For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Dev Portal
DocsAPI ReferenceLearnCommunityChangelog
DocsAPI ReferenceLearnCommunityChangelog
  • Overview
    • Quick Start
    • Sandboxes
    • Tools & SDKs
    • Support
  • Docs
      • Getting Started
        • Overview
          • 1.6.0
          • 1.5.0
          • 1.4.0
          • 1.3.7
          • 1.3.6
          • 1.3.5
          • 1.3.0
          • 1.2.0
    • Archive
    • Closed Beta Programs
Dev Portal
LogoLogo
On this page
  • Key Changes
  • Next.js 15.5.7 Upgrade
  • Critical Security Update
  • Partial Prerendering (PPR) Removed
  • Migration Guide
  • Step 1: Update Dependencies
  • Step 2: Update next.config.ts
  • Step 3: Remove experimental_ppr flag
  • Release Tags
DocsStorefrontCatalystRelease Notes

Catalyst version 1.3.5 Release Notes

Was this page helpful?
Previous

1.3.6

Next

1.3.0

Built with

This Catalyst v1.3.5 release addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components.

Key Changes

  • Next.js 15.5.7: Upgraded from Next.js 15.5.1-canary.4 to 15.5.7 (no more canary)
  • React 19: Upgraded to React 19.1.2 and React DOM 19.1.2
  • Partial Prerendering (PPR) Removed: Removed partial prerendering as it’s unsupported in non-canary versions of Next.js 15.

Next.js 15.5.7 Upgrade

Catalyst has been upgraded to Next.js 15.5.7. This upgrade moves from the canary release to the stable release and requires migration steps for existing stores to fix a security vulnerability.

Critical Security Update

This upgrade addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components. The vulnerability allowed unauthenticated remote code execution on servers running React Server Components. This upgrade includes:

  • Next.js 15.5.7 with the security patch

All users are strongly encouraged to upgrade immediately.

Partial Prerendering (PPR) Removed

Important: PPR (Partial Prerendering) has been removed in this release. PPR was only available in the Next.js 15.5.1-canary.4 release and is not supported in the stable 15.5.7 release.

  • The ppr experimental flag has been removed from next.config.ts
  • This may result in different performance characteristics compared to the Next.js 15.5.1-canary.4 + PPR setup

Migration Guide

Step 1: Update Dependencies

If you’re maintaining a custom Catalyst store, update your package.json:

{
	"dependencies": {
		"next": "15.5.7",
		"react": "^19.1.2",
		"react-dom": "^19.1.2"
	},
	"devDependencies": {
		"@next/bundle-analyzer": "15.5.7",
		"eslint-config-next": "15.5.7"
	}
}

Then run:

pnpm install

Note: next will automatically update your tsconfig.json file.

Step 2: Update next.config.ts

Remove or comment out PPR configuration:

// Remove or disable:
// experimental: {
//   ppr: 'incremental',
// }

Remove or comment out eslint config

// eslint: {
//     ignoreDuringBuilds: !!process.env.CI,
//     dirs: [
//     'app',
//     'auth',
//     'build-config',
//     'client',
//     'components',
//     'data-transformers',
//     'i18n',
//     'lib',
//     'middlewares',
//     'scripts',
//     'tests',
//     'vibes',
//     ],
// },

Step 3: Remove experimental_ppr flag

Remove all export const experimental_ppr declarations from your codebase, regardless of whether they are set to true or false.

Release Tags

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

  • @bigcommerce/catalyst-core@1.3.5
  • @bigcommerce/catalyst-makeswift@1.3.6

And as always, you can pull the latest stable release with these tags:

  • @bigcommerce/catalyst-core@latest
  • @bigcommerce/catalyst-makeswift@latest