For details, see Add variables in the parameter store.

Create a new configuration file config/Shared/config_ai.php:

<?php

use Spryker\Shared\AiFoundation\AiFoundationConstants;

// AI provider configurations
$config[AiFoundationConstants::AI_CONFIGURATIONS] = [
    // Your AI configurations will be defined here
];

Include the AI configuration file in your main configuration file (for example, config/Shared/config_default.php):
```
<?php

require 'config_ai.php';
```

Alternatively, you can define AI configurations directly in config/Shared/config_default.php if you prefer a single configuration file approach.

Configuration structure

Each AI configuration requires:

provider_name: The AI provider identifier (required)
provider_config: Provider-specific configuration (required)
system_prompt: Default system prompt for the AI provider

Default configuration

The module automatically uses the configuration named AI_CONFIGURATION_DEFAULT when you do not specify a configuration in the PromptRequest. Define at least one default configuration:

<?php

use Spryker\Shared\AiFoundation\AiFoundationConstants;

$config[AiFoundationConstants::AI_CONFIGURATIONS] = [
    AiFoundationConstants::AI_CONFIGURATION_DEFAULT => [
        'provider_name' => AiFoundationConstants::PROVIDER_OPENAI,
        'provider_config' => [
            'key' => getenv('OPENAI_API_KEY'),
            'model' => 'gpt-4o',
        ],
        'system_prompt' => 'You are a helpful assistant.',
    ],
];

Provider configuration examples

OpenAI

'openai-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_OPENAI,
    'provider_config' => [
        'key' => getenv('OPENAI_API_KEY'), // required
        'model' => 'gpt-4o', // required
        'parameters' => [], // optional
        'httpOptions' => [ // optional
            'timeout' => 60,
            'connectTimeout' => 5,
            'headers' => [],
        ],
    ],
    'system_prompt' => 'You are a helpful assistant.', // optional
],

Anthropic Claude

'anthropic-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_ANTHROPIC,
    'provider_config' => [
        'key' => getenv('ANTHROPIC_API_KEY'), // required
        'model' => 'claude-sonnet-4-20250514', // required
        'version' => '2023-06-01', // optional
        'max_tokens' => 8192, // optional
        'parameters' => [], // optional
        'httpOptions' => [ // optional
            'timeout' => 60,
        ],
    ],
],

AWS Bedrock

AWS Bedrock requires a system_prompt configuration. AWS credentials are automatically loaded from environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

'bedrock-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_BEDROCK,
    'provider_config' => [
        'model' => 'eu.anthropic.claude-sonnet-4-20250514-v1:0', // required
        'bedrockRuntimeClient' => [ // required
            'region' => 'eu-west-1', // required
            'version' => 'latest', // optional
        ],
    ],
    'system_prompt' => 'You are a helpful assistant.', // required for Bedrock
],

Ollama (local/self-hosted)

If Ollama runs outside the Docker SDK on macOS, use http://host.docker.internal:11434/api as the URL to access the host machine from within Docker containers.

'ollama-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_OLLAMA,
    'provider_config' => [
        'url' => 'http://host.docker.internal:11434/api', // required - use host.docker.internal for Mac when Ollama runs outside Docker
        'model' => 'llama3.2', // required
        'parameters' => [], // optional
        'httpOptions' => [ // optional
            'timeout' => 60,
            'connectTimeout' => 5,
        ],
    ],
],

Run Ollama with Docker SDK

To run Ollama as a service within the Spryker Docker SDK:

Create an ollama.yml file in your project root:

version: '3.8'

services:
    ollama:
        image: ollama/ollama:latest
        environment:
            OLLAMA_HOST: "0.0.0.0:11435"
        volumes:
            - ./data/tmp/ollama_data:/root/.ollama
        networks:
            - private
            - public

Reference the Ollama compose file in your current deploy file, for example deploy.dev.yml, under the docker section:
```
docker:
    compose:
        yamls: ['./ollama.yml']
```

Update your AI configuration to use the Ollama service URL:

'ollama-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_OLLAMA,
    'provider_config' => [
        'url' => 'http://ollama:11435/api', // use service name when running inside Docker SDK
        'model' => 'llama3.2',
    ],
],

Deploy the changes:

docker/sdk boot deploy.dev.yml
docker/sdk up

Pull the required Ollama model:

The container name is composed of the Docker deploy file namespace and the service name. Example: spryker_b2b_marketplace_ollama_1
```
docker exec spryker_b2b_marketplace_ollama_1 ollama pull llama3.2
```

The Ollama data is stored in the ./data/tmp/ollama_data directory, which you should exclude from version control (.gitignore or .dockerignore).

Google Gemini

'gemini-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_GEMINI,
    'provider_config' => [
        'key' => getenv('GEMINI_API_KEY'), // required
        'model' => 'gemini-2.0-flash', // required
        'parameters' => [], // optional
    ],
],

Deepseek

'deepseek-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_DEEPSEEK,
    'provider_config' => [
        'key' => getenv('DEEPSEEK_API_KEY'), // required
        'model' => 'deepseek-chat', // required
        'parameters' => [], // optional
    ],
],

HuggingFace

'huggingface-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_HUGGINGFACE,
    'provider_config' => [
        'key' => getenv('HUGGINGFACE_API_KEY'), // required
        'model' => 'meta-llama/Llama-3.3-70B-Instruct', // required
        'parameters' => [], // optional
    ],
],

Mistral AI

'mistral-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_MISTRAL,
    'provider_config' => [
        'key' => getenv('MISTRAL_API_KEY'), // required
        'model' => 'mistral-large-latest', // required
        'parameters' => [], // optional
    ],
],

xAI Grok

'grok-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_GROK,
    'provider_config' => [
        'key' => getenv('XAI_API_KEY'), // required
        'model' => 'grok-2-latest', // required
        'parameters' => [], // optional
    ],
],

Azure OpenAI

'azure-openai-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_AZURE_OPEN_AI,
    'provider_config' => [
        'key' => getenv('AZURE_OPENAI_API_KEY'), // required
        'endpoint' => 'https://your-resource.openai.azure.com', // required
        'model' => 'your-deployment-name', // required
        'version' => '2024-02-01', // optional
        'parameters' => [], // optional
    ],
],

Local override of LLM settings

To set up your local development settings and override the API key of your chosen provider:

Copy your provider’s configuration into a git-ignored local configuration file, such as config/Shared/config_local.php, and define your modifications.

Example:

'gemini-config' => [
    'provider_name' => AiFoundationConstants::PROVIDER_GEMINI,
    'provider_config' => [
        'key' => 'my-secret-key', // required
        'model' => 'gemini-2.0-flash', // required
        'parameters' => [], // optional
    ],
],

Use the AiFoundation client

Basic usage

<?php

namespace Pyz\Zed\YourModule\Business;

use Generated\Shared\Transfer\PromptMessageTransfer;
use Generated\Shared\Transfer\PromptRequestTransfer;
use Spryker\Client\AiFoundation\AiFoundationClientInterface;

class YourBusinessModel
{
    public function __construct(
        protected AiFoundationClientInterface $aiFoundationClient
    ) {
    }

    public function generateContent(string $userMessage): string
    {
        $promptRequest = (new PromptRequestTransfer())
            ->setPromptMessage(
                (new PromptMessageTransfer())->setContent($userMessage)
            );

        $response = $this->aiFoundationClient->prompt($promptRequest);

        return $response->getMessage()->getContent();
    }
}

Using a specific configuration

Specify a configuration name to use a configuration other than the default:

$promptRequest = (new PromptRequestTransfer())
    ->setAiConfigurationName('anthropic-config')
    ->setPromptMessage(
        (new PromptMessageTransfer())->setContent('Explain Spryker modules')
    );

$response = $this->aiFoundationClient->prompt($promptRequest);

Multiple configurations example

Configure multiple AI providers for different use cases in your application:

<?php

use Spryker\Shared\AiFoundation\AiFoundationConstants;

$config[AiFoundationConstants::AI_CONFIGURATIONS] = [
    AiFoundationConstants::AI_CONFIGURATION_DEFAULT => [
        'provider_name' => AiFoundationConstants::PROVIDER_OPENAI,
        'provider_config' => [
            'key' => getenv('OPENAI_API_KEY'),
            'model' => 'gpt-4o',
        ],
    ],
    'fast-responses' => [
        'provider_name' => AiFoundationConstants::PROVIDER_OPENAI,
        'provider_config' => [
            'key' => getenv('OPENAI_API_KEY'),
            'model' => 'gpt-4o-mini',
        ],
        'system_prompt' => 'Provide concise, brief responses.',
    ],
];

Available provider constants

The module provides the following provider constants in AiFoundationConstants:

PROVIDER_OPENAI - OpenAI (ChatGPT)
PROVIDER_ANTHROPIC - Anthropic Claude
PROVIDER_BEDROCK - AWS Bedrock Runtime
PROVIDER_GEMINI - Google Gemini
PROVIDER_DEEPSEEK - Deepseek AI
PROVIDER_HUGGINGFACE - HuggingFace
PROVIDER_MISTRAL - Mistral AI
PROVIDER_OLLAMA - Ollama (local/self-hosted)
PROVIDER_GROK - xAI Grok
PROVIDER_AZURE_OPEN_AI - Azure OpenAI

Transfer objects

PromptRequest

This transfer contains the request data for AI interaction:

promptMessage (PromptMessage, required): The message to send to the AI
aiConfigurationName (string, optional): The configuration name to use. If not provided, uses AI_CONFIGURATION_DEFAULT
structuredMessage (object, optional): A Transfer object that defines the expected response structure for structured responses
toolSetName (string[], optional): Array of tool set names to make available to the AI. For details, see Use AI tools with the AiFoundation module
maxRetries (int, optional): Maximum number of retry attempts for failed requests. Default is 0

PromptMessage

This transfer represents a message in the conversation:

content (string): The text content of the message
contentData (array, optional): Additional structured data
attachments (Attachment[], optional): File or image attachments

PromptResponse

This transfer contains the AI response:

message (PromptMessage): The AI’s response message
isSuccessful (bool): Whether the request was successful
errors (array, optional): Array of error messages if the request failed
toolInvocations (ToolInvocation[], optional): Array of tool invocations made by the AI during response generation

Attachment

This transfer represents a file or image attachment:

type (string): Type of attachment (use AiFoundationConstants::ATTACHMENT_TYPE_IMAGE or ATTACHMENT_TYPE_DOCUMENT)
content (string): The content (URL or Base64-encoded data)
contentType (string): Content type format (use AiFoundationConstants::ATTACHMENT_CONTENT_TYPE_URL or ATTACHMENT_CONTENT_TYPE_BASE64)
mediaType (string): MIME type (for example, image/png, application/pdf)

ToolInvocation

This transfer contains information about a tool invocation made by the AI:

name (string): The name of the tool that was invoked
arguments (array): The arguments passed to the tool
result (string): The result returned by the tool execution

Roadmap

The following capabilities are planned for future releases of the AiFoundation module:

Chat history capabilities

Support for maintaining conversation context across multiple interactions. This will enable multi-turn conversations where the AI can reference previous messages, maintain state, and provide more contextually relevant responses throughout an extended dialogue.

About NeuronAI framework

The AiFoundation module uses the NeuronAI PHP agentic framework under the hood. NeuronAI provides the foundational infrastructure for AI provider integrations.

The Spryker AiFoundation client is designed for simple use cases where you need to send prompts to AI providers and receive responses. This covers most common AI integration scenarios in e-commerce applications.

For advanced agentic solutions that require complex workflows, multi-agent systems, or custom AI behaviors, you can use the NeuronAI framework directly in your project code. However, note that Spryker does not officially support direct usage of NeuronAI APIs outside of the AiFoundation module. If you choose to use NeuronAI directly, you are responsible for maintenance and compatibility with future versions.

Release notes for spryker-php image

Fri, 06 Feb 2026 15:12:52 +0000

This document describes the changes that have been recently released. For additional support with this content, contact our support. If you found a new security vulnerability, contact us at **security@spryker.com**. ## Release notes for spryker-php 20260206.0 ### Improvements - Added support for Alpine 3.23 - Upgraded Composer to 2.9.3 - Upgraded Tideways to 5.32.0 - Upgraded NewRelic to the latest ## Security fixes by image This section details security vulnerabilities that have been addressed in specific Docker images. ### spryker/php:8.4-alpine3.22 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-61730**: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. - **CVE-2025-11187**: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. - **CVE-2025-15469**: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. - **CVE-2026-24515**: In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. ### spryker/php:8.3-alpine3.22 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2026-24515**: In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-61730**: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. - **CVE-2025-11187**: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. - **CVE-2025-15469**: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. ### spryker/php:8.2-alpine3.22 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-11187**: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. - **CVE-2025-15469**: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. ### spryker/php:8.4-alpine3.21 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-14178**: A heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-61726**: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-14177**: The getimagesize() function may leak uninitialized heap memory into the APPn segments (for example, APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. - **CVE-2025-14180**: Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges ### spryker/php:8.3-alpine3.21 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. ### spryker/php:8.2-alpine3.21 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-61728**: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-14178**: A heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-61726**: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-61730**: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. - **CVE-2025-14177**: The getimagesize() function may leak uninitialized heap memory into the APPn segments (for example, APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. ### spryker/php:8.4-alpine3.20 - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-61728**: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2025-6491**: When parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2025-1220**: NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-1735**: A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. - **CVE-2025-14177**: The getimagesize() function may leak uninitialized heap memory into the APPn segments (for example, APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. ### spryker/php:8.3-alpine3.20 - **CVE-2025-14178**: A heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-61726**: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. - **CVE-2025-61730**: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. - **CVE-2025-14180**: Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2025-1220**: NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-1734**: In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle. - **CVE-2025-1861**: When parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location. - **CVE-2025-1219**: When requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This may cause the resulting document to be parsed incorrectly or bypass validations. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-1217**: When http request module parses HTTP response obtained from a server, folded headers are parsed incorrectly, which may lead to misinterpreting the response and using incorrect headers, MIME types, etc. - **CVE-2025-1735**: A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. - **CVE-2025-14177**: The getimagesize() function may leak uninitialized heap memory into the APPn segments (for example, APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. ### spryker/php:8.2-alpine3.20 - **CVE-2025-14178**: A heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-61726**: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. - **CVE-2025-61730**: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. - **CVE-2025-14180**: Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges - **CVE-2025-61728**: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2025-6491**: When parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2025-1220**: NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. - **CVE-2025-1735**: A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. - **CVE-2025-14177**: The getimagesize() function may leak uninitialized heap memory into the APPn segments (for example, APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. ### spryker/php:8.1-alpine3.20 - **CVE-2025-14178**: A heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. - **CVE-2025-15468**: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. - **CVE-2025-69421**: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. - **CVE-2026-22796**: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. - **CVE-2026-15467**: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. - **CVE-2025-61726**: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. - **CVE-2025-61730**: During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. - **CVE-2025-14180**: Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges - **CVE-2025-61728**: archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. - **CVE-2025-69420**: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. - **CVE-2025-69418**: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. - **CVE-2025-6491**: When parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server. - **CVE-2026-22801**: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. - **CVE-2025-1220**: NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017. - **CVE-2026-22695**: A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible. - **CVE-2025-66199**: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. - **CVE-2025-68160**: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. - **CVE-2025-69419**: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. - **CVE-2026-22795**: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Configure Elasticsearch

Thu, 05 Feb 2026 14:24:44 +0000

Elasticsearch is a NoSQL data store that lets you predefine the structure of the data you store in it.

Because the data structure is static, you need to define it in advance. The definitions of the indexes and mappings are written in JSON. For more information, see the official Elasticsearch documentation.

The content of the configuration files must follow the conventions listed in the Create index API document of the official Elasticsearch documentation.

Note

The current search installer supports only settings and mappings. However, if you need more, you can extend it on the project level.

Schema example: For the main index called page, you can find the default schema configuration in vendor/spryker/search-elasticsearch/src/Spryker/Shared/SearchElasticsearch/Schema/page.json.

OpenSearch compatibility

Spryker PaaS uses OpenSearch, an AWS-maintained fork of Elasticsearch. The configuration principles in this guide apply to both. For OpenSearch-specific features and version information, see the OpenSearch documentation.

Index naming convention

Each configured store has its index, which is installed automatically. An index name consists of the following parts:

An optional prefix, which is defined by the SearchElasticsearchConstants::INDEX_PREFIX configuration option.
A store name.
A configuration file name.

Index name components are delimited with an underscore—for example, spryker_de_page.

Schema configuration approaches

Spryker supports two approaches for defining Elasticsearch index schemas. Understanding the difference helps you choose the right approach for your project.

Modern approach: Schema directory (Recommended)

The modern and recommended approach uses JSON files in the Schema directory:

Location: */Shared/*/Schema/
File naming: {index-name}.json (for example, page.json, myindex.json)
Configuration method: SearchElasticsearchConfig::getJsonSchemaDefinitionDirectories()
Use case: Creating new indexes or extending existing ones

Examples:

Core schema: vendor/spryker/search-elasticsearch/src/Spryker/Shared/SearchElasticsearch/Schema/page.json
Project-level customization: src/Pyz/Shared/Search/Schema/page.json

This approach offers flexibility through modular schema definitions. Files can contain complete index definitions or only the parts you want to extend or override.

Legacy approach: IndexMap directory (Deprecated)

The older approach uses JSON files in the IndexMap directory:

Location: */Shared/*/IndexMap/
File naming: search.json
Configuration method: SearchConfig::getJsonIndexDefinitionDirectories() (deprecated)
Status: Maintained for backward compatibility but not recommended for new implementations

Deprecation notice

The IndexMap approach is deprecated. For new projects or when extending existing schemas, use the modern Schema directory approach instead.

Schema merging and customization

Spryker automatically merges all JSON files with the same name across different modules, enabling you to customize schemas without modifying core files.

How merging works

The SchemaDefinitionFinder locates all JSON files in configured Schema directories
The IndexDefinitionLoader loads each file
The IndexDefinitionMerger merges files with matching names using array_replace_recursive()

Merging order:

Core vendor schemas (from vendor/spryker/*/src/*/Shared/*/Schema/)
Project-level schemas (from src/*/Shared/*/Schema/)

Project-level definitions override core definitions for matching keys.

Merging example

Core schema (vendor/spryker/search-elasticsearch/src/Spryker/Shared/SearchElasticsearch/Schema/page.json):

{
    "settings": {
        "analysis": {
            "analyzer": {
                "suggestion_analyzer": {
                    "tokenizer": "standard",
                    "filter": ["lowercase"]
                }
            }
        }
    },
    "mappings": {
        "page": {
            "properties": {
                "full-text": {
                    "type": "text"
                }
            }
        }
    }
}

Project-level schema (src/Pyz/Shared/Search/Schema/page.json):

{
    "settings": {
        "analysis": {
            "analyzer": {
                "fulltext_index_analyzer": {
                    "tokenizer": "keyword",
                    "filter": ["lowercase", "fulltext_index_ngram_filter"]
                }
            }
        }
    },
    "mappings": {
        "page": {
            "properties": {
                "full-text": {
                    "analyzer": "fulltext_index_analyzer"
                }
            }
        }
    }
}

Resulting merged schema:

{
    "settings": {
        "analysis": {
            "analyzer": {
                "suggestion_analyzer": {
                    "tokenizer": "standard",
                    "filter": ["lowercase"]
                },
                "fulltext_index_analyzer": {
                    "tokenizer": "keyword",
                    "filter": ["lowercase", "fulltext_index_ngram_filter"]
                }
            }
        }
    },
    "mappings": {
        "page": {
            "properties": {
                "full-text": {
                    "type": "text",
                    "analyzer": "fulltext_index_analyzer"
                }
            }
        }
    }
}

Store-specific schemas

To create store-specific schema overrides, prefix the filename with the store code:

de_page.json - Applies only to the DE store
us_page.json - Applies only to the US store
page.json - Applies to all stores (unless overridden by store-specific files)

This is useful when different stores require different analyzers, language-specific tokenizers, or other locale-specific configurations.

Source identifier management

Spryker uses an allowlist mechanism to control which index schema files are processed during installation. This prevents accidental or unauthorized index creation.

How source identifiers work

The source identifier is derived from the JSON filename:

page.json → source identifier: page
product-review.json → source identifier: product-review
myindex.json → source identifier: myindex

Spryker loads and installs only files whose source identifiers are listed in SearchElasticsearchConfig::getSupportedSourceIdentifiers(). Files with unlisted source identifiers are skipped.

Code reference: The filtering happens in IndexDefinitionLoader::load() at src/Spryker/SearchElasticsearch/src/Spryker/Zed/SearchElasticsearch/Business/Definition/Loader/IndexDefinitionLoader.php:60-62:

if (!$this->sourceIdentifier->isSupported($sourceIdentifier, $storeName)) {
    continue;
}

Configure supported source identifiers

To add support for new indexes, override SUPPORTED_SOURCE_IDENTIFIERS in your project-level configuration:

src/Pyz/Shared/SearchElasticsearch/SearchElasticsearchConfig.php

<?php

namespace Pyz\Shared\SearchElasticsearch;

use Spryker\Shared\SearchElasticsearch\SearchElasticsearchConfig as SprykerSearchElasticsearchConfig;

class SearchElasticsearchConfig extends SprykerSearchElasticsearchConfig
{
    protected const SUPPORTED_SOURCE_IDENTIFIERS = [
        'page',
        'product-review',
        'return_reason',
        'merchant',
        'myindex', // Add your custom index here
    ];
}

Security consideration

The SUPPORTED_SOURCE_IDENTIFIERS configuration acts as a security allowlist. Always review and explicitly add source identifiers rather than allowing all indexes. This prevents unauthorized or test indexes from being created in production environments.

Example workflow

Create a new schema file: src/Pyz/Shared/MyModule/Schema/myindex.json
Add the source identifier to the configuration: 'myindex' in SUPPORTED_SOURCE_IDENTIFIERS

Run the installation commands:

vendor/bin/console search:setup:sources
vendor/bin/console search:setup:source-map

The new index is created and a MyindexIndexMap helper class is generated

Without step 2, the myindex.json file is discovered but skipped during installation, and no index is created.

Store-prefixed source identifiers

Store-prefixed files like de_page.json work with the base source identifier page. You do not need to add de_page to SUPPORTED_SOURCE_IDENTIFIERS. The system automatically recognizes de_page as a store-specific variant of the page source identifier.

Working with indexes and mappings

Create new indexes

To define new indexes and mappings, under the Shared namespace of any module, create new configuration files—for example, src/Pyz/Shared/MyModuleName/Schema/myindex.json.

The file can contain a complete index definition with settings and mappings. When the search installer runs, it reads all available configuration files and merges them by index name per store.

Modify existing indexes

To extend or overwrite existing configurations, create a new file with the same name you want to modify and provide only the differences compared to the original one. The merging process automatically combines your changes with the core schema.

For store-specific modifications, create a configuration file with the store’s name prefix—for example, de_page.json. This is useful when you have different analyzing strategies for different stores.

Example: Custom tokenizer configuration

The following example shows how to modify the default schema configuration for the main index page to allow searching for keywords containing the special character & (ampersand). The configuration switches from a standard tokenizer to a combination of keyword tokenizer and token filter of the word_delimiter_graph type.

src/Pyz/Shared/Search/Schema/page.json

{
    "settings": {
        "analysis": {
            "analyzer": {
                "fulltext_index_analyzer": {
                    "tokenizer": "keyword",
                    "filter": ["my_custom_word_delimiter_graph_filter", "lowercase", "fulltext_index_ngram_filter"]
                },
                "fulltext_search_analyzer": {
                    "tokenizer": "keyword",
                    "filter": ["custom_word_delimiter_graph_filter", "lowercase"]
                }
            },
            "filter": {
                "fulltext_index_ngram_filter": {
                    "type": "edge_ngram",
                    "min_gram": 2,
                    "max_gram": 20
                },
                "custom_word_delimiter_graph_filter": {
                    "type": "word_delimiter_graph",
                    "type_table": [ "& => ALPHA" ],
                    "split_on_case_change": false,
                    "split_on_numerics": false
                }
            }
        }
    },
    "mappings": {
        "page": {
            "properties": {
                "full-text": {
                    "analyzer": "fulltext_index_analyzer",
                    "search_analyzer": "fulltext_search_analyzer"
                },
                "full-text-boosted": {
                    "analyzer": "fulltext_index_analyzer",
                    "search_analyzer": "fulltext_search_analyzer"
                }
            }
        }
    }
}

After creating or modifying schema files, follow the installation steps in the Install indexes and mappings section.

Install indexes and mappings

To install or update indexes and mappings, run the following commands:

vendor/bin/console search:setup:sources
vendor/bin/console search:setup:source-map

The first command installs indexes that do not exist and updates the mappings based on the JSON configurations.

If an index is created with the given settings, those settings cannot be changed by running this process again, but the mapping can be modified.

In the development environment, to create new analyzers or change the index settings, you must delete the index and run the installation process again.

Populate indexes with data

After installation, populate the newly created index with data:

vendor/bin/console publish:trigger-events

Generated helper classes

After running the search:setup:source-map command, a helper class is autogenerated for every installed index. You can find these classes under the \Generated\Shared\Search namespace. The name of the generated class starts with the name of the index and is followed by the suffix IndexMap.

For the default page index, the class is \Generated\Shared\Search\PageIndexMap.

These classes provide information from the mapping, such as fields and metadata. Use these classes for references to program against something related to that mapping schema.

If you change the mapping and run the installer, autogenerated classes change accordingly.

Update indexes with existing data

Elasticsearch has limitations when updating indexes that contain data. If any issues occur, the errors provided by Elasticsearch can be confusing.

To ensure an index is correct when updating schemas, follow these steps:

Drop and recreate the index:

APPLICATION_STORE=DE console search:index:delete
APPLICATION_STORE=DE console search:setup:sources

If the previous command introduced or may have introduced any changes to searchable data, rewrite the data:

APPLICATION_STORE=DE console publish:trigger-events

Sync the data to Elasticsearch:

APPLICATION_STORE=DE console sync:data

For help with more specific cases, engage with the Spryker community or contact support.

Advanced configuration

Disable default mapping installation

To disable the default mapping installation, override the core configuration defined in Spryker\Zed\SearchElasticsearch\SearchElasticsearchConfig::getJsonSchemaDefinitionDirectories() by implementing it on the project level—for example, in Pyz\Zed\SearchElasticsearch\SearchElasticsearchConfig.

Warning

Disabling default mappings means you must provide all necessary schema configurations at the project level. This is an advanced configuration option and should only be used when you have specific requirements that cannot be met by extending the default schemas.

Enable the Zero State Component for Empty Data

Tue, 03 Feb 2026 13:23:35 +0000

This guide explains how to enable the Zero State component in Spryker Cloud Commerce OS Yves so you can display user-friendly messages and visuals when no data is available.

To add the Zero State component to your project, include the molecule('empty-state') in the relevant Twig file.

vendor/spryker-shop/shop-ui/src/SprykerShop/Yves/ShopUi/Theme/default/components/molecules/empty-state/empty-state.twig

Example:

{% include molecule('empty-state') with {
    data: {
        title: 'title.glossary.key' | trans,
        description: 'description.glossary.key' | trans,
        iconName: 'icon-name',
        actionButton: {
            text: 'button.glossary.key' | trans,
            link: url('url-key'),
            qa: 'qa-key',
            icon: {
                name: 'icon-name',
            },
        },
    },
} only %}

Steps to Enable the Zero State Component

1. Update `SprykerShop` modules

Update the following modules to the specified versions or higher:

spryker-shop/shop-ui: 1.101.0
spryker-shop/customer-page: 2.73.0
spryker-shop/sales-return-page: 1.11.0

composer update spryker-shop/shop-ui:"^1.101.0" spryker-shop/customer-page:"^2.73.0" spryker-shop/sales-return-page:"^1.11.0"

2. Add icons to the icon sprite

Add new icons into icon-sprite atom:

src/Pyz/Yves/ShopUi/Theme/default/components/atoms/icon-sprite/icon-sprite.twig

<symbol id=":flash-message-alert" viewBox="0 -960 960 960" fill="currentColor"><path d="M480-80q-83 0-156-31.5T197-197q-54-54-85.5-127T80-480q0-83 31.5-156T197-763q54-54 127-85.5T480-880q83 0 156 31.5T763-763q54 54 85.5 127T880-480q0 83-31.5 156T763-197q-54 54-127 85.5T480-80Zm0-80q54 0 104-17.5t92-50.5L228-676q-33 42-50.5 92T160-480q0 134 93 227t227 93Zm252-124q33-42 50.5-92T800-480q0-134-93-227t-227-93q-54 0-104 17.5T284-732l448 448Z"/></symbol>   
<symbol id=":local-mall" viewBox="0 -960 960 960" fill="currentColor">
    <title id=":local-mall">Local Mall</title>
    <path d="M200-80q-33 0-56.5-23.5T120-160v-480q0-33 23.5-56.5T200-720h80q0-83 58.5-141.5T480-920q83 0 141.5 58.5T680-720h80q33 0 56.5 23.5T840-640v480q0 33-23.5 56.5T760-80H200Zm0-80h560v-480H200v480Zm280-240q83 0 141.5-58.5T680-600h-80q0 50-35 85t-85 35q-50 0-85-35t-35-85h-80q0 83 58.5 141.5T480-400ZM360-720h240q0-50-35-85t-85-35q-50 0-85 35t-35 85ZM200-160v-480 480Z"/>
</symbol>
<symbol id=":globe-location-pin" viewBox="0 -960 960 960" fill="currentColor">
    <title id=":globe-location-pin">Globe Location Pin</title>
    <path d="M480-80q-83 0-156-31.5T197-197q-54-54-85.5-127T80-480q0-83 31.5-156T197-763q54-54 127-85.5T480-880q152 0 263.5 98T876-538q-20-10-41.5-15.5T790-560q-19-73-68.5-130T600-776v16q0 33-23.5 56.5T520-680h-80v80q0 17-11.5 28.5T400-560h-80v80h240q11 0 20.5 5.5T595-459q-17 27-26 57t-9 62q0 63 32.5 117T659-122q-41 20-86 31t-93 11Zm-40-82v-78q-33 0-56.5-23.5T360-320v-40L168-552q-3 18-5.5 36t-2.5 36q0 121 79.5 212T440-162Zm340 82q-7 0-12-4t-7-10q-11-35-31-65t-43-59q-21-26-34-57t-13-65q0-58 41-99t99-41q58 0 99 41t41 99q0 34-13.5 64.5T873-218q-23 29-43 59t-31 65q-2 6-7 10t-12 4Zm0-113q10-17 22-31.5t23-29.5q14-19 24.5-40.5T860-340q0-33-23.5-56.5T780-420q-33 0-56.5 23.5T700-340q0 24 10.5 45.5T735-254q12 15 23.5 29.5T780-193Zm0-97q-21 0-35.5-14.5T730-340q0-21 14.5-35.5T780-390q21 0 35.5 14.5T830-340q0 21-14.5 35.5T780-290Z"/>
</symbol>
<symbol id=":add" viewBox="0 -960 960 960" fill="currentColor">
    <title id=":add">Add</title>
    <path d="M440-440H200v-80h240v-240h80v240h240v80H520v240h-80v-240Z"/>
</symbol>
<symbol id=":shopping-bag-speed" viewBox="0 -960 960 960" fill="currentColor">
    <title id=":shopping-bag-speed">Shopping Bag Speed</title>
    <path d="m40-240 20-80h220l-20 80H40Zm80-160 20-80h260l-20 80H120Zm623 240 20-160 29-240 10-79-59 479ZM240-80q-33 0-56.5-23.5T160-160h583l59-479H692l-11 85q-2 17-15 26.5t-30 7.5q-17-2-26.5-14.5T602-564l9-75H452l-11 84q-2 17-15 27t-30 8q-17-2-27-15t-8-30l9-74H220q4-34 26-57.5t54-23.5h80q8-75 51.5-117.5T550-880q64 0 106.5 47.5T698-720h102q36 1 60 28t19 63l-60 480q-4 30-26.5 49.5T740-80H240Zm220-640h159q1-33-22.5-56.5T540-800q-35 0-55.5 21.5T460-720Z"/>
</symbol>

3. Glossary keys

Add glossary keys for the empty state component (for example, Customer pages – Addresses, Order History, and Returns):

data/import/common/common/glossary.csv

>customer.account.address.no-addresses,Noch keine Adressen hinzugefügt!,de_DE
customer.account.address.no-addresses-description,"This is where you'll find and manage addresses once it's available.",en_US
customer.account.address.no-addresses-description,"Hier können Sie Ihre Adressen sehen und verwalten, sobald sie verfügbar sind.",de_DE
customer.order.no_orders,No order history available!,en_US
customer.order.no_orders,Keine Bestellungen gefunden!,de_DE
customer.order.no_orders_description,"This is where you'll find and manage order history once it's available.",en_US
customer.order.no_orders_description,"Hier können Sie Ihre Bestellhistorie sehen und verwalten, sobald sie verfügbar ist.",de_DE
return_page.account.no_return,No returns found!,en_US
return_page.account.no_return,Keine Retouren gefunden!,de_DE
return_page.account.no_return_description,"This is where you'll find and manage returns once it's available.",en_US
return_page.account.no_return_description,"Hier können Sie Ihre Retouren sehen und verwalten, sobald sie verfügbar sind.",de_DE

4. Update Twig files to enable the new `Zero State` component

src/Pyz/Yves/CustomerPage/Theme/default/components/molecules/order-table/order-table.twig

{% if data.orders is empty %}
    {% block noOrder %}
        {{ parent() }}
    {% endblock %}
{% else %}

src/Pyz/Yves/CustomerPage/Theme/default/views/address/address.twig

{% for address in data.addresses %}
    ...
{% else %}
    {% block emptyState %}
        {% include molecule('empty-state') with {
            data: {
                title: 'customer.account.address.no-addresses' | trans,
                description: 'customer.account.address.no-addresses-description' | trans,
                iconName: 'globe-location-pin',
                actionButton: {
                    text: 'customer.account.button.add_new_address' | trans,
                    link: url('customer/address/new'),
                    qa: 'customer-add-new-address',
                    icon: {
                        name: 'add',
                    },
                },
            },
        } only %}
    {% endblock %}
{% endfor %}

Tip

To prevent the newly created `Zero State` component from rendering on the `Customer/Overview` page, adjust the `order-table` molecule include by replacing the content of the `noOrder` block.

src/Pyz/Yves/CustomerPage/Theme/default/views/overview/overview.twig

{% embed molecule('order-table', 'CustomerPage') with {
    data: {
        orders: data.orders,
        ordersAggregatedItemStateDisplayNames: data.ordersAggregatedItemStateDisplayNames,
    },
} only %}
    {% block noOrder %}
        <p>{{ 'customer.account.no_order' | trans }}</p>
    {% endblock %}
{% endembed %}

Upgrade to Angular 20

Fri, 30 Jan 2026 15:15:25 +0000

This document explains how you can upgrade Angular to version 20 in your Spryker project. Spryker currently uses Angular version 18. According to the [Angular Support policy and schedule](https://angular.dev/reference/releases#actively-supported-versions), Angular 18 is deprecated. The current stable Angular version is 20. We recommend that you upgrade to the latest major Angular version to receive the most recent bug fixes, security updates, and improvements to runtime performance and tooling. Upgrading to Angular v20 introduces incompatibilities with earlier Angular versions. As a result, the following modules require a major release: - `AgentDashboardMerchantPortalGui` - `AgentSecurityMerchantPortalGui` - `CommentMerchantPortalGui` - `DashboardMerchantPortalGui` - `DataImportMerchantPortalGui` - `GuiTable` - `MerchantAppMerchantPortalGui` - `MerchantProfileMerchantPortalGui` - `MerchantRelationRequestMerchantPortalGui` - `MerchantRelationshipMerchantPortalGui` - `MultiFactorAuthMerchantPortal` - `PriceProductMerchantRelationshipMerchantPortalGui` - `ProductMerchantPortalGui` - `ProductOfferMerchantPortalGui` - `ProductOfferServicePointMerchantPortalGui` - `ProductOfferShipmentTypeMerchantPortalGui` - `SalesMerchantPortalGui` - `SecurityMerchantPortalGui` - `UserMerchantPortalGui` - `ZedUi` *Estimated migration time: 2h* To upgrade to Angular v20, follow these steps. ## 1) Update modules 1. Check if the following Marketplace modules in your project have the new versions: | NAME | VERSION | |--------------------------------------------------|-----------| | AgentDashboardMerchantPortalGui | >= 2.0.0 | | AgentSecurityMerchantPortalGui | >= 2.0.0 | | CommentMerchantPortalGui | >= 2.0.0 | | DashboardMerchantPortalGui | >= 4.0.0 | | DataImportMerchantPortalGui | >= 2.0.0 | | GuiTable | >= 4.0.0 | | MerchantAppMerchantPortalGui | >= 2.0.0 | | MerchantProfileMerchantPortalGui | >= 4.0.0 | | MerchantRelationRequestMerchantPortalGui | >= 2.0.0 | | MerchantRelationshipMerchantPortalGui | >= 2.0.0 | | MultiFactorAuthMerchantPortal | >= 2.0.0 | | PriceProductMerchantRelationshipMerchantPortalGui| >= 3.0.0 | | ProductMerchantPortalGui | >= 5.0.0 | | ProductOfferMerchantPortalGui | >= 4.0.0 | | ProductOfferServicePointMerchantPortalGui | >= 3.0.0 | | ProductOfferShipmentTypeMerchantPortalGui | >= 3.0.0 | | SalesMerchantPortalGui | >= 4.0.0 | | SecurityMerchantPortalGui | >= 4.0.0 | | UserMerchantPortalGui | >= 4.0.0 | | ZedUi | >= 4.0.0 | If they don't, update the module versions manually or by using the following command: ```bash composer require spryker-feature/marketplace-comments spryker-feature/marketplace-merchant-contract-requests spryker-feature/marketplace-merchant-contracts spryker-feature/marketplace-merchant-custom-prices spryker-feature/marketplace-merchant-portal-product-management spryker-feature/marketplace-merchant-portal-product-offer-management spryker-feature/marketplace-merchant-portal-product-offer-service-points spryker-feature/marketplace-merchantportal-core spryker-feature/merchant-portal-data-import spryker/agent-dashboard-merchant-portal-gui:"^2.0.0" spryker/agent-security-merchant-portal-gui:"^2.0.0" spryker/dashboard-merchant-portal-gui:"^4.0.0" spryker/merchant-app-merchant-portal-gui:"^2.0.0" spryker/merchant-profile-merchant-portal-gui:"^4.0.0" spryker/sales-merchant-portal-gui:"^4.0.0" --update-with-dependencies ``` 2. Regenerate the data transfer object: ```bash console transfer:generate ``` ## 2) Update npm dependencies In `package.json`, do the following: 1. Adjust the npm scripts and engines: ```json { "scripts": { "mp:build": "ng build", "mp:build:watch": "ng build --watch", "mp:build:production": "ng build --configuration production", "mp:stylelint": "node ./frontend/merchant-portal/stylelint.mjs", "mp:lint": "ng lint", "mp:test": "ng test", }, "engines": { "node": ">=20.19.0", "npm": ">=10.0.0" }, } ``` 2. Update or add the following dependencies: ```json { "dependencies": { "@angular/animations": "~20.3.16", "@angular/cdk": "~20.2.14", "@angular/common": "~20.3.16", "@angular/compiler": "~20.3.16", "@angular/core": "~20.3.16", "@angular/elements": "~20.3.16", "@angular/forms": "~20.3.16", "@angular/platform-browser": "~20.3.16", "@angular/platform-browser-dynamic": "~20.3.16", "@angular/router": "~20.3.16", "ng-zorro-antd": "~20.4.4", "rxjs": "~7.8.2", "zone.js": "~0.15.1" } } ``` 3. Update or add the following dev dependencies: ```json { "devDependencies": { "@angular-builders/custom-webpack": "~20.0.0", "@angular-builders/jest": "~20.0.0", "@angular-devkit/build-angular": "~20.3.14", "@angular-eslint/builder": "~20.7.0", "@angular-eslint/eslint-plugin": "~20.7.0", "@angular-eslint/eslint-plugin-template": "~20.7.0", "@angular-eslint/template-parser": "~20.7.0", "@angular/cli": "~20.3.14", "@angular/compiler-cli": "~20.3.16", "@angular/language-service": "~20.3.16", "@babel/plugin-transform-class-properties": "~7.25.9", "@babel/plugin-transform-runtime": "~7.28.5", "@babel/preset-env": "~7.28.6", "@babel/preset-typescript": "~7.28.5", "@eslint/js": "^9.39.2", "@types/jest": "~30.0.0", "@types/node": "~25.0.9", "@types/webpack": "~5.28.5", "@typescript-eslint/eslint-plugin": "~8.53.0", "@typescript-eslint/parser": "~8.53.0", "angular-eslint": "^21.1.0", "eslint": "~9.39.2", "eslint-plugin-deprecation": "^3.0.0", "fast-glob": "~3.3.3", "jest": "~30.2.0", "jest-environment-jsdom": "~30.2.0", "jest-preset-angular": "~16.0.0", "typescript": "~5.9.3", "typescript-eslint": "^8.53.0", } } ``` 4. Remove the following dependencies: ```json { "devDependencies": { "@nx/angular": "~18.1.1", "@nx/eslint": "~18.1.2", "@nx/eslint-plugin": "~18.1.2", "@nx/jest": "~18.1.2", } } ``` 5. Update and install the package dependencies: ```bash rm -rf node_modules npm install ``` {% info_block warningBox "Verification" %} Ensure that you update both the `package-lock.json` file and the `node_modules` directory. {% endinfo_block %} ## 3) Update the Angular configuration 1. In the `frontend/merchant-portal` folder, do the following: 1. In `jest.config.ts`, change the paths for configuration: ```ts export default { displayName: 'merchant-portal', preset: 'jest-preset-angular', setupFilesAfterEnv: ['/frontend/merchant-portal/test-setup.ts'], roots: ['/src/Pyz'], testMatch: ['**/+(*.)+(spec|test).+(ts|js)?(x)'], moduleFileExtensions: ['ts', 'js', 'html'], passWithNoTests: true, globals: { 'ts-jest': { tsconfig: '/frontend/merchant-portal/tsconfig.spec.json', stringifyContentPathRegex: '\\.(html|svg)$', }, }, } ``` 2. In `test-setup.ts`, replace `jest-preset-angular/setup-jest` import to `jest-preset-angular/setup-env/zone`: ```ts import 'jest-preset-angular/setup-env/zone'; import 'reflect-metadata/lite'; ``` 2. In the root of the project, do the following: 1. Add `**/.angular/` to `.gitignore` and `.prettierignore`. ```text **/.angular/ ``` 2. Delete `project.json`, `nx.json`, `eslintrc.mp.json`. 3. Add the `eslint.config.mjs` with the following configuration: ```js import typescriptEslint from '@typescript-eslint/eslint-plugin'; import typescriptParser from '@typescript-eslint/parser'; import deprecationPlugin from 'eslint-plugin-deprecation'; import angularEslint from 'angular-eslint'; import { createRequire } from 'module'; const require = createRequire(import.meta.url); const sprykerConfig = require('@spryker/frontend-config.eslint/.eslintrc.js'); export default [ { ignores: [ 'docker/', 'public/*/assets/', '**/dist/', '**/node_modules/', 'vendor/', '**/.angular/', ], }, // Configuration for regular JS files { files: ['**/*.js'], languageOptions: { ecmaVersion: 2020, sourceType: 'module', globals: { ...sprykerConfig.globals, }, }, rules: { ...sprykerConfig.rules, 'accessor-pairs': [ 'error', { setWithoutGet: true, enforceForClassMembers: false, }, ], }, }, // Configuration for Yves TypeScript files { files: ['src/{Pyz,SprykerShop,SprykerFeature}/*/src/{Pyz,SprykerShop,SprykerFeature}/Yves/**/*.ts'], languageOptions: { parser: typescriptParser, parserOptions: { ecmaVersion: 2020, sourceType: 'module', project: ['./tsconfig.yves.json'], }, globals: { ...sprykerConfig.globals, }, }, plugins: { '@typescript-eslint': typescriptEslint, deprecation: deprecationPlugin, }, rules: { ...sprykerConfig.rules, 'no-undef': 'off', 'no-unused-vars': 'off', 'accessor-pairs': [ 'error', { setWithoutGet: true, enforceForClassMembers: false, }, ], '@typescript-eslint/no-unused-vars': [ 'error', { args: 'none', ignoreRestSiblings: true, }, ], '@typescript-eslint/no-empty-function': [ 'error', { allow: ['methods'], }, ], '@typescript-eslint/no-magic-numbers': [ 'error', { ignore: [-1, 0, 1], ignoreDefaultValues: true, ignoreClassFieldInitialValues: true, ignoreArrayIndexes: true, ignoreEnums: true, ignoreReadonlyClassProperties: true, }, ], }, }, // Configuration for Merchant Portal TypeScript files { files: ['src/Pyz/Zed/*/Presentation/Components/**/*.ts'], languageOptions: { parser: typescriptParser, parserOptions: { ecmaVersion: 2020, sourceType: 'module', project: ['./tsconfig.mp.json'], }, }, plugins: { '@typescript-eslint': typescriptEslint, '@angular-eslint': angularEslint.tsPlugin, }, processor: angularEslint.processInlineTemplates, rules: { ...sprykerConfig.rules, 'no-undef': 'off', 'no-unused-vars': 'off', 'no-console': [ 'warn', { allow: ['warn', 'error'], }, ], 'no-empty': 'error', 'no-use-before-define': 'off', 'max-classes-per-file': 'off', 'max-lines': 'off', 'handle-callback-err': 'off', '@typescript-eslint/array-type': 'off', '@typescript-eslint/no-restricted-imports': ['error', 'rxjs/Rx'], '@typescript-eslint/no-unused-vars': 'error', '@typescript-eslint/no-inferrable-types': [ 'error', { ignoreParameters: true, }, ], '@typescript-eslint/no-non-null-assertion': 'error', '@typescript-eslint/no-var-requires': 'off', '@typescript-eslint/no-explicit-any': 'error', '@typescript-eslint/member-ordering': [ 'error', { default: ['instance-field', 'instance-method', 'static-field', 'static-method'], }, ], '@angular-eslint/directive-selector': [ 'error', { type: 'attribute', prefix: 'mp', style: 'camelCase', }, ], '@angular-eslint/component-selector': [ 'error', { type: 'element', prefix: 'mp', style: 'kebab-case', }, ], '@angular-eslint/no-host-metadata-property': 'off', }, }, // Configuration for Merchant Portal HTML templates { files: ['src/Pyz/Zed/*/Presentation/Components/**/*.html'], languageOptions: { parser: angularEslint.templateParser, }, plugins: { '@angular-eslint': angularEslint.templatePlugin, }, rules: { '@typescript-eslint/ban-types': 'off', '@typescript-eslint/ban-ts-comment': 'off', '@typescript-eslint/no-empty-interface': 'off', '@typescript-eslint/no-explicit-any': 'off', '@typescript-eslint/no-unused-vars': 'off', '@angular-eslint/no-host-metadata-property': 'off', '@angular-eslint/directive-class-suffix': 'off', 'no-prototype-builtins': 'off', }, }, ]; ``` 4. Add `angular.json`, with the following configuration: ```json { "$schema": "./node_modules/@angular/cli/lib/config/schema.json", "version": 1, "newProjectRoot": "src", "projects": { "merchant-portal": { "projectType": "application", "schematics": {}, "root": "", "sourceRoot": ".", "prefix": "mp", "architect": { "build": { "builder": "@angular-builders/custom-webpack:browser", "options": { "customWebpackConfig": { "path": "./frontend/merchant-portal/webpack.config.ts", "mergeRules": {} }, "indexTransform": "./frontend/merchant-portal/html-transform.js", "outputPath": "public/MerchantPortal/assets/js", "baseHref": "/assets/js/", "index": "src/Pyz/Zed/ZedUi/Presentation/Components/index.html", "main": "src/Pyz/Zed/ZedUi/Presentation/Components/main.ts", "polyfills": "src/Pyz/Zed/ZedUi/Presentation/Components/polyfills.ts", "tsConfig": "tsconfig.mp.json", "assets": [ { "glob": "*/src/Spryker/Zed/*/Presentation/Components/assets/**/*", "input": "vendor/spryker", "output": "/assets/", "ignore": ["**/.gitkeep"] }, { "glob": "*/Presentation/Components/assets/**/*", "input": "src/Pyz/Zed", "output": "/assets/", "ignore": ["**/.gitkeep"] }, { "glob": "*/data/files/**/*", "input": "vendor/spryker", "output": "/static/", "ignore": ["**/.gitkeep"] }, { "glob": "*/data/files/**/*", "input": "src/Pyz/Zed", "output": "/static/", "ignore": ["**/.gitkeep"] } ], "styles": [ "vendor/spryker/zed-ui/src/Spryker/Zed/ZedUi/Presentation/Components/styles.less", "src/Pyz/Zed/ZedUi/Presentation/Components/styles.less" ], "scripts": [] }, "configurations": { "development": { "buildOptimizer": false, "optimization": false, "vendorChunk": true, "extractLicenses": false, "sourceMap": true, "namedChunks": true }, "production": { "fileReplacements": [ { "replace": "src/Pyz/Zed/ZedUi/Presentation/Components/environments/environment.ts", "with": "src/Pyz/Zed/ZedUi/Presentation/Components/environments/environment.prod.ts" } ], "optimization": { "scripts": true, "styles": { "minify": true, "inlineCritical": false } }, "outputHashing": "none", "sourceMap": false, "namedChunks": false, "extractLicenses": true, "vendorChunk": true, "buildOptimizer": true, "budgets": [ { "type": "bundle", "maximumWarning": "2mb", "maximumError": "5mb" } ] } }, "defaultConfiguration": "development" }, "lint": { "builder": "@angular-eslint/builder:lint", "options": { "lintFilePatterns": [ "src/Pyz/Zed/*/Presentation/Components/**/*.ts", "src/Pyz/Zed/*/Presentation/Components/**/*.html" ] } }, "test": { "builder": "@angular-builders/jest:run", "options": { "tsConfig": "frontend/merchant-portal/tsconfig.spec.json", "configPath": "frontend/merchant-portal/jest.config.ts" } } } } }, "cli": { "analytics": false } } ``` 5. Update the `node` and `npm` versions in all deploy YAML files. ```yaml ... node: version: 20 npm: 10 ... ``` ## 4) Component breaking changes Below is a checklist of component-related breaking changes to review when upgrading from Angular 18 to Angular 20 in a Spryker Merchant Portal (NgModule-based architecture). 1. **Explicitly set `standalone: false` for NgModule-based components** - **What to do:** For all `@Component()`, `@Directive()`, and `@Pipe()` declarations that are registered via `NgModule.declarations`, explicitly add `standalone: false`. - **Why:** Starting with newer Angular major versions v19+, Angular shifts toward standalone-first behavior. Without an explicit flag, components may be treated as standalone, resulting in build errors. 2. **Ensure standalone components do not implicitly require `imports`** - **What to do:** If any component unintentionally becomes standalone, verify that it does not break template features such as `*ngIf`, `*ngFor`, or `*ngSwitch` due to missing `CommonModule`. - **Why:** Standalone components must explicitly declare dependencies via `imports`. In the Merchant Portal setup, it is safer to keep components NgModule-based and enforce `standalone: false`. 3. **Review `NgModule` metadata (declarations, imports, exports)** - **What to do:** Verify that: - All externally used components are listed in `exports`. - All required modules are included in `imports`. - No standalone components are incorrectly declared. - **Why:** Angular v20 applies stricter validation to module metadata, and previously tolerated misconfigurations may now fail at build time. 4. **Validate dynamic component creation** - **What to do:** For components created dynamically (for example via `createComponent`, `NgComponentOutlet`, CDK portals, or legacy `ComponentFactoryResolver` usage), ensure: - A valid `Injector` or `EnvironmentInjector` is provided - Required providers are available in the component context - **Why:** Angular enforces stricter DI and runtime checks, and misconfigured dynamic rendering can cause runtime errors. 5. **Enforce migration to the new template control flow syntax** - **What to do:** Actively migrate all templates to the new Angular control flow syntax (`@if`, `@for`, `@switch`) and avoid mixing it with legacy structural directives (`*ngIf`, `*ngFor`, `*ngSwitch`). New or modified templates must use the new syntax only. - **Why:** Legacy structural directives are considered deprecated. Mixing old and new syntaxes within the same module increases cognitive load, complicates reviews, and leads to subtle and hard-to-debug template regressions. Enforcing a single, modern control flow standard improves consistency, readability, and long-term maintainability. ## Reference Pull Request As a practical example of upgrading Angular to v20 in a real project, you can review the following Pull Request: {% info_block warningBox "Important" %} This Pull Request contains **additional changes that are not required for the Angular upgrade**, including: - Stylelint configuration updates - Prettier configuration changes - Other formatting and linting-related adjustments When using this Pull Request as a reference, **do not blindly apply all changes**. Focus only on the Angular-related modifications. The Stylelint and Prettier updates are optional and can be safely ignored for the purpose of upgrading Angular to v20. {% endinfo_block %}

Preparation for going live

Fri, 30 Jan 2026 12:42:51 +0000

{% info_block warningBox "Don't risk your go-live" %} The preparation steps listed here are mandatory because they're crucial for the success of your go-live. We strongly encourage you, customer or partner, to complete these steps where applicable because we won't be able to resolve issues related to steps not completed in time. Make sure that your project plan contains the tasks related to the go-live checklist and allocates enough time for their completion. {% endinfo_block %} This document describes how to prepare a Spryker project for going live. We've divided the preparation into approximate timeframes. Feel free to copy this to your project management software and adjust to your needs. Make sure that all of the following tasks are completed at least one week before going live. ## Eight weeks before go-live | ID | CATEGORY | NAME | DESCRIPTION | NOTE | |--------|----------------------------------------------------------|--------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | GEN-01 | General | Share go-live plan | Inform your Partner or Customer Success Manager about your go-live date and time.
Create a Go Live Announcement case in [Support Portal](https://support.spryker.com/s/).
Update them if plans change. | This is critical for Domain Name System (DNS) switching and the hypercare phase we provide before and after go-live. | | CLO-01 | Cloud | Ensure a network diagram | Ensure a network diagram is available for quick reference to explain the setup if needed. | Sample of the [diagram](https://docs.spryker.com/docs/dg/dev/sdks/the-docker-sdk/docker-environment-infrastructure.html). | | CLO-02 | Cloud | Third-party systems integration | Double-check that all Virtual Private Cloud (VPC) peering and Site-to-Site Virtual Private Network (VPN) connections are monitored and secure. | We don't monitor connections with external parties. For more details, see [site-to-site VPN](/docs/ca/dev/environment-provisioning.html#optional-site-to-site-vpn). | | CLO-03 | Cloud | Third-party systems integration | Make sure that routing works as expected and no internal resources are accidentally exposed via the site-to-site VPN or VPC peering setup. | | | CLO-04 | Cloud | Evaluate DOS and DDOS prevention (frontend) | Check your concepts for denial-of-service (DOS) and distributed denial-of-service (DDOS) prevention or mitigation, and check with relevant vendors for products that fit your needs and are compatible with SCCOS. | | | CLO-05 | Cloud | Evaluate DOS and DDOS prevention (backend / Merchant Portal) | Check your concepts for DOS and DDOS prevention in the Back office and Merchant portal. Add basic auth if applicable. | For instructions on implementing basic auth, see [Configure basic .htaccess authentication](/docs/pbc/all/identity-access-management/{{site.version}}/configure-basic-htaccess-authentication.html) | | CLO-06 | Cloud | Define a DNS strategy | Define how you want to handle the DNS of the shop's domain. | If you delegate DNS to Spryker, let us know the date on which to point the domain to your project. | | CLO-07 | Cloud | Set up whitelisting (security) | IPs of Web Application Firewalls (WAF), proxies, and other security and traffic filtering systems used to route traffic to Spryker are whitelisted. | This prevents these systems to be accidentally blocked by Spryker's security systems. You can request IPs to be whitelisted via an Infrastructure Change Request on the [Support Portal](https://support.spryker.com/s/). | | APP-01 | Application | Activate IP tracking | [Activating IP tracking](https://github.com/spryker/docker-sdk/blob/master/docs/07-deploy-file/02-deploy.file.reference.v1.md#cloud-define-gateway-ip-addresses) significantly increases chances to mitigate or spot malicious activities such as DOS attacks. You might need to evaluate this from a data protection policy perspective. | | | APP-02 | Application | Upgrade codebase | Upgrade the project's codebase to the [latest Demo Shop release](/docs/about/all/releases/product-and-code-releases.html) or at least to 202009.0 release. | | | APP-03 | Application | Upgrade Twig | Update `spryker/twig` to version 3.15.2 or later. | This version introduces important stability improvements. | | APP-04 | Application | Migrate to MariaDB | Migrate the project's database to MariaDB if applicable. | | | APP-05 | Application | Migrate endpoints | Split Zed endpoints as described in [Integrating separate endpoint bootstraps](/docs/dg/dev/integrate-and-configure/integrate-separate-endpoint-bootstraps.html) if applicable. | | | APP-06 | Application | Check service naming | Verify that the service naming scheme exactly matches the examples in the [sample deploy-spryker-b2c-staging.yml file](https://github.com/spryker-shop/b2c-demo-shop/blob/202204.0-p2/deploy.spryker-b2c-staging.yml). | | | APP-07 | Application | Create a deploy file | Create [deploy files](/docs/dg/dev/sdks/the-docker-sdk/deploy-file/deploy-file.html) for each of your environments. File names must follow the naming convention: `deploy.(project)-(environment).yml`. For example, `deploy.example-staging.yml`. | | | APP-08 | Application | Define Docker SDK version | [Define a Docker SDK version](/docs/dg/dev/sdks/the-docker-sdk/choosing-a-docker-sdk-version.html). | | | APP-09 | Application | Integrate FlySystem | Configure the project to use S3 buckets for storage using [FlySystem](/docs/ca/dev/configure-data-import-from-an-s3-bucket.html). | | | APP-10 | Application | Check S3 bucket import | If you're using CSV imports, make sure they're imported from S3 buckets. | | | APP-11 | Application | Set up S3 bucket (staging) | Connect Staging S3 bucket to the staging environment. | | | APP-12 | Application | Set up S3 bucket (production) | Connect Production S3 bucket to the production environment. | | | APP-13 | Application | Implement performance guidelines | Implement [performance guidelines](/docs/dg/dev/guidelines/performance-guidelines/performance-guidelines.html). | | | APP-14 | Application | Implement Jenkins guidelines | Implement [Jenkins operational best practices](/docs/ca/dev/best-practices/jenkins-operational-best-practices.html). | | | APP-15 | Application | Implement publish and sync guidelines | Implement applicable [Publish and Sync stability best practices](/docs/ca/dev/best-practices/best-practises-jenkins-stability.html). | | | APP-16 | Application | Implement general security guidelines | Apply [security guidelines](/docs/dg/dev/guidelines/security-guidelines.html). | | | APP-17 | Application | Implement password security guidelines | Make sure that you don't have any plain-text passwords, private keys, or API secrets in config files or Git repositories. | | | APP-18 | Application | Implement credentials security guidelines | Minimize the use of personal credentials and use separate work-specific accounts per envrironemnt. We highly recommend employing Centralized Credential Management to securely store and manage these credentials. | | | APP-19 | Application | Implement secrets rotations | Secrets, like API tokens, should be rotated regularly. Outline and test rotation strategies to prevent issues during live operation. | | | APP-20 | Application | Install internal security updates | Install all the [security updates](/docs/about/all/releases/product-and-code-releases.html) from all Spryker packages. | | | APP-21 | Application | Install external security updates | Install all the security updates from all the external packages. | To check if your project modules require security updates, you can use the [security checker](/docs/dg/dev/guidelines/keeping-a-project-upgradable/upgradability-guidelines/spryker-security-checker.html). | | APP-22 | Application | Perform compliance and legal checks. | To ensure the platform complies with relevant legal and regulatory requirements, especially for international operations, consult with your legal team. Make sure to check [guidelines for GDPR compliance](/docs/about/all/support/gdpr-compliance-guidelines.html). | | | APP-23 | Application | Set up Access Control List (ACL) | Prepare the Back Office ACL setup for users to be able to access and manage the shop during live operation. | For instructions on how to configure ACL, see [Users and rights overview](/docs/pbc/all/user-management/{{site.version}}/base-shop/user-and-rights-overview.html). | | APP-24 | Application | Set up DB logs strategy | If the application is writing logs into the DB, develop a strategy on regularly rotating or [truncating](/docs/dg/dev/troubleshooting/troubleshooting-general-technical-issues/database-tables-take-up-too-much-space-or-have-id-overflow.html) these logs to avoid large table sizes that can affect the application's performance. | `spy_oms_transition_log` is used to log state machine transitions by default. | | APP-25 | Application | Evaluate and implement payment tips | Check if you can implement redundant payment options so that the payment system keeps working even if one of the options fail. | | | TES-01 | Testing | Test deployment | Run deployment tests locally to ensure the application can be installed and configured as expected. For instructions on deploying locally, see [Simulating deployments locally](/docs/dg/dev/miscellaneous-guides/simulating-deployments-locally.html). | Criteria: Deployment executes without errors, and the application operates as expected in a test environment. | | TES-02 | Testing | Test payment | Before deploying payment options, test payment end-to-end flows locally. For more information, see [HowTo: Debug payment integrations locally](/docs/pbc/all/payment-service-provider/{{site.version}}/base-shop/debug-payment-integrations-locally.html). | Criteria: All payment methods process payments without errors. Test both positive and negative cases such as handling a rejected payment. | | TES-03 | Testing | Perform UAT | Perform User Acceptance Testing (UAT) to validate the functionality and user experience from an end-user perspective. Collaborate with stakeholders to create UAT scenarios for main business flows, execute tests, and gather feedback. Verify that the platform application works properly on supported devices and browsers. | | | SEO-01 | SEO | Set up redirects | If you're migrating from another shop or project to Spryker, and the domain is already point to a live shop, prepare a migration plan to phase out the old project and phase in the new one. Check with your SEO experts on the strategy for your content and search engine results. | | | SEO-02 | SEO | Implement SEO best practices | Review and implement the best practices per [Basic SEO techniques to use in your project](/docs/dg/dev/best-practices/basic-seo-techniques-to-use-in-your-project.html). | | | TR-01 | Training | Prepare internal training | Prepare role-specific enablement training for all internal users of the platform. | These may include: Back Office administrators, support assistants and agents, marketplace operators, merchant portal users. | | TR-02 | Training | Prepare external training | Prepare trainings for external users, such as those interacting with the platform via APIs and third-party systems. | These may include API documentation. | | TR-03 | Training | Prepare customer training | Make sure your customers are aware of the changes that are to be introduced. Besides striving for good user experience and transparency, consult with your legal team about any obligations in that regard. | | ## Four weeks before go-live | ID | CATEGORY | NAME | DESCRIPTION | NOTE | |--------|-------------|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | GEN-02 | General | Prepare a rollback strategy | Prepare everything for recovering from unforeseen issues after deploying the project. | | | CLO-08 | Cloud | Set up APM | We highly recommend setting up an Application Performance Monitoring (APM) system. | APM tools help you identify performance bottlenecks in your application. | | CLO-09 | Cloud | Establish a post-launch monitoring plan | To watch the system's performance and configure alerting mechanisms, establish a robust post-launch monitoring plan. To ensure effective investigation in case of security incidents, we recommend configuring logs to gather in a centralized SIEM system. | | | CLO-10 | Cloud | Set up deploy file | Verify that your deploy file is set up correctly and aligns with your project needs. Verify that your project works and operates the production endpoints. You can set both testing and production endpoints in your deploy file. Your developers need to mock a "live" operation of the project with its production endpoints by adjusting their local host entries. | | | CLO-11 | Cloud | Deploy production environment | Deploy the production environment regularly. This lets you detect potential issues early enough to fix them before going live. For instructions, see [Deploying in a production environment](/docs/ca/dev/deploy-in-a-production-environment.html). Make sure to test all [recipes](/docs/dg/dev/sdks/the-docker-sdk/installation-recipes-of-deployment-pipelines.html#staging-and-production-environment-recipes). | | | CLO-12 | Cloud | Prepare a DNS strategy | Decide how you want customers to access your shop and verify that you control access and can manage the DNS. For example, the domain of your shop is `spryker.com`, but you want customers to access the Storefront at `www.spryker.com`. For details on how to set up DNS, see [Set up DNS](/docs/ca/dev/set-up-dns.html).
- Optional: Delegate DNS to Spryker.
- Make sure Transport Layer security (TLS) certificates are provisioned. If you delegate DNS to Spryker, TLS certificates for your endpoints are created automatically. If you want us to create TLS certificates for your endpoints but don't want to delegate your DNS, request the verification of DNS records through the [Support Portal](https://support.spryker.com). | | | CLO-13 | Cloud | Choose an email service | You can use Spryker's native mail service or integrate a third-party provider. If you choose the native service, provide the sender email address so we can lift sending restrictions and assist with DNS validation. For more information about the default email service and its restrictions, see [Email service](/docs/ca/dev/email-service/email-service.html). | | | APP-26 | Application | Prepare and communicate technical debt mitigation plan | Develop a comprehensive plan to identify, address, and communicate strategies for managing technical debt before the system goes live. Make sure that all the stakeholders are aware of missing or incomplete features and agree on the mitigation plan. | | | APP-27 | Application | Check environment variables | Make sure all the required environment variables and parameter store values are set up. | | | APP-28 | Application | Prepare DB creation in production | Prepare and implement database creation in production. For example, commit Propel migration for production and update the deploy file to install the database from the committed migration files. | | | TES-04 | Testing | Test third-party integrations on production | - Collect instructions and requirements from the third-party providers for using services in production mode.
- Update integrations and plugins to use production credentials.
- Test all functionalities of the integrations and plugins to ensure they work as expected.
- Conduct load testing: Simulate real-world traffic on your application to assess its performance under load. This helps identify any bottlenecks that could cause performance issues during peak traffic times. | In some cases, you may need to comply with specific additional security measures, such as IP whitelisting or port configuration. | | TES-05 | Testing | Conduct load tests | Test how the platform performs under real-life circumstances. Define the performance acceptance criteria - the sample testing data should be comparable to the size and complexity of the production data. Monitor the application's performance metrics, such as response times or resource usage, during the tests.
*Inform us about your load and performance test plans via the [Support Portal](https://support.spryker.com/s/) at least three days in advance and share the results so that we can fine-tune the environment to your requirements.* | Some options to define key metrics:
- Historical data: if you have existing traffic data–for example, from Google Analytics
- [Industry benchmarks](https://databox.com/website-traffic-benchmarks-by-industry): research typical traffic volumes for similar e-commerce sites in your industry
- Business goals: Consider target sales, conversion rates, and marketing campaigns to estimate expected traffic. | | TES-06 | Testing | Conduct stress and performance tests | Test your production environment and assess its performance. Because production environments typically employ horizontal auto-scaling, it's essential to test under expected average and peak loads. These tests enable our team to optimize the environment's vertical scaling in advance, ensuring that it can seamlessly handle the expected loads from the get-go without any potential delays caused by auto-scaling mechanisms. This proactive approach eliminates the need for post-launch adjustments. For more information, see [Environment scaling](https://docs.spryker.com/docs/ca/dev/environment-scaling.html).
*Inform us about your load and performance test plans via the [Support Portal](https://support.spryker.com/s/) at least three days in advance and share the results so that we can fine-tune the environment to your requirements.* | Maintain active communication with us. Inform us about your load and performance test plans and share the results so that we can fine-tune the environment to meet your requirements. | | TES-07 | Testing | Conduct penetration testing | We highly recommend having the project penetration-tested by an independent third-party provider and addressing the identified vulnerabilities. Before conducting a penetration test, inform us at least two weeks in advance by filling out [this form](https://docs.google.com/forms/d/e/1FAIpQLSfunn1HY-nsqueP6sRQSLmScUWlmmQyQJk9cscIVIP_5BmuOw/viewform?usp=sf_link). | | | TES-08 | Testing | Import real data | After importing real data to production, double-check the completeness and accuracy of the migrated data, especially if transitioning from another platform. | Start working with data of realistic size and quality as early as possible. At this point, you must be importing data regularly to all your environments. We recommend working with the same import data across all environments. This significantly simplifies troubleshooting and helps you estimate import performance, leading up to your go-live and helping us with environment sizing considerations. | | TES-09 | Testing | Test checkout and OMS | Validate the checkout and OMS process: general checkout steps, shipment, payment, OMS. Test all checkout steps, including adding different items to the cart, entering shipping and billing information, selecting a payment method, and placing an order. Also, test the order fulfillment process to ensure that orders are processed and shipped correctly. | | | TES-10 | Testing | Test payment | WAF and firewall settings in production environments are different from those in non-production ones. Therefore, make sure that all your requests have valid headers. Also, test the functionality of payment integrations that use call-backs or depend on API calls to your application in your production environment.| Criteria:
- Make sure the headers of all API requests contain the production mode information to avoid security issues.
- Thoroughly test payment integrations that rely on external systems, such as callbacks or APIs, specifically in production. | | DAT-01 | Data | Prepare a data migration plan | Include all the data that needs to be migrated. | | | SEO-03 | SEO | Generate sitemap | Generate a sitemap. | | | SEO-04 | SEO | Prepare and set `robots.txt` | Prepare and set the `robots.txt` file. | | | SEO-05 | SEO | Prepare and set static content | Prepare and set all the CMS pages and other content, such as meta tags or links. | | | SEO-06 | SEO | Set up favicon | Set up [favicon](https://en.wikipedia.org/wiki/Favicon). | | ## Two weeks before go-live | ID | CATEGORY | NAME | DESCRIPTION | NOTE | |--------|----------|---------------------------------------------------|-----------------------------------------------|------------------------------------------------------------------------------| | CLO-14 | Cloud | Set up DNS | [Set up DNS](/docs/ca/dev/set-up-dns.html). | | | CLO-15 | Cloud | Configure email | Configure email boxes and DMARC policy. | | | GEN-03 | General | Implement code freeze | We recommend having a code freeze at least two weeks before going live. | | | GEN-04 | General | Evaluate go-live date and preceding tasks | If any of the preceding tasks aren't complete, postpone your go-live or discuss with us how to complete them in time. DNS changes are especially sensitive to deadlines. Because of the way the DNS system works, any DNS changes take time to take effect. | | | GEN-05 | General | Set up third-party systems in production mode | Make sure that the third-party systems have been switched to production mode. Set up production configuration for all third-party systems (in environment variables). Make sure not to expose secrets in the codebase. | | | GEN-06 | General | Set up BI and analytics tools in production mode | BI and analytics integrations should not be connected to your production database but rather to the provided read replica. Make sure no external system is interacting with your production database. | | | GEN-07 | General | Establish a go-live support team | Establish a team that can monitor your go-live process, react quickly to any issues, and work with the Spryker Support or Operations teams. | | | GEN-08 | General | Define the exact plan for the go-live day | Define the time of deployment. Define the exact steps to be performed, including running Jenkins or other scripts if needed. Prepare a go-live communication plan to inform stakeholders, customers, and support teams about the launch date and any changes or updates. | | | TES-11 | Testing | Perform end-to-end testing on production | Test the customer journey with all the third-party systems switched to production mode. Make sure to cover all important flows:
- Customer registration, account management
- Main e-commerce flow: search, navigation, checkout, and OMS process
- Back Office and Merchant user flows | | | DAT-02 | Data | Remove demo data | Remove all demo data from the environment. The project should only use real data that will be used after go-live. Remove all demo data that comes with the Spryker repository, which includes demo and admin users. Demo users in a live shop pose a significant security risk. | | | DAT-03 | Data | Import real data | Import real data to the production environment:
- Categories
- Product data, such as prices, offers, or attributes
- Customers, companies, users, merchants
- Taxes
- Discounts
- CMS pages: homepage, CMS blocks, terms & conditions
- Custom data
- Other data | Criteria: user journeys run as expected. No blockers or unaddressed high-priority bugs. All prepared test cases and checklists pass or don't block release. | | DAT-04 | Data | Set up translations | Double-check that all the required languages are available. | | | DAT-05 | Data | Define a glossary update strategy | Define the glossary update strategy. For example, exclude glossary updates during normal deployment. | | | DAT-06 | Data | Check emails | Make sure that all emails are correct. Double-check that all required data and translations are available. | | | SEO-07 | SEO | Optional: Set up redirects | Set up redirects. | | ## Go-live | ID | CATEGORY | NAME | DESCRIPTION | NOTE | |--------|----------------------------------------------|----------------------------------------------|--------------------------------------------------------------------------------|------------------------------------------------------------------------------| | TES-12 | Testing | Perform end-to-end testing on production | Perform smoke testing on production. Because its final the stage, test the main business flows and third-party integrations. | | | CLO-16 | Cloud | Disable email sending restrictions | Disable email sending restrictions. | | | CLO-17 | Cloud | Remove basic auth | Remove basic authentication from the frontend part and deploy the change. | | | GEN-9 | General | Run the go-live communication plan | Run the go-live communication plan. | | | CLO-18 | Cloud | Disable destructive pipeline | Disable the destructive pipeline after a successful go-live. | | | GEN-10 | General | Disable old system after 72 hours | After pointing the domain name to your Spryker project, some of your customers may still see your old project until the DNS propagation is completed. So, keep it live for at least 72 hours after the migration. | | {% info_block infoBox "Don't hesitate to contact us" %} If your go-live date is near and you need help with any of the tasks described, contact us via your Customer Success Manager *right away*. If you're a Spryker partner and unsure who the Customer Success Manager is for our joint customer, reach out to Partner Success Management via the [Partner Portal](https://partners.spryker.com/). They will connect you with the right contact for your project. {% endinfo_block %}

Twig performance best practices

Fri, 30 Jan 2026 12:11:44 +0000

Twig is a popular templating engine for PHP projects. Spryker built a sophisticated library of components on top of it. But with rich features, it also sometimes leads to performance degradation, caused by inefficient practices. It is important to follow best practices related to Twig performance optimisations. ## Activate Twig compiler Twig files can be precompiled into PHP classes to speed the performance up. This behavior can be activated in the configuration. We highly recommend using the `FORCE_BYTECODE_INVALIDATION` option. Otherwise, Opcache may contain outdated content, as the files are modified during runtime. ```php ---//--- use Twig\Cache\FilesystemCache; ---//--- $currentStore = Store::getInstance()->getStoreName(); $config[TwigConstants::ZED_TWIG_OPTIONS] = [ 'cache' => new FilesystemCache( sprintf( '%s/src/Generated/Zed/Twig/codeBucket%s', APPLICATION_ROOT_DIR, $currentStore, ), FilesystemCache::FORCE_BYTECODE_INVALIDATION, ), ]; $config[TwigConstants::YVES_TWIG_OPTIONS] = [ 'cache' => new FilesystemCache( sprintf( '%s/src/Generated/Yves/Twig/codeBucket%s', APPLICATION_ROOT_DIR, $currentStore, ), FilesystemCache::FORCE_BYTECODE_INVALIDATION, ), ]; ``` ## Activate Twig path cache Twig files can be in many places. To avoid time-consuming searches, we recommend activating the path cache (active by default). If you need to change this configuration, see `\Spryker\Yves\Twig\TwigConfig::getCacheFilePath()`. ## Twig template warmup during deployment Precompiling Twig templates can improve the performance of the first request, especially in production environments. This is helpful when scaling across multiple containers, where the first request may be slow due to on-demand compilation of all Twig templates. It compiles Twig template files to PHP code during deployment. Allows each Yves container to start in a ready-to-use state, without the need to compile those templates in the scope of web requests. It is important to ensure that this feature is enabled on a project level inside a build recipe. To activate the warmup, follow the steps: 1. Add the following commands to your deployment script, such as `config/install/docker.yml`: ```yaml build-production: twig-template-warmup-zed: command: 'vendor/bin/console twig:template:warmer' twig-template-warmup-yves: command: 'vendor/bin/yves twig:template:warmer' ``` {% info_block warningBox "" %} Make sure that the command is executed after the `vendor/bin/console twig:cache:warmer` command. {% endinfo_block %} 2. Register the following classes for the Zed command: **\Spryker\Zed\Console\ConsoleDependencyProvider** ```php ... use Spryker\Zed\Form\Communication\Plugin\Application\FormApplicationPlugin; use Spryker\Zed\Security\Communication\Plugin\Application\ConsoleSecurityApplicationPlugin; use Spryker\Zed\Twig\Communication\Console\TwigTemplateWarmerConsole; ... protected function getConsoleCommands(Container $container): array { return [ // other commands new TwigTemplateWarmerConsole(), ]; } public function getApplicationPlugins(Container $container): array { // other application plugins $applicationPlugins[] = new ConsoleLocaleApplicationPlugin(); $applicationPlugins[] = new ConsoleSecurityApplicationPlugin(); $applicationPlugins[] = new TwigApplicationPlugin(); $applicationPlugins[] = new FormApplicationPlugin(); return $applicationPlugins; } ``` 3. Register the following classes for the Yves console context to allow Twig properly compile templates. **\Spryker\Yves\Console\ConsoleDependencyProvider** ```php ... use Spryker\Yves\Form\Plugin\Application\FormApplicationPlugin; use Spryker\Yves\Locale\Plugin\Application\ConsoleLocaleApplicationPlugin; use Spryker\Yves\Security\Plugin\Application\ConsoleSecurityApplicationPlugin; use Spryker\Yves\Session\Plugin\Application\ConsoleSessionApplicationPlugin; use Spryker\Yves\Twig\Plugin\Application\TwigApplicationPlugin; use Spryker\Yves\Twig\Plugin\Console\TwigTemplateWarmerConsole; use Spryker\Yves\Twig\Plugin\Console\TwigTemplateWarmingModeEventSubscriberPlugin; ... protected function getConsoleCommands(Container $container): array { return [ // other commands new TwigTemplateWarmerConsole(), ]; } public function getApplicationPlugins(Container $container): array { // other application plugins $applicationPlugins[] = new ConsoleLocaleApplicationPlugin(); $applicationPlugins[] = new ConsoleSecurityApplicationPlugin(); $applicationPlugins[] = new ConsoleSessionApplicationPlugin(); $applicationPlugins[] = new TwigApplicationPlugin(); $applicationPlugins[] = new FormApplicationPlugin(); return $applicationPlugins; } protected function getEventSubscriber(Container $container): array { return [ // other event subscribers new TwigTemplateWarmingModeEventSubscriberPlugin(), ]; } ``` ### Twig templates compiled cache Twig template engine Spryker uses for Yves and some other background features like PDF invoice generation and email rendering has multiple ways to load templates: - **Templates from files** - regular and most popular option, Twig templates are loaded and referenced by file name, for example `add-to-cart-form.twig`, etc. Cache based on a file name. - **Templates from strings** - in case a template content was compiled "on the fly" and retrieved from the external system or database, Twig has a standard string loader. Cache based on a string content, a hash from the content. - **Custom loaders** - make it possible to implement retrieval and caching logic in accordance to a project's needs. Cache implemented based on custom logic. Twig compiles (preprocesses) templates written in its language (`.twig` files) into PHP code (known as compiled templates) and stores it as a cache to improve performance, and only a template is compiled once. **The problem:** When loading a template from a string - Twig will use template content (its hash) as a cache key, which means that each time content changes due to a change by a user, or a change due to dynamic nature of a template (for example template compiled from other pre-processed strings) - the hash will be different and a new version of the same template will be saved under the different hash key on disk. Yves containers are running on AWS EC2 virtual nodes. Spryker configuration limits disk space per EC2 node to 50 GB (as of Mar 18, 2025), even in production environments. Because of application customizations, those templates created with `createTemplate` change often, almost with each request or by integration with external CMS. As a result - EC2 space was depleted and all Yves containers running on it could not serve requests anymore, as those are trying to write more templates and there's no space left. {% info_block warningBox "Warning" %} There's no cache cleanup mechanism baked into Yves containers for Twig templates. {% endinfo_block %} #### Key factors that affect the problem Those factors affect the frequency and likelihood of the problem: - **Frequency of deployments**: Each deployment shuts down old Yves containers and spawns new, effectively removing all accumulated cache. - **Frequency of auto-scaling events**: For similar reasons - containers replacement. - **AWS or Spryker-led maintenance**: That leads to containers replacement - resets the accumulated cache. - **Frequency of changes in the external CMS**: If any, the more changes - the higher the rate of cache growth. - **Number of Yves containers per EC2 instance**: More instances per container - higher disk space consumption. - **Structure and hierarchy of Twig blocks and templates**: If there's one small template that is used across all the pages and is changed frequently - it'll likely lead to all other templates (created from string using `createTemplate`) that use it - will also lead to a new cache file, because their hash will change. #### Solution and recommendations - Avoid using `\Twig\Environment::createTemplate`, instead - use templates from `.twig` files - Avoid using dynamic content as a source for the Twig template (for `\Twig\Environment::createTemplate`), instead, use Twig originally supported constructs, such as: - [inheritance](https://twig.symfony.com/doc/3.x/tags/extends.html) - [blocks](https://twig.symfony.com/doc/3.x/tags/block.html) - [macros](https://twig.symfony.com/doc/3.x/tags/macro.html) **Bad example:** - A translation string that is passed to Twig using `createTemplate` to render a small piece of HTML - Then it is translated and additionally pre-processed - Then it is again passed to `createTemplate` **Good example:** - Use Twig `extends` functions for inheritance and `trans` (or custom) filter for translations ## SVG icons in Twig templates Older versions of Spryker had SVG icons embedded into Twig templates, which led to each page having a **significant portion** (up to 50% of a page) of HTML that is static by nature, but couldn't be cached by browsers. The problem was fixed by moving SVG icons into separate files (allowing browser cache), and only referencing those in Twig and HTML. For more information, see [Integrate automated SVG sprite extraction](/docs/dg/dev/integrate-and-configure/integrate-automated-svg-sprite-extraction.html). ## Dynamic templates Avoid using `createTemplate`. This is a standard Twig feature that allows creating dynamic Twig templates from strings. The problem is - it creates a cached/compiled PHP template based on a string hash (content), in comparison to the standard file-based templates, which are cached based on the original `.twig` file name. Using this feature in context with dynamically/frequently changing templates leads to fast disk consumption by compiled Twig templates. Neither Twig nor Spryker provides a solution for this OOTB, as this is an advanced technique and is up to the development team to implement in a project-specific way. ## Cache Twig blocks For many cases, Atomic Frontend Twig can be a bottleneck for performance. The solution is to use [Twig block cache](https://twig.symfony.com/doc/3.x/tags/cache.html). Given the right key and TTL configuration, it can significantly improve the performance of the Yves application. In practice, cached pages can take 20 ms (compared to 60-200 ms before caching), but there are important considerations. ### How it works Twig cache makes a wrapper around the code and stores generated HTML. For example, if you add the full product details page to the cache, all product pages will be the same because you use one compiled HTML. ### Cache usage guidelines When using cache, it is crucial to correctly understand and design two ideas: #### Cache key It should uniquely identify cached entity/object, but at the same time to be useful, so that subsequent requests would use it. For cache usage, be very careful not to store any sensitive data, and use combined keys, like: ```twig {% raw %}{% cache "cache_key" ~ product.id ttl(300) %}{% endraw %} ``` - **Good cache key** - `"product_" + id`, unique for a product, ID never changes, IDs are limited - **Bad cache key** - `"product_" + id + time` (or some random string), the key is still unique, but it will be that each time, it'll be impossible to reuse such a key #### Cache invalidation/expiration logic Time-based, or condition/event-based, it is easy to fall into a trap of using outdated cache, because the logic of invalidation is not aligned with the logic of cached object update. ### Possible problems - Cache some customer-related data - Store CSRF token to the form (it will work for one user, but all other users will have a problem) - Store some frequently changed data (prices, stock, etc.) ### How to install 1. Install the Twig cache extension: ```bash composer require twig/cache-extra ``` 2. Create `TwigCachePlugin` in `Pyz\Shared\Twig\Plugin`: ```php addExtension(new CacheExtension()); $twig->addRuntimeLoader(new class implements RuntimeLoaderInterface { public function load($class) { if (CacheRuntime::class === $class) { return new CacheRuntime(new TagAwareAdapter(new FilesystemAdapter())); } } }); return $twig; } } ``` 3. Add this plugin to `src/Pyz/Yves/Twig/TwigDependencyProvider::getTwigPlugins()`. 4. It's ready to use. For usage instructions, see [Twig cache documentation](https://twig.symfony.com/doc/3.x/tags/cache.html). ## Reduce the granularity of Twig templates Reduce the granularity of Twig templates where possible: Twig is not efficient when there is a big nested tree of hundreds of components inheriting from each other. **Recommendations**: - prefer fewer bigger components, instead of many small - use fewer levels of inheritance (`extends`), organise templates in a flat structure (using `include`) ## General Twig optimizations Twig, together with [Atomic Frontend](/docs/dg/dev/frontend-development/{{site.version}}/yves/atomic-frontend/atomic-frontend.html), is an extremely flexible approach but at the same time not the fastest one. Check if you can reduce or optimize things there. For example, the `{% raw %}{{{% endraw %} data.foo.bar.firstName {% raw %}}}{% endraw %}` `{% raw %}{{{% endraw %} data.foo.bar.lastName {% raw %}}}{% endraw %}` trigger many calls to the `Template::getAttribute()` method which is very slow. Making calculations on the PHP side can help here a lot, as well as using `{% raw %}{{{% endraw %} set customer = data.foo.bar {% raw %}}}{% endraw %}` + `{% raw %}{{{% endraw %} customer.firstName {% raw %}}}{% endraw %}` `{% raw %}{{{% endraw %} customer.lastName {% raw %}}}{% endraw %}`. ## Prepare data in PHP classes Prepare data in PHP classes - controllers, data mappers, before Twig, to avoid moving application logic to Twig Widgets and functions if possible, as it makes rendering heavier and harder to troubleshoot or optimise.

Create standalone modules

Fri, 30 Jan 2026 08:07:16 +0000

This document describes how to create standalone modules.

Enable a custom namespace

To enable a custom namespace, adjust config/Shared/config_default.php:

$config[KernelConstants::CORE_NAMESPACES] = [ 'YourCompanyName', 'SprykerShop', 'SprykerEco', 'Spryker', 'SprykerSdk', ];

Extend Spryker functionality from a module

You can extend Spryker functionality from a module using one of the following options:

Introduce an extension point in an existing module. For an example, see How to use a plugin from another module.
Use an existing extension point in a module.

Extend functionality using an existing extension point

Extend the product table with a Categories column that shows the list of categories, which a product is added to. For this, use the following extension points in the existing modules:

ProductTableConfigurationExpanderPluginInterface: to extend table headers with Categories column.
ProductTableDataBulkExpanderPluginInterface: to extend table content with the corresponding column

Create a module. Spryker provides a development tool in the spryker/development module as a console command \Spryker\Zed\Development\Communication\Console\ModuleCreateConsole. When module is installed and command is enabled, run the following command:

vendor/bin/console dev:module:create your-company-name.product-category

Alternatively, you can create default module structure yourself.

Verification

Make sure the `vendor/your-company-name/product-category` folder with module data has been created.

Validate and update, where necessary, created composer.json file and make sure that namespace is correct, for example if you pick YourCompanyName:

    "autoload": {
        "psr-4": {
            "YourCompanyName\\": "src/YourCompanyName/"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "YourCompanyNameTest\\": "tests/YourCompanyNameTest/"
        }
    },

Update composer configuration on the project level update repositories section adding:

        {
            "type": "path",
            "url": "./vendor/your-company-name/product-category"
        }

Include the newly module into composer, execute inside docker cli container:

composer require your-company-name/product-category

Now, your module is created and is ready for further development. Let’s add some executable code as well.

Create a plugin to extend the product table the with a Categories column:

vendor/your-company-name/product-category/src/YourCompanyName/Zed/ProductCategory/Communication/Plugin/ProductManagement/ProductCategoryProductTableConfigurationExpanderPlugin.php

<?php

/**
 * Copyright © 2016-present Spryker Systems GmbH. All rights reserved.
 * Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
 */

namespace YourCompanyName\Zed\ProductCategory\Communication\Plugin\ProductManagement;

use Spryker\Zed\Gui\Communication\Table\TableConfiguration;
use Spryker\Zed\Kernel\Communication\AbstractPlugin;
use Spryker\Zed\ProductManagementExtension\Dependency\Plugin\ProductTableConfigurationExpanderPluginInterface;

class ProductCategoryProductTableConfigurationExpanderPlugin extends AbstractPlugin implements ProductTableConfigurationExpanderPluginInterface
{
    /**
     * {@inheritDoc}
     * - Expands `ProductTable` configuration with categories column.
     *
     * @param \Spryker\Zed\Gui\Communication\Table\TableConfiguration $config
     *
     * @return \Spryker\Zed\Gui\Communication\Table\TableConfiguration
     */
    public function expandTableConfiguration(TableConfiguration $config): TableConfiguration
    {
         // Let's insert `Categories` column right after the first column header (product ID)
        $headers = $config->getHeader();
        $firstColumnHeader = array_shift($headers);
        array_unshift($headers, 'Categories');
        array_unshift($headers, $firstColumnHeader);

        $config->setHeader($headers);

        return $config;
    }
}

Wire the plugin in the \Pyz\Zed\ProductManagement\ProductManagementDependencyProvider::getProductTableConfigurationExpanderPlugins() method.

Verification

In the Back Office, go to **Catalog**>**Products**. Make sure the **Categories** column is displayed in the table.

Create a plugin to provide data for the Categories column:

vendor/your-company-name/product-category/src/YourCompanyName/Zed/ProductCategory/Communication/Plugin/ProductManagement/ProductCategoryProductTableDataBulkExpanderPlugin.php

<?php

/**
 * Copyright © 2016-present Spryker Systems GmbH. All rights reserved.
 * Use of this software requires acceptance of the Evaluation License Agreement. See LICENSE file.
 */

namespace YourCompanyName\Zed\ProductCategory\Communication\Plugin\ProductManagement;

use Generated\Shared\Transfer\ProductCategoryConditionsTransfer;
use Generated\Shared\Transfer\ProductCategoryCriteriaTransfer;
use Spryker\Zed\Kernel\Communication\AbstractPlugin;
use Spryker\Zed\ProductManagementExtension\Dependency\Plugin\ProductTableDataBulkExpanderPluginInterface;

class ProductCategoryProductTableDataBulkExpanderPlugin extends AbstractPlugin implements ProductTableDataBulkExpanderPluginInterface
{
    /**
     * {@inheritDoc}
     * - Expands product table items with abstract product approval status.
     *
     * @param array<array<string, mixed>> $items
     * @param array<array<string, mixed>> $productData
     *
     * @return array<array<string, mixed>>
     */
    public function expandTableData(array $items, array $productData): array
    {
        // The code below is code sample that just works. (Learn how to make it fancy in https://docs.spryker.com/docs/dg/dev/architecture/architectural-convention.html)
        $productAbstractIds = array_map(function ($item){
            return $item['id_product_abstract'];
        }, $items);

        $productCategoryCollection = $this->getFacade()
            ->getProductCategoryCollection(
                (new ProductCategoryCriteriaTransfer())
                    ->setProductCategoryConditions(
                        (new ProductCategoryConditionsTransfer())
                            ->setProductAbstractIds($productAbstractIds)
                    )
            );

        foreach ($items as $key => $item) {
            $productCategoryNames = [];

            foreach ($productCategoryCollection->getProductCategories() as $productCategory) {
                if ($productCategory->getFkProductAbstract() !== $item['id_product_abstract']) {
                    continue;
                }

                $productCategoryNames[] = $productCategory->getCategory()->getName();
            }

            $items[$key]['categories'] = implode(', ', $productCategoryNames);
        }

        return $items;
    }
}

Wire the plugin in the \Pyz\Zed\ProductManagement\ProductManagementDependencyProvider::getProductTableDataBulkExpanderPlugins() method.

Verification

In the Back Office, go to **Catalog**>**Products**. Make sure relevant data is displayed in **Categories** column.

Next step

Ensuring quality in standalone modules

Troubleshooting Dependency Injection

Thu, 29 Jan 2026 12:07:47 +0000

This document describes common issues and solutions when working with Symfony's Dependency Injection component in Spryker. ## Container compilation failures ### Unknown classes from core **Problem:** The container compilation fails with an error about an unknown class from a Spryker core module. **Example error:** ```php The service "Spryker\Zed\Product\Business\ProductFacade" has a dependency on a non-existent service "Spryker\Zed\Product\Business\SomeInternalService". ``` **Cause:** You're trying to autowire a class from a core module that doesn't have a pre-compiled container or isn't configured in your `ApplicationServices.php`. **Solution 1 - Register the service manually:** Add the missing service to your `config/Zed/ApplicationServices.php`: ```php services() ->defaults() ->autowire() ->public() ->autoconfigure(); // Register the missing core service $services->set(ProductFacadeInterface::class, ProductFacade::class); }; ``` **Solution 2 - Create a project-level extension:** Create your own class that extends the core service and register it: ```php set(CustomerFacadeInterface::class, \Pyz\Zed\Customer\Business\CustomerFacade::class); ``` ### Scalar constructor arguments **Problem:** Container compilation fails when a service constructor has scalar type hints (int, string, bool, float). **Example error:** ```php Cannot autowire service "Pyz\Zed\MyModule\MyService": argument "$timeout" of method "__construct()" is type-hinted "int", you should configure its value explicitly. ``` **Cause:** Autowiring cannot determine what value to inject for scalar types. The container needs explicit configuration. **Solution 1 - Configure the argument explicitly:** ```php services() ->defaults() ->autowire() ->public() ->autoconfigure(); $services->set(MyService::class) ->arg('$timeout', 30); }; ``` **Solution 2 - Use a configuration object (recommended):** Instead of scalar arguments, create a value object: ```php true, // Often uses many transfer objects 'ProductPageSearch' => true, 'ProductStorage' => true, ]; foreach ($projectModules as $moduleTransfer) { if (isset($excludedModuleConfiguration[$moduleTransfer->getName()])) { continue; // Skip this module } // ... load module services } ``` ### Argument is type-hinted "array" **Problem:** The container compilation fails with an error about configuring values explicitly. **Example error:** ```php Cannot autowire service "Spryker\Glue\AuthRestApi\Processor\AccessTokens\AccessTokenUserFinder": argument "$restUserExpanderPlugins" of method "__construct()" is type-hinted "array", you should configure its value explicitly. ``` **Cause:** Symfony can't automatically detect which classes it should inject as dependency for array's. There is a type-hint to an array of interfaces but which ones should be added here can't be automatically detected. **Solution - Use the Stack Attribute:** ```php $restUserExpanderPlugins */ #[Stack( dependencyProvider: AuthRestApiDependencyProvider::class, dependencyProviderMethod: 'getRestUserExpanderPlugins', provideToArgument: '$restUserExpanderPlugins', )] public function __construct( protected array $restUserExpanderPlugins ) {} } ``` During compilation the `\Spryker\Service\Container\Pass\StackResolverPass` understands this configuration and will inject the array dependency through this configuration. When the class is requested from the container, the container knows that it has to pass the returned array from the `AuthRestApiDependencyProvider::getRestUserExpanderPlugins()` method to the argument `$restUserExpanderPlugins`. Multiple Stack attributes can be used on a class constructor. ## Debugging When you need to understand how the container resolves services or troubleshoot issues, debug into these key classes: ### ContainerDelegator - Service resolution **Location:** `Spryker\Service\Container\ContainerDelegator` **Purpose:** Tracks which service from which container gets resolved. **Key methods to debug:** - `get(string $id)`: Main entry point for service resolution (line 94) - `findInProjectContainer(string $id)`: Searches for services in project container (line 226) - `getPartsFromId(string $id)`: Extracts namespace, application, module from service ID (line 430) **What to look for:** - Check `$this->resolvedServices` to see already resolved services - Inspect `$this->containers` to see attached containers (project_container, application_container) - Review `$this->checkedContainer` for which containers were searched **Debug example:** ```php // Add breakpoint in ContainerDelegator::get() public function get(string $id, int $invalidBehavior = self::EXCEPTION_ON_INVALID_REFERENCE): ?object { // Check here what $id is being requested // Inspect $this->containers to see available containers // Step through to see resolution logic } ``` ### ControllerResolver - Controller discovery **Location:** `Spryker\Shared\Router\Resolver\ControllerResolver` **Purpose:** Resolves controller classes from route definitions and injects dependencies. **Key methods to debug:** - `getController(Request $request)`: Main entry point for controller resolution (line 37) - `getControllerFromString()`: Handles string-based controller definitions (line 66) - `injectContainerAndInitialize()`: Injects dependencies into controller (line 170) **What to look for:** - Check how the controller string is parsed - See if controller is found in ContainerDelegator via `$globalContainer->has($controller)` (line 75) - Verify if controller is being instantiated via DI or traditionally **Debug example:** ```php // Add breakpoint in ControllerResolver::getController() public function getController(Request $request): callable|false { $controller = $request->attributes->get('_controller'); // Check $controller value // Step through to see if it's resolved from container } ``` ### Kernel - Application setup **Location:** `Spryker\Shared\Application\Kernel` **Purpose:** Sets up the application, manages ApplicationPlugins, and boots the container. **Extends:** `Symfony\Component\HttpKernel\Kernel` **Uses:** `Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait` **Key methods to debug:** - `__construct()`: Initial setup, attaches containers to ContainerDelegator (line 44) - `boot()`: Boots Symfony container and ApplicationPlugins (line 130) - `build()`: Registers compiler passes (line 248) - `configureContainer()`: Loads service configuration files (line 209) **Important Symfony base class methods:** Refer to Symfony documentation for these methods: - [Symfony HttpKernel Component](https://symfony.com/doc/current/components/http_kernel.html) - [MicroKernelTrait](https://symfony.com/doc/current/configuration/micro_kernel_trait.html) **What to look for:** - Check which ApplicationPlugins are registered - Inspect `$this->container` to see if it's ContainerDelegator or Symfony container - Review which compiler passes are added - Verify service configuration file loading **Debug example:** ```php // Add breakpoint in Kernel::boot() public function boot(): void { // Check if container is already compiled // See which ApplicationPlugins are being booted // Inspect ContainerDelegator attachments } ``` ### Application - Request handling **Location:** `Spryker\Shared\Application\Application` **Purpose:** Sets up and boots ApplicationPlugins, selects the correct Kernel, and handles requests via HttpKernel. **Key methods to debug:** - `handle()`: Main request handling entry point (line 180) - `registerPlugins()`: Registers all ApplicationPlugins (line 100) - `registerPluginsAndBoot()`: Registers and boots ApplicationPlugins (line 131) **What to look for:** - Check which ApplicationPlugins are registered - See when the Kernel is created and booted - Verify container setup and switching **Debug example:** ```php // Add breakpoint in Application::handle() public function handle(Request $request, int $type = self::MASTER_REQUEST, bool $catch = true): Response { // Check if kernel exists in container // See how container is set up // Verify plugin registration timing } ``` ### Common debugging workflow 1. **Start with ContainerDelegator** - Check if the service is being requested and from which container 2. **Move to ControllerResolver** - If controller-related, see how it's being resolved 3. **Check Kernel setup** - Verify ApplicationPlugins and container configuration 4. **Review Application flow** - Understand the complete request lifecycle ### Enabling debug output To see detailed container compilation information, set the debug flag to true: In your `config/Shared/config_default.php`: ```php $config[ApplicationConstants::ENABLE_APPLICATION_DEBUG] = true; ``` This enables: - Container cache verification - Detailed compiler pass output - Service resolution logging ## Additional tips ### Clear application cache If you encounter container compilation issues or suspect the cache is stale, clear the cache for the affected application. **Clear cache for Zed:** ```bash docker/sdk cli vendor/bin/console cache:clear ``` **Clear cache for Glue API:** ```bash docker/sdk cli vendor/bin/glue cache:clear ``` **Clear cache for Glue Storefront API:** ```bash docker/sdk cli GLUE_APPLICATION=GLUE_STOREFRONT vendor/bin/glue cache:clear ``` **Clear cache for Glue Backend API:** ```bash docker/sdk cli GLUE_APPLICATION=GLUE_BACKEND vendor/bin/glue cache:clear ``` These commands clear the compiled container cache and force a fresh compilation on the next request. ### Verify container cache If you need to manually inspect or remove specific container cache files: ```bash # Clear the container cache rm -rf data/cache/Zed/*/appSpryker_Shared_Application_Kernel* # Rebuild the container console container:build ``` ### Check service availability To verify if a service is available in the container, check the compiled container file: ```bash # Location of compiled container data/cache/Zed/{environment}/appSpryker_Shared_Application_Kernel_{Application}_{Environment}Container.php ``` Search for your service ID in this file to see if it was registered correctly. ### Module compilation check If a core module doesn't have a container, check if it exists: ```bash # Core module container location vendor/spryker/{module-name}/src/Spryker/Zed/{ModuleName}/Service/Container/{ModuleName}ServiceContainer.php ``` ## Next steps - [Implementation and usage](/docs/dg/dev/architecture/dependency-injection/implementation-and-usage.html) - [Best practices for Dependency Injection](/docs/dg/dev/architecture/dependency-injection/best-practices.html) - [Dependency injection](/docs/dg/dev/architecture/dependency-injection.html)

Troubleshooting installation

Thu, 29 Jan 2026 12:07:47 +0000

This section describes common issues and solutions related to installing Spryker locally. ## Clear application cache If you encounter compilation errors during installation or after setup, clear the cache for the affected application. **Clear cache for Zed:** ```bash docker/sdk cli vendor/bin/console cache:clear ``` **Clear cache for Glue API:** ```bash docker/sdk cli vendor/bin/glue cache:clear ``` **Clear cache for Glue Storefront API:** ```bash docker/sdk cli GLUE_APPLICATION=GLUE_STOREFRONT vendor/bin/glue cache:clear ``` **Clear cache for Glue Backend API:** ```bash docker/sdk cli GLUE_APPLICATION=GLUE_BACKEND vendor/bin/glue cache:clear ``` These commands clear the compiled container cache and resolve most cache-related installation issues. ## Topics - [Clear application cache](#clear-application-cache) - [An error during front end setup](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/an-error-during-front-end-setup.html) - [Demo data was imported incorrectly](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/demo-data-was-imported-incorrectly.html) - [Docker daemon is not running](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/docker-daemon-is-not-running.html) - [docker-sync cannot start](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/docker-sync-cannot-start.html) - [Error 403 No valid crumb was included in the request](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/error-403-no-valid-crumb-was-included-in-the-request.html) - [Node Sass does not yet support your current environment](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/node-saas-does-not-yet-support-your-current-environment.html) - [Setup of new indexes throws an exception](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/setup-of-new-indexes-throws-an-exception.html) - [Unable to bring up Mutagen Compose sidecar service](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/unable-to-bring-up-mutagen-compose-sidecar-service.html) - [Vendor folder synchronization error](/docs/dg/dev/set-up-spryker-locally/troubleshooting-installation/vendor-folder-synchronization-error.html)

Spryker Documentation

AiFoundation module Overview

Install the AiFoundation module

Configure AI providers

Configuration structure

Default configuration

Provider configuration examples

OpenAI

Anthropic Claude

AWS Bedrock

Ollama (local/self-hosted)

Run Ollama with Docker SDK

Google Gemini

Deepseek

HuggingFace

Mistral AI

xAI Grok

Azure OpenAI

Use the AiFoundation client

Basic usage

Using a specific configuration

Multiple configurations example

Available provider constants

Transfer objects

PromptRequest

PromptMessage

PromptResponse

Attachment

ToolInvocation

Roadmap

Chat history capabilities

About NeuronAI framework

Release notes for spryker-php image

Configure Elasticsearch

Index naming convention

Schema configuration approaches

Modern approach: Schema directory (Recommended)

Legacy approach: IndexMap directory (Deprecated)

Schema merging and customization

How merging works

Merging example

Store-specific schemas

Source identifier management

How source identifiers work

Configure supported source identifiers

Example workflow

Store-prefixed source identifiers

Working with indexes and mappings

Create new indexes

Modify existing indexes

Example: Custom tokenizer configuration

Install indexes and mappings

Populate indexes with data

Generated helper classes

Update indexes with existing data

Advanced configuration

Disable default mapping installation

Enable the Zero State Component for Empty Data

Steps to Enable the Zero State Component

1. Update SprykerShop modules

2. Add icons to the icon sprite

3. Glossary keys

4. Update Twig files to enable the new Zero State component

Upgrade to Angular 20

Preparation for going live

Twig performance best practices

Create standalone modules

Enable a custom namespace

Extend Spryker functionality from a module

Extend functionality using an existing extension point

Next step

Troubleshooting Dependency Injection

Troubleshooting installation

1. Update `SprykerShop` modules

4. Update Twig files to enable the new `Zero State` component