@shopify/hydrogen 2025.7.0 → 2025.7.2

package/dist/development/index.cjs

@@ -1,12 +1,10 @@
 'use strict';
 
-var url = require('url');
-var path = require('path');
-var promises = require('fs/promises');
 var react = require('react');
 var reactRouter = require('react-router');
 var jsxRuntime = require('react/jsx-runtime');
 var hydrogenReact = require('@shopify/hydrogen-react');
+var loadScript = require('@shopify/hydrogen-react/load-script');
 var graphqlClient = require('@shopify/graphql-client');
 var cookie = require('worktop/cookie');
 var cspBuilder = require('content-security-policy-builder');
@@ -14,7 +12,6 @@ var cspBuilder = require('content-security-policy-builder');
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
-var path__default = /*#__PURE__*/_interopDefault(path);
 var cspBuilder__default = /*#__PURE__*/_interopDefault(cspBuilder);
 
 var __defProp = Object.defineProperty;
@@ -30,13 +27,9 @@ var __export = (target, all) => {
 // src/vite/get-virtual-routes.ts
 var get_virtual_routes_exports = {};
 __export(get_virtual_routes_exports, {
-  VIRTUAL_ROOT: () => VIRTUAL_ROOT,
-  VIRTUAL_ROOT_ORIG: () => VIRTUAL_ROOT_ORIG,
   VIRTUAL_ROUTES_DIR: () => VIRTUAL_ROUTES_DIR,
-  VIRTUAL_ROUTES_DIR_ORIG: () => VIRTUAL_ROUTES_DIR_ORIG,
   VIRTUAL_ROUTES_DIR_PARTS: () => VIRTUAL_ROUTES_DIR_PARTS,
   VIRTUAL_ROUTES_ROUTES_DIR_PARTS: () => VIRTUAL_ROUTES_ROUTES_DIR_PARTS,
-  getVirtualRoutes: () => getVirtualRoutes,
   getVirtualRoutesV3: () => getVirtualRoutesV3
 });
 function getVirtualRoutesPath(pathParts, forFile) {
@@ -94,33 +87,7 @@ async function getVirtualRoutesV3() {
     }
   };
 }
-async function getVirtualRoutes() {
-  const distPath = path__default.default.dirname(url.fileURLToPath((typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href))));
-  const virtualRoutesPath = path__default.default.join(distPath, VIRTUAL_ROUTES_DIR_ORIG);
-  const routes = await promises.readdir(virtualRoutesPath, { recursive: true }).then(
-    (files) => files.map((relativeFilePath) => {
-      const absoluteFilePath = path__default.default.join(virtualRoutesPath, relativeFilePath);
-      const id = relativeFilePath.replace(/\.[jt]sx?$/, "").replaceAll("\\", "/");
-      const isIndex = /(^|\/)index$/.test(id);
-      const routePath = id.replace(/(^|\/)index$/, "");
-      return {
-        id: `${VIRTUAL_ROUTES_DIR_ORIG}/${id}`,
-        path: routePath,
-        file: absoluteFilePath,
-        index: isIndex
-      };
-    })
-  );
-  return {
-    routes,
-    root: {
-      id: VIRTUAL_ROOT_ORIG,
-      path: "",
-      file: path__default.default.join(distPath, VIRTUAL_ROOT_ORIG + ".jsx")
-    }
-  };
-}
-var VIRTUAL_ROUTES_DIR, VIRTUAL_ROUTES_ROUTES_DIR_PARTS, VIRTUAL_ROUTES_DIR_PARTS, VIRTUAL_ROOT, VIRTUAL_ROUTES_DIR_ORIG, VIRTUAL_ROOT_ORIG;
+var VIRTUAL_ROUTES_DIR, VIRTUAL_ROUTES_ROUTES_DIR_PARTS, VIRTUAL_ROUTES_DIR_PARTS;
 var init_get_virtual_routes = __esm({
   "src/vite/get-virtual-routes.ts"() {
     VIRTUAL_ROUTES_DIR = "vite/virtual-routes/routes";
@@ -130,9 +97,6 @@ var init_get_virtual_routes = __esm({
       "routes"
     ];
     VIRTUAL_ROUTES_DIR_PARTS = ["vite", "virtual-routes"];
-    VIRTUAL_ROOT = "vite/virtual-routes/virtual-root";
-    VIRTUAL_ROUTES_DIR_ORIG = "virtual-routes/routes";
-    VIRTUAL_ROOT_ORIG = "virtual-routes/virtual-root-with-layout";
   }
 });
 
@@ -281,7 +245,62 @@ var AnalyticsEvent = {
   // Custom
   CUSTOM_EVENT: `custom_`
 };
-var CONSENT_API = "https://cdn.shopify.com/shopifycloud/consent-tracking-api/v0.1/consent-tracking-api.js";
+
+// src/constants.ts
+var STOREFRONT_REQUEST_GROUP_ID_HEADER = "Custom-Storefront-Request-Group-ID";
+var STOREFRONT_ACCESS_TOKEN_HEADER = "X-Shopify-Storefront-Access-Token";
+var SDK_VARIANT_HEADER = "X-SDK-Variant";
+var SDK_VARIANT_SOURCE_HEADER = "X-SDK-Variant-Source";
+var SDK_VERSION_HEADER = "X-SDK-Version";
+var SHOPIFY_CLIENT_IP_HEADER = "X-Shopify-Client-IP";
+var SHOPIFY_CLIENT_IP_SIG_HEADER = "X-Shopify-Client-IP-Sig";
+var HYDROGEN_SFAPI_PROXY_KEY = "_sfapi_proxy";
+var HYDROGEN_SERVER_TRACKING_KEY = "_server_tracking";
+
+// src/utils/server-timing.ts
+function buildServerTimingHeader(values) {
+  return Object.entries(values).map(([key, value]) => value ? `${key};desc=${value}` : void 0).filter(Boolean).join(", ");
+}
+function appendServerTimingHeader(response, values) {
+  const header = typeof values === "string" ? values : buildServerTimingHeader(values);
+  if (header) {
+    response.headers.append("Server-Timing", header);
+  }
+}
+var trackedTimings = ["_y", "_s", "_cmp"];
+function extractServerTimingHeader(serverTimingHeader) {
+  const values = {};
+  if (!serverTimingHeader) return values;
+  const re = new RegExp(
+    `\\b(${trackedTimings.join("|")});desc="?([^",]+)"?`,
+    "g"
+  );
+  let match;
+  while ((match = re.exec(serverTimingHeader)) !== null) {
+    values[match[1]] = match[2];
+  }
+  return values;
+}
+function hasServerTimingInNavigationEntry(key) {
+  if (typeof window === "undefined") return false;
+  try {
+    const navigationEntry = window.performance.getEntriesByType(
+      "navigation"
+    )[0];
+    return !!navigationEntry?.serverTiming?.some((entry) => entry.name === key);
+  } catch (e) {
+    return false;
+  }
+}
+function isSfapiProxyEnabled() {
+  return hasServerTimingInNavigationEntry(HYDROGEN_SFAPI_PROXY_KEY);
+}
+function hasServerReturnedTrackingValues() {
+  return hasServerTimingInNavigationEntry(HYDROGEN_SERVER_TRACKING_KEY);
+}
+
+// src/customer-privacy/ShopifyCustomerPrivacy.tsx
+var CONSENT_API = "https://cdn.shopify.com/shopifycloud/consent-tracking-api/v0.2/consent-tracking-api.js";
 var CONSENT_API_WITH_BANNER = "https://cdn.shopify.com/shopifycloud/privacy-banner/storefront-banner.js";
 function logMissingConfig(fieldName) {
   console.error(
@@ -293,19 +312,34 @@ function useCustomerPrivacy(props) {
     withPrivacyBanner = false,
     onVisitorConsentCollected,
     onReady,
-    ...consentConfig
+    checkoutDomain,
+    storefrontAccessToken,
+    country,
+    locale,
+    sameDomainForStorefrontApi
   } = props;
-  hydrogenReact.useLoadScript(withPrivacyBanner ? CONSENT_API_WITH_BANNER : CONSENT_API, {
+  const hasSfapiProxy = react.useMemo(
+    () => sameDomainForStorefrontApi ?? isSfapiProxyEnabled(),
+    [sameDomainForStorefrontApi]
+  );
+  const fetchTrackingValuesFromBrowser = react.useMemo(
+    () => hasSfapiProxy && !hasServerReturnedTrackingValues(),
+    [hasSfapiProxy]
+  );
+  const cookiesReady = hydrogenReact.useShopifyCookies({
+    fetchTrackingValues: fetchTrackingValuesFromBrowser,
+    storefrontAccessToken,
+    ignoreDeprecatedCookies: true
+  });
+  const initialTrackingValues = react.useMemo(hydrogenReact.getTrackingValues, [cookiesReady]);
+  const { revalidate } = reactRouter.useRevalidator();
+  loadScript.useLoadScript(withPrivacyBanner ? CONSENT_API_WITH_BANNER : CONSENT_API, {
     attributes: {
       id: "customer-privacy-api"
     }
   });
-  const { observing, setLoaded } = useApisLoaded({
-    withPrivacyBanner,
-    onLoaded: onReady
-  });
+  const { observing, setLoaded, apisLoaded } = useApisLoaded({ withPrivacyBanner });
   const config = react.useMemo(() => {
-    const { checkoutDomain, storefrontAccessToken } = consentConfig;
     if (!checkoutDomain) logMissingConfig("checkoutDomain");
     if (!storefrontAccessToken) logMissingConfig("storefrontAccessToken");
     if (storefrontAccessToken.startsWith("shpat_") || storefrontAccessToken.length !== 32) {
@@ -313,18 +347,54 @@ function useCustomerPrivacy(props) {
         `[h2:error:useCustomerPrivacy] It looks like you passed a private access token, make sure to use the public token`
       );
     }
+    const commonAncestorDomain = parseStoreDomain(checkoutDomain);
+    const sfapiDomain = (
+      // Check if standard route proxy is enabled in Hydrogen server
+      // to use it instead of doing a cross-origin request to checkout.
+      hasSfapiProxy && typeof window !== "undefined" ? window.location.host : checkoutDomain
+    );
     const config2 = {
-      checkoutRootDomain: checkoutDomain,
+      // This domain is used to send requests to SFAPI for setting and getting consent.
+      checkoutRootDomain: sfapiDomain,
+      // Prefix with a dot to ensure this domain is different from checkoutRootDomain.
+      // This will ensure old cookies are set for a cross-subdomain checkout setup
+      // so that we keep backward compatibility until new cookies are rolled out.
+      // Once consent-tracking-api is updated to not rely on cookies anymore, we can remove this.
+      storefrontRootDomain: commonAncestorDomain ? "." + commonAncestorDomain : void 0,
       storefrontAccessToken,
-      storefrontRootDomain: parseStoreDomain(checkoutDomain),
-      country: consentConfig.country,
-      locale: consentConfig.locale
+      country,
+      locale
     };
     return config2;
-  }, [consentConfig, parseStoreDomain, logMissingConfig]);
+  }, [
+    logMissingConfig,
+    checkoutDomain,
+    storefrontAccessToken,
+    country,
+    locale
+  ]);
   react.useEffect(() => {
     const consentCollectedHandler = (event) => {
+      const latestTrackingValues = hydrogenReact.getTrackingValues();
+      if (initialTrackingValues.visitToken !== latestTrackingValues.visitToken || initialTrackingValues.uniqueToken !== latestTrackingValues.uniqueToken) {
+        revalidate().catch(() => {
+          console.warn(
+            "[h2:warn:useCustomerPrivacy] Revalidation failed after consent change."
+          );
+        });
+      }
       if (onVisitorConsentCollected) {
+        const customerPrivacy = getCustomerPrivacy();
+        if (customerPrivacy?.shouldShowBanner()) {
+          const consentValues = customerPrivacy.currentVisitorConsent();
+          if (consentValues) {
+            const NO_VALUE = "";
+            const noInteraction = consentValues.marketing === NO_VALUE && consentValues.analytics === NO_VALUE && consentValues.preferences === NO_VALUE;
+            if (noInteraction) {
+              return;
+            }
+          }
+        }
         onVisitorConsentCollected(event.detail);
       }
     };
@@ -350,14 +420,11 @@ function useCustomerPrivacy(props) {
       },
       set(value) {
         if (typeof value === "object" && value !== null && "showPreferences" in value && "loadBanner" in value) {
-          const privacyBanner = value;
-          privacyBanner.loadBanner(config);
           customPrivacyBanner = overridePrivacyBannerMethods({
-            privacyBanner,
+            privacyBanner: value,
             config
           });
           setLoaded.privacyBanner();
-          emitCustomerPrivacyApiLoaded();
         }
       }
     };
@@ -391,6 +458,8 @@ function useCustomerPrivacy(props) {
                 const customerPrivacy = value2;
                 customCustomerPrivacy = {
                   ...customerPrivacy,
+                  // Note: this method is not used by the privacy-banner,
+                  // it bundles its own setTrackingConsent.
                   setTrackingConsent: overrideCustomerPrivacySetTrackingConsent(
                     { customerPrivacy, config }
                   )
@@ -400,7 +469,6 @@ function useCustomerPrivacy(props) {
                   customerPrivacy: customCustomerPrivacy
                 };
                 setLoaded.customerPrivacy();
-                emitCustomerPrivacyApiLoaded();
               }
             }
           });
@@ -412,6 +480,24 @@ function useCustomerPrivacy(props) {
     overrideCustomerPrivacySetTrackingConsent,
     setLoaded.customerPrivacy
   ]);
+  react.useEffect(() => {
+    if (!apisLoaded || !cookiesReady) return;
+    const customerPrivacy = getCustomerPrivacy();
+    if (customerPrivacy && !customerPrivacy.cachedConsent) {
+      const trackingValues = hydrogenReact.getTrackingValues();
+      if (trackingValues.consent) {
+        customerPrivacy.cachedConsent = trackingValues.consent;
+      }
+    }
+    if (withPrivacyBanner) {
+      const privacyBanner = getPrivacyBanner();
+      if (privacyBanner) {
+        privacyBanner.loadBanner(config);
+      }
+    }
+    emitCustomerPrivacyApiLoaded();
+    onReady?.();
+  }, [apisLoaded, cookiesReady]);
   const result = {
     customerPrivacy: getCustomerPrivacy()
   };
@@ -427,15 +513,12 @@ function emitCustomerPrivacyApiLoaded() {
   const event = new CustomEvent("shopifyCustomerPrivacyApiLoaded");
   document.dispatchEvent(event);
 }
-function useApisLoaded({
-  withPrivacyBanner,
-  onLoaded
-}) {
+function useApisLoaded({ withPrivacyBanner }) {
   const observing = react.useRef({ customerPrivacy: false, privacyBanner: false });
-  const [apisLoaded, setApisLoaded] = react.useState(
+  const [apisLoadedArray, setApisLoaded] = react.useState(
     withPrivacyBanner ? [false, false] : [false]
   );
-  const loaded = apisLoaded.every(Boolean);
+  const apisLoaded = apisLoadedArray.every(Boolean);
   const setLoaded = {
     customerPrivacy: () => {
       if (withPrivacyBanner) {
@@ -451,16 +534,11 @@ function useApisLoaded({
       setApisLoaded((prev) => [prev[0], true]);
     }
   };
-  react.useEffect(() => {
-    if (loaded && onLoaded) {
-      onLoaded();
-    }
-  }, [loaded, onLoaded]);
-  return { observing, setLoaded };
+  return { observing, setLoaded, apisLoaded };
 }
 function parseStoreDomain(checkoutDomain) {
   if (typeof window === "undefined") return;
-  const host = window.document.location.host;
+  const host = window.location.host;
   const checkoutDomainParts = checkoutDomain.split(".").reverse();
   const currentDomainParts = host.split(".").reverse();
   const sameDomainParts = [];
@@ -469,7 +547,7 @@ function parseStoreDomain(checkoutDomain) {
       sameDomainParts.push(part);
     }
   });
-  return sameDomainParts.reverse().join(".");
+  return sameDomainParts.reverse().join(".") || void 0;
 }
 function overrideCustomerPrivacySetTrackingConsent({
   customerPrivacy,
@@ -527,7 +605,7 @@ function getPrivacyBanner() {
 }
 
 // package.json
-var version = "2025.7.0";
+var version = "2025.7.2";
 
 // src/analytics-manager/ShopifyAnalytics.tsx
 function getCustomerPrivacyRequired() {
@@ -547,6 +625,7 @@ function ShopifyAnalytics({
   const { subscribe: subscribe2, register: register2, canTrack } = useAnalytics();
   const [shopifyReady, setShopifyReady] = react.useState(false);
   const [privacyReady, setPrivacyReady] = react.useState(false);
+  const [collectedConsent, setCollectedConsent] = react.useState("");
   const init = react.useRef(false);
   const { checkoutDomain, storefrontAccessToken, language } = consent;
   const { ready: shopifyAnalyticsReady } = register2("Internal_Shopify_Analytics");
@@ -555,14 +634,31 @@ function ShopifyAnalytics({
     locale: language,
     checkoutDomain: !checkoutDomain ? "mock.shop" : checkoutDomain,
     storefrontAccessToken: !storefrontAccessToken ? "abcdefghijklmnopqrstuvwxyz123456" : storefrontAccessToken,
-    onVisitorConsentCollected: () => setPrivacyReady(true),
-    onReady: () => setPrivacyReady(true)
+    // If we use privacy banner, we should wait until consent is collected.
+    // Otherwise, we can consider privacy ready immediately:
+    onReady: () => !consent.withPrivacyBanner && setPrivacyReady(true),
+    onVisitorConsentCollected: (consent2) => {
+      try {
+        setCollectedConsent(JSON.stringify(consent2));
+      } catch (e) {
+      }
+      setPrivacyReady(true);
+    }
   });
+  const hasUserConsent = react.useMemo(
+    // must be initialized with true to avoid removing cookies too early
+    () => privacyReady ? canTrack() : true,
+    // Make this value depend on collectedConsent to re-run `canTrack()` when consent changes
+    [privacyReady, canTrack, collectedConsent]
+  );
   hydrogenReact.useShopifyCookies({
-    hasUserConsent: privacyReady ? canTrack() : true,
-    // must be initialized with true
+    hasUserConsent,
     domain,
-    checkoutDomain
+    checkoutDomain,
+    // Already done inside useCustomerPrivacy
+    fetchTrackingValues: false,
+    // Avoid creating local cookies too early
+    ignoreDeprecatedCookies: !privacyReady
   });
   react.useEffect(() => {
     if (init.current) return;
@@ -612,11 +708,11 @@ function prepareBasePageViewPayload(payload) {
     ...payload.shop,
     hasUserConsent,
     ...hydrogenReact.getClientBrowserParameters(),
-    ccpaEnforced: !customerPrivacy.saleOfDataAllowed(),
-    gdprEnforced: !(customerPrivacy.marketingAllowed() && customerPrivacy.analyticsProcessingAllowed()),
     analyticsAllowed: customerPrivacy.analyticsProcessingAllowed(),
     marketingAllowed: customerPrivacy.marketingAllowed(),
-    saleOfDataAllowed: customerPrivacy.saleOfDataAllowed()
+    saleOfDataAllowed: customerPrivacy.saleOfDataAllowed(),
+    ccpaEnforced: !customerPrivacy.saleOfDataAllowed(),
+    gdprEnforced: !(customerPrivacy.marketingAllowed() && customerPrivacy.analyticsProcessingAllowed())
   };
   return eventPayload;
 }
@@ -1049,11 +1145,11 @@ function AnalyticsProvider({
   shop: shopProp = null,
   cookieDomain
 }) {
-  const listenerSet = react.useRef(false);
   const { shop } = useShopAnalytics(shopProp);
   const [analyticsLoaded, setAnalyticsLoaded] = react.useState(
     customCanTrack ? true : false
   );
+  const [consentCollected, setConsentCollected] = react.useState(false);
   const [carts, setCarts] = react.useState({ cart: null, prevCart: null });
   const [canTrack, setCanTrack] = react.useState(
     customCanTrack ? () => customCanTrack : () => shopifyCanTrack
@@ -1121,21 +1217,21 @@ function AnalyticsProvider({
     children,
     !!shop && /* @__PURE__ */ jsxRuntime.jsx(AnalyticsPageView, {}),
     !!shop && !!currentCart && /* @__PURE__ */ jsxRuntime.jsx(CartAnalytics, { cart: currentCart, setCarts }),
-    !!shop && consent.checkoutDomain && /* @__PURE__ */ jsxRuntime.jsx(
+    !!shop && /* @__PURE__ */ jsxRuntime.jsx(
       ShopifyAnalytics,
       {
         consent,
         onReady: () => {
-          listenerSet.current = true;
           setAnalyticsLoaded(true);
           setCanTrack(
             customCanTrack ? () => customCanTrack : () => shopifyCanTrack
           );
+          setConsentCollected(true);
         },
         domain: cookieDomain
       }
     ),
-    !!shop && /* @__PURE__ */ jsxRuntime.jsx(PerfKit, { shop })
+    !!shop && consentCollected && /* @__PURE__ */ jsxRuntime.jsx(PerfKit, { shop })
   ] });
 }
 function useAnalytics() {
@@ -1214,6 +1310,31 @@ function getDebugHeaders(request) {
     purpose: request ? getHeader(request, "purpose") : void 0
   };
 }
+function getStorefrontHeaders(request) {
+  return {
+    requestGroupId: getHeader(request, "request-id"),
+    buyerIp: getHeader(request, "oxygen-buyer-ip"),
+    buyerIpSig: getHeader(request, SHOPIFY_CLIENT_IP_SIG_HEADER),
+    cookie: getHeader(request, "cookie"),
+    // sec-purpose is added by browsers automatically when using link/prefetch or Speculation Rules
+    purpose: getHeader(request, "sec-purpose") || getHeader(request, "purpose")
+  };
+}
+var SFAPI_RE = /^\/api\/(unstable|2\d{3}-\d{2})\/graphql\.json$/;
+var getSafePathname = (url) => {
+  try {
+    return new URL(url, "http://e.c").pathname;
+  } catch {
+    return "/";
+  }
+};
+function extractHeaders(extract, keys) {
+  return keys.reduce((acc, key) => {
+    const forwardedValue = extract(key);
+    if (forwardedValue) acc.push([key, forwardedValue]);
+    return acc;
+  }, []);
+}
 
 // src/utils/callsites.ts
 function withSyncStack(promise, options = {}) {
@@ -1581,13 +1702,16 @@ async function runWithCache(cacheKey, actionFn, {
   }
   return result;
 }
+var excludedHeaders = ["set-cookie", "server-timing"];
 function toSerializableResponse(body, response) {
   return [
     body,
     {
       status: response.status,
       statusText: response.statusText,
-      headers: Array.from(response.headers.entries())
+      headers: [...response.headers].filter(
+        ([key]) => !excludedHeaders.includes(key.toLowerCase())
+      )
     }
   ];
 }
@@ -1601,7 +1725,8 @@ async function fetchWithServerCache(url, requestInit, {
   shouldCacheResponse,
   waitUntil,
   debugInfo,
-  streamConfig
+  streamConfig,
+  onRawHeaders
 }) {
   if (!cacheOptions && (!requestInit.method || requestInit.method === "GET")) {
     cacheOptions = CacheShort();
@@ -1615,6 +1740,7 @@ async function fetchWithServerCache(url, requestInit, {
           url,
           customFetchApi: async (url2, options) => {
             rawResponse = await fetch(url2, options);
+            onRawHeaders?.(rawResponse.headers);
             return rawResponse;
           },
           headers: requestInit.headers
@@ -1638,6 +1764,7 @@ async function fetchWithServerCache(url, requestInit, {
         );
       }
       const response = await fetch(url, requestInit);
+      onRawHeaders?.(response.headers);
       if (!response.ok) {
         return response;
       }
@@ -1861,13 +1988,6 @@ var cartSetIdDefault = (cookieOptions) => {
   };
 };
 
-// src/constants.ts
-var STOREFRONT_REQUEST_GROUP_ID_HEADER = "Custom-Storefront-Request-Group-ID";
-var STOREFRONT_ACCESS_TOKEN_HEADER = "X-Shopify-Storefront-Access-Token";
-var SDK_VARIANT_HEADER = "X-SDK-Variant";
-var SDK_VARIANT_SOURCE_HEADER = "X-SDK-Variant-Source";
-var SDK_VERSION_HEADER = "X-SDK-Version";
-
 // src/utils/uuid.ts
 function generateUUID() {
   if (typeof crypto !== "undefined" && !!crypto.randomUUID) {
@@ -1878,7 +1998,7 @@ function generateUUID() {
 }
 
 // src/version.ts
-var LIB_VERSION = "2025.7.0";
+var LIB_VERSION = "2025.7.2";
 
 // src/utils/graphql.ts
 function minifyQuery(string) {
@@ -2042,16 +2162,34 @@ function createStorefrontClient(options) {
     contentType: "json",
     buyerIp: storefrontHeaders?.buyerIp || ""
   });
+  if (storefrontHeaders?.buyerIp) {
+    defaultHeaders[SHOPIFY_CLIENT_IP_HEADER] = storefrontHeaders.buyerIp;
+  }
+  if (storefrontHeaders?.buyerIpSig) {
+    defaultHeaders[SHOPIFY_CLIENT_IP_SIG_HEADER] = storefrontHeaders.buyerIpSig;
+  }
   defaultHeaders[STOREFRONT_REQUEST_GROUP_ID_HEADER] = storefrontHeaders?.requestGroupId || generateUUID();
   if (storefrontId) defaultHeaders[hydrogenReact.SHOPIFY_STOREFRONT_ID_HEADER] = storefrontId;
   defaultHeaders["user-agent"] = `Hydrogen ${LIB_VERSION}`;
-  if (storefrontHeaders && storefrontHeaders.cookie) {
-    const cookies = hydrogenReact.getShopifyCookies(storefrontHeaders.cookie ?? "");
-    if (cookies[hydrogenReact.SHOPIFY_Y])
-      defaultHeaders[hydrogenReact.SHOPIFY_STOREFRONT_Y_HEADER] = cookies[hydrogenReact.SHOPIFY_Y];
-    if (cookies[hydrogenReact.SHOPIFY_S])
-      defaultHeaders[hydrogenReact.SHOPIFY_STOREFRONT_S_HEADER] = cookies[hydrogenReact.SHOPIFY_S];
-  }
+  const requestCookie = storefrontHeaders?.cookie ?? "";
+  if (requestCookie) defaultHeaders["cookie"] = requestCookie;
+  let uniqueToken;
+  let visitToken;
+  if (!/\b_shopify_(analytics|marketing)=/.test(requestCookie)) {
+    const legacyUniqueToken = requestCookie.match(/\b_shopify_y=([^;]+)/)?.[1];
+    const legacyVisitToken = requestCookie.match(/\b_shopify_s=([^;]+)/)?.[1];
+    if (legacyUniqueToken) {
+      defaultHeaders[hydrogenReact.SHOPIFY_STOREFRONT_Y_HEADER] = legacyUniqueToken;
+    }
+    if (legacyVisitToken) {
+      defaultHeaders[hydrogenReact.SHOPIFY_STOREFRONT_S_HEADER] = legacyVisitToken;
+    }
+    uniqueToken = legacyUniqueToken ?? generateUUID();
+    visitToken = legacyVisitToken ?? generateUUID();
+    defaultHeaders[hydrogenReact.SHOPIFY_UNIQUE_TOKEN_HEADER] = uniqueToken;
+    defaultHeaders[hydrogenReact.SHOPIFY_VISIT_TOKEN_HEADER] = visitToken;
+  }
+  let collectedSubrequestHeaders;
   const cacheKeyHeader = JSON.stringify({
     "content-type": defaultHeaders["content-type"],
     "user-agent": defaultHeaders["user-agent"],
@@ -2118,7 +2256,13 @@ function createStorefrontClient(options) {
         graphql: graphqlData,
         purpose: storefrontHeaders?.purpose
       },
-      streamConfig
+      streamConfig,
+      onRawHeaders: (headers2) => {
+        collectedSubrequestHeaders ??= {
+          setCookie: headers2.getSetCookie(),
+          serverTiming: headers2.get("server-timing") ?? ""
+        };
+      }
     });
     const errorOptions = {
       url,
@@ -2217,9 +2361,90 @@ function createStorefrontClient(options) {
       generateCacheControlHeader,
       getPublicTokenHeaders,
       getPrivateTokenHeaders,
+      getHeaders: () => ({ ...defaultHeaders }),
       getShopifyDomain,
       getApiUrl: getStorefrontApiUrl,
-      i18n: i18n ?? defaultI18n
+      i18n: i18n ?? defaultI18n,
+      /**
+       * Checks if the request is targeting the Storefront API endpoint.
+       */
+      isStorefrontApiUrl(request) {
+        return SFAPI_RE.test(getSafePathname(request.url ?? ""));
+      },
+      /**
+       * Forwards the request to the Storefront API.
+       */
+      async forward(request, options2) {
+        const forwardedHeaders = new Headers([
+          // Forward only a selected set of headers to the Storefront API
+          // to avoid getting 403 errors due to unexpected headers.
+          ...extractHeaders(
+            (key) => request.headers.get(key),
+            [
+              "accept",
+              "accept-encoding",
+              "accept-language",
+              // Access-Control headers are used for CORS preflight requests.
+              "access-control-request-headers",
+              "access-control-request-method",
+              "content-type",
+              "content-length",
+              "cookie",
+              "origin",
+              "referer",
+              "user-agent",
+              STOREFRONT_ACCESS_TOKEN_HEADER,
+              hydrogenReact.SHOPIFY_UNIQUE_TOKEN_HEADER,
+              hydrogenReact.SHOPIFY_VISIT_TOKEN_HEADER
+            ]
+          ),
+          // Add some headers to help with geolocalization and debugging
+          ...extractHeaders(
+            (key) => defaultHeaders[key],
+            [
+              SHOPIFY_CLIENT_IP_HEADER,
+              SHOPIFY_CLIENT_IP_SIG_HEADER,
+              hydrogenReact.SHOPIFY_STOREFRONT_ID_HEADER,
+              STOREFRONT_REQUEST_GROUP_ID_HEADER
+            ]
+          )
+        ]);
+        if (storefrontHeaders?.buyerIp) {
+          forwardedHeaders.set("x-forwarded-for", storefrontHeaders.buyerIp);
+        }
+        const storefrontApiVersion = options2?.storefrontApiVersion ?? getSafePathname(request.url).match(SFAPI_RE)?.[1];
+        const sfapiResponse = await fetch(
+          getStorefrontApiUrl({ storefrontApiVersion }),
+          {
+            method: request.method,
+            body: request.body,
+            headers: forwardedHeaders
+          }
+        );
+        return new Response(sfapiResponse.body, sfapiResponse);
+      },
+      setCollectedSubrequestHeaders: (response) => {
+        if (collectedSubrequestHeaders) {
+          for (const value of collectedSubrequestHeaders.setCookie) {
+            response.headers.append("Set-Cookie", value);
+          }
+        }
+        const serverTiming = extractServerTimingHeader(
+          collectedSubrequestHeaders?.serverTiming
+        );
+        const isDocumentResponse = response.headers.get("content-type")?.startsWith("text/html");
+        const fallbackValues = isDocumentResponse ? { _y: uniqueToken, _s: visitToken } : void 0;
+        appendServerTimingHeader(response, {
+          ...fallbackValues,
+          ...serverTiming
+        });
+        if (isDocumentResponse && collectedSubrequestHeaders && // _shopify_essential cookie is always set, but we need more than that
+        collectedSubrequestHeaders.setCookie.length > 1 && serverTiming?._y && serverTiming?._s && serverTiming?._cmp) {
+          appendServerTimingHeader(response, {
+            [HYDROGEN_SERVER_TRACKING_KEY]: "1"
+          });
+        }
+      }
     }
   };
 }
@@ -3305,9 +3530,9 @@ var logSubRequestEvent = ({
     }
   });
 } ;
-function redirect(path2, options = {}) {
+function redirect(path, options = {}) {
   const headers = options.headers ? new Headers(options.headers) : new Headers({});
-  headers.set("location", path2);
+  headers.set("location", path);
   return new Response(null, { status: options.status || 302, headers });
 }
 async function refreshToken({
@@ -3815,6 +4040,12 @@ function createCustomerAccountClient({
       if (options?.countryCode) {
         loginUrl.searchParams.append("region_country", options.countryCode);
       }
+      if (options?.acrValues) {
+        loginUrl.searchParams.append("acr_values", options.acrValues);
+      }
+      if (options?.loginHint) {
+        loginUrl.searchParams.append("login_hint", options.loginHint);
+      }
       const verifier = generateCodeVerifier();
       const challenge = await generateCodeChallenge(verifier);
       session.set(CUSTOMER_ACCOUNT_SESSION_KEY, {
@@ -4145,12 +4376,58 @@ function createHydrogenContext(options, additionalContext) {
   });
   return hybridProvider;
 }
-function getStorefrontHeaders(request) {
-  return {
-    requestGroupId: getHeader(request, "request-id"),
-    buyerIp: getHeader(request, "oxygen-buyer-ip"),
-    cookie: getHeader(request, "cookie"),
-    purpose: getHeader(request, "purpose")
+function createRequestHandler({
+  build,
+  mode,
+  poweredByHeader = true,
+  getLoadContext,
+  collectTrackingInformation = true,
+  proxyStandardRoutes = true
+}) {
+  const handleRequest = reactRouter.createRequestHandler(build, mode);
+  const appendPoweredByHeader = poweredByHeader ? (response) => response.headers.append("powered-by", "Shopify, Hydrogen") : void 0;
+  return async (request) => {
+    const method = request.method;
+    if ((method === "GET" || method === "HEAD") && request.body) {
+      return new Response(`${method} requests cannot have a body`, {
+        status: 400
+      });
+    }
+    const url = new URL(request.url);
+    if (url.pathname.includes("//")) {
+      return new Response(null, {
+        status: 301,
+        headers: {
+          location: url.pathname.replace(/\/+/g, "/")
+        }
+      });
+    }
+    const context = await getLoadContext?.(request);
+    const storefront = context?.storefront || context?.get?.(storefrontContext);
+    if (proxyStandardRoutes) {
+      if (!storefront) {
+        warnOnce(
+          "[h2:createRequestHandler] Storefront instance is required to proxy standard routes."
+        );
+      }
+      if (storefront?.isStorefrontApiUrl(request)) {
+        const response2 = await storefront.forward(request);
+        appendPoweredByHeader?.(response2);
+        return response2;
+      }
+    }
+    const response = await handleRequest(request, context);
+    if (storefront && proxyStandardRoutes) {
+      if (collectTrackingInformation) {
+        storefront.setCollectedSubrequestHeaders(response);
+      }
+      const fetchDest = request.headers.get("sec-fetch-dest");
+      if (fetchDest && fetchDest === "document" || request.headers.get("accept")?.includes("text/html")) {
+        appendServerTimingHeader(response, { [HYDROGEN_SFAPI_PROXY_KEY]: "1" });
+      }
+    }
+    appendPoweredByHeader?.(response);
+    return response;
   };
 }
 var NonceContext = react.createContext(void 0);
@@ -4279,12 +4556,12 @@ function LazyScript({
 async function hydrogenRoutes(currentRoutes) {
   const { getVirtualRoutesV3: getVirtualRoutesV32 } = await Promise.resolve().then(() => (init_get_virtual_routes(), get_virtual_routes_exports));
   const { layout, routes: virtualRoutes } = await getVirtualRoutesV32();
-  const childVirtualRoutes = virtualRoutes.map(({ path: path2, file, index, id }) => {
+  const childVirtualRoutes = virtualRoutes.map(({ path, file, index, id }) => {
     return {
       file,
       id,
       index,
-      path: path2
+      path
     };
   });
   const virtualLayout = {
@@ -4645,7 +4922,7 @@ function VariantSelector({
     }
   }
   const variants = _variants instanceof Array ? _variants : hydrogenReact.flattenConnection(_variants);
-  const { searchParams, path: path2, alreadyOnProductPage } = useVariantPath(
+  const { searchParams, path, alreadyOnProductPage } = useVariantPath(
     handle,
     productPath,
     waitForNavigation
@@ -4701,7 +4978,7 @@ function VariantSelector({
             value: value.name,
             optionValue: value,
             isAvailable: variant ? variant.availableForSale : true,
-            to: path2 + searchString,
+            to: path + searchString,
             search: searchString,
             isActive: calculatedActiveValue,
             variant
@@ -4735,7 +5012,7 @@ function useVariantPath(handle, productPath, waitForNavigation) {
     const match = /(\/[a-zA-Z]{2}-[a-zA-Z]{2}\/)/g.exec(pathname);
     const isLocalePathname = match && match.length > 0;
     productPath = productPath.startsWith("/") ? productPath.substring(1) : productPath;
-    const path2 = isLocalePathname ? `${match[0]}${productPath}/${handle}` : `/${productPath}/${handle}`;
+    const path = isLocalePathname ? `${match[0]}${productPath}/${handle}` : `/${productPath}/${handle}`;
     const searchParams = new URLSearchParams(
       // Remix doesn't update the location until pending loaders complete.
       // By default we use the destination search params to make selecting a variant
@@ -4748,8 +5025,8 @@ function useVariantPath(handle, productPath, waitForNavigation) {
       // If the current pathname matches the product page, we need to make sure
       // that we append to the current search params. Otherwise all the search
       // params can be generated new.
-      alreadyOnProductPage: path2 === pathname,
-      path: path2
+      alreadyOnProductPage: path === pathname,
+      path
     };
   }, [pathname, search, waitForNavigation, handle, productPath, navigation]);
 }
@@ -4764,10 +5041,10 @@ function hydrogenPreset() {
       ssr: true,
       future: {
         v8_middleware: true,
+        v8_splitRouteModules: true,
+        v8_viteEnvironmentApi: false,
         unstable_optimizeDeps: true,
-        unstable_splitRouteModules: true,
-        unstable_subResourceIntegrity: false,
-        unstable_viteEnvironmentApi: false
+        unstable_subResourceIntegrity: false
       }
     }),
     reactRouterConfigResolved: ({ reactRouterConfig }) => {
@@ -4783,7 +5060,7 @@ function hydrogenPreset() {
       }
       if (reactRouterConfig.serverBundles) {
         throw new Error(
-          "[Hydrogen Preset] serverBundles is not supported in Hydrogen 2025.7.0.\nReason: React Router plugin manifest incompatibility with Hydrogen CLI.\nAlternative: Route-level code splitting via unstable_splitRouteModules is enabled."
+          "[Hydrogen Preset] serverBundles is not supported in Hydrogen 2025.7.0.\nReason: React Router plugin manifest incompatibility with Hydrogen CLI.\nAlternative: Route-level code splitting via v8_splitRouteModules is enabled."
         );
       }
       if (reactRouterConfig.buildEnd) {
@@ -5298,10 +5575,10 @@ var schema = {
       if (typeof value !== "string") {
         throw new Error(ERROR_PREFIX.concat("`title` should be a string"));
       }
-      if (typeof value === "string" && value.length > 120) {
+      if (typeof value === "string" && value.length > 70) {
         throw new Error(
           ERROR_PREFIX.concat(
-            "`title` should not be longer than 120 characters"
+            "`title` should not be longer than 70 characters"
           )
         );
       }
@@ -5318,7 +5595,7 @@ var schema = {
       if (typeof value === "string" && value.length > 155) {
         throw new Error(
           ERROR_PREFIX.concat(
-            "`description` should not be longer than 155 characters"
+            "`description` should not be longer than 160 characters"
           )
         );
       }
@@ -6262,6 +6539,10 @@ Object.defineProperty(exports, "getShopifyCookies", {
   enumerable: true,
   get: function () { return hydrogenReact.getShopifyCookies; }
 });
+Object.defineProperty(exports, "getTrackingValues", {
+  enumerable: true,
+  get: function () { return hydrogenReact.getTrackingValues; }
+});
 Object.defineProperty(exports, "isOptionValueCombinationInEncodedVariant", {
   enumerable: true,
   get: function () { return hydrogenReact.isOptionValueCombinationInEncodedVariant; }
@@ -6339,6 +6620,7 @@ exports.createCartHandler = createCartHandler;
 exports.createContentSecurityPolicy = createContentSecurityPolicy;
 exports.createCustomerAccountClient = createCustomerAccountClient;
 exports.createHydrogenContext = createHydrogenContext;
+exports.createRequestHandler = createRequestHandler;
 exports.createStorefrontClient = createStorefrontClient;
 exports.createWithCache = createWithCache;
 exports.formatAPIResult = formatAPIResult;