chore: bump react-router-dom, eslint, vite #51

Closed
mdaniels5757 wants to merge 2 commits into hamster1963:main from mdaniels5757:main
@mdaniels5757 mdaniels5757 commented Dec 7, 2025

  • react-router-dom: 7.2.0 -> 7.10.1
  • eslint, @eslint/js: 9.20.1 -> 9.39.1
  • vite: 6.1.1 -> 6.4.1

Fixes CVE-2025-43865, CVE-2025-43864, GHSA-67mh-4wv8-2f99, GHSA-xffm-g5w8-qvg7.

Updating the lockfile also fixes CVE-2025-64756 and CVE-2025-64718.

Summary by CodeRabbit

  • Chores
    • Updated routing and development/build tool dependencies to improve stability, performance, and developer experience.

coderabbitai bot commented Dec 7, 2025

Walkthrough

package.json dependency bumps: react-router-dom updated 7.2.0 → 7.10.1 and devDependency vite updated 6.1.1 → 6.4.1. No other files, code, or project structure changed.

Changes

Cohort / File(s) | Summary
Dependency Updates (package.json) | Version bumps: react-router-dom (7.2.0 → 7.10.1), vite (6.1.1 → 6.4.1). No functional code or structural changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 I hopped through package.json with care,
Updated routes and builds with flair,
Small bumps, no fuss, no tangled vine,
A tidy hop — the tree looks fine! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Title check | ⚠️ Warning | The title mentions three dependencies (react-router-dom, eslint, vite) but the raw summary shows only react-router-dom and vite were updated in package.json, with no eslint changes documented. | Update the title to accurately reflect only the dependencies that were actually changed, or add eslint updates to package.json if they were intended but missing from the summary.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a8313ca and 6bf8b38.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9aa83c1 and a8313ca.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json (1 hunks)
🔇 Additional comments (3)
package.json (3)

14-73: Confirm lockfile updates are included in this PR.

The AI summary indicates that lockfile updates additionally address CVE-2025-64756 and CVE-2025-64718. Verify that the corresponding lockfile (package-lock.json or yarn.lock) has been updated and committed alongside these package.json changes to ensure the security fixes take effect.


58-58: No new breaking changes introduced in this update.

The eslint and @eslint/js bump from 9.20.x to 9.39.1 contains only minor releases and bug fixes within the v9 major version. ESLint v9.39.1 is a patch release that restores previous visitor call behavior without introducing any new breaking changes. The project's ESLint config remains compatible with this update.


72-72: The vite 6.1.1 → 6.4.1 update is safe. The project's vite configuration uses only stable APIs (resolve.alias, standard plugins, rollupOptions) that have no breaking changes in this range. The @vitejs/plugin-react-swc@3.8.0 dependency explicitly supports vite ^6, and the build/dev/preview scripts will continue to work without modifications.

"react-dom": "19.0.0",
"react-i18next": "15.4.1",
"react-router-dom": "7.2.0",
"react-router-dom": "7.10.1",
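Review bot: on the react-router-dom line, the manifest change alone does not show what gets installed, because bun.lock is excluded from this review by path filter. Confirm that bun.lock was regenerated in the same commit and resolves react-router-dom to 7.10.1, since the advisories listed in the description are only addressed once the lockfile moves. The pin also jumps from 7.2.0 straight to 7.10.1 while react-dom and react-i18next stay where they are, so it is worth stating in the PR that routing was smoke-tested against the unchanged React 19.0.0.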
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

react-router-dom 7.10.1 breaking changes release notes

💡 Result:

Short answer: There are no breaking changes listed for react-router-dom/react-router v7.10.1 — it’s a patch release. See the official changelog (v7.10.0 notes) and package metadata showing v7.10.1 as the latest patch. [1][2]

Sources:

  • Official React Router changelog (v7.10.0 notes). [1]
  • Package/version metadata showing latest v7.10.1 (Snyk/npm). [2]

🌐 Web query:

react-router-dom 7.2.0 to 7.10.1 migration guide

💡 Result:

Below is a concise migration checklist and important changes to review when moving from react-router(-dom) 7.2.0 → 7.10.1.

Quick note: the official changelog (React Router) lists all releases and the items below — see it for full details and version-by-version notes. [1]

  1. Upgrade plan (safe path)
  • Upgrade incrementally (7.2.0 → 7.3.x → 7.4.x → 7.5.x → … → 7.10.1). Run tests and smoke the app after each minor/patch bump. [1]
  • Install command example: npm/yarn upgrade to 7.10.1 (or pin): npm install react-router@7.10.1 react-router-dom@7.10.1. (v7 still publishes react-router-dom as a re-export; confirm your imports after the upgrade). [1]
  2. Major/important changes between 7.2.0 and 7.10.x to check
  • Type-safe href utility (7.2.0): new href(...) helper for type-safe path/param building in framework mode — update code if you want to adopt it and check any TypeScript callers. [1]
  • route.lazy object API (7.5.0): route.lazy() gained an object-based form (loader/action/Component) — and some unstable lazy middleware APIs moved (route.unstable_lazyMiddleware → route.lazy.unstable_middleware). If you used unstable lazy middleware, update to the new API. This can be breaking if you adopted the old unstable API. [1]
  • Security patch (7.4.1): fixed Host / X-Forwarded-Host port sanitization vulnerability (CVE). If your app relies on proxy headers or server-side host handling, ensure you test any server adaptor behavior after upgrade. [1]
  • Unstable / feature flags stabilized (around 7.10.0 / 7.7.x): some previously-unstable APIs / future flags were stabilized — if you had adopted unstable flags, review the changelog entries in case the API surface or flags changed. [1]
  3. Code-level items to scan & update
  • Imports: verify any direct imports from other packages (Remix adapters, runtime adapters) — v7 consolidated packages into react-router in v7.0.0; you should still be using react-router / react-router-dom imports consistently. [1]
  • route.lazy usage: convert any usages of unstable lazy middleware to the new route.lazy object shape if applicable. [1]
  • href usage: audit places constructing paths/links; adopt href() if you want type-safety (TypeScript). [1]
  • Server / proxy behavior: run end-to-end tests for SSR / framework mode and any code that uses Host/X-Forwarded-Host headers to confirm the security fix did not change behavior you depended on. [1]
  4. Testing & verification
  • Run the full test suite and automated E2E tests.
  • Manually test navigation, lazy-loaded routes, link generation, redirects, and any server-rendered routes.
  • If you use unstable/experimental APIs (RSC, middleware, lazy internals), read the “Unstable Changes” notes for each release in the changelog and adjust accordingly. [1]
  5. Where to read details / reference
  • Official React Router changelog (search for each version from 7.2.0 → 7.10.x). This single changelog page contains the per-version notes referenced above. [1]

If you want, I can:

  • produce a version-by-version diff (7.2.0 → 7.3.0 → … → 7.10.1) with the exact changelog lines and code examples for any specific breaking items you use (e.g., route.lazy or href).

Sources
[1] React Router changelog (versions v7.0.0 → v7.10.x).


Verify for route.lazy unstable API usage before merging react-router-dom 7.10.1.

The update from 7.2.0 to 7.10.1 includes potential breaking changes: the route.lazy unstable middleware API changed between 7.5.0–7.10.0 (route.unstable_lazyMiddleware → route.lazy.unstable_middleware), and various unstable APIs were stabilized. These are only breaking if your codebase uses those unstable APIs. Audit your code for:

  • Any usage of route.unstable_lazyMiddleware
  • Unstable lazy loading patterns or experimental flags
  • Run full test suite and E2E tests after upgrade to catch any breaking behavior
🤖 Prompt for AI Agents
In package.json at line 51 (react-router-dom: 7.10.1) verify that upgrading from
7.2.0 won’t break code that uses the unstable route.lazy API: search the repo
for any usage of route.unstable_lazyMiddleware (and other unstable lazy APIs)
and, if found, change them to the new name route.lazy.unstable_middleware or the
stabilized API as per the 7.5.0–7.10.0 migration notes, update imports/usages
accordingly, remove or replace any experimental flags/patterns, then run the
full unit and E2E test suite to confirm no regressions before merging.
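
The title-check warning and the lockfile comment above both come down to whether the manifest really carries the versions the PR description claims. As an added example (not part of the PR or of CodeRabbit's output), this script checks a package.json against those version floors using a numeric comparison; the function names and the sample manifest are constructed for illustration.

```javascript
// Added example: audit a package.json against the version floors named in
// the PR description. FLOORS values come from the PR text; everything else
// (function names, sample manifest) is constructed for this illustration.
const FLOORS = {
  "react-router-dom": "7.10.1",
  "eslint": "9.39.1",
  "@eslint/js": "9.39.1",
  "vite": "6.4.1",
};

// Parse "7.10.1", "^7.10.1" or "~7.10.1" into [major, minor, patch] numbers.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison; a plain string compare would rank "7.10.1" below "7.2.0".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Report, per floor, whether the declared spec is present and high enough.
function auditManifest(manifest, floors = FLOORS) {
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    const spec = declared[name];
    if (spec === undefined) { findings.push({ name, status: "missing" }); continue; }
    const have = parseVersion(spec);
    if (have === null) { findings.push({ name, status: "unparsed", spec }); continue; }
    const ok = compareVersions(have, parseVersion(floor)) >= 0;
    findings.push({ name, status: ok ? "ok" : "below-floor", spec, floor });
  }
  return findings;
}

// Constructed manifest: router and vite bumped, eslint left at the old version.
const sampleManifest = {
  dependencies: { "react-dom": "19.0.0", "react-router-dom": "7.10.1" },
  devDependencies: { "eslint": "9.20.1", "@eslint/js": "9.20.1", "vite": "6.4.1" },
};

console.log(auditManifest(sampleManifest));
```

This only reads the declared specs; the versions that actually install are the ones recorded in bun.lock, which still needs its own check.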
