Skip to content

@bigcommerce/catalyst-core@1.8.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 26 Jun 13:39
@bigcommerce/catalyst-core@1.8.0
81b88df
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Minor Changes

  • #3024 3cec674 Thanks @mfaris9! - Honor the merchant's Tax Display setting (Inc., Ex., or Both) from the BigCommerce control panel across PDP, PLP, search, compare, and home. When set to Both, prices render stacked with (Inc. Tax) and (Ex. Tax) labels, including sale strike-throughs per line.

    Migration

    For forks that can't rebase cleanly: pricing was refactored end-to-end to support inc/ex tax variants and a Both mode (PricingFragment, pricesTransformer, Price types, page-data settings queries, analytics helpers). See PR #3024 for the full diff.

  • #3015 15e365a Thanks @mfaris9! - Consume merchant-configured per-locale URL subfolders from the BigCommerce Storefront GraphQL API (Locale.path). The locale that sits at the bare root URL (/) is derived from the CP configuration: if the default locale has no path, it sits at root; otherwise, if exactly one non-default locale has no path, that one sits at root; otherwise every locale gets a prefix. Locales with a path use it; locales without a path fall back to their locale code.

Patch Changes

  • #3031 874e332 Thanks @Tharaae! - Display backorder information for variants on PDP.

  • #3033 8bc379d Thanks @jorgemoya! - Fix broken images in WYSIWYG content (web pages, blog posts, product description and warranty). Images uploaded through the Control Panel editor are stored as store-root-relative WebDAV paths (/content/... and /product_images/...) that 404 on the headless storefront domain; they are now rewritten to absolute BigCommerce CDN URLs.

  • #3056 2c99731 Thanks @jorgemoya! - Add a catalyst field to core/package.json (catalyst.version and catalyst.ref) that tracks the true Catalyst version independently of the top-level version, which merchants may repurpose for their own deploy tagging. The backend user-agent now reports catalyst.version (falling back to version for projects created before the field existed), and the release pipeline keeps the field in sync on each version bump.

  • #3035 b4215f0 Thanks @jorgemoya! - Scope the consent manager cookie (c15t-consent) to the current host instead of the top-level domain. Previously crossSubdomain: true caused the cookie to be set on the root domain (e.g. .example.com) for stores running on a sub-domain, so it appeared on both the root domain and the sub-domain. Removing it makes the cookie host-only, so it now exists only on the sub-domain the store runs on.

  • #3046 5034ea3 Thanks @chanceaclark! - Gate catalyst.visitorId, catalyst.visitId, and currencyCode cookies behind shopper consent. The visitor and visit cookies now require measurement consent and the currency preference cookie requires functionality consent. When consent is absent, existing analytics cookies are deleted on the next request. When measurement consent is granted mid-session, a new startVisit server action sets the cookies and fires the server-side visitStartedEvent immediately rather than waiting for the next full-page navigation.

  • #3047 1ab2c82 Thanks @chanceaclark! - Make authjs.session-token and authjs.anonymous-session-token browser-session cookies (no Expires attribute) to satisfy Essential cookie classification requirements.

    What changed

    Anonymous session token: anonymousSignIn no longer sets maxAge on the cookie. Without it, Next.js omits Max-Age/Expires and the cookie becomes a session cookie that the browser drops when it closes.

    Auth session token: Auth.js v5 unconditionally writes Expires on the session token cookie and provides no config option to suppress it. Two post-processing steps strip the attribute:

    • proxies/with-auth.ts — strips Expires from Set-Cookie response headers on every page request.
    • auth/index.ts — wraps signIn and updateSession to re-set the cookie via cookies().set() without Expires immediately after Auth.js writes it, covering the sign-in and session-update paths that middleware cannot reach.

    Max-Age=0 (used by Auth.js for cookie deletion on sign-out) is intentionally left intact.

    Migration

    If you have a custom maxAge on anonymousSignIn: The default 7-day maxAge has been removed. If your app relies on anonymous sessions persisting across browser restarts, add it back in your own anonymousSignIn call:

    cookieJar.set(anonymousCookieName, jwt, {
  httpOnly: true,
  sameSite: 'lax',
  secure: useSecureCookies,
  maxAge: 60 * 60 * 24 * 7, // restore 7-day persistence if needed
});

    If you already have your own Expires-stripping workaround: Remove it. The middleware regex in with-auth.ts and the patchSessionTokenCookies wrapper in auth/index.ts now handle this centrally. Leaving both in place will cause redundant cookie writes.

    If you import signIn or updateSession directly from auth/index.ts: No change needed — the signatures are identical. The exports are now thin async wrappers that call the Auth.js originals and then patch any session token cookies written during the call.

  • #3058 94c503e Thanks @bc-svc-local! - Update translations.

  • #3048 226f2f3 Thanks @bc-svc-local! - Update translations.

Assets 2
Loading