Skip to content

Comments

chore(deps): update dependency react-router [security]#7604

Open
backstage-goalie[bot] wants to merge 1 commit intomainfrom
renovate/npm-react-router-vulnerability
Open

chore(deps): update dependency react-router [security]#7604
backstage-goalie[bot] wants to merge 1 commit intomainfrom
renovate/npm-react-router-vulnerability

Conversation

@backstage-goalie
Copy link
Contributor

@backstage-goalie backstage-goalie bot commented Feb 14, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 6.26.26.30.2 age confidence
react-router (source) 6.23.16.30.2 age confidence
react-router (source) 6.26.16.30.2 age confidence
react-router (source) 6.24.06.30.2 age confidence
react-router (source) 6.28.06.30.2 age confidence
react-router (source) 6.23.06.30.2 age confidence
react-router (source) 6.26.06.30.2 age confidence
react-router (source) 6.29.06.30.2 age confidence
react-router (source) 6.27.06.30.2 age confidence
react-router (source) 6.30.26.30.3 age confidence
react-router (source) 6.30.06.30.2 age confidence
react-router (source) 6.25.16.30.2 age confidence
react-router (source) 6.0.0-beta.0 || ^6.3.06.30.2 ^6.30.2 age confidence
react-router (source) 6.30.16.30.2 age confidence
react-router (source) 6.24.16.30.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

React Router has unexpected external redirect via untrusted paths

CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m

More information

Details

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

remix-run/react-router (react-router)

v6.30.2: v6.30.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

v6.30.1: v6.30.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

v6.30.0: v6.30.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

v6.29.0: v6.29.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

v6.28.2: v6.28.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

v6.28.1: v6.28.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

v6.28.0

Compare Source

Minor Changes
    • Log deprecation warnings for v7 flags (#​11750)
    • Add deprecation warnings to json/defer in favor of returning raw objects
      • These methods will be removed in React Router v7
Patch Changes
  • Update JSDoc URLs for new website structure (add /v6/ segment) (#​12141)
  • Updated dependencies:
    • @remix-run/router@1.21.0

v6.27.0

Compare Source

Minor Changes
  • Stabilize unstable_patchRoutesOnNavigation (#​11973)
    • Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#​11967)
  • Stabilize unstable_dataStrategy (#​11974)
  • Stabilize the unstable_flushSync option for navigations and fetchers (#​11989)
  • Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#​11989)
Patch Changes

  • Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#​12003)

  • Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#​12003)

  • Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#​11967)

  • Updated dependencies:

    • @remix-run/router@1.20.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@backstage-goalie backstage-goalie bot added dependencies Pull requests that update a dependency file security labels Feb 14, 2026
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 7ccc476 to 223558f Compare February 22, 2026 23:46
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 223558f to 3132e4c Compare February 23, 2026 00:56
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 3132e4c to 0013cf6 Compare February 23, 2026 00:56
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 0013cf6 to 6af100b Compare February 23, 2026 02:15
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 6af100b to 5408b69 Compare February 23, 2026 02:15
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 5408b69 to d4b10ec Compare February 23, 2026 03:41
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from d4b10ec to a9e19c5 Compare February 23, 2026 03:42
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from a9e19c5 to e192a7e Compare February 23, 2026 04:39
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from e192a7e to cc1ad06 Compare February 23, 2026 04:40
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from cc1ad06 to 9f39d75 Compare February 23, 2026 05:24
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 9f39d75 to c3da919 Compare February 23, 2026 05:24
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from c3da919 to 4d8b56c Compare February 23, 2026 06:12
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 4d8b56c to 4cfcf74 Compare February 23, 2026 06:12
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 4cfcf74 to 2ee6086 Compare February 23, 2026 07:10
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 2ee6086 to 4c2cc66 Compare February 23, 2026 07:11
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 4c2cc66 to 4e5e0ab Compare February 23, 2026 08:05
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 4e5e0ab to 8bbd6cd Compare February 23, 2026 08:05
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 8bbd6cd to 604fe1a Compare February 23, 2026 08:56
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 604fe1a to 8e62e3a Compare February 23, 2026 08:56
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 8e62e3a to 1600cb5 Compare February 23, 2026 09:59
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 1600cb5 to 4d6d3a1 Compare February 23, 2026 09:59
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 4d6d3a1 to 79aa8f7 Compare February 23, 2026 11:00
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 79aa8f7 to 27f06f1 Compare February 23, 2026 11:00
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 27f06f1 to 3abe362 Compare February 23, 2026 11:59
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 3abe362 to 49a3b78 Compare February 23, 2026 11:59
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 49a3b78 to 485e5e0 Compare February 23, 2026 12:54
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 485e5e0 to 64a7cb3 Compare February 23, 2026 12:54
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 64a7cb3 to 4974882 Compare February 23, 2026 14:21
@backstage-goalie
chore(deps): update dependency react-router [security]
e589fe6 
Signed-off-by: Renovate Bot <bot@renovateapp.com>
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 4974882 to e589fe6 Compare February 23, 2026 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christoph-jerolimov christoph-jerolimov Awaiting requested review from christoph-jerolimov christoph-jerolimov is a code owner

@ciiay ciiay Awaiting requested review from ciiay ciiay is a code owner

@debsmita1 debsmita1 Awaiting requested review from debsmita1 debsmita1 is a code owner

@divyanshiGupta divyanshiGupta Awaiting requested review from divyanshiGupta divyanshiGupta is a code owner

@its-mitesh-kumar its-mitesh-kumar Awaiting requested review from its-mitesh-kumar its-mitesh-kumar is a code owner

@logonoff logonoff Awaiting requested review from logonoff logonoff is a code owner

@lokanandaprabhu lokanandaprabhu Awaiting requested review from lokanandaprabhu lokanandaprabhu is a code owner

@rohitkrai03 rohitkrai03 Awaiting requested review from rohitkrai03 rohitkrai03 is a code owner

@jrichter1 jrichter1 Awaiting requested review from jrichter1 jrichter1 is a code owner

@HusneShabbir HusneShabbir Awaiting requested review from HusneShabbir HusneShabbir is a code owner

@karthikjeeyar karthikjeeyar Awaiting requested review from karthikjeeyar karthikjeeyar is a code owner

@caugello caugello Awaiting requested review from caugello caugello is a code owner

@CryptoRodeo CryptoRodeo Awaiting requested review from CryptoRodeo CryptoRodeo is a code owner

@djanickova djanickova Awaiting requested review from djanickova djanickova is a code owner

@Eswaraiahsapram Eswaraiahsapram Awaiting requested review from Eswaraiahsapram Eswaraiahsapram is a code owner

@Xantier Xantier Awaiting requested review from Xantier Xantier is a code owner

@punkle punkle Awaiting requested review from punkle punkle is a code owner

@kurtaking kurtaking Awaiting requested review from kurtaking kurtaking is a code owner

@yashoswalyo yashoswalyo Awaiting requested review from yashoswalyo yashoswalyo is a code owner

@deshmukhmayur deshmukhmayur Awaiting requested review from deshmukhmayur deshmukhmayur is a code owner

@riginoommen riginoommen Awaiting requested review from riginoommen riginoommen is a code owner

@AndrienkoAleksandr AndrienkoAleksandr Awaiting requested review from AndrienkoAleksandr AndrienkoAleksandr is a code owner

@PatAKnight PatAKnight Awaiting requested review from PatAKnight PatAKnight is a code owner

@dzemanov dzemanov Awaiting requested review from dzemanov dzemanov is a code owner

@kuangp kuangp Awaiting requested review from kuangp kuangp is a code owner

@JessicaJHee JessicaJHee Awaiting requested review from JessicaJHee JessicaJHee is a code owner

@lholmquist lholmquist Awaiting requested review from lholmquist lholmquist is a code owner

@ibolton336 ibolton336 Awaiting requested review from ibolton336 ibolton336 is a code owner

@djzager djzager Awaiting requested review from djzager djzager is a code owner

@grantila grantila Awaiting requested review from grantila grantila is a code owner

@aljesusg aljesusg Awaiting requested review from aljesusg aljesusg is a code owner

@josunect josunect Awaiting requested review from josunect josunect is a code owner

@ScottGuymer ScottGuymer Awaiting requested review from ScottGuymer ScottGuymer is a code owner

@henrikedegrd henrikedegrd Awaiting requested review from henrikedegrd henrikedegrd is a code owner

@fjudith fjudith Awaiting requested review from fjudith fjudith is a code owner

@deepan10 deepan10 Awaiting requested review from deepan10 deepan10 is a code owner

@mbruhin mbruhin Awaiting requested review from mbruhin mbruhin is a code owner

@smymoon smymoon Awaiting requested review from smymoon smymoon is a code owner

@awanlin awanlin Awaiting requested review from awanlin awanlin is a code owner

@sachaudh sachaudh Awaiting requested review from sachaudh sachaudh is a code owner

@dvail dvail Awaiting requested review from dvail dvail is a code owner

@maknop maknop Awaiting requested review from maknop maknop is a code owner

@04kash 04kash Awaiting requested review from 04kash 04kash is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file owner/area-maintainers security workspace/acr workspace/acs workspace/azure-devops workspace/azure-storage-explorer workspace/bitbucket-pull-requests workspace/blackduck workspace/cicd-statistics workspace/confluence workspace/copilot workspace/entity-feedback workspace/github workspace/jenkins workspace/kiali workspace/linkerd workspace/manage workspace/mta workspace/multi-source-security-viewer workspace/npm workspace/ocm workspace/pingidentity workspace/playlist workspace/rbac workspace/report-portal workspace/sentry workspace/sonarqube workspace/tech-insights Used to tag tech-insights workspace issues and pull requests workspace/tekton workspace/topology workspace/3scale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@backstage-service