@commercetools-frontend/mc-scripts 27.4.2 → 27.5.0

package/dist/{deployment-previews-set-add2d9c6.esm.js → deployment-previews-set-6ceff6a3.esm.js}

@@ -6,7 +6,7 @@ import chalk from 'chalk';
 import prompts from 'prompts';
 import { processConfig } from '@commercetools-frontend/application-config';
 import { C as CredentialsStorage } from './credentials-storage-67deadc3.esm.js';
-import { d as fetchCustomApplication, g as updateCustomApplicationDeploymentPreview, h as createCustomApplicationDeploymentPreview } from './graphql-requests-c07e7b8f.esm.js';
+import { d as fetchCustomApplication, g as updateCustomApplicationDeploymentPreview, h as createCustomApplicationDeploymentPreview } from './graphql-requests-53a1f5dd.esm.js';
 import '@babel/runtime-corejs3/helpers/classCallCheck';
 import '@babel/runtime-corejs3/helpers/createClass';
 import '@babel/runtime-corejs3/core-js-stable/json/stringify';
@@ -28,7 +28,7 @@ import 'graphql';
 import 'graphql-request';
 import '@commercetools-frontend/constants';
 import '@commercetools/http-user-agent';
-import './package-14789720.esm.js';
+import './package-02f0532d.esm.js';
 
 const credentialsStorage = new CredentialsStorage();
 const validateUrl = function () {

package/dist/{deployment-previews-set-6dd7e367.cjs.prod.js → deployment-previews-set-beeaeb6d.cjs.prod.js}

@@ -8,7 +8,7 @@ var chalk = require('chalk');
 var prompts = require('prompts');
 var applicationConfig = require('@commercetools-frontend/application-config');
 var credentialsStorage$1 = require('./credentials-storage-ea1c16dc.cjs.prod.js');
-var graphqlRequests = require('./graphql-requests-5e31d639.cjs.prod.js');
+var graphqlRequests = require('./graphql-requests-4c97fe92.cjs.prod.js');
 require('@babel/runtime-corejs3/helpers/classCallCheck');
 require('@babel/runtime-corejs3/helpers/createClass');
 require('@babel/runtime-corejs3/core-js-stable/json/stringify');
@@ -30,7 +30,7 @@ require('graphql');
 require('graphql-request');
 require('@commercetools-frontend/constants');
 require('@commercetools/http-user-agent');
-require('./package-d75d6b9f.cjs.prod.js');
+require('./package-dfc9c56b.cjs.prod.js');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
 

package/dist/{deployment-previews-set-68c37d9d.cjs.dev.js → deployment-previews-set-c4f8a461.cjs.dev.js}

@@ -8,7 +8,7 @@ var chalk = require('chalk');
 var prompts = require('prompts');
 var applicationConfig = require('@commercetools-frontend/application-config');
 var credentialsStorage$1 = require('./credentials-storage-fd195144.cjs.dev.js');
-var graphqlRequests = require('./graphql-requests-24e04c13.cjs.dev.js');
+var graphqlRequests = require('./graphql-requests-86c87041.cjs.dev.js');
 require('@babel/runtime-corejs3/helpers/classCallCheck');
 require('@babel/runtime-corejs3/helpers/createClass');
 require('@babel/runtime-corejs3/core-js-stable/json/stringify');
@@ -30,7 +30,7 @@ require('graphql');
 require('graphql-request');
 require('@commercetools-frontend/constants');
 require('@commercetools/http-user-agent');
-require('./package-6dcc2c4f.cjs.dev.js');
+require('./package-c8f39856.cjs.dev.js');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
 

package/dist/{graphql-requests-5e31d639.cjs.prod.js → graphql-requests-4c97fe92.cjs.prod.js}

@@ -16,7 +16,7 @@ var graphqlRequest = require('graphql-request');
 var constants = require('@commercetools-frontend/constants');
 var credentialsStorage$1 = require('./credentials-storage-ea1c16dc.cjs.prod.js');
 var createHttpUserAgent = require('@commercetools/http-user-agent');
-var _package = require('./package-d75d6b9f.cjs.prod.js');
+var _package = require('./package-dfc9c56b.cjs.prod.js');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
 

package/dist/{graphql-requests-c07e7b8f.esm.js → graphql-requests-53a1f5dd.esm.js}

@@ -14,7 +14,7 @@ import { GraphQLClient, ClientError } from 'graphql-request';
 import { GRAPHQL_TARGETS, SUPPORTED_HEADERS } from '@commercetools-frontend/constants';
 import { C as CredentialsStorage } from './credentials-storage-67deadc3.esm.js';
 import createHttpUserAgent from '@commercetools/http-user-agent';
-import { p as pkgJson } from './package-14789720.esm.js';
+import { p as pkgJson } from './package-02f0532d.esm.js';
 
 const userAgent = createHttpUserAgent({
   name: 'graphql-request',

package/dist/{graphql-requests-24e04c13.cjs.dev.js → graphql-requests-86c87041.cjs.dev.js}

@@ -16,7 +16,7 @@ var graphqlRequest = require('graphql-request');
 var constants = require('@commercetools-frontend/constants');
 var credentialsStorage$1 = require('./credentials-storage-fd195144.cjs.dev.js');
 var createHttpUserAgent = require('@commercetools/http-user-agent');
-var _package = require('./package-6dcc2c4f.cjs.dev.js');
+var _package = require('./package-c8f39856.cjs.dev.js');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { 'default': e }; }
 

package/dist/{login-af2522fd.esm.js → login-1e4ddcda.esm.js}

@@ -13,7 +13,7 @@ import crypto from 'node:crypto';
 import process, { exit } from 'node:process';
 import chalk from 'chalk';
 import { processConfig } from '@commercetools-frontend/application-config';
-import { p as pkgJson } from './package-14789720.esm.js';
+import { p as pkgJson } from './package-02f0532d.esm.js';
 import http from 'node:http';
 import jwtDecode from 'jwt-decode';
 import { C as CredentialsStorage } from './credentials-storage-67deadc3.esm.js';

package/dist/{login-a1ad5f07.cjs.dev.js → login-382b51ea.cjs.dev.js}

@@ -15,7 +15,7 @@ var crypto = require('node:crypto');
 var process = require('node:process');
 var chalk = require('chalk');
 var applicationConfig = require('@commercetools-frontend/application-config');
-var _package = require('./package-6dcc2c4f.cjs.dev.js');
+var _package = require('./package-c8f39856.cjs.dev.js');
 var http = require('node:http');
 var jwtDecode = require('jwt-decode');
 var credentialsStorage$1 = require('./credentials-storage-fd195144.cjs.dev.js');

package/dist/{login-c05816f1.cjs.prod.js → login-c151a059.cjs.prod.js}

@@ -15,7 +15,7 @@ var crypto = require('node:crypto');
 var process = require('node:process');
 var chalk = require('chalk');
 var applicationConfig = require('@commercetools-frontend/application-config');
-var _package = require('./package-d75d6b9f.cjs.prod.js');
+var _package = require('./package-dfc9c56b.cjs.prod.js');
 var http = require('node:http');
 var jwtDecode = require('jwt-decode');
 var credentialsStorage$1 = require('./credentials-storage-ea1c16dc.cjs.prod.js');

package/dist/{package-14789720.esm.js → package-02f0532d.esm.js}

@@ -1,6 +1,6 @@
 var pkgJson = {
 	name: "@commercetools-frontend/mc-scripts",
-	version: "27.4.2",
+	version: "27.5.0",
 	description: "Configuration and scripts for developing a MC application",
 	bugs: "https://github.com/commercetools/merchant-center-application-kit/issues",
 	repository: {
@@ -61,13 +61,13 @@ var pkgJson = {
 		"@babel/plugin-proposal-do-expressions": "^7.22.5",
 		"@babel/runtime": "^7.22.15",
 		"@babel/runtime-corejs3": "^7.22.15",
-		"@commercetools-frontend/application-components": "27.4.2",
-		"@commercetools-frontend/application-config": "27.4.2",
-		"@commercetools-frontend/assets": "27.4.2",
-		"@commercetools-frontend/babel-preset-mc-app": "27.4.2",
-		"@commercetools-frontend/constants": "27.4.2",
-		"@commercetools-frontend/mc-dev-authentication": "27.4.2",
-		"@commercetools-frontend/mc-html-template": "27.4.2",
+		"@commercetools-frontend/application-components": "27.5.0",
+		"@commercetools-frontend/application-config": "27.5.0",
+		"@commercetools-frontend/assets": "27.5.0",
+		"@commercetools-frontend/babel-preset-mc-app": "27.5.0",
+		"@commercetools-frontend/constants": "27.5.0",
+		"@commercetools-frontend/mc-dev-authentication": "27.5.0",
+		"@commercetools-frontend/mc-html-template": "27.5.0",
 		"@commercetools/http-user-agent": "3.0.0",
 		"@emotion/babel-plugin": "^11.13.5",
 		"@formatjs/cli-lib": "^6.3.8",
@@ -91,7 +91,7 @@ var pkgJson = {
 		commander: "^13.1.0",
 		"core-js": "^3.32.2",
 		"css-loader": "6.11.0",
-		"css-minimizer-webpack-plugin": "3.4.1",
+		"css-minimizer-webpack-plugin": "^8.0.0",
 		dotenv: "16.6.1",
 		"dotenv-expand": "8.0.3",
 		"fs-extra": "10.1.0",
@@ -108,7 +108,7 @@ var pkgJson = {
 		"moment-locales-webpack-plugin": "1.2.0",
 		"node-fetch": "2.7.0",
 		open: "^10.1.0",
-		postcss: "8.5.6",
+		postcss: "^8.5.12",
 		"postcss-custom-media": "8.0.2",
 		"postcss-custom-properties": "12.1.4",
 		"postcss-import": "14.1.0",
@@ -125,7 +125,7 @@ var pkgJson = {
 		sirv: "^3.0.2",
 		"style-loader": "3.3.4",
 		"svg-url-loader": "7.1.1",
-		"terser-webpack-plugin": "5.3.14",
+		"terser-webpack-plugin": "^5.5.0",
 		"thread-loader": "3.0.4",
 		url: "^0.11.0",
 		vite: "~6.4.2",
@@ -150,7 +150,7 @@ var pkgJson = {
 		rimraf: "6.0.1"
 	},
 	engines: {
-		node: "18.x || 20.x || >=22.0.0"
+		node: "20.x || >=22.0.0"
 	},
 	peerDependencies: {
 		puppeteer: ">=20.0.0"

package/dist/{package-d75d6b9f.cjs.prod.js → package-c8f39856.cjs.dev.js}

@@ -2,7 +2,7 @@
 
 var pkgJson = {
 	name: "@commercetools-frontend/mc-scripts",
-	version: "27.4.2",
+	version: "27.5.0",
 	description: "Configuration and scripts for developing a MC application",
 	bugs: "https://github.com/commercetools/merchant-center-application-kit/issues",
 	repository: {
@@ -63,13 +63,13 @@ var pkgJson = {
 		"@babel/plugin-proposal-do-expressions": "^7.22.5",
 		"@babel/runtime": "^7.22.15",
 		"@babel/runtime-corejs3": "^7.22.15",
-		"@commercetools-frontend/application-components": "27.4.2",
-		"@commercetools-frontend/application-config": "27.4.2",
-		"@commercetools-frontend/assets": "27.4.2",
-		"@commercetools-frontend/babel-preset-mc-app": "27.4.2",
-		"@commercetools-frontend/constants": "27.4.2",
-		"@commercetools-frontend/mc-dev-authentication": "27.4.2",
-		"@commercetools-frontend/mc-html-template": "27.4.2",
+		"@commercetools-frontend/application-components": "27.5.0",
+		"@commercetools-frontend/application-config": "27.5.0",
+		"@commercetools-frontend/assets": "27.5.0",
+		"@commercetools-frontend/babel-preset-mc-app": "27.5.0",
+		"@commercetools-frontend/constants": "27.5.0",
+		"@commercetools-frontend/mc-dev-authentication": "27.5.0",
+		"@commercetools-frontend/mc-html-template": "27.5.0",
 		"@commercetools/http-user-agent": "3.0.0",
 		"@emotion/babel-plugin": "^11.13.5",
 		"@formatjs/cli-lib": "^6.3.8",
@@ -93,7 +93,7 @@ var pkgJson = {
 		commander: "^13.1.0",
 		"core-js": "^3.32.2",
 		"css-loader": "6.11.0",
-		"css-minimizer-webpack-plugin": "3.4.1",
+		"css-minimizer-webpack-plugin": "^8.0.0",
 		dotenv: "16.6.1",
 		"dotenv-expand": "8.0.3",
 		"fs-extra": "10.1.0",
@@ -110,7 +110,7 @@ var pkgJson = {
 		"moment-locales-webpack-plugin": "1.2.0",
 		"node-fetch": "2.7.0",
 		open: "^10.1.0",
-		postcss: "8.5.6",
+		postcss: "^8.5.12",
 		"postcss-custom-media": "8.0.2",
 		"postcss-custom-properties": "12.1.4",
 		"postcss-import": "14.1.0",
@@ -127,7 +127,7 @@ var pkgJson = {
 		sirv: "^3.0.2",
 		"style-loader": "3.3.4",
 		"svg-url-loader": "7.1.1",
-		"terser-webpack-plugin": "5.3.14",
+		"terser-webpack-plugin": "^5.5.0",
 		"thread-loader": "3.0.4",
 		url: "^0.11.0",
 		vite: "~6.4.2",
@@ -152,7 +152,7 @@ var pkgJson = {
 		rimraf: "6.0.1"
 	},
 	engines: {
-		node: "18.x || 20.x || >=22.0.0"
+		node: "20.x || >=22.0.0"
 	},
 	peerDependencies: {
 		puppeteer: ">=20.0.0"

package/dist/{package-6dcc2c4f.cjs.dev.js → package-dfc9c56b.cjs.prod.js}

@@ -2,7 +2,7 @@
 
 var pkgJson = {
 	name: "@commercetools-frontend/mc-scripts",
-	version: "27.4.2",
+	version: "27.5.0",
 	description: "Configuration and scripts for developing a MC application",
 	bugs: "https://github.com/commercetools/merchant-center-application-kit/issues",
 	repository: {
@@ -63,13 +63,13 @@ var pkgJson = {
 		"@babel/plugin-proposal-do-expressions": "^7.22.5",
 		"@babel/runtime": "^7.22.15",
 		"@babel/runtime-corejs3": "^7.22.15",
-		"@commercetools-frontend/application-components": "27.4.2",
-		"@commercetools-frontend/application-config": "27.4.2",
-		"@commercetools-frontend/assets": "27.4.2",
-		"@commercetools-frontend/babel-preset-mc-app": "27.4.2",
-		"@commercetools-frontend/constants": "27.4.2",
-		"@commercetools-frontend/mc-dev-authentication": "27.4.2",
-		"@commercetools-frontend/mc-html-template": "27.4.2",
+		"@commercetools-frontend/application-components": "27.5.0",
+		"@commercetools-frontend/application-config": "27.5.0",
+		"@commercetools-frontend/assets": "27.5.0",
+		"@commercetools-frontend/babel-preset-mc-app": "27.5.0",
+		"@commercetools-frontend/constants": "27.5.0",
+		"@commercetools-frontend/mc-dev-authentication": "27.5.0",
+		"@commercetools-frontend/mc-html-template": "27.5.0",
 		"@commercetools/http-user-agent": "3.0.0",
 		"@emotion/babel-plugin": "^11.13.5",
 		"@formatjs/cli-lib": "^6.3.8",
@@ -93,7 +93,7 @@ var pkgJson = {
 		commander: "^13.1.0",
 		"core-js": "^3.32.2",
 		"css-loader": "6.11.0",
-		"css-minimizer-webpack-plugin": "3.4.1",
+		"css-minimizer-webpack-plugin": "^8.0.0",
 		dotenv: "16.6.1",
 		"dotenv-expand": "8.0.3",
 		"fs-extra": "10.1.0",
@@ -110,7 +110,7 @@ var pkgJson = {
 		"moment-locales-webpack-plugin": "1.2.0",
 		"node-fetch": "2.7.0",
 		open: "^10.1.0",
-		postcss: "8.5.6",
+		postcss: "^8.5.12",
 		"postcss-custom-media": "8.0.2",
 		"postcss-custom-properties": "12.1.4",
 		"postcss-import": "14.1.0",
@@ -127,7 +127,7 @@ var pkgJson = {
 		sirv: "^3.0.2",
 		"style-loader": "3.3.4",
 		"svg-url-loader": "7.1.1",
-		"terser-webpack-plugin": "5.3.14",
+		"terser-webpack-plugin": "^5.5.0",
 		"thread-loader": "3.0.4",
 		url: "^0.11.0",
 		vite: "~6.4.2",
@@ -152,7 +152,7 @@ var pkgJson = {
 		rimraf: "6.0.1"
 	},
 	engines: {
-		node: "18.x || 20.x || >=22.0.0"
+		node: "20.x || >=22.0.0"
 	},
 	peerDependencies: {
 		puppeteer: ">=20.0.0"

package/dist/{serve-4062385a.esm.js → serve-00294d34.esm.js}

@@ -19,6 +19,7 @@ async function run() {
   const port = options.port ?? DEFAULT_PORT;
   const publicPath = options.publicPath ?? paths.appBuild;
   const applicationConfig = options.applicationConfig ?? (await processConfig());
+  const handleAuthRoutes = options.handleAuthRoutes ?? true;
   const isLocalMcApi = _startsWithInstanceProperty(_context = applicationConfig.env.mcApiUrl).call(_context, 'http://localhost');
 
   // `single: true` gives us the SPA fallback — any unmatched path is served as
@@ -29,28 +30,34 @@ async function run() {
     etag: true
   });
   const server = http.createServer((request, response) => {
-    var _context2, _context3, _context4, _context5, _context6, _context7, _context8, _context9, _context0, _context1;
-    // Localhost-only: inline replacement for the login/logout UI that
-    // `mc-dev-authentication` used to ship as static HTML (#3734).
-    if (isLocalMcApi && ((_context2 = request.url) == null ? void 0 : _bindInstanceProperty(_context3 = Function.call).call(_context3, _startsWithInstanceProperty(_context2), _context2))?.('/login/authorize')) {
-      const redirectTo = new _URL(request.url, applicationConfig.env.mcApiUrl);
-      response.writeHead(301, {
-        Location: redirectTo.toString()
-      }).end();
-      return;
-    }
-    if (isLocalMcApi && ((_context4 = request.url) == null ? void 0 : _bindInstanceProperty(_context5 = Function.call).call(_context5, _startsWithInstanceProperty(_context4), _context4))?.('/logout')) {
-      response.end('Please clear your session storage.');
-      return;
-    }
+    var _context0, _context1;
+    // Apps that own the `/login*` / `/logout*` routes themselves (e.g.
+    // `application-authentication`) opt out via `handleAuthRoutes: false` so
+    // those paths flow through to the SPA fallback like any other route.
+    if (handleAuthRoutes) {
+      var _context2, _context3, _context4, _context5, _context6, _context7, _context8, _context9;
+      // Localhost-only: inline replacement for the login/logout UI that
+      // `mc-dev-authentication` used to ship as static HTML (#3734).
+      if (isLocalMcApi && ((_context2 = request.url) == null ? void 0 : _bindInstanceProperty(_context3 = Function.call).call(_context3, _startsWithInstanceProperty(_context2), _context2))?.('/login/authorize')) {
+        const redirectTo = new _URL(request.url, applicationConfig.env.mcApiUrl);
+        response.writeHead(301, {
+          Location: redirectTo.toString()
+        }).end();
+        return;
+      }
+      if (isLocalMcApi && ((_context4 = request.url) == null ? void 0 : _bindInstanceProperty(_context5 = Function.call).call(_context5, _startsWithInstanceProperty(_context4), _context4))?.('/logout')) {
+        response.end('Please clear your session storage.');
+        return;
+      }
 
-    // Preserve the pre-swap contract: any other `/login*` or `/logout*`
-    // request (bare `/login`, non-localhost auth callbacks, etc.) must NOT
-    // fall back to the SPA — that would mask OAuth callback
-    // misconfigurations by rendering the app on a URL the backend owns.
-    if (((_context6 = request.url) == null ? void 0 : _bindInstanceProperty(_context7 = Function.call).call(_context7, _startsWithInstanceProperty(_context6), _context6))?.('/login') || ((_context8 = request.url) == null ? void 0 : _bindInstanceProperty(_context9 = Function.call).call(_context9, _startsWithInstanceProperty(_context8), _context8))?.('/logout')) {
-      response.writeHead(404).end();
-      return;
+      // Preserve the pre-swap contract: any other `/login*` or `/logout*`
+      // request (bare `/login`, non-localhost auth callbacks, etc.) must NOT
+      // fall back to the SPA — that would mask OAuth callback
+      // misconfigurations by rendering the app on a URL the backend owns.
+      if (((_context6 = request.url) == null ? void 0 : _bindInstanceProperty(_context7 = Function.call).call(_context7, _startsWithInstanceProperty(_context6), _context6))?.('/login') || ((_context8 = request.url) == null ? void 0 : _bindInstanceProperty(_context9 = Function.call).call(_context9, _startsWithInstanceProperty(_context8), _context8))?.('/logout')) {
+        response.writeHead(404).end();
+        return;
+      }
     }
 
     // Absorb `/favicon*` variants (e.g. `/favicon.ico`, `/favicon-32x32.png`)

package/dist/{serve-b9ac0b0c.cjs.dev.js → serve-81db9f2e.cjs.dev.js}

@@ -30,6 +30,7 @@ async function run() {
   const port = options.port ?? DEFAULT_PORT;
   const publicPath = options.publicPath ?? paths.paths.appBuild;
   const applicationConfig$1 = options.applicationConfig ?? (await applicationConfig.processConfig());
+  const handleAuthRoutes = options.handleAuthRoutes ?? true;
   const isLocalMcApi = _startsWithInstanceProperty__default["default"](_context = applicationConfig$1.env.mcApiUrl).call(_context, 'http://localhost');
 
   // `single: true` gives us the SPA fallback — any unmatched path is served as
@@ -40,28 +41,34 @@ async function run() {
     etag: true
   });
   const server = http__default["default"].createServer((request, response) => {
-    var _context2, _context3, _context4, _context5, _context6, _context7, _context8, _context9, _context0, _context1;
-    // Localhost-only: inline replacement for the login/logout UI that
-    // `mc-dev-authentication` used to ship as static HTML (#3734).
-    if (isLocalMcApi && ((_context2 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context3 = Function.call).call(_context3, _startsWithInstanceProperty__default["default"](_context2), _context2))?.('/login/authorize')) {
-      const redirectTo = new _URL__default["default"](request.url, applicationConfig$1.env.mcApiUrl);
-      response.writeHead(301, {
-        Location: redirectTo.toString()
-      }).end();
-      return;
-    }
-    if (isLocalMcApi && ((_context4 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context5 = Function.call).call(_context5, _startsWithInstanceProperty__default["default"](_context4), _context4))?.('/logout')) {
-      response.end('Please clear your session storage.');
-      return;
-    }
+    var _context0, _context1;
+    // Apps that own the `/login*` / `/logout*` routes themselves (e.g.
+    // `application-authentication`) opt out via `handleAuthRoutes: false` so
+    // those paths flow through to the SPA fallback like any other route.
+    if (handleAuthRoutes) {
+      var _context2, _context3, _context4, _context5, _context6, _context7, _context8, _context9;
+      // Localhost-only: inline replacement for the login/logout UI that
+      // `mc-dev-authentication` used to ship as static HTML (#3734).
+      if (isLocalMcApi && ((_context2 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context3 = Function.call).call(_context3, _startsWithInstanceProperty__default["default"](_context2), _context2))?.('/login/authorize')) {
+        const redirectTo = new _URL__default["default"](request.url, applicationConfig$1.env.mcApiUrl);
+        response.writeHead(301, {
+          Location: redirectTo.toString()
+        }).end();
+        return;
+      }
+      if (isLocalMcApi && ((_context4 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context5 = Function.call).call(_context5, _startsWithInstanceProperty__default["default"](_context4), _context4))?.('/logout')) {
+        response.end('Please clear your session storage.');
+        return;
+      }
 
-    // Preserve the pre-swap contract: any other `/login*` or `/logout*`
-    // request (bare `/login`, non-localhost auth callbacks, etc.) must NOT
-    // fall back to the SPA — that would mask OAuth callback
-    // misconfigurations by rendering the app on a URL the backend owns.
-    if (((_context6 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context7 = Function.call).call(_context7, _startsWithInstanceProperty__default["default"](_context6), _context6))?.('/login') || ((_context8 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context9 = Function.call).call(_context9, _startsWithInstanceProperty__default["default"](_context8), _context8))?.('/logout')) {
-      response.writeHead(404).end();
-      return;
+      // Preserve the pre-swap contract: any other `/login*` or `/logout*`
+      // request (bare `/login`, non-localhost auth callbacks, etc.) must NOT
+      // fall back to the SPA — that would mask OAuth callback
+      // misconfigurations by rendering the app on a URL the backend owns.
+      if (((_context6 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context7 = Function.call).call(_context7, _startsWithInstanceProperty__default["default"](_context6), _context6))?.('/login') || ((_context8 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context9 = Function.call).call(_context9, _startsWithInstanceProperty__default["default"](_context8), _context8))?.('/logout')) {
+        response.writeHead(404).end();
+        return;
+      }
     }
 
     // Absorb `/favicon*` variants (e.g. `/favicon.ico`, `/favicon-32x32.png`)

package/dist/{serve-5a455e72.cjs.prod.js → serve-d62433a1.cjs.prod.js}

@@ -30,6 +30,7 @@ async function run() {
   const port = options.port ?? DEFAULT_PORT;
   const publicPath = options.publicPath ?? paths.paths.appBuild;
   const applicationConfig$1 = options.applicationConfig ?? (await applicationConfig.processConfig());
+  const handleAuthRoutes = options.handleAuthRoutes ?? true;
   const isLocalMcApi = _startsWithInstanceProperty__default["default"](_context = applicationConfig$1.env.mcApiUrl).call(_context, 'http://localhost');
 
   // `single: true` gives us the SPA fallback — any unmatched path is served as
@@ -40,28 +41,34 @@ async function run() {
     etag: true
   });
   const server = http__default["default"].createServer((request, response) => {
-    var _context2, _context3, _context4, _context5, _context6, _context7, _context8, _context9, _context0, _context1;
-    // Localhost-only: inline replacement for the login/logout UI that
-    // `mc-dev-authentication` used to ship as static HTML (#3734).
-    if (isLocalMcApi && ((_context2 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context3 = Function.call).call(_context3, _startsWithInstanceProperty__default["default"](_context2), _context2))?.('/login/authorize')) {
-      const redirectTo = new _URL__default["default"](request.url, applicationConfig$1.env.mcApiUrl);
-      response.writeHead(301, {
-        Location: redirectTo.toString()
-      }).end();
-      return;
-    }
-    if (isLocalMcApi && ((_context4 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context5 = Function.call).call(_context5, _startsWithInstanceProperty__default["default"](_context4), _context4))?.('/logout')) {
-      response.end('Please clear your session storage.');
-      return;
-    }
+    var _context0, _context1;
+    // Apps that own the `/login*` / `/logout*` routes themselves (e.g.
+    // `application-authentication`) opt out via `handleAuthRoutes: false` so
+    // those paths flow through to the SPA fallback like any other route.
+    if (handleAuthRoutes) {
+      var _context2, _context3, _context4, _context5, _context6, _context7, _context8, _context9;
+      // Localhost-only: inline replacement for the login/logout UI that
+      // `mc-dev-authentication` used to ship as static HTML (#3734).
+      if (isLocalMcApi && ((_context2 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context3 = Function.call).call(_context3, _startsWithInstanceProperty__default["default"](_context2), _context2))?.('/login/authorize')) {
+        const redirectTo = new _URL__default["default"](request.url, applicationConfig$1.env.mcApiUrl);
+        response.writeHead(301, {
+          Location: redirectTo.toString()
+        }).end();
+        return;
+      }
+      if (isLocalMcApi && ((_context4 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context5 = Function.call).call(_context5, _startsWithInstanceProperty__default["default"](_context4), _context4))?.('/logout')) {
+        response.end('Please clear your session storage.');
+        return;
+      }
 
-    // Preserve the pre-swap contract: any other `/login*` or `/logout*`
-    // request (bare `/login`, non-localhost auth callbacks, etc.) must NOT
-    // fall back to the SPA — that would mask OAuth callback
-    // misconfigurations by rendering the app on a URL the backend owns.
-    if (((_context6 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context7 = Function.call).call(_context7, _startsWithInstanceProperty__default["default"](_context6), _context6))?.('/login') || ((_context8 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context9 = Function.call).call(_context9, _startsWithInstanceProperty__default["default"](_context8), _context8))?.('/logout')) {
-      response.writeHead(404).end();
-      return;
+      // Preserve the pre-swap contract: any other `/login*` or `/logout*`
+      // request (bare `/login`, non-localhost auth callbacks, etc.) must NOT
+      // fall back to the SPA — that would mask OAuth callback
+      // misconfigurations by rendering the app on a URL the backend owns.
+      if (((_context6 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context7 = Function.call).call(_context7, _startsWithInstanceProperty__default["default"](_context6), _context6))?.('/login') || ((_context8 = request.url) == null ? void 0 : _bindInstanceProperty__default["default"](_context9 = Function.call).call(_context9, _startsWithInstanceProperty__default["default"](_context8), _context8))?.('/logout')) {
+        response.writeHead(404).end();
+        return;
+      }
     }
 
     // Absorb `/favicon*` variants (e.g. `/favicon.ico`, `/favicon-32x32.png`)

package/dist/{start-f93cb36f.cjs.dev.js → start-32bc9eca.cjs.dev.js}

@@ -9,7 +9,7 @@ var openBrowser = require('react-dev-utils/openBrowser');
 var WebpackDevServerUtils = require('react-dev-utils/WebpackDevServerUtils');
 var webpack = require('webpack');
 var WebpackDevServer = require('webpack-dev-server');
-var createWebpackConfigForDevelopment = require('./create-webpack-config-for-development-835be72f.cjs.dev.js');
+var createWebpackConfigForDevelopment = require('./create-webpack-config-for-development-65abeb3f.cjs.dev.js');
 var paths = require('./paths-b76fc753.cjs.dev.js');
 var applicationConfig = require('@commercetools-frontend/application-config');
 var mcDevAuthentication = require('@commercetools-frontend/mc-dev-authentication');
@@ -36,9 +36,9 @@ require('webpackbar');
 require('@babel/runtime-corejs3/helpers/classCallCheck');
 require('@babel/runtime-corejs3/helpers/createClass');
 require('@babel/runtime-corejs3/core-js-stable/object/assign');
-require('./create-postcss-config-7cebb3e2.cjs.dev.js');
+require('./create-postcss-config-1b021fb2.cjs.dev.js');
 require('@babel/runtime-corejs3/helpers/slicedToArray');
-require('./package-6dcc2c4f.cjs.dev.js');
+require('./package-c8f39856.cjs.dev.js');
 require('./optimizations-56be74d6.cjs.dev.js');
 require('@babel/runtime-corejs3/core-js-stable/instance/reduce');
 require('@babel/runtime-corejs3/core-js-stable/object/entries');

package/dist/{start-f52d8e68.cjs.prod.js → start-5eb60c74.cjs.prod.js}

@@ -9,7 +9,7 @@ var openBrowser = require('react-dev-utils/openBrowser');
 var WebpackDevServerUtils = require('react-dev-utils/WebpackDevServerUtils');
 var webpack = require('webpack');
 var WebpackDevServer = require('webpack-dev-server');
-var createWebpackConfigForDevelopment = require('./create-webpack-config-for-development-9d0b5ccd.cjs.prod.js');
+var createWebpackConfigForDevelopment = require('./create-webpack-config-for-development-1db101e2.cjs.prod.js');
 var paths = require('./paths-7768b440.cjs.prod.js');
 var applicationConfig = require('@commercetools-frontend/application-config');
 var mcDevAuthentication = require('@commercetools-frontend/mc-dev-authentication');
@@ -36,9 +36,9 @@ require('webpackbar');
 require('@babel/runtime-corejs3/helpers/classCallCheck');
 require('@babel/runtime-corejs3/helpers/createClass');
 require('@babel/runtime-corejs3/core-js-stable/object/assign');
-require('./create-postcss-config-82c6d99e.cjs.prod.js');
+require('./create-postcss-config-434fe673.cjs.prod.js');
 require('@babel/runtime-corejs3/helpers/slicedToArray');
-require('./package-d75d6b9f.cjs.prod.js');
+require('./package-dfc9c56b.cjs.prod.js');
 require('./optimizations-da5a0cfa.cjs.prod.js');
 require('@babel/runtime-corejs3/core-js-stable/instance/reduce');
 require('@babel/runtime-corejs3/core-js-stable/object/entries');

package/dist/{start-c9b32028.esm.js → start-6fc3b235.esm.js}

@@ -7,7 +7,7 @@ import openBrowser from 'react-dev-utils/openBrowser';
 import { choosePort, prepareUrls, createCompiler } from 'react-dev-utils/WebpackDevServerUtils';
 import webpack from 'webpack';
 import WebpackDevServer from 'webpack-dev-server';
-import { c as createWebpackConfigForDevelopment } from './create-webpack-config-for-development-5fba3c63.esm.js';
+import { c as createWebpackConfigForDevelopment } from './create-webpack-config-for-development-fd981a20.esm.js';
 import { p as paths } from './paths-39f22b8b.esm.js';
 import { processConfig } from '@commercetools-frontend/application-config';
 import { createMcDevAuthenticationMiddleware } from '@commercetools-frontend/mc-dev-authentication';
@@ -34,9 +34,9 @@ import 'webpackbar';
 import '@babel/runtime-corejs3/helpers/classCallCheck';
 import '@babel/runtime-corejs3/helpers/createClass';
 import '@babel/runtime-corejs3/core-js-stable/object/assign';
-import './create-postcss-config-040fa794.esm.js';
+import './create-postcss-config-505c5a4e.esm.js';
 import '@babel/runtime-corejs3/helpers/slicedToArray';
-import './package-14789720.esm.js';
+import './package-02f0532d.esm.js';
 import './optimizations-54382f7b.esm.js';
 import '@babel/runtime-corejs3/core-js-stable/instance/reduce';
 import '@babel/runtime-corejs3/core-js-stable/object/entries';