# Changelog All notable changes to the Fat Zebra JS SDK will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [2.1.0] - 2026-06-03 > **Upgrade recommended.** This release fixes a critical issue where the React SDK could silently fall back to the legacy 3DS API, which is being decommissioned. Merchants should upgrade to avoid potential production failures. ### Changed - Removed feature flag to conditionally enable the new ThreeDSecure flow. The ThreeDSecure flow is now always used for authenticating 3DS transactions. ### Fixed - Fixed the ThreeDSecure flow failing silently when `accessToken` is supplied via config rather than stored in `localStorage` - Fixed an issue where 3DS processing could silently fall back to the legacy 3DS API, which would cause failures once the legacy API is decommissioned ## [2.0.6] - 2026-05-27 ### Added - Improved reliability of the ThreeDSecure flow to prevent duplicate processing when a payment is retried or initiated more than once ### Changed - React SDK ThreeDSecure flow brought to parity with the core SDK ## [2.0.5] - 2026-05-21 ### Fixed - Fixed an issue where the device profiling step in the ThreeDSecure flow could trigger card enrollment multiple times if the device profile event fired more than once ## [2.0.4] - 2026-05-20 ### Fixed - Fixed an issue where triggering the ThreeDSecure flow multiple times (e.g. in a single-page application) could register duplicate event listeners, leading to multiple enrollment attempts ## [2.0.3] - 2026-05-19 ### Fixed - Fixed an issue in SPA environments where the Cardinal SCA `payments.validated` handler could accumulate across payment flows, causing stale callbacks to fire on subsequent transactions ## [2.0.2] - 2026-05-14 ### Changed - Default ThreeDSecure challenge window size changed from full-page to 500×600px ### Fixed - ThreeDSecure challenge window iframe errors are now correctly reported rather than silently ignored ## [2.0.1] - 2026-05-11 ### Fixed - Resolved an issue causing delayed rendering of the payment form in `renderPaymentsPage` - Payment source is now correctly included in SDK tokenisation request events ### Security - Bumped axios from 1.13.5 to 1.16.0 to address known vulnerabilities ## [2.0.0] - 2026-04-02 ### Changed - **Upgraded 3DS2 authentication flow** — replaced the previous CyberSource Cardinal/Songbird library with a new SDK-native implementation backed directly by Fat Zebra's infrastructure. The new flow supports a configurable challenge window (250×400, 390×400, 500×600, 600×400, or full-page) and handles device fingerprinting internally. No changes are required to existing integrations; the correct flow is selected automatically. ### Security - Bumped handlebars from 4.7.8 to 4.7.9 to address known vulnerabilities - Bumped axios to 1.15.0 ## [1.5.14] - 2026-03-10 ### Security - Addressed known vulnerabilities in transitive dependencies (axios, minimatch, glob) ## [1.5.12] - 2025-10-14 ## Updated - Bump to react-dom and react 19 from react 18 - Bump husky from 8.0.3 to 9.1.7 - Bump jest-environment-jsdom from 29.6.1 to 30.2.0 - Bump nock from 12.0.3 to 13.5.6 - Bump brace-expansion from 1.1.11 to 1.1.12 - Bump @testing-library/user-event from 14.5.2 to 14.6.1 ## Improved - Replace webpack with esbuild ## [1.5.11] - 2025-09-25 ## Updated - Bump ts-loader from 9.4.4 to 9.5.4 ## Improved - added method decorator logging ## [1.5.10] - 2025-08-11 ## Updated - bumped jsdom from ^16.2.1 to jsdom 26.1.0 - bumped axios from ^1.6.4 to 1.11.0 ## [1.5.9] - 2025-07-09 ## Changed - VerifyExistingCard component will now always perform 3DS action. Previously, the VerifyExistingCard would only check if the card had been previously tokenized, unless sca_enabled: true was passed as an option. This update will run SCA regardless. ## [1.5.8] – 2025-05-27 ### Changed - removed yarn.lock in favour of package-lock.json ## [1.5.7] – 2025-03-31 ### Changed Support for 3-D Secure 2.x PARes Status: CHALLENGED - Introduced a new PARes.CHALLENGED enumeration value to represent a "challenge" status in 3-D Secure (3DS) 2.x authentication flows. This is a required change from Cybersouce as it will now explicitly handle challenged events. For more information: https://developer.cybersource.com/library/documentation/dev_guides/Payer_Authentication_SCMP_API/html/Topics/Response_FieldsTable23Response_Fields_Field_NameDescriptionReturned_ByData_Type_Lengthauthorizatio-6wc.htm ### Fixed - Pass through economic commerce indicator: https://developer.cybersource.com/docs/cybs/en-us/payments/developer/vital/sa/payments/payments-processing-pa-process-intro/payments-processing-pa-eci.html ### Security - Patched routine package updates