fix(deps): bump react-router to 6.30.4 (open redirect GHSA-2j2x-hqr9-3h42) #116

Merged
telivity-otaip merged 1 commit into main from fix/react-router-open-redirect on Jun 21, 2026
Conversation

@telivity-otaip

Collaborator

Patches GHSA-2j2x-hqr9-3h42 / CVE-2026-40181 — React Router open redirect via protocol-relative URL (a redirect() to a path starting with // is reinterpreted as //evil.com).

  • Affected 6.x range: >=6.7.0 <6.30.4; lockfile was on 6.30.3.
  • Bumped react-router + react-router-dom to 6.30.4 (min patched 6.x).
  • Floored the @otaip/platform-ui constraint to ^6.30.4.
  • Only consumer is the private @otaip/platform-ui example app.
  • tsc --noEmit passes.

🤖 Generated with Claude Code

…3h42)

Patches CVE-2026-40181: same-origin redirect to a path starting // is
reinterpreted as a protocol-relative URL, enabling open redirect.
Affected 6.x range: >=6.7.0 <6.30.4. Only consumer is the private
@otaip/platform-ui example app.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@telivity-otaip telivity-otaip force-pushed the fix/react-router-open-redirect branch from 271e811 to 25d5634 June 21, 2026 16:58
@telivity-otaip telivity-otaip merged commit 3bd4cbc into main Jun 21, 2026
1 check passed
@telivity-otaip telivity-otaip deleted the fix/react-router-open-redirect branch June 21, 2026 17:39
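
The protocol-relative reinterpretation this PR patches can also be guarded at the call site, whatever router version is installed. The following is an added example, not code from this repository or from React Router: `safeRedirectTarget` and `APP_ORIGIN` are hypothetical names, `https://app.example` is a constructed placeholder origin, and the sample targets are constructed.

```javascript
// Added example: normalise a redirect target before it reaches redirect().
// APP_ORIGIN is a constructed placeholder; it is only used as the base for
// URL resolution and for the origin comparison.
const APP_ORIGIN = "https://app.example";

function safeRedirectTarget(target, fallback = "/") {
  if (typeof target !== "string" || target.length === 0) return fallback;
  let url;
  try {
    // Resolve the way a browser would. "//host", "/\host" and "/<TAB>/host"
    // all parse as a different host, so the origin check below rejects them.
    url = new URL(target, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Absolute URLs, protocol-relative URLs and non-http schemes end up here.
  if (url.origin !== APP_ORIGIN) return fallback;
  // Dot-segment removal can leave a same-origin path that itself starts
  // with "//" (for example "/.//host"); collapse it so the value handed to
  // the router can never be read as protocol-relative.
  const path = url.pathname.replace(/^\/+/, "/");
  return path + url.search + url.hash;
}

// Constructed sample targets, as they might arrive in a ?next= parameter.
const SAMPLES = [
  "/dashboard?tab=1#top",
  "//evil.example/login",
  "/\\evil.example",
  "/.//evil.example",
  "https://evil.example/",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

The check is defence in depth for user-influenced targets such as a `next` parameter; it does not replace the dependency bump.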