DEVDOCS-6653 - Catalyst 1.3.5 Release Notes

docs/storefront/catalyst/release-notes/1-3-5.mdx

@@ -0,0 +1,114 @@
+# Catalyst version 1.3.5 Release Notes
+
+This Catalyst v1.3.5 release addresses a **critical security vulnerability ([CVE-2025-55182](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components))** that affects React Server Components.
+
+## Key Changes
+
+- **Next.js 15.5.7**: Upgraded from Next.js 15.5.1-canary.4 to 15.5.7 (no more canary)
+- **React 19**: Upgraded to React 19.1.2 and React DOM 19.1.2
+- **Partial Prerendering (PPR) Removed**: Removed partial prerendering as it's unsupported in non-canary versions of Next.js 15.
+
+## Next.js 15.5.7 Upgrade
+
+Catalyst has been upgraded to Next.js 15.5.7. This upgrade moves from the canary release to the stable release and requires [migration steps](#migration-guide) for existing stores to fix a security vulnerability.
+
+## Critical Security Update
+
+**This upgrade addresses a critical security vulnerability ([CVE-2025-55182](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components))** that affects React Server Components. The vulnerability allowed unauthenticated remote code execution on servers running React Server Components. This upgrade includes:
+
+- Next.js 15.5.7 with the security patch
+- React 19.1.2 and React DOM 19.1.2 with the security patch
+
+<Callout type='warning'>
+	All users are strongly encouraged to upgrade immediately.
+</Callout>
+
+## Partial Prerendering (PPR) Removed
+
+<Callout type='warning'>
+	**Important**: PPR (Partial Prerendering) has been **removed** in this
+	release. PPR was only available in the Next.js 15.5.1-canary.4 release and is
+	not supported in the stable 15.5.7 release.
+</Callout>
+
+- The `ppr` experimental flag has been removed from `next.config.ts`
+- This may result in different performance characteristics compared to the Next.js 15.5.1-canary.4 + PPR setup
+
+## Migration Guide
+
+### Step 1: Update Dependencies
+
+If you're maintaining a custom Catalyst store, update your `package.json`:
+
+```json
+{
+	"dependencies": {
+		"next": "15.5.7",
+		"react": "^19.1.2",
+		"react-dom": "^19.1.2"
+	},
+	"devDependencies": {
+		"@next/bundle-analyzer": "15.5.7",
+		"eslint-config-next": "15.5.7"
+	}
+}
+```
+
+Then run:
+
+```bash
+pnpm install
+```
+
+<Callout type='info'>
+	**Note**: `next` will automatically update your `tsconfig.json` file.
+</Callout>
+
+### Step 2: Update next.config.ts
+
+Remove or comment out PPR configuration:
+
+```typescript
+// Remove or disable:
+// experimental: {
+//   ppr: 'incremental',
+// }
+```
+
+Remove or comment out eslint config
+
+```typescript
+// eslint: {
+//     ignoreDuringBuilds: !!process.env.CI,
+//     dirs: [
+//     'app',
+//     'auth',
+//     'build-config',
+//     'client',
+//     'components',
+//     'data-transformers',
+//     'i18n',
+//     'lib',
+//     'middlewares',
+//     'scripts',
+//     'tests',
+//     'vibes',
+//     ],
+// },
+```
+
+### Step 3: Remove `experimental_ppr` flag
+
+Remove all `export const experimental_ppr` declarations from your codebase, regardless of whether they are set to `true` or `false`.
+
+## Getting Started
+
+We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:
+
+- [**@bigcommerce/catalyst-core@1.3.5**](https://github.com/bigcommerce/catalyst/releases/tag/%40bigcommerce%2Fcatalyst-core%401.3.5)
+- [**@bigcommerce/catalyst-makeswift@1.3.6**](https://github.com/bigcommerce/catalyst/releases/tag/%40bigcommerce%2Fcatalyst-makeswift%401.3.6)
+
+And as always, you can pull the latest stable release with these tags:
+
+- [**@bigcommerce/catalyst-core@latest**](https://github.com/bigcommerce/catalyst/releases/tag/%40bigcommerce%2Fcatalyst-core%40latest)
+- [**@bigcommerce/catalyst-makeswift@latest**](https://github.com/bigcommerce/catalyst/releases/tag/%40bigcommerce%2Fcatalyst-makeswift%40latest)