Skip to content

Comments

chore(deps): update dependency react-router [security]#7604

Open
backstage-goalie[bot] wants to merge 1 commit intomainfrom
renovate/npm-react-router-vulnerability
Open

chore(deps): update dependency react-router [security]#7604
backstage-goalie[bot] wants to merge 1 commit intomainfrom
renovate/npm-react-router-vulnerability

Conversation

@backstage-goalie
Copy link
Contributor

@backstage-goalie backstage-goalie bot commented Feb 14, 2026

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 6.26.26.30.2 age confidence
react-router (source) 6.23.16.30.2 age confidence
react-router (source) 6.26.16.30.2 age confidence
react-router (source) 6.24.06.30.2 age confidence
react-router (source) 6.28.06.30.2 age confidence
react-router (source) 6.23.06.30.2 age confidence
react-router (source) 6.26.06.30.2 age confidence
react-router (source) 6.29.06.30.2 age confidence
react-router (source) 6.27.06.30.2 age confidence
react-router (source) 6.30.26.30.3 age confidence
react-router (source) 6.30.06.30.2 age confidence
react-router (source) 6.25.16.30.2 age confidence
react-router (source) 6.0.0-beta.0 || ^6.3.06.30.2 ^6.30.2 age confidence
react-router (source) 6.30.16.30.2 age confidence
react-router (source) 6.24.16.30.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


React Router has unexpected external redirect via untrusted paths

CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m

More information

Details

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

remix-run/react-router (react-router)

v6.30.2: v6.30.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

v6.30.1: v6.30.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

v6.30.0: v6.30.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

v6.29.0: v6.29.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

v6.28.2: v6.28.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

v6.28.1: v6.28.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

v6.28.0

Compare Source

Minor Changes
    • Log deprecation warnings for v7 flags (#​11750)
    • Add deprecation warnings to json/defer in favor of returning raw objects
      • These methods will be removed in React Router v7
Patch Changes
  • Update JSDoc URLs for new website structure (add /v6/ segment) (#​12141)
  • Updated dependencies:
    • @remix-run/router@1.21.0

v6.27.0

Compare Source

Minor Changes
  • Stabilize unstable_patchRoutesOnNavigation (#​11973)
    • Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#​11967)
  • Stabilize unstable_dataStrategy (#​11974)
  • Stabilize the unstable_flushSync option for navigations and fetchers (#​11989)
  • Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#​11989)
Patch Changes
  • Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#​12003)

  • Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#​12003)

  • Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#​11967)

  • Updated dependencies:

    • @remix-run/router@1.20.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 7ccc476 to 223558f Compare February 22, 2026 23:46
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 223558f to 3132e4c Compare February 23, 2026 00:56
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 3132e4c to 0013cf6 Compare February 23, 2026 00:56
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 0013cf6 to 6af100b Compare February 23, 2026 02:15
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 6af100b to 5408b69 Compare February 23, 2026 02:15
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 5408b69 to d4b10ec Compare February 23, 2026 03:41
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from d4b10ec to a9e19c5 Compare February 23, 2026 03:42
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from a9e19c5 to e192a7e Compare February 23, 2026 04:39
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from e192a7e to cc1ad06 Compare February 23, 2026 04:40
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from cc1ad06 to 9f39d75 Compare February 23, 2026 05:24
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 9f39d75 to c3da919 Compare February 23, 2026 05:24
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from c3da919 to 4d8b56c Compare February 23, 2026 06:12
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 4d8b56c to 4cfcf74 Compare February 23, 2026 06:12
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 4cfcf74 to 2ee6086 Compare February 23, 2026 07:10
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 2ee6086 to 4c2cc66 Compare February 23, 2026 07:11
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 4c2cc66 to 4e5e0ab Compare February 23, 2026 08:05
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 4e5e0ab to 8bbd6cd Compare February 23, 2026 08:05
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 8bbd6cd to 604fe1a Compare February 23, 2026 08:56
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 604fe1a to 8e62e3a Compare February 23, 2026 08:56
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 8e62e3a to 1600cb5 Compare February 23, 2026 09:59
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 1600cb5 to 4d6d3a1 Compare February 23, 2026 09:59
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 4d6d3a1 to 79aa8f7 Compare February 23, 2026 11:00
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 79aa8f7 to 27f06f1 Compare February 23, 2026 11:00
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 27f06f1 to 3abe362 Compare February 23, 2026 11:59
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 3abe362 to 49a3b78 Compare February 23, 2026 11:59
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 49a3b78 to 485e5e0 Compare February 23, 2026 12:54
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 485e5e0 to 64a7cb3 Compare February 23, 2026 12:54
@backstage-goalie backstage-goalie bot force-pushed the renovate/npm-react-router-vulnerability branch from 64a7cb3 to 4974882 Compare February 23, 2026 14:21
Signed-off-by: Renovate Bot <bot@renovateapp.com>
@backstage-service backstage-service force-pushed the renovate/npm-react-router-vulnerability branch from 4974882 to e589fe6 Compare February 23, 2026 14:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant