js-buy-sdk: addLineItems allows adding unavailable (quantity > stock) variants to cart
When adding line items to cart, the SDK allows adding a higher quantity of a variant to the cart than the inventory is set to in admin. These are tracked in Shopify and not set to sell negative stock.
Is there a way to retrieve whether a variant can have +1 quantity added to cart or not, either before or after adding a line item?
To Reproduce
- Create variant in Shopify with 1 tracked stock inventory
- Run
await client.checkout.addLineItems(checkoutId, {variantId,quantity: 2})
- Item is added to cart/checkout successfully with a quantity of 2
Expected behavior
On step 3, a response containing an error, or simply a cart with a quantity of 1
Environment (please complete the following information):
- shopify-buy 2.8.0
- node-fetch
Additional context
Requests are being sent via isomorphic fetch
About this issue
- State: open
- Created 5 years ago
- Comments: 27 (4 by maintainers)
Hi, with Storefront API version 2020-04 supporting inventory quantity for the product and variants, when will the buy-sdk be updated to support version 2020-04?
It’s 2021 now.
To reiterate Mina’s comment above, this would leave our merchants vulnerable to bots and competitors who attempt to inspect their inventory through the cart. Basically, if I am a bot and I add quantity 5 to a cart and it says there isn’t enough inventory then there is clearly less than 5 of the item. If I then added quantity 4 to a cart and it lets me, then there are clearly 4 of an item left in stock. Even without explicitly sharing the exact inventory numbers, a bot could determine your inventory levels.
That being said, in 2020 we will support a separate permission for exposing inventory that will leave this decision (whether they are okay with the security tradeoff) in their hands.
Hi @joeswann! We are already tracking an issue in our backlog to support a separate permission for exposing inventory. I’ll keep this ticket open until the support is added!
Came here looking for a solution.
I am getting the impression that Shopify doesn’t care to support this library. This and many other limitations make it largely unusable in any real situation. 😦
@joeswann I updated the API version, but still the same error. Any ideas?
@rebeccajfriedman Thanks for replying. Maybe without exposing the stock inventory, the function client.checkout.addLineItems should return an error when trying to add 2 quantities of an item that only has 1 left in inventory.
I think the UX impact here is a very real concern for customers and for business owners looking to use the Buy SDK. Making it impossible to guess whether there is 1 or 1000 in stock until visiting checkout is conceivably a cause of considerable sale loss, particularly for stores that tend to sell 2+ of any given product.
In comparison, for most smaller merchants, having their inventory scraped is relatively hypothetical, although I can see it being a concern for competitive / larger stores.
In any case, for the response containing an error solution - if a bot was adding to cart X times a second from one IP as the only way for it to scrape inventory, that seems like a pattern that might be relatively easy to protect against? I understand this solution would be on Shopify's end though, not anything to do with this repo.
Isn’t this possible via the AJAX API, though?
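The thread above mentions that a bot adding to cart many times a second from one IP should be a recognizable pattern. A sketch of that check as an added example (not code from this thread, the SDK, or Shopify): the event shape, the thresholds, and the function name `detectInventoryProbing` are all assumptions, and the sample events are constructed.

```javascript
// Added example: thresholds and the event shape are assumptions, not Shopify values.
const DEFAULTS = { windowMs: 10000, maxEvents: 5, maxDistinctQty: 3 };

// events: [{ ts, ip, variantId, quantity }], ts in milliseconds.
// Returns one finding per (ip, variantId) pair that crossed a threshold.
function detectInventoryProbing(events, opts = {}) {
  const { windowMs, maxEvents, maxDistinctQty } = { ...DEFAULTS, ...opts };
  const recent = new Map();  // "ip|variantId" -> events still inside the window
  const flagged = new Map(); // "ip|variantId" -> first reason seen
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const key = `${ev.ip}|${ev.variantId}`;
    const win = (recent.get(key) || []).filter((e) => ev.ts - e.ts < windowMs);
    win.push(ev);
    recent.set(key, win);
    if (flagged.has(key)) continue;
    const distinctQty = new Set(win.map((e) => e.quantity)).size;
    if (win.length > maxEvents) flagged.set(key, 'rate');
    else if (distinctQty > maxDistinctQty) flagged.set(key, 'quantity-sweep');
  }
  return [...flagged].map(([key, reason]) => {
    const [ip, variantId] = key.split('|');
    return { ip, variantId, reason };
  });
}

// Constructed sample events (documentation IP ranges, made-up variant ids).
const at = (ts, ip, variantId, quantity) => ({ ts, ip, variantId, quantity });
const SAMPLE_EVENTS = [
  // Ordinary shopper: two adds, 30 s apart.
  at(0, '192.0.2.10', 'variant-A', 1),
  at(30000, '192.0.2.10', 'variant-A', 2),
  // Same variant, stepping through quantities within 2 s.
  at(1000, '203.0.113.7', 'variant-A', 8),
  at(1500, '203.0.113.7', 'variant-A', 7),
  at(2000, '203.0.113.7', 'variant-A', 6),
  at(2500, '203.0.113.7', 'variant-A', 5),
  // Same quantity repeated six times within 3 s.
  ...[0, 1, 2, 3, 4, 5].map((i) => at(5000 + i * 500, '198.51.100.4', 'variant-B', 1)),
];

console.log(detectInventoryProbing(SAMPLE_EVENTS));
```

In practice the key would more likely combine the IP with a checkout or session identifier, since many shoppers can share one address.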