This Catalyst v1.3.5 release addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components.

Key Changes

• Next.js 15.5.7: Upgraded from Next.js 15.5.1-canary.4 to 15.5.7 (no more canary)

• React 19: Upgraded to React 19.1.2 and React DOM 19.1.2

• Partial Prerendering (PPR) Removed: Removed partial prerendering as it's unsupported in non-canary versions of Next.js 15.

Next.js 15.5.7 Upgrade

Catalyst has been upgraded to Next.js 15.5.7. This upgrade moves from the canary release to the stable release and requires migration steps for existing stores to fix a security vulnerability.

Critical Security Update

This upgrade addresses a critical security vulnerability (CVE-2025-55182) that affects React Server Components. The vulnerability allowed unauthenticated remote code execution on servers running React Server Components. This upgrade includes:

• Next.js 15.5.7 with the security patch

All users are strongly encouraged to upgrade immediately.

Partial Prerendering (PPR) Removed

Important: PPR (Partial Prerendering) has been removed in this release. PPR was only available in the Next.js 15.5.1-canary.4 release and is not supported in the stable 15.5.7 release.

• The ppr experimental flag has been removed from next.config.ts

• This may result in different performance characteristics compared to the Next.js 15.5.1-canary.4 + PPR setup

Migration Guide

Refer to the full migration guide in our developer release notes.

Getting Started

We have published new tags for the Core and Makeswift versions of Catalyst. Target these tags to pull the latest code:

• @bigcommerce/[email protected]

• @bigcommerce/[email protected]

And as always, you can pull the latest stable release with these tags:

• @bigcommerce/catalyst-core@latest

• @bigcommerce/catalyst-makeswift@latest