chore: Update the Vendure ElasticSearch plugin to use ElasticSearch v9.1.0

[LeftoversTodayAppAdmin]

Description

Vendure has had a limitation on the version of ElasticSearch that can be used because of a licensing issue in v7.11 which has since been resolved. Therefore we can now use v9.1.0 as long as the plugin and the Vendure project use the new ES deployment and matching library.

Breaking changes

Does this PR include any breaking changes we should be aware of?
YES - Breaking change - ElasticSearch must be updated to v9.1.0, using the new client and plugin with the older v7 version of ES will FAIL.

Upgrading ElasticSearch is a one-way process, migrating the DB schema from v7.10.2 to v9.1.0 with no option to downgrade.

The ES instance and the client library in both the plugin and Vendure project package.json must match the upgraded ES instance version (v9.1.0).

Screenshots

You can add screenshots here if applicable.

Checklist

📌 Always:

• I have set a clear title
• My PR is small and contains a single feature
• I have checked my own PR

👍 Most of the time:

• I have added or updated test cases
• I have updated the README if needed

Summary by CodeRabbit

• New Features

  • Updated Elasticsearch support to version 9.1.0 across all configurations and documentation.
  • Enhanced Docker Compose and GitHub Actions setups for Elasticsearch, including improved environment settings, memory limits, and security configuration.

• Bug Fixes

  • Corrected port mapping for Elasticsearch in Docker Compose templates.
  • Made end-to-end tests for search results order-insensitive.

• Documentation

  • Expanded plugin documentation with detailed version compatibility and updated security configuration notes.

• Refactor

  • Updated Elasticsearch client usage to align with the latest API response formats and improved error handling.
  • Adjusted Elasticsearch request payload structures and added safety checks for index operations.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	Aug 6, 2025 8:09am

[coderabbitai]

Walkthrough

The updates upgrade Elasticsearch dependencies and configurations from version 7.x to 9.1.0 across GitHub Actions workflows, Docker Compose files, and templates. Corresponding code changes adapt to the new Elasticsearch client API, particularly the { meta: true } response format. Documentation is updated for compatibility and security notes. Minor test and assertion adjustments ensure compatibility with the new version.

Changes

Cohort / File(s)	Change Summary
CI & Docker Configurations .github/workflows/build_and_test.yml, docker-compose.yml, packages/create/templates/docker-compose.hbs	Upgraded Elasticsearch image from 7.x to 9.1.0. Expanded environment variables to configure node/cluster names, disable xpack security features, and set license type. Updated JVM options formatting, added memory limit, and improved port mappings and volume names. Template and workflow configurations were aligned accordingly.
Elasticsearch Client API Adaptation packages/elasticsearch-plugin/src/elasticsearch.service.ts, packages/elasticsearch-plugin/src/indexing/indexer.controller.ts, packages/elasticsearch-plugin/src/indexing/indexing-utils.ts	Updated all Elasticsearch client calls to include the { meta: true } option and adapted code to safely access .body properties. Adjusted request payload structures to match the new client API. Added safety checks and improved error handling for index operations. Refactored method signatures for clarity.
Dependency Update packages/elasticsearch-plugin/package.json	Upgraded @elastic/elasticsearch dependency from ~7.9.1 to 9.1.0.
Documentation Update packages/elasticsearch-plugin/src/plugin.ts	Updated plugin documentation to reflect support for Elasticsearch 9.1.0, added a compatibility matrix, security notes, and configuration guidance for newer Elasticsearch versions.
Test Adjustment packages/elasticsearch-plugin/e2e/e2e-helpers.ts	Modified test assertion to sort product names before comparison, making the test order-insensitive and compatible with potential changes in Elasticsearch result ordering.

Sequence Diagram(s)

sequenceDiagram
    participant App as Application Code
    participant ESClient as Elasticsearch JS Client (v9.1.0)
    participant ES as Elasticsearch Server

    App->>ESClient: search(params, { meta: true })
    ESClient->>ES: HTTP request (search)
    ES-->>ESClient: HTTP response (body + metadata)
    ESClient-->>App: { body, meta }
    App->>App: Access response.body safely

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d5610d and a56f10c.

📒 Files selected for processing (1)

• packages/create/templates/docker-compose.hbs (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/create/templates/docker-compose.hbs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/elasticsearch-plugin/src/elasticsearch.service.ts (1)

596-600: Improved method signature formatting for better readability.

The method signature reformatting with proper parameter alignment enhances code readability without changing functionality.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 46a12b7 and 1d5610d.

📒 Files selected for processing (9)

• .github/workflows/build_and_test.yml (1 hunks)
• docker-compose.yml (1 hunks)
• packages/create/templates/docker-compose.hbs (1 hunks)
• packages/elasticsearch-plugin/e2e/e2e-helpers.ts (1 hunks)
• packages/elasticsearch-plugin/package.json (1 hunks)
• packages/elasticsearch-plugin/src/elasticsearch.service.ts (13 hunks)
• packages/elasticsearch-plugin/src/indexing/indexer.controller.ts (6 hunks)
• packages/elasticsearch-plugin/src/indexing/indexing-utils.ts (5 hunks)
• packages/elasticsearch-plugin/src/plugin.ts (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (1)

packages/elasticsearch-plugin/src/indexing/indexer.controller.ts (1)

packages/elasticsearch-plugin/src/indexing/indexing-utils.ts (1)

• getIndexNameByAlias (144-155)

🔇 Additional comments (18)

packages/elasticsearch-plugin/package.json (1)

28-28: Elasticsearch client dependency verified: @elastic/elasticsearch@9.1.0 is current and secure

• Confirmed 9.1.0 is the latest published version of the Node.js client
• No known security vulnerabilities reported for the 9.x series (per npm, Elastic release notes, Snyk)

No further changes needed—this upgrade is safe. Continue to monitor Elastic’s official security announcements for future advisories.

packages/elasticsearch-plugin/e2e/e2e-helpers.ts (1)

79-79: LGTM! Improved test reliability.

Adding .sort() makes the test order-insensitive, which is appropriate when upgrading Elasticsearch versions as search result ordering may differ between versions. This improves test stability.

.github/workflows/build_and_test.yml (1)

109-116: Elasticsearch upgrade and security configuration look correct.

The upgrade to Elasticsearch 9.1.0 and the added environment variables appropriately disable security features for CI/testing. The configuration includes:

• Security features disabled (appropriate for testing)
• Basic license type (suitable for development)
• Explicit node and cluster naming

Note: Ensure production deployments use appropriate security configurations instead of disabling these features.

docker-compose.yml (1)

82-94: Elasticsearch configuration updated correctly for development.

The upgrade to 9.1.0 with expanded environment variables is appropriate for local development. Key improvements:

• Memory limit prevents resource exhaustion
• Security features disabled (suitable for local dev)
• Consistent configuration with CI environment

Important: Ensure production deployments use proper security configurations instead of the disabled settings used here.

packages/create/templates/docker-compose.hbs (2)

99-99: Port mapping correction looks good.

The port mapping has been corrected from 9300:9200 to 9200:9200, which properly exposes the Elasticsearch HTTP API port.

---

79-91: Elasticsearch configuration updated appropriately.

The upgrade to 9.1.0 with comprehensive environment configuration is well-structured. The security features are appropriately disabled for development templates.

packages/elasticsearch-plugin/src/plugin.ts (1)

66-84: Excellent documentation update for ElasticSearch v9.1.0 compatibility.

The updated documentation clearly communicates the version upgrade and provides essential information about:

• Version compatibility requirements across all components
• Important security changes introduced in ElasticSearch v8+
• Configuration guidance for development vs production environments
• Reference to updated Docker Compose examples

This comprehensive documentation will help users understand the breaking changes and configure their environments correctly.

packages/elasticsearch-plugin/src/indexing/indexing-utils.ts (4)

73-76: Correct API adaptation for Elasticsearch client v9.1.0.

The changes properly remove the deprecated body wrapper and place mappings and settings at the top level of the request parameters, aligning with the updated Elasticsearch client API format.

Also applies to: 86-89

---

107-110: Good addition of safety checks before index deletion.

The conditional check ensures that the index name is valid before attempting deletion, which prevents potential errors and improves robustness.

---

121-123: Consistent API update for deleteByQuery operation.

The query parameter is correctly moved to the top level, maintaining consistency with other Elasticsearch client API updates throughout the codebase.

---

145-152: Proper handling of new response format with metadata.

The addition of { meta: true } and the updated response handling correctly adapt to the new Elasticsearch client response structure. The safe property access with optional chaining is well implemented.

packages/elasticsearch-plugin/src/indexing/indexer.controller.ts (3)

379-421: Comprehensive API updates with improved error handling.

The updateByQuery calls are correctly updated to use the new Elasticsearch client signature with { meta: true }. The enhanced error handling with conditional checks for result.body.failures and proper array iteration is a significant improvement that prevents potential runtime errors.

---

430-502: Robust alias switching logic with enhanced safety guards.

The switchAlias method is thoroughly updated with:

• Proper use of { meta: true } for all index operations
• Additional guards before deletion operations
• Consistent handling of the new response format
• Safe property access patterns throughout

The enhanced safety checks reduce the risk of errors during index operations.

---

861-868: Correct bulk operation API adaptation.

The bulk operation is properly updated to use the new client signature, spreading the request parameters and including { meta: true } for consistent metadata handling.

packages/elasticsearch-plugin/src/elasticsearch.service.ts (4)

72-73: Correct ping operation update for new client API.

The ping call is properly updated with { meta: true } while maintaining the existing timeout configuration and response handling logic.

---

98-98: Comprehensive indices operations updates with safe property access.

The index existence checks and settings retrieval operations are correctly updated to use { meta: true }. The safe property access patterns with optional chaining and conditional checks prevent potential runtime errors when accessing nested response properties.

Also applies to: 111-121

---

221-227: Consistent search API updates with proper request spreading.

Both search operations correctly spread the elasticsearch body into the first argument and pass { meta: true } as the second parameter, maintaining consistency with the new client API while preserving all existing functionality.

Also applies to: 258-264

---

315-321: Proper totalHits aggregation query update.

The aggregation query is correctly updated with the new API format, and the response handling properly accesses the aggregation results from the updated response structure.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[kamil-maslowski]

Bump: plan to merge this anytime soon?

[michaelbromley]

Hi @LeftoversTodayAppAdmin could you make this PR against the minor branch, due to the requirement to upgrade the ES version.

[LeftoversTodayAppAdmin]

@michaelbromley Done!