v3.18.0 (retail-react-app@10.0.0 and commerce-sdk-react@5.2.0)
PWA Kit 3.18 ships a security hardening release for the SLAS private-client proxy alongside two opt-in observability/storage features (HttpOnly session cookies, MRT Data Store), a memory-leak fix for warm Lambda invocations, and assorted Express Checkout, cookie-domain, and template polish.
Highlights
- 🔒 SLAS Proxy Security Hardening — The SLAS private-client proxy now enforces a path-and-method allow-list with iterative path normalization. The legacy `applySLASPrivateClientToEndpoints` option is replaced by `slasPrivateClientAllowList`, with additional logging and error handling for SLAS error scenarios. (#3802, #3812, #3750)
- 🍪 HttpOnly Session Cookies (WIP, opt-in) — Opt-in support for HttpOnly session cookies to protect SLAS tokens. Disabled by default; enable via `enableHttpOnlySessionCookies` in `ssrParameters`. (#3804, #3816)
- 💾 MRT Data Store Integration — Opt-in support for resolving custom site and global preferences from the MRT Data Store during SSR. New `getCustomSitePreferences` / `getCustomGlobalPreferences` helpers; local in-memory provider via `@salesforce/mrt-utilities` conditional exports for dev without DynamoDB. (#3787, #3811)
- 🚀 SSR QueryClient Memory Fix — Fixes SSR QueryClient memory retention across warm Lambda invocations, reducing memory pressure in production. (#3795)
- 🍪 Configurable Auth Cookie Domain — Auth-related cookies domain can now be set via config to support shared-session scenarios across subdomains. (#3782, #3822)
- 💳 Express Checkout Per-Page Toggles + return_url — Per-page express checkout toggles (`expressOnCheckoutPagesEnabled`) from Shopper Configurations API control express payment buttons on PDP, minicart, cart, and checkout individually. Added `return_url` for express checkout payment confirmation, required by redirect-based payment methods like Amazon Pay. (#3775, #3803)
- 🌐 Proxy User-Agent Preservation Flag — New option to preserve the original User Agent header in proxy requests. (#3798)
- 🎨 Alert Styling Fix — Fixed alert description text styling on subscribe form to not override default alert styles. (#3780)
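A path-and-method allow-list applied after iterative path normalization, as an added JavaScript sketch of the idea behind the SLAS proxy hardening above; it is not PWA Kit's code. The rule shape, `normalizePath`, `isAllowed`, the pass limit and the sample SLAS-style paths are assumptions made for illustration and do not describe the `slasPrivateClientAllowList` format.

```javascript
// Added illustration, not PWA Kit source. Rule shape and names are assumptions.
const MAX_PASSES = 5 // constructed bound on decode rounds

// Resolve "." and ".." segments; null when the path climbs above the root.
function resolveDots(path) {
    const out = []
    for (const seg of path.split('/')) {
        if (seg === '' || seg === '.') continue // also collapses "//"
        if (seg === '..') {
            if (out.length === 0) return null
            out.pop()
        } else {
            out.push(seg)
        }
    }
    return '/' + out.join('/')
}

// Decode and resolve until the path stops changing, so nested encodings such
// as %252e%252e cannot hide dot segments from the allow-list match.
function normalizePath(rawPath) {
    let path = rawPath
    for (let i = 0; i < MAX_PASSES; i++) {
        let decoded
        try {
            decoded = decodeURIComponent(path)
        } catch (e) {
            return null // malformed percent-encoding: fail closed
        }
        const resolved = resolveDots(decoded.replace(/\\/g, '/'))
        if (resolved === null) return null
        if (resolved === path) return resolved // fixed point reached
        path = resolved
    }
    return null // still changing after MAX_PASSES: fail closed
}

// Constructed rule: only POST to the token endpoint of any organization.
const ALLOW_LIST = [
    {method: 'POST', path: /^\/shopper\/auth\/v1\/organizations\/[^/]+\/oauth2\/token$/}
]

// Deny by default; both the method and the normalized path must match a rule.
function isAllowed(method, rawPath, allowList = ALLOW_LIST) {
    const path = normalizePath(rawPath)
    if (path === null) return false
    const verb = String(method).toUpperCase()
    return allowList.some((rule) => rule.method === verb && rule.path.test(path))
}
```

A single decode pass would leave `%2e%2e` in a double-encoded path and compare the wrong string against the rules; looping to a fixed point and failing closed on anything that does not settle removes that gap.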
Package Changes
@salesforce/pwa-kit-runtime@3.18.0
- Add option to keep original User Agent header in proxy requests #3798
- WIP: Add support for HttpOnly session cookies #3804
- Data Store Simplified: Removed internal provider pattern and dynamic loading. Now imports data store directly from `@salesforce/mrt-utilities@0.1.6+` via conditional exports (dev-data-store). Local data store uses `MRT_DATA_STORE_DEFAULTS` and `MRT_DATA_STORE_WARN_ON_MISSING` (legacy `PWAKIT_MRT_DATA_STORE_ENABLED` still supported). #3811
- Add `isMrtDataStoreEnabled(config)` opt-in gate for SSR Data Store bootstrap. Controlled by `app.mrtDataStore.enabled` or `PWAKIT_MRT_DATA_STORE_ENABLED`. #3787
- Add `getCustomGlobalPreferences` / `getCustomSitePreferences` helpers (server async fetch, client reads `window.__MRT_DATA_STORE__`). #3787
- The SLAS private-client proxy now enforces a path-and-method allow-list with iterative path normalization. The legacy `applySLASPrivateClientToEndpoints` option is replaced by `slasPrivateClientAllowList`. #3802
- Add additional logging and error handling for SLAS error scenarios. #3750
- Refactor: Extract reusable SLAS proxy helpers. #3812
- Fix SSR QueryClient memory retention across warm Lambda invocations. #3795
@salesforce/pwa-kit-react-sdk@3.18.0
- Update `@salesforce/pwa-kit-runtime` dependency for the simplified data store implementation. #3811
- Add configuration flag `enableHttpOnlySessionCookies` to `ssrParameters` (WIP, disabled by default). #3804
- Serialize custom site and global preferences into `#mobify-data` under `__MRT_DATA_STORE__` during SSR when enabled. #3787
- Fix SSR QueryClient memory retention across warm Lambda invocations. #3795
@salesforce/pwa-kit-dev@3.18.0
- Add option to keep original User Agent header in proxy requests. #3798
- WIP: Add support for HttpOnly session cookies. #3804
- Removed `mrt-data-store-local-provider.js` and related code; local data store now lives in `@salesforce/mrt-utilities@0.1.6+`. #3811
- Webpack: added `dev-data-store` to `conditionNames` in development mode. #3811
@salesforce/pwa-kit-create-app@3.18.0
- Add opt-in `app.mrtDataStore.enabled` to generated `config/default.js` templates (default `false`); local defaults documented via `MRT_DATA_STORE_DEFAULTS`. #3787 #3811 #3823
- Allow auth related cookies domain to be set via config. #3782
- Update generated `app/ssr.js` guidance for the SLAS private-client proxy: replace deprecated `applySLASPrivateClientToEndpoints` example with a pointer to `slasPrivateClientAllowList`. #3802
- WIP: Add support for HttpOnly session cookies. #3804
- Add Node 24 support to the extensible app template's generated `package.json`. #3821
@salesforce/commerce-sdk-react@5.2.0
- Allow auth related cookies domain to be set via config. #3782
- WIP: Add support for HttpOnly session cookies. #3804
- Re-add `cookieDomain` parameter to the `Auth` constructor; previously dropped during a merge. #3822
@salesforce/retail-react-app@10.0.0
⚠️ Breaking changes
- Major bump from `9.x` → `10.0.0` due to component-override breaking changes (express checkout hooks, alert styling, per-page checkout logic). #3818
Features
- Add opt-in `app.mrtDataStore.enabled` to `config/default.js`. Local defaults via `MRT_DATA_STORE_DEFAULTS`. #3787
- Allow auth related cookies domain to be set via config. #3782
- WIP: Add support for HttpOnly session cookies. #3804
Bug fixes
- Fix per-page Express Checkout toggles using `expressOnCheckoutPagesEnabled` from Shopper Configurations API. #3775
- Add `return_url` for Express Checkout payment confirmation, required by redirect-based payment methods like Amazon Pay. #3803
- Fix alert description text styling on subscribe form to not override default alert styles. #3780
Documentation
- Update MRT Data Store config comments and README to use the unprefixed env vars actually consumed by `@salesforce/mrt-utilities`. #3811 #3823
- Update `app/ssr.js` SLAS private-client proxy guidance: pointer to `slasPrivateClientAllowList`. #3802
Full Changelog: v3.17.1...v3.18.0