Skip to content

chore(deps): update dependency react-router to v7.12.0 [security] #798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
renovate merged 1 commit into from
Jan 10, 2026
Merged

chore(deps): update dependency react-router to v7.12.0 [security] #798

renovate merged 1 commit into from
Jan 10, 2026

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 10, 2026

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 7.10.07.12.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-21884

A XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

Note

This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

CVE-2026-22029

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>).

CVE-2026-22030

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Release Notes

remix-run/react-router (react-router)

v7.12.0

Compare Source

Minor Changes
  • Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#​14708)
Patch Changes

  • Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#​14269)

  • Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#​14663)

  • Escape HTML in scroll restoration keys (#​14705)

  • Validate redirect locations (#​14706)

  • [UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#​14675)

  • [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

    Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c.data /a/b/c ⚠️

    With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c/_.data ⬅️ /a/b/c/

    This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

    Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

  • Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#​14674)

v7.11.0

Compare Source

Minor Changes
  • Stabilize <HydratedRouter onError>/<RouterProvider onError> (#​14546)
Patch Changes

  • add support for throwing redirect Response's at RSC render time (#​14596)

  • Support for throwing data() and Response from server component render phase. Response body is not serialized as async work is not allowed as error encoding phase. If you wish to transmit data to the boundary, throw data() instead. (#​14632)

  • Fix unstable_useTransitions prop on <Router> component to permit omission for backewards compatibility (#​14646)

  • routeRSCServerRequest replace fetchServer with serverResponse (#​14597)

  • [UNSTABLE] Add a new unstable_defaultShouldRevalidate flag to various APIs to allow opt-ing out of standard revalidation behaviors. (#​14542)

    If active routes include a shouldRevalidate function, then your value will be passed as defaultShouldRevalidate in those function so that the route always has the final revalidation determination.

    • <Form method="post" unstable_defaultShouldRevalidate={false}>
    • submit(data, { method: "post", unstable_defaultShouldRevalidate: false })
    • <fetcher.Form method="post" unstable_defaultShouldRevalidate={false}>
    • fetcher.submit(data, { method: "post", unstable_defaultShouldRevalidate: false })

    This is also available on non-submission APIs that may trigger revalidations due to changing search params:

    • <Link to="/" unstable_defaultShouldRevalidate={false}>
    • navigate("/?foo=bar", { unstable_defaultShouldRevalidate: false })
    • setSearchParams(params, { unstable_defaultShouldRevalidate: false })

  • Allow redirects to be returned from client side middleware (#​14598)

  • Handle dataStrategy implementations that return insufficient result sets by adding errors for routes without any available result (#​14627)

v7.10.1

Compare Source

Patch Changes
  • Update the useOptimistic stub we provide for React 18 users to use a stable setter function to avoid potential useEffect loops - specifically when using <Link viewTransition> (#​14628)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Jan 10, 2026
@renovate renovate bot enabled auto-merge (squash) January 10, 2026 05:40
@renovate renovate bot merged commit 4d5d83f into main Jan 10, 2026
7 checks passed
@renovate renovate bot deleted the renovate/npm-react-router-vulnerability branch January 10, 2026 05:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@renovate-approve-2 renovate-approve-2[bot] renovate-approve-2[bot] approved these changes

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant