This update includes improvements across our core APIs, integrations, B2B tooling, and Catalyst storefront experience. On the API side, we’ve improved catalog accuracy, expanded translation support for product filters and options via GraphQL, clarified tax rounding strategies, and updated Store Information docs to the v3 endpoint. For integrations, we’ve added clearer guidance on generating secure JWT tokens and navigating the app submission review process. B2B developers get new Storefront GraphQL docs, clearer behavior for the B2B Orders API and order migration, plus new Buyer Portal setup guides. And for Catalyst, we’ve introduced a deployment overview and a new beta experience for syncing products to Makeswift and surfacing them as routes.

API

• Add POST to price list records

  Introduced faster, batch-capable record creation in Price List API docs

• Updated product option value parameters in catalog API

  Improved product options API docs for accuracy

• Add rounding strategy to tax settings

  Added rounding strategy option for tax providers

• Updated App Extention Documentation

  Added  missing product_description model

• Store Information v3 updated spec

  Update store information metafields documentation to use v3 API endpoint

• Product Filter Translations

  Product filters are now able to be translated with the GraphQL Admin API

• Product Option Translations

  GraphQL Translations API now supports Product Options

Integrations

• Added clarification for creating JWT Token

  Documented how to generate secure JWT tokens for integrations

• App Submission Review Process

  Adding additional details of the app review submission process

B2B

• GraphQL Storefront API - Overview

  Added documentation for B2B Storefront GraphQL API

• B2B Orders API

  This update discloses the default filtering behaviour of the B2B "Get All Orders" API, which returns only the last year of orders if no filter parameters are provided

• Prevent Order Migration

  The Create a Company User S2S endpoint information now indicates what happens to existing orders from previous B2C customers converted to B2B Company users

• Buyer Portal Guides

  We've created new guides for setting up Buyer Portal covering native Stencil, Headless, and Catalyst deployment with the default build when possible and custom Buyer Portal in any case

Catalyst

• Catalyst Deployment Overview

  Added a deployment overview doc for a catalyst storefront

• OCC Updated with Product Syncing to Makeswift

  Now in beta, you can sync your products to your Makeswift Site and view them as routes in your Makeswift Pages Tab

• Add POST to price list records:

  Introduced faster, batch-capable record creation in Price List API docs

• Updated product option value parameters in catalog API

  Improved product options API docs for accuracy

• Add rounding strategy to tax settings

  Added rounding strategy option for tax providers

• Updated App Extention Documentation

  Added  missing product_description model

• Store Information v3 updated spec

  Update store information metafields documentation to use v3 API endpoint

• Product Filter Translations

  Product filters are now able to be translated with the GraphQL Admin API

• Product Option Translations

  GraphQL Translations API now supports Product Options

Integrations

• Added clarification for creating JWT Token

  Documented how to generate secure JWT tokens for integrations

• App Submission Review Process

  Added additional details of the app review submission process

B2B

• GraphQL Storefront API - Overview

  Added documentation for B2B Storefront GraphQL API

• B2B Orders API

  This update discloses the default filtering behaviour of the B2B "Get All Orders" API, which returns only the last year of orders if no filter parameters are provided

• Prevent Order Migration

  The Create a Company User S2S endpoint information now indicates what happens to existing orders from previous B2C customers converted to B2B Company users

• Buyer Portal Guides

  We've created new guides for setting up Buyer Portal covering native Stencil, Headless, and Catalyst deployment with the default build when possible and custom Buyer Portal in any case

Catalyst

• Catalyst Deployment Overview

  Added a deployment overview doc for a catalyst storefront

• OCC Updated with Product Syncing to Makeswift

  Now in beta, you can sync your products to your Makeswift Site and view them as routes in your Makeswift Pages Tab

A high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183) related to React Server Components have been disclosed affecting React versions 19.0. This includes Next.js which is used for internal applications at Commerce as well as customers building storefronts using Catalyst and Makeswift. To avoid exposure, Next.js and React need to be updated to their latest patched versions. 

The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.

Important: This release provides an additional security patch for the same CVEs addressed in Catalyst 1.3.6. If you upgraded to 1.3.6, you should upgrade to 1.3.7 to receive the latest security fixes.

Catalyst v1.3.7 release addresses these security vulnerabilities, including the additional CVE-2025-67779.

Key Changes

• Next.js 15.5.9: Upgraded from Next.js 15.5.8 to 15.5.9

• React 19: Upgraded to React 19.1.4 and React DOM 19.1.4

Migration Guide

Refer to the full migration guide in our developer release notes.

Release Tags

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/[email protected]

• @bigcommerce/[email protected]

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

Catalyst v1.3.6 release addresses a security vulnerability (CVE-2025-55184, CVE-2025-55183) that affects React Server Components.

Key Changes

• Next.js 15.5.8: Upgraded from Next.js 15.5.7 to 15.5.8

• React 19: Upgraded to React 19.1.3 and React DOM 19.1.3

Migration Guide

Refer to the full migration guide in our developer release notes.

Release Tags

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/[email protected]

• @bigcommerce/[email protected]

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

This Catalyst v1.3.5 release addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components.

Key Changes

• Next.js 15.5.7: Upgraded from Next.js 15.5.1-canary.4 to 15.5.7 (no more canary)

• React 19: Upgraded to React 19.1.2 and React DOM 19.1.2

• Partial Prerendering (PPR) Removed: Removed partial prerendering as it's unsupported in non-canary versions of Next.js 15.

Next.js 15.5.7 Upgrade

Catalyst has been upgraded to Next.js 15.5.7. This upgrade moves from the canary release to the stable release and requires migration steps for existing stores to fix a security vulnerability.

Critical Security Update

This upgrade addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components. The vulnerability allowed unauthenticated remote code execution on servers running React Server Components. This upgrade includes:

• Next.js 15.5.7 with the security patch

All users are strongly encouraged to upgrade immediately.

Partial Prerendering (PPR) Removed

Important: PPR (Partial Prerendering) has been removed in this release. PPR was only available in the Next.js 15.5.1-canary.4 release and is not supported in the stable 15.5.7 release.

• The ppr experimental flag has been removed from next.config.ts

• This may result in different performance characteristics compared to the Next.js 15.5.1-canary.4 + PPR setup

Migration Guide

Refer to the full migration guide in our developer release notes.

Getting Started

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/[email protected]

• @bigcommerce/[email protected]

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

We’re excited to announce several impactful updates to our platform and its documentation aimed at improving developer workflow and feature clarity. Notable enhancements include new support for coupon code parameters in the single coupon codes API, a major increase in the maximum customer segments per store, and expanded product API endpoints with additional include fields. We’ve also clarified best practices for escaping double quotes in GraphQL queries and improved the organization of our app documentation by moving Draft Apps into a dedicated section under Apps > Develop.

API

• Coupon Code API Parameters
  Documents new support for coupon code parameters in the get and delete coupon codes single API endpoints.

• Segment Limit Update in API
  Increased the max segments per store that can be created from 100 to 1000.

• Product Include Fields Clarification
   We've added some previously missing fields to the include parameter for Get a Product, Get All Products, and Update a Product.

• GraphQL Queries - Escaping Double Quotes
  Clarifies best practices for escaping double quotes within GraphQL queries

Other Improvements

• Draft Apps Documentation
  We moved Draft Apps into a new section.  They are now in Apps > Develop

We are excited to announce the release of Catalyst v1.3, which brings new features including a cookie consent manager and gift certificate functionality, and additional improvements.

Consent Manager

We have added a cookie consent manager to Catalyst that utilizes the c15t.com consent management library under the hood to manage shopper privacy preferences when it comes to cookies and data collection. This provides a comprehensive solution for General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulation compliance.

Once you enable cookie tracking in your storefront settings, shoppers will see a consent banner that allows them to manage their privacy preferences for different types of cookies and data collection activities.

The consent manager is fully integrated with BigCommerce's Script Manager, ensuring that all analytics and marketing scripts respect shopper consent preferences. When cookie consent is enabled in your channel storefront settings, Catalyst will automatically manage which scripts load based on the shopper's selections—essential and unknown scripts always load, while analytics, functional, and targeting scripts only run once consent is granted.

This integration ensures a consistent privacy experience across Catalyst and Stencil storefronts, maintaining feature parity in how consent-aware scripts are loaded and categorized.

BigCommerce's consent categories are automatically mapped to c15t's standardized ones, so existing Storefront Script configurations continue to work without modification. We're collaborating closely with the c15t team to extend support for additional features such as footer script placement.

If your storefront relies on specific script placement or privacy handling use cases, we'd love to hear your feedback as we refine this integration further.

Gift Certificates

We have implemented Gift Certificate functionality in Catalyst to mirror what is already available in Stencil. This includes:

• Enabling shoppers to purchase gift certificates (respecting merchant-defined configurations such as fixed vs. variable amounts, expiration durations, and available templates)

  

• Previewing certificates before purchase

  

• Redeeming them in the cart and checkout (API already exists)

  

• Checking balances directly from the storefront

  

To support these experiences, we also are introducing foundational GraphQL Storefront API operations for gift certificates, laying the groundwork for future extensibility.

Improvements and Bug Fixes

Translation Updates

This release includes translation updates across multiple language files to improve accuracy and completeness. These updates correct translation errors, add missing strings for new features (including the cookie consent manager and gift certificates functionality), and refine existing translations to better match the intended meaning and context for international shoppers.

Migration Notes

Please refer to 1.3.0 changelog for more details and migration notes on this release.

Getting Started

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/[email protected]

• @bigcommerce/[email protected]

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest

This release sharpens documentation and streamlines integrations across our API and B2B features. Highlights include support for additional checkout URLs (buybutton, mcp), clearer field definitions and examples (e.g., order_id as a string, updated_at behavior), and refined guidance for tax provider workflows and product custom fields. On the B2B side, we’ve updated authentication to include the Store Hash in the payload for affected endpoints and shipped targeted fixes to the Catalyst/B2B guides to speed up setup.

API

• Add buybutton and mcp as valid checkout urls

  Updated the documentation to include "buybutton" and "mcp" as valid checkout URLs.

• Improved Automated Test Documentation and Refined Test Execution Sequence

  Enhanced descriptions and clarified the testing workflow for tax provider integrations.

• Update order_id field type to string in Transaction Created Webhook

  Revised the Payments API webhook specification, ensuring the order_id is documented as a string.

• Updated Example Value in Orders API Documentation

  Improved example values in the Orders API documentation.

• Update API Documentation for Product Custom Fields Parameters

  Refined API docs to improve accuracy for custom field parameters for products.

• Clarified Override Amount Field in Order API Documentation

  Added separate definition for "override amount" in orders documentation for greater clarity.

• Clarify 'updated_at' Field Description in v3 Customers API Documentation

  Clarified the usage and meaning of the updated_at field in responses.

• Update Invoice Email Data Structure

  Refreshed invoice email documentation to match new data structure.

• Modified section about configuring tax provider settings to streamline it for integrators

  Streamlined tax provider API configuration docs for easier integrator onboarding.

B2B

• Short-term fixes for the Catalyst/B2B guide

  Various improvements and content fixes for the Catalyst and B2B setup guides.

• Improved B2B Authentication Documentation

  Streamlined and updated B2B authentication documentation for improved clarity and accuracy, reflecting recent changes to authentication processes.

• Clarified Store Hash requirement for new authentication process.

  • Moved Store Hash into authentication variables instead of parameters

  • Removed Store Hash from requirements on authentication endpoints for generating tokens

  • Affected API Endpoints

    • POST /api/v2/auth/token

    • GET /api/v2/orders

    • POST /api/v2/products

    • Any other endpoints requiring Store Hash as part of authentication

What’s New

Cleaner APIs (refund quote simplification, shipping cost comparisons, Cart image_url, batch metafield filters), tighter webhook/tax requirements, and an updated Payments Postman collection.

B2B docs clarify authentication and pending-company behavior, Stencil guidance aligns to INP, and Catalyst onboarding details redirected checkout + MSF.

Dive into the notes below for the full rundown.

API

• Removed unsupported field from Refund Quote endpoint

  The merchant_calculated_override field was eliminated from the POST /refund_quote request to reduce confusion. It is only applicable when submitting the final refund (POST /refunds).

• Added new shipping cost comparison fields

  Introduced comparisonShippingCost and shippingCostBeforeDiscount within order.consignments.shipping to enable clearer pre/post discount shipping cost visibility.

• Cart API enhancement

  image_url is now documented in the V3 Cart POST response, aligning POST with existing GET behavior.

• Metafields batch filtering

  Products and Product Variants batch metafields endpoints now support the resource_id:in query parameter for more precise bulk retrieval.

• Webhooks specification context

  Opening section refined to better direct users to in-depth guides and clarify usage patterns.

• HTTPS enforcement note for tax provider API

  Added explicit requirement that tax provider API URLs must use HTTPS.

• Postman collection update

  Payments API “Run in Postman” link now points to a shared collection including an example for stored bank accounts.

• Webhook lifecycle clarity

  Documentation updated to state webhooks no longer persist after API account deletion, preventing orphaned integrations.

B2B

• Hosted storefront authentication maintenance

  All authentication reference links updated to target correct endpoint sections

• Pending Company account behavior

  Documented storefront experience and restrictions for customers whose Company applications are pending after using the Create Company endpoint.

Stencil

• Core Web Vitals update

  Replaced references to First Input Delay (FID) with Interaction to Next Paint (INP) in Stencil theme creation guidance to reflect new performance standards.

Catalyst

• Catalyst onboarding clarity

  Expanded guidance around redirected checkout and Multi-Storefront (MSF) requirements to reduce setup confusion.

Storefront

• Wishlist Feature Documentation
  Introduces comprehensive Wishlists documentation for storefront adoption and developer reference.

• Session Syncing (Headless ↔ Checkout)
  Adds guide for maintaining session continuity across headless and checkout flows.

• Coupon API Response Code Accuracy
  Corrects coupon creation response code (201 instead of 200) for client accuracy.

B2B

• B2B Edition Token Modernization & Alignment
  Documents migration to X-Auth-Token and unifies token style across B2B and core; integration teams should review custom header implementations and token exchange assumptions.

• B2B Quotes – userEmail & Modifiers
  Clarifies field semantics for userEmail and modifier date formatting to reduce parsing errors.

• B2B Storefront GraphQL – Account Registration Workflows
  Introduces end-to-end GraphQL account registration flows, reducing REST dependencies.

API / GraphQL

• Product & Catalog Translation Enablement
  Adds localized product and custom field translations for full catalog coverage.

• Translations - Product Custom Fields
  Clarifies translation scope for product data and custom fields.

• Gift Certificate API Sorting
  Adds sort and direction parameters to enhance administrative flexibility.

• Product Condition Exposure Control (GraphQL)
  Ensures GraphQL respects merchant setting—returns null when product condition is hidden.

• Unified Billing Documentation Iteration
  Refines field descriptions and guidance for consistent billing API integration.

• V2 Orders - Date & Time Precision
  Clarifies date_created is UTC to avoid analytics/reporting misalignment.

Stencil

• File System Constraints (Stencil Themes)
  Adds alert about maximum directory depth to prevent build/runtime issues for theme developers.

6.17.0 (10-01-2025)

• Add net-new "order.pickup_addresses" to unify objects used on Order Details and Order Invoice pages #2557

• Removed banner widget configuration and related translations #2561

• Add support for shipping discounts in "order.total_rows" for use on the Order Details and Order Invoice pages #2568

• Updates eslint to v8 #2570