chore(deps): update dependency react-router to v7.12.0 [security]#81
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
chore(deps): update dependency react-router to v7.12.0 [security]#81renovate[bot] wants to merge 1 commit intomainfrom
renovate[bot] wants to merge 1 commit intomainfrom
Conversation
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
fc66ad6 to
49e41cd
Compare
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
49e41cd to
712c2eb
Compare
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
712c2eb to
bd24a7f
Compare
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
bd24a7f to
cb92992
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
2 times, most recently
from
cb92992 to
ffead46
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.10.0→7.12.0GitHub Vulnerability Alerts
CVE-2026-21884
A XSS vulnerability exists in in React Router's
<ScrollRestoration>API in Framework Mode when using thegetKey/storageKeyprops during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.Note
This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).CVE-2026-22029
React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.
Note
This does not impact applications that use Declarative Mode (
<BrowserRouter>).CVE-2026-22030
React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route
actionhandlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.Note
This does not impact applications that use Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).Release Notes
remix-run/react-router (react-router)
v7.12.0Compare Source
Minor Changes
react-router.config.tsconfigallowedActionOriginsfield. (#14708)Patch Changes
Fix
generatePathwhen used with suffixed params (i.e., "/books/:id.json") (#14269)Export
UNSAFE_createMemoryHistoryandUNSAFE_createHashHistoryalongsideUNSAFE_createBrowserHistoryfor consistency. These are not intended to be used for new apps but intended to help apps usiongunstable_HistoryRoutermigrate from v6->v7 so they can adopt the newer APIs. (#14663)Escape HTML in scroll restoration keys (#14705)
Validate redirect locations (#14706)
[UNSTABLE] Pass
<Scripts nonce>value through to the underlyingimportmapscripttag when usingfuture.unstable_subResourceIntegrity(#14675)[UNSTABLE] Add a new
future.unstable_trailingSlashAwareDataRequestsflag to provide consistent behavior ofrequest.pathnameinsidemiddleware,loader, andactionfunctions on document and data requests when a trailing slash is present in the browser URL. (#14644)Currently, your HTTP and
requestpathnames would be as follows for/a/b/cand/a/b/c//a/b/crequestpathname`/a/b/c/a/b/c✅/a/b/c.data/a/b/c✅/a/b/c/requestpathname`/a/b/c//a/b/c/✅/a/b/c.data/a/b/cWith this flag enabled, these pathnames will be made consistent though a new
_.dataformat for client-side.datarequests:/a/b/crequestpathname`/a/b/c/a/b/c✅/a/b/c.data/a/b/c✅/a/b/c/requestpathname`/a/b/c//a/b/c/✅/a/b/c/_.data⬅️/a/b/c/✅This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.
Enabling this flag also changes the format of client side
.datarequests from/_root.datato/_.datawhen navigating to/to align with the new format. This does not impact therequestpathname which is still/in all cases.Preserve
clientLoader.hydrate=truewhen using<HydratedRouter unstable_instrumentations>(#14674)v7.11.0Compare Source
Minor Changes
<HydratedRouter onError>/<RouterProvider onError>(#14546)Patch Changes
add support for throwing redirect Response's at RSC render time (#14596)
Support for throwing
data()and Response from server component render phase. Response body is not serialized as async work is not allowed as error encoding phase. If you wish to transmit data to the boundary, throwdata()instead. (#14632)Fix
unstable_useTransitionsprop on<Router>component to permit omission for backewards compatibility (#14646)routeRSCServerRequestreplacefetchServerwithserverResponse(#14597)[UNSTABLE] Add a new
unstable_defaultShouldRevalidateflag to various APIs to allow opt-ing out of standard revalidation behaviors. (#14542)If active routes include a
shouldRevalidatefunction, then your value will be passed asdefaultShouldRevalidatein those function so that the route always has the final revalidation determination.<Form method="post" unstable_defaultShouldRevalidate={false}>submit(data, { method: "post", unstable_defaultShouldRevalidate: false })<fetcher.Form method="post" unstable_defaultShouldRevalidate={false}>fetcher.submit(data, { method: "post", unstable_defaultShouldRevalidate: false })This is also available on non-submission APIs that may trigger revalidations due to changing search params:
<Link to="/" unstable_defaultShouldRevalidate={false}>navigate("/?foo=bar", { unstable_defaultShouldRevalidate: false })setSearchParams(params, { unstable_defaultShouldRevalidate: false })Allow redirects to be returned from client side middleware (#14598)
Handle
dataStrategyimplementations that return insufficient result sets by adding errors for routes without any available result (#14627)v7.10.1Compare Source
Patch Changes
useOptimisticstub we provide for React 18 users to use a stable setter function to avoid potentialuseEffectloops - specifically when using<Link viewTransition>(#14628)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.