Picking a TypeScript OSS E-Commerce Platform in 2026 — Medusa v2, Vendure v3, and Where EverShop Fits
If you search for “TypeScript-centric OSS e-commerce platforms”, the list looks long. Filter it down to projects where the core itself is written in TypeScript and you can actually own and operate it long term, and the market is narrower than it feels. GitHub Topics lists about 100 public repositories tagged ecommerce-platform in TypeScript, and roughly 2,800 tagged ecommerce, but the majority are templates, UI libraries, admin dashboards, or storefronts targeting a specific SaaS backend.
This post takes a strict scope: the core API itself must be implemented in TypeScript, and self-hosted operation must be realistic. Under that lens, as of May 2026, the field condenses to three: Medusa v2, Vendure v3, and EverShop. Saleor (whose core is Python/Django) and Next.js Commerce (a storefront framework with no EC API of its own) fall outside this scope and are not covered here. The formerly prominent Reaction Commerce (later Mailchimp Open Commerce) is explicitly flagged “Project has been discontinued”, so it is off the new-adoption list.
This post lines up the three on technical stack, license, and architecture, then looks at how each handles AI / Agentic Commerce.
The 2026 Map — Two Leaders Plus a Lightweight Integrated Option
A quick map first.
flowchart LR
A[TypeScript-native OSS e-commerce] --> A1[Core platforms]
A --> A2[Integrated]
A1 --> M[Medusa v2<br/>MIT / Node.js]
A1 --> V[Vendure v3<br/>GPLv3 / NestJS / GraphQL]
A2 --> E[EverShop<br/>GPLv3 / Express + React]
A1 -.discontinued.-> R[Reaction / Open Commerce]
If the premise is “we want to own the heart of the product entirely in OSS” and “we want to keep authoring our own data model and business logic for years”, the TypeScript-native field really is this narrow today. The rest of the post walks through the three in order.
The Three at a Glance
| Project | Core language | API | ORM / DB | License | GitHub Stars (approx.) | Latest major |
|---|---|---|---|---|---|---|
| Medusa v2 | TypeScript / Node.js | REST + JS SDK (internally query.graph()) | MikroORM / PostgreSQL | MIT | 30,000+ | v2.0 GA on 2024-10-23, then near-monthly v2.x |
| Vendure v3 | TypeScript / NestJS | GraphQL (Shop / Admin) | TypeORM / PostgreSQL, MySQL, MariaDB, SQLite | GPLv3 | ~8,000 | v3.6 line (late 2025), continuing patches |
| EverShop | TypeScript / Express | REST + GraphQL | Custom + PostgreSQL | GPLv3 | ~10,000 | 2026-04-03 release, TypeScript 5.8.3 |
Numbers are early-2026 approximations and move month over month. The shape that matters: Medusa has the biggest momentum plus API-first flexibility, Vendure leads on type safety and enterprise rigor, and EverShop is the small lightweight integrated option.
Medusa v2 — A “Commerce OS” Rebuilt Around Decoupled Modules
Medusa, out of Copenhagen, has grown quickly as an OSS alternative to Shopify. It shipped v2.0 GA on October 23, 2024 as a full rewrite. The architectural core is the Decoupled Module Architecture: 17 commerce modules (Cart, Inventory, Payment, Product, Promotion, Region, Translation, and so on) sit on zero database dependencies between each other, and Link Modules plus a Remote Joiner stitch them together logically.
Concrete features worth highlighting:
- The Workflows SDK orchestrates multi-step flows with retries and compensating transactions (saga pattern within a single application)
- REST + JS SDK as the primary API;
@medusajs/js-sdklets clients call into the platform type-safely - The admin dashboard is
@medusajs/dashboard, a Vite-based app with HMR and dark mode - Validation via Zod (v2.14 introduced a breaking move to Zod v4); ORM is MikroORM
- Production infrastructure expects PostgreSQL + Redis, and the official guidance is to split server and worker
The license is MIT. Commercial embedding, SaaS hosting, and keeping derivative work closed are all permitted, which makes the legal review the lightest of the three. That alone is enough to put Medusa at the top of many agency and consultancy shortlists.
Where Medusa Hurts
Medusa is not very serverless-friendly out of the box; the architecture assumes long-lived workers. Redis is required, the Workflows queue adds operational surface area, and the runtime is heavier than something like a single-process emulator. There are growing community plugins for payment and shipping providers, but for region-specific payment processors without a first-party plugin, building a custom payment provider is the realistic path.
Vendure v3 — Riding NestJS and GraphQL Into Enterprise Territory
Vendure, founded in the UK and now stewarded by Elevantiq, is built on NestJS + GraphQL + TypeORM. Where Medusa picks “REST simplicity and agility”, Vendure picks type safety and the discipline that comes from dependency injection.
The relevant pieces:
- API is GraphQL only (Shop API + Admin API), with schema-first development as a strong house style
- The ORM is TypeORM, and Vendure supports PostgreSQL / MySQL / MariaDB / SQLite (a rare multi-DB profile among TypeScript commerce platforms)
- The plugin system extends NestJS modules directly, so third-party NestJS libraries drop in without ceremony
- In 2025 the dashboard was fully rewritten on React + TanStack + shadcn/ui
- Multi-channel, multi-currency, multi-language, multi-tax-zone, and RBAC are standard, with continuing enhancements like Asset translation and ProductOption sharing across products and channels
- An official Next.js storefront is on the public roadmap, with delivery underway; Remix / Qwik / Angular starters already exist
The license moved from MIT to GPLv3 during the 2.x line. SaaS-only deployments (the ASP boundary) typically do not trigger source disclosure, but distributing a modified core does propagate the copyleft. For organizations that want to avoid those constraints, the paid Vendure Commercial License (VCL) and the Vendure Platform (LTS / SLA tier) are positioned for exactly that situation.
Deployments Worth Looking At
Project Marlin inside IBM replaced a legacy stack with Vendure and reduced change lead time from weeks to hours. Hungary-based Munch runs a marketplace doing about 10,000 transactions/day and 350,000 monthly active users on Vendure, which sets a useful proof point that the same platform scales from startup to enterprise.
In 2025 Vendure shipped 5 minors (v3.2 through v3.6), 20+ patches, merged ~400 PRs, and added ~62 new contributors. The recent SQL Injection vulnerability against the languageCode query (via PostgreSQL tsquery) was disclosed responsibly and patched across v3.6 and several older lines; in other words, the monthly-update discipline that applies to Medusa also applies here.
EverShop — A TypeScript / Express / React Integrated Stack
EverShop is an OSS e-commerce platform built on TypeScript + Express + React + GraphQL + PostgreSQL, with a comparatively legible integrated architecture. The repository is at evershopcommerce/evershop, licensed under GPL-3.0, and the codebase runs on TypeScript 5.8.3.
Design highlights:
- Products, categories, collections, inventory display, cart / checkout, payment integrations, order management, themes, extensions, marketplace features, and the translation system are all covered in the core
- Provides both REST and GraphQL APIs; the frontend uses React + Tailwind CSS + Webpack
- Official deployment guides exist for major environments such as AWS; the documented minimum is Node.js 20+ / PostgreSQL 13+ / 2 cores / 2 GiB RAM / 10 GB disk
- The official docs cover Installation, REST/GraphQL API, Theme, Extension, Translation, and Deployment
Unlike Medusa and Vendure, EverShop ships the storefront, admin UI, and API in the same project. By skipping the “headless engine + separate storefront” split, it is the fastest of the three to stand up, and a good fit when a self-hosted D2C team needs to “just get something running” quickly.
The trade-off is that first-party documentation for multi-currency, large-scale multi-channel, and complex B2B is thinner than Vendure’s, and there is nothing equivalent to Medusa’s Workflows SDK or Module Isolation for deep customization. The ecosystem is also smaller than Medusa’s or Vendure’s, and as of May 2026 there is no clearly visible SECURITY.md in the public repository. For projects where future complexity is anticipated, mapping the depth carefully during a PoC is essential.
The GPL-3.0 license has the same considerations as Vendure: SaaS-only operation generally does not trigger disclosure obligations, but distribution of a modified core propagates copyleft. Map the legal review into the project plan up front.
License Is the First Filter
Before any technical comparison, license tends to decide whether a candidate even reaches the shortlist.
| License | Candidates | Implications for embedding / SaaS |
|---|---|---|
| MIT | Medusa | Closed-source derivatives are fine; legal review is the lightest |
| GPLv3 | Vendure, EverShop | Copyleft propagates on distribution of a modified core; SaaS-only typically does not trigger disclosure |
The classic edge case is running GPLv3 Vendure or EverShop inside a SaaS: whether that counts as “distribution” is the legal question. Map out the deployment shape (multi-tenant SaaS, single-tenant SaaS, on-prem delivery), the fork modification policy, and whether the commercial license is acceptable, before you pick a platform. That keeps the post-selection rework small.
Architecture and Extensibility Differ More Than the Marketing Suggests
All three claim “modular” or “extensible”, but the granularity and extension model differ meaningfully.
| Dimension | Medusa v2 | Vendure v3 | EverShop |
|---|---|---|---|
| Modularity | 17 modules with zero DB dependency; modules can run standalone | Traditional modular monolith via NestJS Plugin / Module | Integrated stack; Extensions provide the customization surface |
| Extension points | Modules / Workflows / Plugins / UI Widgets / API Routes | NestJS Plugin / Interceptor / Custom Field / Strategy Pattern | Extension / Theme / Translation |
| Event-driven primitive | Workflows SDK (retries and rollback) | OrderInterceptor API and other fine-grained hooks | Core-level extension surface is limited |
| i18n / multi-currency | Standard via Region / Currency / Translation Module (Translation is Beta) | Standard, including multi-tax-zone and Asset translation | Translation system exists; multi-currency needs additional validation |
| Serverless affinity | Low (long-lived workers expected) | Low (NestJS-shaped runtime) | Low (monolithic shape) |
If you want to own the very heart of the product, Medusa’s zero-DB-dependency module isolation is appealing. If you want to author type-safe, idiosyncratic business logic for years, Vendure’s DI and plugin system pays back. If you want to stand up a small team’s commerce quickly and operate it as a single deployable unit, EverShop’s integrated layout is the fastest to first revenue.
The Frontend Has Converged on Next.js App Router + RSC + PPR
The frontend story across the three has effectively converged.
- Medusa Next.js Starter: already on Next.js App Router, oriented toward stable production use; v2 launched alongside 5 new starters including a B2B template
- Vendure: official starters in Remix / Qwik / Angular today, with a Vendure-authored official Next.js storefront in the works
- EverShop: either use the bundled React + Tailwind storefront, or go headless by talking to the REST/GraphQL APIs from a separate Next.js project
In other words, Next.js App Router + React Server Components + Server Actions + Cache Components (Partial Prerendering) is the de facto industry baseline; Medusa is already there, and Vendure is converging shortly. Next.js 16’s stable Adapter API v16.2 also raises portability to Cloudflare, Netlify, and similar platforms outside Vercel.
AI / Agentic Commerce Is Becoming a Real Differentiator
The new axis showing up in 2026 selection criteria is Agentic Commerce: AI agents that compare products, validate stock, pick a payment method, and check out on behalf of a user. The OSS leaders have moved in step.
- Medusa positions itself as “Open-Source Commerce Platform for Agents and Developers”, and provides an MCP server, Development Agent, Cloud CLI, and Bloom assistant. AI-driven schema updates and data generation are easy to wire in
- Vendure leans on its strict GraphQL type system as the foundation for reliable AI agent calls. There is no dedicated Agentic feature set in core today, but the schema-first design plus the OrderInterceptor API give agents well-defined extension points
- EverShop does not have Agentic-specific features yet; integration is via the standard REST / GraphQL surfaces
API design (rigorous structure, machine readability, explicit state transitions) for agents is becoming part of the selection criteria. Today, Medusa is the most ready foundation for an Agentic Commerce roadmap.
What the Reaction Commerce Discontinuation Teaches
Reaction Commerce (later Mailchimp Open Commerce) is the cautionary tale that comes up in every OSS commerce discussion. The repository description now reads “Project has been discontinued”, and the satellite repositories have been frozen.
The failure factors are essentially three.
- It leaned hard on Meteor and MongoDB (modern at the time, off the main road later) and never quite caught up to the TypeScript / PostgreSQL ecosystem
- After Mailchimp acquired it in 2020 and rebranded it to Open Commerce, the parent company’s priorities shifted and active development was effectively frozen
- Medusa / Vendure and other newer projects moved into the gap with current practices (PostgreSQL, NestJS, GraphQL) and absorbed the developer attention
The practical lesson is to treat license, parent organization, funding posture, community size, and release cadence as first-class selection KPIs that get re-evaluated continuously, and to favor candidates where “vendor dependency” is low and “the underlying tech is close to the industry standard”. Medusa’s MIT license and Vendure’s NestJS foundation both raise the probability that “even if the steward changes, the community or another company can keep it alive”. EverShop lags Medusa and Vendure on team size and community depth, so a PoC that explicitly considers bus factor is wise.
Picking by Use Case
Here is the decision flow that comes out of the comparison.
flowchart TD
A[Requirements gathering] --> B{Is MIT required?}
B -- MIT required --> M1[Medusa v2]
B -- GPLv3 OK --> C{Enterprise needs<br/>B2B / multi-channel /<br/>strict typing?}
C -- Yes --> V[Vendure v3]
C -- No --> D{Fastest integrated launch?}
D -- Yes --> E[EverShop]
D -- No --> M2[Medusa v2]
A walk through the branches by use case.
A DTC Brand or Startup Optimizing for Speed and Optionality
Medusa v2 is the first pick. MIT licensing keeps the legal posture loose; the v2 Workflows SDK keeps complex orchestration safe; Decoupled Module Architecture supports incremental adoption; and the community momentum keeps pace high. Medusa Cloud (from $29/month with no GMV-linked fees) provides a managed path if you want one.
An Enterprise Targeting Quality, Discipline, and Long-Term Maintainability
Vendure v3 fits best. NestJS’s rigorous architecture, GraphQL with strict types, TypeORM’s multi-DB support, and proven scalability (IBM’s Project Marlin among others) all keep technical debt manageable across multi-year operation. If GPLv3 is not acceptable for the org, the Vendure Commercial License (VCL) and Vendure Platform put SLAs and enterprise features (SSO, audit logs) behind a paid tier, which is a sensible setup for a serious enterprise context.
Building Toward AI / Agentic Commerce
Medusa. It ships an MCP server, Development Agent, and Cloud CLI, which makes it the most ready foundation today for an Agentic Commerce roadmap. Vendure is evolving in the strict-GraphQL-types direction, but its dedicated Agentic feature set is still narrower.
Standing Up a Lightweight, Integrated D2C Quickly
EverShop. With TypeScript / Express / React / GraphQL / PostgreSQL and bundled products, orders, checkout, payments, themes, extensions, and translations, it gets a self-hosted D2C running quickly. Multi-currency and complex B2B documentation are thinner than Vendure’s, so confirm the depth via a PoC if you expect those requirements to grow.
Considering Reaction Commerce for a New Project
Do not adopt it. For existing installations, plan a migration to Medusa / Vendure / EverShop as a project of its own.
Pre-Adoption Checklist
Before a PoC or production decision, this is the minimum to cover.
- License compatibility: MIT required, or is GPLv3 acceptable? The weight changes for each delivery model (in-house product, agency build, OEM, SaaS embedding)
- Internationalization needs: multi-language, multi-currency, multi-warehouse, tax variance. Vendure leads on documentation depth; Medusa has Region / Currency / Translation Module (Translation is Beta)
- Order / inventory / payment complexity: heavy OMS or proprietary flows favor Medusa or Vendure; standard D2C may start fastest on EverShop
- Infrastructure responsibilities: Medusa expects PostgreSQL + Redis + worker separation; Vendure starts small and horizontally scales; EverShop runs as a single deployable on PostgreSQL
- Security operations: incident reporting channel, supported-version policy, production hardening, env / secrets management. EverShop’s public repository does not have a clearly visible SECURITY.md, so cover that gap with internal operational rules
- Load-test plan: official guidance favors server / worker separation and horizontal scaling; build the performance plan into the PoC, not after
- Exit strategy: will you converge to SaaS, run OSS long-term, or keep front and back separate? Decide that up front
Wrap-Up
The 2024–2026 stretch is when TypeScript-native OSS commerce found its place inside composable commerce, and with formerly serious candidates like Reaction Commerce going dark, treating project longevity (license, parent organization, funding, community size, release cadence) as a first-class technical KPI that gets re-evaluated continuously is more important than ever.
For startup and mid-market JS / TS teams, Medusa v2 is the natural first pick. For type-safe complex B2B with a legal team that can sign off on GPLv3, Vendure v3 is the durable choice. For a lightweight, integrated stack that goes live quickly, EverShop fits. On the frontend, Next.js App Router + React Server Components + Server Actions + Cache Components (PPR) is now the de facto baseline, and each backend either ships, is shipping, or will ship a storefront that lines up with it. The next axis of differentiation is Agentic Commerce readiness, with MCP integration, structured APIs, and agent-targeted skill bundles becoming part of the comparison.
That’s the 2026 map of TypeScript-native OSS e-commerce platforms. From the gemba.