We’re updating Storefront GraphQL authentication to better align token types with how they’re used in modern headless/server-rendered storefronts.

If you use Storefront tokens for server-side Storefront GraphQL calls (SSR, middleware, proxies, or any backend service), you need to migrate to private tokens.

• Storefront tokens created after June 30, 2026 will not support server-to-server requests

• Storefront tokens created on or before June 30, 2026 will continue supporting server-to-server requests until March 31, 2027

Storefront tokens used for browser-based storefronts with allowed_cors_origins are unaffected.

You can check out more in the relevant documentation here.

The Cornerstone 6.19.0 release introduces improvements to cart messaging and shipping price display, enhances localization support, and includes multiple bug fixes to improve storefront stability and user experience.

This release also includes the new feature - Language Selector component, which is fully implemented and will be enabled soon as part of the multi-language rollout.

Major Updates

Cart & Checkout Improvements

• Added messaging on the cart page to clearly indicate when the maximum discount limit has been reached

• Introduced strikethrough styling for discounted shipping methods to improve visibility of savings

Localization & Language Enhancements

• Improved Language Selector to use real storefront data instead of static configuration

• Language names are now displayed in their native format (e.g., “English”, “Français”)

• Added backend-based translations for account edit form fields to improve localization coverage

Bug Fixes & Improvements

Cart & Product Page

• Fixed an issue where Add to Cart and quantity controls could be disabled when product data was not fully loaded

• Resolved duplicate “Out of Stock” messages overlapping Add to Cart button on product pages

Stability & Error Handling

• Improved initialization logic to prevent errors during storefront load

• Fixed edge cases where missing data could cause crashes in cart edit modal

• Added safeguards to prevent secondary errors masking the original issue

Media & Browser Compatibility

• Fixed YouTube video playback issues in Safari by ensuring proper request parameters are applied

The Cornerstone 6.18.2 release introduces enhanced cart and checkout functionality with improved multi-coupon support, fixes critical address validation issues for international customers, and includes accessibility improvements.

Major Updates

Enhanced Coupon Management

• New dedicated coupon management section on the cart page

• Separate display of promotions, manual discounts, and coupon codes

• Improved visual organization with coupon codes shown under line items

• Added discount details section with expandable view of all applied discounts

• Total savings displayed prominently at checkout

Dynamic Address Validation

• Postal code and state fields now validate dynamically based on country requirements

• Fixed validation errors when changing countries during checkout

• Proper handling of optional vs required state fields by country

• Improved support for international address formats

Bug Fixes & Improvements

Cart and Checkout

• Fixed cart page not refreshing when products added via Quick View

• Resolved state/zip validation errors on country change

• Fixed issues with optional state dropdown visibility

Accessibility

• Fixed keyboard navigation on product swatch options

• Arrow key navigation now works correctly for radio button groups

• Improved screen reader support for dynamic form validation

Form Validation

• Enhanced validation system to check country-specific requirements

• State and postal code fields update validation rules dynamically

• Improved validator status checks throughout forms

• Applied consistent validation behavior across account, payment, and shipping forms

UI Components

• Added new SVG icons for gifts and promotions

• Refactored discount display with collapsible sections

• Separated actionable links from price calculations for clarity

We are excited to announce the release of Catalyst v1.4, which brings new features including:

• Product reviews

• Newsletter subscriptions

• Store-aware inventory messaging

• OpenTelemetry observability

Catalyst v1.4 also includes updates to consent management as well as a bug fix for displaying product level discounts.

For full details, refer to the 1.4 release notes.

This update includes improvements across our core APIs, integrations, B2B tooling, and Catalyst storefront experience. On the API side, we’ve improved catalog accuracy, expanded translation support for product filters and options via GraphQL, clarified tax rounding strategies, and updated Store Information docs to the v3 endpoint. For integrations, we’ve added clearer guidance on generating secure JWT tokens and navigating the app submission review process. B2B developers get new Storefront GraphQL docs, clearer behavior for the B2B Orders API and order migration, plus new Buyer Portal setup guides. And for Catalyst, we’ve introduced a deployment overview and a new beta experience for syncing products to Makeswift and surfacing them as routes.

API

• Add POST to price list records

  Introduced faster, batch-capable record creation in Price List API docs

• Updated product option value parameters in catalog API

  Improved product options API docs for accuracy

• Add rounding strategy to tax settings

  Added rounding strategy option for tax providers

• Updated App Extention Documentation

  Added  missing product_description model

• Store Information v3 updated spec

  Update store information metafields documentation to use v3 API endpoint

• Product Filter Translations

  Product filters are now able to be translated with the GraphQL Admin API

• Product Option Translations

  GraphQL Translations API now supports Product Options

Integrations

• Added clarification for creating JWT Token

  Documented how to generate secure JWT tokens for integrations

• App Submission Review Process

  Adding additional details of the app review submission process

B2B

• GraphQL Storefront API - Overview

  Added documentation for B2B Storefront GraphQL API

• B2B Orders API

  This update discloses the default filtering behaviour of the B2B "Get All Orders" API, which returns only the last year of orders if no filter parameters are provided

• Prevent Order Migration

  The Create a Company User S2S endpoint information now indicates what happens to existing orders from previous B2C customers converted to B2B Company users

• Buyer Portal Guides

  We've created new guides for setting up Buyer Portal covering native Stencil, Headless, and Catalyst deployment with the default build when possible and custom Buyer Portal in any case

Catalyst

• Catalyst Deployment Overview

  Added a deployment overview doc for a catalyst storefront

• OCC Updated with Product Syncing to Makeswift

  Now in beta, you can sync your products to your Makeswift Site and view them as routes in your Makeswift Pages Tab

• Add POST to price list records:

  Introduced faster, batch-capable record creation in Price List API docs

• Updated product option value parameters in catalog API

  Improved product options API docs for accuracy

• Add rounding strategy to tax settings

  Added rounding strategy option for tax providers

• Updated App Extention Documentation

  Added  missing product_description model

• Store Information v3 updated spec

  Update store information metafields documentation to use v3 API endpoint

• Product Filter Translations

  Product filters are now able to be translated with the GraphQL Admin API

• Product Option Translations

  GraphQL Translations API now supports Product Options

Integrations

• Added clarification for creating JWT Token

  Documented how to generate secure JWT tokens for integrations

• App Submission Review Process

  Added additional details of the app review submission process

B2B

• GraphQL Storefront API - Overview

  Added documentation for B2B Storefront GraphQL API

• B2B Orders API

  This update discloses the default filtering behaviour of the B2B "Get All Orders" API, which returns only the last year of orders if no filter parameters are provided

• Prevent Order Migration

  The Create a Company User S2S endpoint information now indicates what happens to existing orders from previous B2C customers converted to B2B Company users

• Buyer Portal Guides

  We've created new guides for setting up Buyer Portal covering native Stencil, Headless, and Catalyst deployment with the default build when possible and custom Buyer Portal in any case

Catalyst

• Catalyst Deployment Overview

  Added a deployment overview doc for a catalyst storefront

• OCC Updated with Product Syncing to Makeswift

  Now in beta, you can sync your products to your Makeswift Site and view them as routes in your Makeswift Pages Tab

A high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183) related to React Server Components have been disclosed affecting React versions 19.0. This includes Next.js which is used for internal applications at Commerce as well as customers building storefronts using Catalyst and Makeswift. To avoid exposure, Next.js and React need to be updated to their latest patched versions. 

The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.

Important: This release provides an additional security patch for the same CVEs addressed in Catalyst 1.3.6. If you upgraded to 1.3.6, you should upgrade to 1.3.7 to receive the latest security fixes.

Catalyst v1.3.7 release addresses these security vulnerabilities, including the additional CVE-2025-67779.

Key Changes

• Next.js 15.5.9: Upgraded from Next.js 15.5.8 to 15.5.9

• React 19: Upgraded to React 19.1.4 and React DOM 19.1.4

Migration Guide

Refer to the full migration guide in our developer release notes.

Release Tags

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/catalyst-core@1.3.7

• @bigcommerce/catalyst-makeswift@1.3.8

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

Catalyst v1.3.6 release addresses a security vulnerability (CVE-2025-55184, CVE-2025-55183) that affects React Server Components.

Key Changes

• Next.js 15.5.8: Upgraded from Next.js 15.5.7 to 15.5.8

• React 19: Upgraded to React 19.1.3 and React DOM 19.1.3

Migration Guide

Refer to the full migration guide in our developer release notes.

Release Tags

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/catalyst-core@1.3.6

• @bigcommerce/catalyst-makeswift@1.3.7

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

This Catalyst v1.3.5 release addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components.

Key Changes

• Next.js 15.5.7: Upgraded from Next.js 15.5.1-canary.4 to 15.5.7 (no more canary)

• React 19: Upgraded to React 19.1.2 and React DOM 19.1.2

• Partial Prerendering (PPR) Removed: Removed partial prerendering as it's unsupported in non-canary versions of Next.js 15.

Next.js 15.5.7 Upgrade

Catalyst has been upgraded to Next.js 15.5.7. This upgrade moves from the canary release to the stable release and requires migration steps for existing stores to fix a security vulnerability.

Critical Security Update

This upgrade addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components. The vulnerability allowed unauthenticated remote code execution on servers running React Server Components. This upgrade includes:

• Next.js 15.5.7 with the security patch

All users are strongly encouraged to upgrade immediately.

Partial Prerendering (PPR) Removed

Important: PPR (Partial Prerendering) has been removed in this release. PPR was only available in the Next.js 15.5.1-canary.4 release and is not supported in the stable 15.5.7 release.

• The ppr experimental flag has been removed from next.config.ts

• This may result in different performance characteristics compared to the Next.js 15.5.1-canary.4 + PPR setup

Migration Guide

Refer to the full migration guide in our developer release notes.

Getting Started

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/catalyst-core@1.3.5

• @bigcommerce/catalyst-makeswift@1.3.6

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

We’re excited to announce several impactful updates to our platform and its documentation aimed at improving developer workflow and feature clarity. Notable enhancements include new support for coupon code parameters in the single coupon codes API, a major increase in the maximum customer segments per store, and expanded product API endpoints with additional include fields. We’ve also clarified best practices for escaping double quotes in GraphQL queries and improved the organization of our app documentation by moving Draft Apps into a dedicated section under Apps > Develop.

API

• Coupon Code API Parameters
  Documents new support for coupon code parameters in the get and delete coupon codes single API endpoints.

• Segment Limit Update in API
  Increased the max segments per store that can be created from 100 to 1000.

• Product Include Fields Clarification
   We've added some previously missing fields to the include parameter for Get a Product, Get All Products, and Update a Product.

• GraphQL Queries - Escaping Double Quotes
  Clarifies best practices for escaping double quotes within GraphQL queries

Other Improvements

• Draft Apps Documentation
  We moved Draft Apps into a new section.  They are now in Apps > Develop

We are excited to announce the release of Catalyst v1.3, which brings new features including a cookie consent manager and gift certificate functionality, and additional improvements.

Consent Manager

We have added a cookie consent manager to Catalyst that utilizes the c15t.com consent management library under the hood to manage shopper privacy preferences when it comes to cookies and data collection. This provides a comprehensive solution for General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulation compliance.

Once you enable cookie tracking in your storefront settings, shoppers will see a consent banner that allows them to manage their privacy preferences for different types of cookies and data collection activities.

The consent manager is fully integrated with BigCommerce's Script Manager, ensuring that all analytics and marketing scripts respect shopper consent preferences. When cookie consent is enabled in your channel storefront settings, Catalyst will automatically manage which scripts load based on the shopper's selections—essential and unknown scripts always load, while analytics, functional, and targeting scripts only run once consent is granted.

This integration ensures a consistent privacy experience across Catalyst and Stencil storefronts, maintaining feature parity in how consent-aware scripts are loaded and categorized.

BigCommerce's consent categories are automatically mapped to c15t's standardized ones, so existing Storefront Script configurations continue to work without modification. We're collaborating closely with the c15t team to extend support for additional features such as footer script placement.

If your storefront relies on specific script placement or privacy handling use cases, we'd love to hear your feedback as we refine this integration further.

Gift Certificates

We have implemented Gift Certificate functionality in Catalyst to mirror what is already available in Stencil. This includes:

• Enabling shoppers to purchase gift certificates (respecting merchant-defined configurations such as fixed vs. variable amounts, expiration durations, and available templates)

  

• Previewing certificates before purchase

  

• Redeeming them in the cart and checkout (API already exists)

  

• Checking balances directly from the storefront

  

To support these experiences, we also are introducing foundational GraphQL Storefront API operations for gift certificates, laying the groundwork for future extensibility.

Improvements and Bug Fixes

Translation Updates

This release includes translation updates across multiple language files to improve accuracy and completeness. These updates correct translation errors, add missing strings for new features (including the cookie consent manager and gift certificates functionality), and refine existing translations to better match the intended meaning and context for international shoppers.

Migration Notes

Please refer to 1.3.0 changelog for more details and migration notes on this release.

Getting Started

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/catalyst-core@1.3.0

• @bigcommerce/catalyst-makeswift@1.3.0

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest