[Snyk] Security upgrade react-router from 7.14.2 to 7.15.0

[kagan-agent]

Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

• packages/web/package.json

⚠️ Warning

Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Allocation of Resources Without Limits or Throttling SNYK-JS-REACTROUTER-17138701	721

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[greptile-apps]

Greptile Summary

This PR updates the web app's React Router dependency. The main change is:

• Bumps react-router in packages/web/package.json from the previous range to ^7.15.0.

Confidence Score: 4/5

This should be fixed before merging.

• The package manifest and pnpm lockfile are out of sync.

• Frozen installs can fail during CI or deployment.

• Lockfile-based installs can continue resolving react-router to the old 7.14.2 version.

• pnpm-lock.yaml needs the matching react-router update.

Important Files Changed

Filename	Overview
packages/web/package.json	Updates the declared react-router dependency, but the matching pnpm lockfile entry was not changed.

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
packages/web/package.json:39
**Lockfile still pins old router** The manifest now asks for `react-router` `^7.15.0`, but the tracked `pnpm-lock.yaml` was not updated and still resolves the web package to `react-router` `7.14.2`. With frozen pnpm installs, this can fail because the manifest and lockfile disagree; without a frozen install, the deployed dependency still comes from an uncommitted lockfile update, so this PR does not reliably apply the security upgrade.

_{Reviews (1): Last reviewed commit: "fix: packages/web/package.json to reduce..." | Re-trigger Greptile}

[greptile-apps]

Lockfile still pins old router The manifest now asks for react-router ^7.15.0, but the tracked pnpm-lock.yaml was not updated and still resolves the web package to react-router 7.14.2. With frozen pnpm installs, this can fail because the manifest and lockfile disagree; without a frozen install, the deployed dependency still comes from an uncommitted lockfile update, so this PR does not reliably apply the security upgrade.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/web/package.json
Line: 39

Comment:
**Lockfile still pins old router** The manifest now asks for `react-router` `^7.15.0`, but the tracked `pnpm-lock.yaml` was not updated and still resolves the web package to `react-router` `7.14.2`. With frozen pnpm installs, this can fail because the manifest and lockfile disagree; without a frozen install, the deployed dependency still comes from an uncommitted lockfile update, so this PR does not reliably apply the security upgrade.

How can I resolve this? If you propose a fix, please make it concise.