Vulnerability in EPiServer.Forms
Right now the EPiServer.Commerce package is depending on EPiServer.Commerce.UI this causes all the EPiServer UI packages to be installed when ever you need a dependency on anything in the EPiServer.Commerce package, would it be possible to make a clean break between the two packages some time in the future?
If you just want to have a dependency to the EPiServer Commerce assemblies, you should add the EPiServer.Commerce.Core package. The EPiServer.Commerce package has no content of it's own, it's just a container for the UI and Core packages. Our thought is that the EPiServer.Commerce package should contain everything needed for the site. If you want to make a tool or a plugin and just need references to the assemblies, use the Core package.
We have gotten the feedback that this is not clear enough, so we will update the descriptions of future releases of the packages, to hopefully make it easier to understand how they are related to each other.
Ahh thanks didn't spot the Core package :-)