Merge pull request from GHSA-h3fg-h5v3-vf8m

Protect `Spree::OrdersController#populate` against CSRF attacks

frontend/app/controllers/spree/orders_controller.rb

@@ -10,7 +10,6 @@ class OrdersController < Spree::StoreController
     before_action :assign_order, only: :update
     # note: do not lock the #edit action because that's where we redirect when we fail to acquire a lock
     around_action :lock_order, only: :update
-    skip_before_action :verify_authenticity_token, only: [:populate]
 
     def show
       @order = Spree::Order.find_by!(number: params[:id])