## Upgrade Requirements

### Database Upgrade

Supermarket 5 includes a large upgrade of the underlying PostgreSQL database. An automated upgrade must be run after the package is installed. See https://docs.chef.io/supermarket/supermarket_upgrade/ for details.

### Allowed Host Attribute

To prevent potential host header attacks, users must specify the FQDN of the Supermarket with the `node['supermarket']['allowed_host']` attribute. For example, the public supermarket at `https://supermarket.chef.io` would set this value to `supermarket.chef.io`.

## Bug Fixes

- Updated links to the Chef Blog to use the latest URL.
- Updated links to the Chef Documentation to use the latest URL.
- Removed unused attributes for New Relic monitoring.

## Enhancements

### PostgreSQL 13.4

The embedded PostgreSQL 9.3 installation used by Supermarket to store cookbook information has been upgraded to 13.4. This new release of PostgreSQL improves performance, includes new functionality that will be used in future Supermarket releases, and resolves multiple security vulnerabilities. See https://docs.chef.io/supermarket/supermarket_upgrade/ for more information on completing this upgrade.

### Cookstyle Cookbook Quality Metrics

The Cookbook Quality Metrics evaluation in Supermarket now uses our Cookstyle engine to evaluate cookbook quality. This greatly improves the breadth of evaluation we provide, with ~250 Cookstyle cops being run against each cookbook. It also aligns the quality metrics with the same tools used in local development and CI processes. Stay tuned for exciting new improvements to the Cookbook Quality Metrics using these new capabilities.

### Log Directory Permissions

Users can now set the permissions of the Supermarket log directory with a new `default['supermarket']['log_mode']` configuration option. This option defaults to the previous directory default of `0700`.

### Versioned Universe API Endpoint

The `universe` API endpoint is now available under the v1 API endpoint. There are no current plans to introduce breaking changes to the existing `universe` API endpoint, but we highly recommend using the new versioned API endpoint for future compatibility.

## Security

### HTTP Headers

Supermarket now includes a more secure `Permissions-Policy` HTTP header by default.

### Puma 5.6.2

Puma has been upgraded from 5.6.1 to 5.6.2 to resolve CVE-2022-23633.

### Sidekiq 6.4.1

The Sidekiq job processing system used by Supermarket has been updated from 6.3.1 to 6.4.1 to resolve CVE-2021-30151.

### Ruby on Rails 6.1.4.6

The Ruby on Rails framework used by Supermarket has been updated from 6.1.4.4 to 6.1.4.6 to resolve CVE-2021-22904.
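The Allowed Host Attribute section above explains that `allowed_host` exists to block host header attacks. The following is an added illustration, not Supermarket's or Rails' own code, of the kind of allow-list check such a setting turns on: the `Host` header is compared against the one configured FQDN before any absolute URL (such as a password reset link) is built from it. The `host_allowed?` and `handle` names and the request hashes are constructed for this example.

```ruby
# Added example: minimal Host-header allow-list check. Not Supermarket's
# implementation; a standalone illustration of why allowed_host matters.

# The value the release notes use as their example FQDN.
ALLOWED_HOST = 'supermarket.chef.io'.freeze

# Returns true only when the request Host header names the configured FQDN.
# A port suffix is ignored, the comparison is case-insensitive, and a trailing
# dot (absolute FQDN form) is tolerated. Anything else, including subdomains,
# look-alike suffixes, or an empty header, is rejected.
def host_allowed?(host_header, allowed = ALLOWED_HOST)
  return false if host_header.nil? || host_header.strip.empty?

  host = host_header.strip
  # Bracketed IPv6 literals can never match a configured FQDN.
  return false if host.start_with?('[')

  host = host.split(':', 2).first   # drop ":port"
  host = host.chomp('.').downcase   # "supermarket.chef.io." -> "supermarket.chef.io"
  host == allowed.downcase
end

# Simulated request handling: reject an unrecognised Host before any URL is
# generated from it. The request hash is a constructed stand-in for a Rack env.
def handle(request)
  unless host_allowed?(request[:host])
    return { status: 403, body: 'Forbidden: unrecognised Host header' }
  end

  # Only a Host that passed the allow-list is ever echoed into a link.
  fqdn = request[:host].strip.split(':', 2).first.chomp('.').downcase
  { status: 200, body: "https://#{fqdn}/password/reset" }
end

if __FILE__ == $PROGRAM_NAME
  puts handle(host: 'supermarket.chef.io')   # 200, link to the real FQDN
  puts handle(host: 'example.invalid')       # 403, rejected
end
```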