
update feature branch with develop #3161

Closed
sf-shikhar-prasoon wants to merge 1641 commits into feature/bonus-products from develop

Conversation

@sf-shikhar-prasoon

Contributor

Description

Types of Changes

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Documentation update
  • Breaking change (could cause existing functionality to not work as expected)
  • Other changes (non-breaking changes that do not fit any of the above)

Breaking changes include:

  • Removing a public function or component or prop
  • Adding a required argument to a function
  • Changing the data type of a function parameter or return value
  • Adding a new peer dependency to package.json

Changes

  • (change1)

How to Test-Drive This PR

  • (step1)

Checklists

General

  • Changes are covered by test cases
  • CHANGELOG.md updated with a short description of changes (not required for documentation updates)

Accessibility Compliance

You must check off all items in one of the following two lists:

  • There are no changes to UI

or...

Localization

  • Changes include a UI text update in the Retail React App (which requires translation)

@cc-prodsec

cc-prodsec commented Aug 22, 2025

Collaborator

Snyk checks have failed. 25 issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (25) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 15 | 10 | 0 | 25 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |


@vcua-mobify vcua-mobify temporarily deployed to extra-features-e2e August 22, 2025 20:15 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 23, 2025 07:01 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 24, 2025 07:01 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 25, 2025 07:01 — with GitHub Actions Inactive
@vcua-mobify vcua-mobify temporarily deployed to extra-features-e2e August 25, 2025 23:02 — with GitHub Actions Inactive
@adamraya adamraya temporarily deployed to extra-features-e2e August 25, 2025 23:33 — with GitHub Actions Inactive
@shethj shethj temporarily deployed to extra-features-e2e August 26, 2025 15:38 — with GitHub Actions Inactive
@shethj shethj temporarily deployed to extra-features-e2e August 26, 2025 21:06 — with GitHub Actions Inactive
@vmarta vmarta temporarily deployed to extra-features-e2e August 26, 2025 21:26 — with GitHub Actions Inactive
@adamraya adamraya temporarily deployed to extra-features-e2e August 26, 2025 23:38 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 27, 2025 07:01 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 28, 2025 07:01 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 28, 2025 19:09 — with GitHub Actions Inactive
@vmarta vmarta temporarily deployed to extra-features-e2e August 28, 2025 22:07 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 29, 2025 07:02 — with GitHub Actions Inactive
@shethj shethj temporarily deployed to extra-features-e2e August 29, 2025 18:45 — with GitHub Actions Inactive
@vcua-mobify vcua-mobify temporarily deployed to extra-features-e2e August 29, 2025 22:30 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 30, 2025 07:01 — with GitHub Actions Inactive
@jeremy-jung1 jeremy-jung1 temporarily deployed to extra-features-e2e August 31, 2025 07:01 — with GitHub Actions Inactive
kevinxh and others added 30 commits May 22, 2026 13:25
…inxh/revert-retail-app-version-bump

Revert "chore: revert retail-react-app version bump to unblock SDK release"
….x-to-develop

# Conflicts:
#	packages/commerce-sdk-react/CHANGELOG.md
#	packages/commerce-sdk-react/package-lock.json
#	packages/commerce-sdk-react/package.json
#	packages/pwa-kit-create-app/CHANGELOG.md
#	packages/pwa-kit-dev/CHANGELOG.md
#	packages/pwa-kit-react-sdk/CHANGELOG.md
#	packages/pwa-kit-react-sdk/package-lock.json
#	packages/pwa-kit-runtime/CHANGELOG.md
#	packages/template-express-minimal/package-lock.json
#	packages/template-mrt-reference-app/package-lock.json
#	packages/template-retail-react-app/CHANGELOG.md
#	packages/template-retail-react-app/package-lock.json
#	packages/template-retail-react-app/package.json
#	packages/template-typescript-minimal/package-lock.json
#	packages/test-commerce-sdk-react/package-lock.json
….18.x-to-develop

Merge release-3.18.x back to develop (v3.18.1 patch)
…dal-hooks

# Conflicts:
#	packages/pwa-kit-runtime/CHANGELOG.md
PR's vendor.js is 395.33 KB gzip (was 394.78 KB on develop) — the new
MrtDataStoreProvider context, useCustomSitePreferences /
useCustomGlobalPreferences hooks, and the bootstrap-key wiring add ~0.55 KB
to the shipped client bundle. Raise the budget by 2 kB so compile variance
doesn't flake CI without giving up the guardrail.
…16_dal-hooks

[DAL] Add MRT Data Store Context and Hooks for Template Usage
- Extract regex builder into babel-exclude.js so it can be tested
  without importing the full webpack config (which has heavy deps)
- Update config.js to import from the new module
- Fix copyright year to 2026 in config.test.js
- Test now exercises the real production function

Re: EXT_EXTENDS_WIN — it IS used at config.js:337 for webpack chunk
splitting on Windows, so it's not dead code.
- Remove ESCAPED_SEP and EXT_EXTENDS_REGEX (unused after extracting
  buildBabelExcludeRegex)
- Remove "on current platform" describe block that duplicated the
  explicit Windows/Unix test blocks
…pwa-kit-issue-3789

Fix Windows babel-loader exclude regex bug (#3789)
* Apply configurable domain to cookies created by slas proxy

* Lint

* Add initial docs for http-only

* Apply suggestions

* Apply suggestions
…SameSite (#3850)

* Apply configurable domain to cookies created by slas proxy

* Lint

* Add plumbing for supporting Storefront Preview with HttpOnly cookies

* Apply review adjustments

* Address comments and apply suggestions

* Update CSP to allow non-prod preview

* Add soak and dev MRT to preview trusted list

* Update CHANGELOG.md

---------

Signed-off-by: vcua-mobify <47404250+vcua-mobify@users.noreply.github.com>
…pOnly session cookies (#3851)

* Apply configurable domain to cookies created by slas proxy

* Lint

* Add plumbing for supporting Storefront Preview with HttpOnly cookies

* Apply review adjustments

* Add dynamic SameSite for Storefront Preview

* Update CHANGELOG.md

* Cleanup host scoped marker cookie if cookieDomain is set

* Address comments and apply suggestions

* Apply suggestions from PR 1

* Update CSP to allow non-prod preview

* Add soak and dev MRT to preview trusted list

* Update CHANGELOG.md

---------

Signed-off-by: vcua-mobify <47404250+vcua-mobify@users.noreply.github.com>
* Apply configurable domain to cookies created by slas proxy

* Lint

* Add plumbing for supporting Storefront Preview with HttpOnly cookies

* Apply review adjustments

* Add dynamic SameSite for Storefront Preview

* Update CHANGELOG.md

* Cleanup host scoped marker cookie if cookieDomain is set

* Address comments and apply suggestions

* Apply suggestions from PR 1

* Update CSP to allow non-prod preview

* Add soak and dev MRT to preview trusted list

* Update CHANGELOG.md

* Allow for token passthrough if bearer token is valid

* Update CHANGELOG.md

* Remove empty if block

---------

Signed-off-by: vcua-mobify <47404250+vcua-mobify@users.noreply.github.com>
…9@) (#3855)

* Fix: improve render stability of the search refinements panel

The PLP rebuilds the productSearchResult.refinements array on every render,
so the refinements panel recomputed its accordion default-open indexes each
time and re-rendered unnecessarily. Memoize the effective (non-excluded)
filters and derive a stable comma-joined key of their attribute IDs, then key
the default-open index computation on that string so it only recomputes when
the filter set actually changes.

Adopts and cleans up the approach from the superseded community PR #2771
(drops a written-but-unread ref and an unused returned array), and adds the
regression test that PR lacked.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Chore: link CHANGELOG entry to the opened PR

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Refactor: drop stale useLocalStorage TODO comments in refinements

Per review: the useLocalStorage migration isn't on the roadmap, so the two
TODO comments referencing it were stale stubs. Behavior unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The TCP readiness probe was already updated to dial 127.0.0.1
explicitly, but the npm_config_registry that lerna/npm child processes
inherit was still set to http://localhost:4873/. On Node 18+ Linux
runners with verbatim DNS, 'localhost' may resolve to ::1 first.
Verdaccio binds 127.0.0.1 only (per local-npm-repo/config.yaml), so
the request fails with 'ECONNREFUSED ::1:4873' and lerna publish
aborts.

Pin the registry URL to the same IPv4 loopback Verdaccio is bound to
so name resolution can't pick the wrong address family.
…o-localhost-ipv6

Fix Verdaccio ECONNREFUSED ::1:4873 in dev generator
…e HttpOnly cookies (#3858)

* @W-22828949@ Use access token expiry for customer_id and customer_type HttpOnly cookies

In HttpOnly session-cookie mode, the SLAS proxy set the non-HttpOnly customer_id and customer_type cookies to the refresh-token TTL (up to 30/90 days). Align them to the access-token JWT exp instead - matching cc-at, cc-at-expires, uido, and id_token - by writing them in the access-token block. usid and enc_user_id stay refresh-TTL-aligned.

This also keeps them in sync with the current access token on every access-token response (mirroring the client's handleTokenResponse), instead of only when a refresh token is present.

* @W-22828949@ Add CHANGELOG entry for customer_id/customer_type access-token expiry
… SCAPI proxy (#3859)

* @W-22846335@ Normalize lowercase bearer scheme to canonical Bearer on SCAPI proxy

The SCAPI proxy detected an incoming Authorization bearer case-insensitively
but forwarded it verbatim, so a lowercase `bearer <jwt>` reached SCAPI and
401'd on the scheme. Re-emit the canonical `Bearer <token>` (normalizing
scheme case and collapsing a tab/multi-space separator) whenever a
bearer-with-value is present; the token is forwarded unchanged so a fresh
SSR bearer still wins over a stale cookie.

Hardening/parity item — the SDK always sends canonical `Bearer`, so there is
no known live break. The same normalization must be mirrored in MRT's
CloudFront Lambda@Edge.

* Update packages/pwa-kit-runtime/src/utils/ssr-server/configure-proxy.basic.test.js

Co-authored-by: Joel Uong <88680517+joeluong-sfcc@users.noreply.github.com>
Signed-off-by: vcua-mobify <47404250+vcua-mobify@users.noreply.github.com>

---------

Signed-off-by: vcua-mobify <47404250+vcua-mobify@users.noreply.github.com>
Co-authored-by: Joel Uong <88680517+joeluong-sfcc@users.noreply.github.com>
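
The normalization described in the #3859 commit message above, as an added JavaScript example (not the PWA Kit proxy code). `normalizeBearer` and `resolveUpstreamAuthorization` are hypothetical names; treating the token as a single whitespace-free value and falling back to a cookie-held token only when no bearer arrives are assumptions.

```javascript
// Added example, not PWA Kit source. Function names are hypothetical.

// "bearer" in any case, a run of spaces/tabs, then one non-empty token.
// Assumption: the token contains no whitespace (true for a JWT).
const BEARER_WITH_VALUE = /^bearer[ \t]+(\S+)$/i

// Returns the canonical header value, or null when the input is not a
// bearer credential with a value (other scheme, empty token, no separator).
function normalizeBearer(value) {
    if (typeof value !== 'string') return null
    const match = BEARER_WITH_VALUE.exec(value.trim())
    // Only the scheme and separator are rewritten; the token is untouched.
    return match ? `Bearer ${match[1]}` : null
}

// Assumed precedence: a bearer sent by the caller wins over the access
// token held in the cookie; the cookie is used only when no bearer came in.
function resolveUpstreamAuthorization(incoming, cookieAccessToken) {
    const bearer = normalizeBearer(incoming)
    if (bearer) return bearer
    if (cookieAccessToken) return `Bearer ${cookieAccessToken}`
    return incoming === undefined ? null : incoming
}

// Constructed sample values; the tokens are placeholders, not real JWTs.
const samples = [
    ['bearer fresh.jwt.value', 'stale.cookie.value'],
    ['BEARER\t  fresh.jwt.value', 'stale.cookie.value'],
    ['Bearer ', 'cookie.jwt.value'],
    ['Basic dXNlcjpwdw==', undefined],
    [undefined, 'cookie.jwt.value']
]
for (const [incoming, cookie] of samples) {
    console.log(JSON.stringify(incoming), '->', resolveUpstreamAuthorization(incoming, cookie))
}
```
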
…3856)

* Fix: Render search refinements panels open during SSR (@W-22819807@)

ChakraUI v2's Accordion gates each item's open state on a descendant index
that is -1 until a post-mount layout effect runs. renderToString runs no
effects, so every refinement panel rendered closed server-side regardless of
defaultIndex, then opened after hydration — a late relayout that could become
the PLP largest-contentful-paint element.

Replace the Accordion with a controlled RefinementDisclosure that applies its
open state through the panel's hidden attribute, so panels render open
server-side. Open state is lifted into Refinements (keyed by attributeId) and
seeded to the server-equal all-open set; saved localStorage state is applied
post-hydration to avoid a hydration mismatch for returning users. CategoryLinks
becomes a self-owned disclosure, which also removes a pre-existing bug where its
toggle corrupted a sibling filter's persisted state.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Style: Single-line the Categories FormattedMessage label (@W-22819807@)

* Fix: React to excludedFilters changes in refinements memo (@W-22819807@)

* Fix: Restore refinement section dividers lost in the disclosure swap (@W-22819807@)

* Style: Match refinement header weight and chevron padding to the Accordion (@W-22819807@)

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…age (#3860)

* @W-22846346@ Refresh and retry on SCAPI 401 instead of a hard error page

The commerce-sdk-react Auth layer decides whether to refresh purely from the
expiry indicator (the cc-at-expires cookie in HttpOnly mode, or the JWT exp in
localStorage mode), never from a 401 response. When the access token is
invalid-but-unexpired (server-revoked, tampered, or after a SLAS signing-key
rotation), the indicator still reads "valid", so ready() sends the bad token,
SCAPI returns 401, and the SSR render path throws an HTTPError that the PWA Kit
error boundary renders as a hard "This page isn't working - HTTPError 401" page
-- even though a still-valid refresh token (cc-nx) usually exists.

handleInvalidToken now adds 401-driven refresh-and-retry: for any 401 that
isn't the "Customer credentials changed after token was issued." case, it clears
the stale cc-at-expires indicator and refreshes, mirroring the existing 400
access_token_cookie_missing handler. Clearing the expiry first is required so
_refreshAccessToken() doesn't short-circuit on the still-"valid" indicator. The
caller (useAuthorizationHeader and the useQuery/useMutation custom-endpoint
paths) retries the request exactly once, so a repeat 401 still propagates. The
fix is mode-agnostic, covering both HttpOnly and localStorage; the gap was
confirmed to reproduce in both.

No MRT/proxy changes: the refresh round-trip, cookie rewrite, and bearer
injection this relies on are already deployed and exercised by the normal
expiry-driven refresh.

* @W-22846346@ Add CHANGELOG entry for 401 refresh-and-retry (#3860)
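
The refresh-and-retry flow described in the #3860 commit message above, as an added JavaScript example (not commerce-sdk-react source). `createAuth`, `callWithRetry`, `demo` and the fake SLAS/SCAPI functions are hypothetical stand-ins; it shows why the expiry indicator must be cleared before refreshing and that only one retry is made.

```javascript
// Added example, not commerce-sdk-react source. All names are hypothetical.
const CREDENTIALS_CHANGED = 'Customer credentials changed after token was issued.'

class HTTPError extends Error {
    constructor(status, detail) {
        super(`HTTPError ${status}`)
        this.status = status
        this.detail = detail
    }
}

// Auth state: the token plus the expiry indicator refresh decisions rely on.
function createAuth(slas) {
    const state = {accessToken: null, expiresAt: 0, refreshCount: 0}
    async function refreshAccessToken() {
        if (state.accessToken && state.expiresAt > Date.now()) return // looks valid
        Object.assign(state, await slas.refresh())
        state.refreshCount += 1
    }
    async function ready() {
        await refreshAccessToken()
        return state.accessToken
    }
    // Clear the indicator first; otherwise refreshAccessToken() returns early
    // because the rejected token still looks unexpired.
    async function handleInvalidToken(err) {
        if (err.status !== 401 || err.detail === CREDENTIALS_CHANGED) return false
        state.expiresAt = 0
        await refreshAccessToken()
        return true
    }
    return {state, ready, handleInvalidToken}
}

// Sends the request; on a recoverable 401, refreshes and retries exactly once.
async function callWithRetry(auth, send) {
    try {
        return await send(await auth.ready())
    } catch (err) {
        if (!(err instanceof HTTPError) || !(await auth.handleInvalidToken(err))) throw err
        return send(await auth.ready()) // a repeat 401 propagates to the caller
    }
}

// Constructed scenario: the fake SCAPI accepts only tokens listed in `accepted`.
async function demo(accepted) {
    const slas = {refresh: async () => ({accessToken: 'new', expiresAt: Date.now() + 60000})}
    const auth = createAuth(slas)
    Object.assign(auth.state, {accessToken: 'revoked', expiresAt: Date.now() + 60000})
    const send = async (token) => {
        if (!accepted.includes(token)) throw new HTTPError(401, 'Unauthorized')
        return 'ok'
    }
    return {result: await callWithRetry(auth, send).catch((e) => e.message), auth}
}
```
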
* Port cancel order components from cancelOrderHook branch

Cherry-pick cancellation-specific files onto fresh branch from develop:
- cancel-order-modal (modal, constants, tests)
- product-list component (reusable for order items)
- use-order-products hook (fetches and merges product data with order items)

* @W-22806923@ Cancel order UX aligned with storefront-next designs

- Redesign cancel modal: dialog title with order number, native select
  dropdown for reason codes, "Keep order" / "Confirm cancellation" buttons
- Add ORDER ACTIONS section on order-detail page with cancel button
- Add cancel eligibility gating (OMS enabled, registered, status/shipping)
- Show inline feedback alert on successful cancellation
- Update status badge to Cancelled after cancel success
- Add oms.enabled config flag
- Fix shared/ui imports for product-list component
- Rewrite cancel-order-modal tests for new design

* Remove unused product-list and use-order-products

These were ported from the old branch but the new cancel modal
design does not display products inside the dialog.

* Address PR review feedback

- Add ownsOrder check to cancel eligibility
- Default oms.enabled to false (opt-in)
- Remove dead i18n messages from constants.js
- Add label association for reason select (a11y)
- Use red.700 for error feedback (matches storefront-next)
- Add showCancelSuccess/showCancelError helpers for API integration
- Badge shows × Cancelled on success, stays unchanged on error
- Move feedback alert above Order Details heading
- Move badge to far right of heading row
- Only allow cancel when shippingStatus is not_shipped (no empty fallback)

* Fix prettier formatting for CI lint

- Inline short prop lists in test file
- Inline ternary expressions in order-detail.jsx

* Add cancel order i18n messages to translation files

Extract and compile new message IDs for cancel order modal,
feedback alerts, and badge into en-US, en-GB, and en-XA.

* Fix a11y and UX issues from code review

- Replace hard-coded × glyph with CloseIcon + aria-hidden
- Reset selectedReason via useEffect on isOpen (covers all close paths)
- Use Chakra Alert with role="alert" for screen reader announcement
- Only disable cancel button on success, not error (allow retry)
- Clear feedback when modal reopens after error

* Fix a11y and UX issues from code review

- Replace hard-coded × glyph with CloseIcon + aria-hidden in badge
- Reset selectedReason via useEffect on isOpen (covers all close paths)
- Use role="alert" with aria-live="assertive" for screen reader announcement
- Delay feedback 300ms so screen readers finish modal close before alert
- Only disable cancel button on success, not error (allow retry)
- Clear feedback when modal reopens after error
- Add proper label element for reason select
- Add tests for reason reset and label association

* Fix CI lint: inline props for prettier, suppress unused-var for showCancelError
… can ingest (#3866)

@W-22952388@ Sync payment-instrument amount before createOrder so OMS can ingest (#3866)