fix changelog

unandyala · unandyala · commit 88427d971839 · 2026-02-19T21:47:00.000-06:00
diff --git a/packages/commerce-sdk-react/CHANGELOG.md b/packages/commerce-sdk-react/CHANGELOG.md
@@ -1,6 +1,8 @@
+## [Unreleased]
+- Add HttpOnly session cookies for SLAS private client proxy [#3680](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3680)
+
 ## v5.1.0-dev
 - Add Node 24 support. Drop Node 16 support. [#3652](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3652)
-- Add HttpOnly session cookies for SLAS private client proxy [#3680](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3680)
 
 ## v5.0.0 (Feb 12, 2026)
 - Upgrade to commerce-sdk-isomorphic v5.0.0 and introduce Payment Instrument SCAPI integration [#3552](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3552)
diff --git a/packages/commerce-sdk-react/src/auth/index.ts b/packages/commerce-sdk-react/src/auth/index.ts
@@ -54,7 +54,7 @@ interface AuthConfig extends ApiClientConfigParams {
     refreshTokenRegisteredCookieTTL?: number
     refreshTokenGuestCookieTTL?: number
     hybridAuthEnabled?: boolean
-    /** When true, token response may be sanitized (tokens in HttpOnly cookies); only set non-token fields and use access_token_expires_at for expiry. */
+    /** When true, session tokens are set as HttpOnly cookies */
     useHttpOnlySessionCookies?: boolean
 }
 
diff --git a/packages/commerce-sdk-react/src/provider.tsx b/packages/commerce-sdk-react/src/provider.tsx
@@ -155,7 +155,6 @@ const CommerceApiProvider = (props: CommerceApiProviderProps): ReactElement => {
     const configLogger = logger || console
 
     // When HttpOnly cookies are enabled, ensure fetch credentials allow cookies to be sent.
-    // Override 'omit' or unset to 'same-origin'; keep 'same-origin' or 'include' as-is.
     const effectiveFetchOptions =
         useHttpOnlySessionCookies &&
         (!fetchOptions?.credentials || fetchOptions.credentials === 'omit')
diff --git a/packages/pwa-kit-create-app/CHANGELOG.md b/packages/pwa-kit-create-app/CHANGELOG.md
@@ -1,4 +1,5 @@
 ## [Unreleased]
+- Add configuration flag `disableHttpOnlySessionCookies` to `ssrParameters` [#3635](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3635)
 
 ## v3.17.0-dev
 - Clear verdaccio npm cache during project generation [#3652](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3652)

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ interface AuthConfig extends ApiClientConfigParams {`
`54`	`54`	`refreshTokenRegisteredCookieTTL?: number`
`55`	`55`	`refreshTokenGuestCookieTTL?: number`
`56`	`56`	`hybridAuthEnabled?: boolean`
`57`		`- /** When true, token response may be sanitized (tokens in HttpOnly cookies); only set non-token fields and use access_token_expires_at for expiry. */`
	`57`	`+ /** When true, session tokens are set as HttpOnly cookies */`
`58`	`58`	`useHttpOnlySessionCookies?: boolean`
`59`	`59`	`}`
`60`	`60`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`## [Unreleased]`
	`2`	+- Add configuration flag `disableHttpOnlySessionCookies` to `ssrParameters` [#3635](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3635)
`2`	`3`
`3`	`4`	`## v3.17.0-dev`
`4`	`5`	`- Clear verdaccio npm cache during project generation [#3652](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3652)`