SuiteCommerce 2023.1.x Minor Releases: GA4 Event Tracking, SSP Security Headers, 3DS2 Fixes, and Library Updates

Overview

Oracle shipped three minor releases under the 2023.1 branch for SuiteCommerce, SuiteCommerce MyAccount, and SuiteCommerce Advanced. The most impactful changes are GA4 event integration through the Google Tag Manager Commerce extension (2023.1.2), a new configuration surface for injecting security headers into SSP responses (2023.1.2), and several 3DS2/payment-related bug fixes (2023.1.1).

2023.1.3 — Sass Addition and Background Processing

• Sass 1.62.1 added — A new third-party dependency. If you maintain a custom SuiteCommerce Advanced theme build pipeline or CI job, confirm your toolchain accommodates this library and pins the expected version.
• Additional background-processing updates were made with no stated end-user or developer impact. Oracle provides no specifics; monitor logs if you observe unexpected behavior in asynchronous processing after this patch.

2023.1.2 — GA4 Events, SSP Security Headers, Translation Updates

Google Analytics 4 event integration

Six GA4 e-commerce events are now natively tracked through the Google Tag Manager Commerce extension:

1. add_payment_info — fires when a user submits payment information.
2. add_shipping_info — fires when a user submits shipping information.
3. refund — fires when a refund is issued.
4. remove_from_cart — fires when an item is removed from the cart.
5. search — fires on search operations, enabling content-popularity analysis.
6. share — fires when a user shares content.

If you previously pushed these events via custom JavaScript in your theme or a GTM custom HTML tag, you should remove or disable the duplicate tracking to avoid inflated event counts in your GA4 property.

SSP security-header configuration

A new property, Add Headers to SSP Responses, appears under Advanced > Security subtab in the SuiteCommerce configuration record. This provides a field to enter custom security headers (e.g., Content-Security-Policy, X-Frame-Options, Strict-Transport-Security) that will be injected into SSP responses.

Previously, adding security headers to SSP responses required custom SuiteScript or web-server-level configuration. This setting centralizes it in the SuiteCommerce config UI.

Translation updates

Text strings and translation-context notes were updated to comply with Oracle translatability requirements. If you override default SuiteCommerce translations in a custom module, verify your overrides still key to the correct source strings after updating.

2023.1.1 — Library Upgrades and Payment/3DS2 Fixes

Library upgrades

• Underscore.js upgraded to 1.13.1 (from the previously bundled version). Review any custom code that depends on deprecated Underscore APIs removed between your prior version and 1.13.1.
• Handlebars upgraded to 4.7.7. This version includes security patches. Custom Handlebars helpers should be retested.
• VM2 (oraclesuitecloud-cli) upgraded to 1.7.2. This affects local development via the SuiteCommerce CLI (gulp tasks). Update your local node_modules accordingly.

Bug fixes

• 3DS2 CSC tokenization — The Cardholder Authentication event raw request was sending null for the security code instead of the tokenized CSC value. Fixed. If you had a workaround injecting the CSC value manually, remove it.
• 3DS2 enablement for Make A Payment, Quotes, Reorder — Customers were unable to enable the 3DS2 feature on these flows. Fixed. Re-check your payment-processing configuration if you previously disabled 3DS2 in these flows due to this bug.
• CUR parameter null — Under the Shopping domain, the CUR parameter was null instead of being set to ShoppingUserEnvironment.Service.ss. This could cause multi-currency storefronts to default to the wrong currency. Fixed.
• Invoice $0.00 display — Invoices were showing $0.00 under Payment Summary. Fixed.
• Transaction History visibility — Shoppers could not view the Transaction History section. The fix involved updates to ActivationContext and SuiteScript2 services. If you have custom overrides on the Transaction History view or its backing service, retest after the update.

What to Do

1. Audit GA4 event duplication. If you manually tracked any of the six newly integrated GA4 events via custom GTM tags or theme JS, disable the custom implementation to prevent double-counting.
2. Configure SSP security headers. Navigate to SuiteCommerce Configuration > Advanced > Security and populate the new Add Headers to SSP Responses field with your required headers (CSP, HSTS, X-Frame-Options, etc.).
3. Rebuild SCA themes. If you run SuiteCommerce Advanced with a custom build pipeline, pull the latest source and rebuild to pick up the Sass 1.62.1, Underscore.js 1.13.1, and Handlebars 4.7.7 dependencies. Run npm install or yarn install to update oraclesuitecloud-cli (VM2 1.7.2).
4. Re-enable 3DS2. If you disabled 3DS2 on Make A Payment, Quotes, or Reorder flows due to the enablement bug, re-enable it now.
5. Remove CSC workarounds. If you implemented a custom workaround for the null CSC value in the Cardholder Authentication event, remove it.
6. Test multi-currency storefronts. Verify currency selection works correctly on the Shopping domain after the CUR parameter fix.
7. Retest Transaction History customizations. If you override ActivationContext or the SuiteScript2-backed Transaction History service, confirm your customizations still function correctly.