vendure
Vendure is an open-source headless commerce platform built with TypeScript, NestJS, and GraphQL. It provides a self-hosted, extensible backend for D2C, B2B, marketplace, and omnichannel commerce without vendor lock-in.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | vendurehq/vendure |
| Owner | vendurehq |
| Primary language | TypeScript |
| License | Other — Requires review (not clearly OSI) |
| Stars | 8.2k |
| Forks | 1.4k |
| Open issues | 246 |
| Latest release | v3.7.0 (2026-07-01) |
| Last updated | 2026-07-07 |
| Source | https://github.com/vendurehq/vendure |
What vendure is
Node.js/NestJS backend with GraphQL API, React/TanStack admin dashboard, and plugin-first architecture. Supports PostgreSQL, MySQL, MariaDB, and SQLite; deployable on self-hosted, Docker, Kubernetes, or cloud infrastructure. Strong end-to-end TypeScript typing.
Get the vendure source
Clone the repository and explore it locally.
git clone https://github.com/vendurehq/vendure.gitcd vendure# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Node.js 20.19+ or 22.12+ and a SQL database (PostgreSQL, MySQL, MariaDB, or SQLite). Plan database schema and replication strategy for production.
- Plugin architecture is stable; build custom entities and workflows on top without core patches. Assess internal plugin development velocity and testing maturity.
- GraphQL API is introspectable but requires frontend framework alignment. Verify React/TanStack admin dashboard customization needs early.
- Production readiness proven at enterprise scale, but self-hosted deployments require monitoring, backup, and incident response planning.
- Monorepo structure for contributing; clone only to contribute to core. Use `npx @vendure/create` for new projects.
When to avoid it — and what to weigh
- SaaS-Only Preference — Vendure is self-hosted by default. Managed PaaS (Vendure Cloud) and enterprise licensing (Vendure Platform) available separately; not all-in-one SaaS out of the box.
- Proprietary Lock-In Expected — GPLv3 license and plugin exception allow community extensions, but source is copyleft. Teams requiring non-copyleft derivatives should review licensing FAQ or seek commercial license.
- Low DevOps Overhead Required — Requires Node.js runtime management and SQL database. Self-hosted deployments demand DevOps capability for production setup (Docker, Kubernetes, cloud provisioning).
- Out-of-Box Enterprise Features — Advanced features (SSO, approval workflows, B2B pricing parity) require Vendure Platform commercial subscription. Open-source core is feature-rich but not comprehensive for all enterprise use cases.
License & commercial use
Vendure is licensed under GPLv3. A plugin license exception allows custom plugins to be released under any license. Building against the GraphQL API does not make storefronts or services subject to GPLv3. Commercial licensing for Vendure Platform is available; review the licensing FAQ for derivative use cases.
GPLv3 core is free to use commercially if no modifications or forked versions are distributed. Building storefronts or services using the GraphQL API does not trigger copyleft obligations. If you modify core Vendure and distribute the result, GPLv3 requires source disclosure. Vendure Platform (SSO, approval workflows, B2B features) requires separate commercial license. Requires review if custom core modifications and redistribution are planned.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Strong |
| Assessment confidence | High |
GPLv3 code is publicly auditable. No security posture, penetration test reports, or formal vulnerability disclosure program stated in provided data. Self-hosted deployments require standard Node.js/SQL database hardening (authentication, TLS, WAF, rate-limiting, secrets management). Requires review: OWASP compliance, data encryption, and incident response SLAs for production use.
Alternatives to consider
Medusa
Open-source headless commerce on Node.js/TypeScript with modular plugin system. Similar tech stack; Medusa focuses on API-first developer experience. Compare extensibility, community size, and enterprise features.
Shopify Plus
Managed SaaS with extensive app ecosystem and enterprise support. Trade-off: vendor lock-in and higher cost vs. Vendure's self-hosted control and lower marginal cost.
WooCommerce + Headless CMS
PHP-based, mature WordPress ecosystem. Lighter overhead than Vendure but less tightly integrated. Consider if existing WordPress investment exists.
Build on vendure with DEV.co software developers
Vendure's plugin-first TypeScript stack and self-hosted model fit teams needing extensibility without vendor constraints. Discuss architecture, deployment strategy, and custom workflow needs with our team.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
vendure FAQ
Can I use Vendure in production?
Do I need to understand GraphQL to use Vendure?
Can I extend Vendure without modifying core?
What about copyleft concerns if I build on Vendure?
Custom software development services
Adopting vendure is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source ecommerce software in production.
Ready to Build Custom Commerce?
Vendure's plugin-first TypeScript stack and self-hosted model fit teams needing extensibility without vendor constraints. Discuss architecture, deployment strategy, and custom workflow needs with our team.