fix(deps): update dependency react-router to v6.30.2 [security]#476

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-react-router-vulnerability

Contributor

renovate bot commented Jan 8, 2026

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	`6.21.3` → `6.30.2`

GitHub Vulnerability Alerts

CVE-2025-68470

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Release Notes

remix-run/react-router (react-router)

`v6.30.2`: v6.30.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

`v6.30.1`: v6.30.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

`v6.30.0`: v6.30.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

`v6.29.0`: v6.29.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

`v6.28.2`: v6.28.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

`v6.28.1`: v6.28.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

`v6.28.0`

Minor Changes

- Log deprecation warnings for v7 flags (#11750)
- Add deprecation warnings to json/defer in favor of returning raw objects
  - These methods will be removed in React Router v7

Patch Changes

Update JSDoc URLs for new website structure (add /v6/ segment) (#12141)
Updated dependencies:
- @remix-run/router@1.21.0

`v6.27.0`

Minor Changes

Stabilize unstable_patchRoutesOnNavigation (#11973)
- Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#11967)
Stabilize unstable_dataStrategy (#11974)
Stabilize the unstable_flushSync option for navigations and fetchers (#11989)
Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#11989)

Patch Changes

Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#12003)
Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#12003)
Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#11967)
Updated dependencies:
- @remix-run/router@1.20.0

`v6.26.2`

Patch Changes

Updated dependencies:
- @remix-run/router@1.19.2

`v6.26.1`

Patch Changes

Rename unstable_patchRoutesOnMiss to unstable_patchRoutesOnNavigation to match new behavior (#11888)
Updated dependencies:
- @remix-run/router@1.19.1

`v6.26.0`

Minor Changes

Add a new replace(url, init?) alternative to redirect(url, init?) that performs a history.replaceState instead of a history.pushState on client-side navigation redirects (#11811)

Patch Changes

Fix initial hydration behavior when using future.v7_partialHydration along with unstable_patchRoutesOnMiss (#11838)
- During initial hydration, router.state.matches will now include any partial matches so that we can render ancestor HydrateFallback components
Updated dependencies:
- @remix-run/router@1.19.0

`v6.25.1`

No significant changes to this package were made in this release. See the repo CHANGELOG.md for an overview of all changes in v6.25.1.

`v6.25.0`

Minor Changes

Stabilize future.unstable_skipActionErrorRevalidation as future.v7_skipActionErrorRevalidation (#11769)
- When this flag is enabled, actions will not automatically trigger a revalidation if they return/throw a Response with a 4xx/5xx status code
- You may still opt-into revalidation via shouldRevalidate
- This also changes shouldRevalidate's unstable_actionStatus parameter to actionStatus

Patch Changes

Fix regression and properly decode paths inside useMatch so matches/params reflect decoded params (#11789)
Updated dependencies:
- @remix-run/router@1.18.0

`v6.24.1`

Patch Changes

When using future.v7_relativeSplatPath, properly resolve relative paths in splat routes that are children of pathless routes (#11633)
Updated dependencies:
- @remix-run/router@1.17.1

`v6.24.0`

Minor Changes

Add support for Lazy Route Discovery (a.k.a. Fog of War) (#11626)
- RFC: https://redirect.github.com/remix-run/react-router/discussions/11113
- unstable_patchRoutesOnMiss docs: https://reactrouter.com/v6/routers/create-browser-router

Patch Changes

Updated dependencies:
- @remix-run/router@1.17.0

`v6.23.1`

Patch Changes

allow undefined to be resolved with <Await> (#11513)
Updated dependencies:
- @remix-run/router@1.16.1

`v6.23.0`

Minor Changes

Add a new unstable_dataStrategy configuration option (#11098)
- This option allows Data Router applications to take control over the approach for executing route loaders and actions
- The default implementation is today's behavior, to fetch all loaders in parallel, but this option allows users to implement more advanced data flows including Remix single-fetch, middleware/context APIs, automatic loader caching, and more

Patch Changes

Updated dependencies:
- @remix-run/router@1.16.0

`v6.22.3`

Patch Changes

Updated dependencies:
- @remix-run/router@1.15.3

`v6.22.2`

Patch Changes

Updated dependencies:
- @remix-run/router@1.15.2

`v6.22.1`

Patch Changes

Fix encoding/decoding issues with pre-encoded dynamic parameter values (#11199)
Updated dependencies:
- @remix-run/router@1.15.1

`v6.22.0`

Patch Changes

Updated dependencies:
- @remix-run/router@1.15.0

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot enabled auto-merge (squash)

January 8, 2026 22:53

codecov bot commented Jan 8, 2026 •

edited

Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (8a2c6aa) to head (14de8b8).

Additional details and impacted files

@@            Coverage Diff            @@
##            master      #476   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          108       108           
  Lines         1099      1099           
  Branches       164       164           
=========================================
  Hits          1099      1099

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from ea9fe55 to 79c6540 Compare

February 2, 2026 19:31

renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from 79c6540 to 5239396 Compare

February 12, 2026 14:45


          fix(deps): update dependency react-router to v6.30.2 [security]

14de8b8

renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from 5239396 to 14de8b8 Compare

February 13, 2026 21:57

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet