Merge branch 'main' into lkostrowski/scan-app-changes-summary

Author: lkostrowski

.changeset/apps-app-deleted-handler.md

@@ -0,0 +1,8 @@
+---
+"saleor-app-cms": minor
+"saleor-app-products-feed": minor
+"saleor-app-search": minor
+"saleor-app-smtp": minor
+---
+
+Implemented APP_DELETED handler. On Saleor 3.23+ app will react to its own removal and prune APL data

.changeset/avatax-logs-date-range-validation.md

@@ -0,0 +1,13 @@
+---
+"saleor-app-avatax": patch
+"saleor-app-cms": patch
+"saleor-app-klaviyo": patch
+"saleor-app-payment-np-atobarai": patch
+"saleor-app-products-feed": patch
+"saleor-app-search": patch
+"saleor-app-segment": patch
+"saleor-app-smtp": patch
+"saleor-app-payment-stripe": patch
+---
+
+When environment variables fail validation at startup, the app now prints a readable error message and the offending fields, then exits with code 1 — instead of dumping a long stack trace. Before: a wall of webpack stack frames around `Invalid environment variables`. After: e.g. `Validation error: Required at "SECRET_KEY"` followed by a JSON list of the failing fields.

.changeset/env-validation-error-formatting.md

@@ -0,0 +1,5 @@
+---
+"@saleor/webhook-utils": minor
+---
+
+Added app-deleted-handler, shared webhook abstraction, that automatically runs apl.delete(). It additionally exposes hooks to run extra clean up, like DynamoDB pruning (this is per-app logic).

.changeset/jwt-verification-401-no-sentry.md

@@ -0,0 +1,5 @@
+---
+"saleor-app-klaviyo": minor
+---
+
+Implemented APP_DELETED handler. On Saleor 3.23+ app will react to its own removal and prune APL data

.changeset/loud-moles-mix.md

@@ -140,7 +140,7 @@ jobs:
         with:
           name: coverage-files
       - name: Upload coverage for ${{ matrix.name }}
-        uses: codecov/codecov-action@0da7aa657d958d32c117fc47e1f977e7524753c7 # v5.3.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: saleor/apps

.changeset/silent-items-thank.md

@@ -1,5 +1,28 @@
 # saleor-app-avatax
 
+## 1.22.10
+
+### Patch Changes
+
+- 9044c32: Upgraded protobufjs to v7.5.8 to fix the following CVEs: CVE-2026-41242,
+  CVE-2026-44290, CVE-2026-44291, CVE-2026-44292, CVE-2026-44293,
+  CVE-2026-44294, CVE-2026-44295, CVE-2026-45740.
+
+  This is only relevant for you if you use & enabled OpenTelemetry.
+
+## 1.22.9
+
+### Patch Changes
+
+- 2865a4f: Upgraded next.js to v15.5.18, more info: https://vercel.com/changelog/next-js-may-2026-security-release
+
+## 1.22.8
+
+### Patch Changes
+
+- 9265c47: Fixed Client Logs date filter showing an opaque error when the "From" date was after the "To" date. Before, the request was sent and DynamoDB rejected it with a generic validation error. Now the form skips the request and shows a clear inline message, and the API rejects inverted ranges with a 400 response.
+- 4af78c1: Failed JWT verification in tRPC procedures no longer reports to Sentry as an error. Before, an expired or invalid token raised a 500 (or 403) and produced an error in monitoring even though it was a normal client-side auth failure. Now it logs a warning and returns 401, so dashboards stay clean and the client can react to the auth state correctly.
+
 ## 1.22.7
 
 ### Patch Changes

.github/workflows/main.yml

@@ -4925,6 +4925,28 @@ export type CheckoutCustomerNoteUpdate = {
   errors: Array<CheckoutError>;
 };
 
+/**
+ * Deletes a checkout.
+ *
+ * Added in Saleor 3.23.
+ *
+ * Requires one of the following permissions: MANAGE_CHECKOUTS.
+ */
+export type CheckoutDelete = {
+  __typename?: 'CheckoutDelete';
+  errors: Array<CheckoutDeleteError>;
+};
+
+export type CheckoutDeleteError = {
+  __typename?: 'CheckoutDeleteError';
+  /** The error code. */
+  code: CheckoutErrorCode;
+  /** Name of a field that caused the error. A value of `null` indicates that the error isn't associated with a particular field. */
+  field?: Maybe<Scalars['String']['output']>;
+  /** The error message. */
+  message?: Maybe<Scalars['String']['output']>;
+};
+
 /**
  * Updates the delivery method (shipping method or pick up point) of the checkout. Updates the checkout shipping_address for click and collect delivery for a warehouse address.
  *
@@ -6935,6 +6957,25 @@ export type CustomerDelete = {
   user?: Maybe<User>;
 };
 
+/**
+ * Event sent when customer user is deleted.
+ *
+ * Added in Saleor 3.23.
+ */
+export type CustomerDeleted = Event & {
+  __typename?: 'CustomerDeleted';
+  /** Time of the event. */
+  issuedAt?: Maybe<Scalars['DateTime']['output']>;
+  /** The user or application that triggered the event. */
+  issuingPrincipal?: Maybe<IssuingPrincipal>;
+  /** The application receiving the webhook. */
+  recipient?: Maybe<App>;
+  /** The user the event relates to. */
+  user?: Maybe<User>;
+  /** Saleor version that triggered the event. */
+  version?: Maybe<Scalars['String']['output']>;
+};
+
 /** History log of the customer. */
 export type CustomerEvent = Node & {
   __typename?: 'CustomerEvent';
@@ -12597,6 +12638,14 @@ export type Mutation = {
    * - CHECKOUT_UPDATED (async): A checkout was updated.
    */
   checkoutCustomerNoteUpdate?: Maybe<CheckoutCustomerNoteUpdate>;
+  /**
+   * Deletes a checkout.
+   *
+   * Added in Saleor 3.23.
+   *
+   * Requires one of the following permissions: MANAGE_CHECKOUTS.
+   */
+  checkoutDelete?: Maybe<CheckoutDelete>;
   /**
    * Updates the delivery method (shipping method or pick up point) of the checkout. Updates the checkout shipping_address for click and collect delivery for a warehouse address.
    *
@@ -14840,6 +14889,11 @@ export type MutationCheckoutCustomerNoteUpdateArgs = {
 };
 
 
+export type MutationCheckoutDeleteArgs = {
+  id: Scalars['ID']['input'];
+};
+
+
 export type MutationCheckoutDeliveryMethodUpdateArgs = {
   deliveryMethodId?: InputMaybe<Scalars['ID']['input']>;
   id?: InputMaybe<Scalars['ID']['input']>;