@renovate renovate bot commented Jan 9, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
react-router (source) | 6.15.0 -> 6.30.2 | age | confidence

GitHub Vulnerability Alerts

CVE-2025-68470

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.


Release Notes

remix-run/react-router (react-router)

v6.30.2: v6.30.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

v6.30.1: v6.30.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

v6.30.0: v6.30.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

v6.29.0: v6.29.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

v6.28.2: v6.28.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

v6.28.1: v6.28.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

v6.28.0

Compare Source

Minor Changes
  • Log deprecation warnings for v7 flags (#​11750)
  • Add deprecation warnings to json/defer in favor of returning raw objects
    • These methods will be removed in React Router v7
Patch Changes
  • Update JSDoc URLs for new website structure (add /v6/ segment) (#​12141)
  • Updated dependencies:
    • @remix-run/router@1.21.0

v6.27.0

Compare Source

Minor Changes
  • Stabilize unstable_patchRoutesOnNavigation (#​11973)
    • Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#​11967)
  • Stabilize unstable_dataStrategy (#​11974)
  • Stabilize the unstable_flushSync option for navigations and fetchers (#​11989)
  • Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#​11989)
Patch Changes
  • Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#​12003)

  • Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#​12003)

  • Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#​11967)

  • Updated dependencies:

    • @remix-run/router@1.20.0

v6.26.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.19.2

v6.26.1

Compare Source

Patch Changes
  • Rename unstable_patchRoutesOnMiss to unstable_patchRoutesOnNavigation to match new behavior (#​11888)
  • Updated dependencies:
    • @remix-run/router@1.19.1

v6.26.0

Compare Source

Minor Changes
  • Add a new replace(url, init?) alternative to redirect(url, init?) that performs a history.replaceState instead of a history.pushState on client-side navigation redirects (#​11811)
Patch Changes
  • Fix initial hydration behavior when using future.v7_partialHydration along with unstable_patchRoutesOnMiss (#​11838)
    • During initial hydration, router.state.matches will now include any partial matches so that we can render ancestor HydrateFallback components
  • Updated dependencies:
    • @remix-run/router@1.19.0

v6.25.1

Compare Source

No significant changes to this package were made in this release. See the repo CHANGELOG.md for an overview of all changes in v6.25.1.

v6.25.0

Compare Source

Minor Changes
  • Stabilize future.unstable_skipActionErrorRevalidation as future.v7_skipActionErrorRevalidation (#​11769)
    • When this flag is enabled, actions will not automatically trigger a revalidation if they return/throw a Response with a 4xx/5xx status code
    • You may still opt-into revalidation via shouldRevalidate
    • This also changes shouldRevalidate's unstable_actionStatus parameter to actionStatus
Patch Changes
  • Fix regression and properly decode paths inside useMatch so matches/params reflect decoded params (#​11789)
  • Updated dependencies:
    • @remix-run/router@1.18.0

v6.24.1

Compare Source

Patch Changes
  • When using future.v7_relativeSplatPath, properly resolve relative paths in splat routes that are children of pathless routes (#​11633)
  • Updated dependencies:
    • @remix-run/router@1.17.1

v6.24.0

Compare Source

Minor Changes
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.17.0

v6.23.1

Compare Source

Patch Changes
  • allow undefined to be resolved with <Await> (#​11513)
  • Updated dependencies:
    • @remix-run/router@1.16.1

v6.23.0

Compare Source

Minor Changes
  • Add a new unstable_dataStrategy configuration option (#​11098)
    • This option allows Data Router applications to take control over the approach for executing route loaders and actions
    • The default implementation is today's behavior, to fetch all loaders in parallel, but this option allows users to implement more advanced data flows including Remix single-fetch, middleware/context APIs, automatic loader caching, and more
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.16.0

v6.22.3

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.15.3

v6.22.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.15.2

v6.22.1

Compare Source

Patch Changes
  • Fix encoding/decoding issues with pre-encoded dynamic parameter values (#​11199)
  • Updated dependencies:
    • @remix-run/router@1.15.1

v6.22.0

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.15.0

v6.21.3

Compare Source

Patch Changes
  • Remove leftover unstable_ prefix from Blocker/BlockerFunction types (#​11187)

v6.21.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.14.2

v6.21.1

Compare Source

Patch Changes
  • Fix bug with route.lazy not working correctly on initial SPA load when v7_partialHydration is specified (#​11121)
  • Updated dependencies:
    • @remix-run/router@1.14.1

v6.21.0

Compare Source

Minor Changes
  • Add a new future.v7_relativeSplatPath flag to implement a breaking bug fix to relative routing when inside a splat route. (#​11087)

    This fix was originally added in #​10983 and was later reverted in #​11078 because it was determined that a large number of existing applications were relying on the buggy behavior (see #​11052)

    The Bug
    The buggy behavior is that without this flag, the default behavior when resolving relative paths is to ignore any splat (*) portion of the current route path.

    The Background
    This decision was originally made thinking that it would make the concept of nesting different sections of your apps in <Routes> easier if relative routing would replace the current splat:

    <BrowserRouter>
      <Routes>
        <Route path="/" element={<Home />} />
        <Route path="dashboard/*" element={<Dashboard />} />
      </Routes>
    </BrowserRouter>

    Any paths like /dashboard, /dashboard/team, /dashboard/projects will match the Dashboard route. The dashboard component itself can then render nested <Routes>:

    function Dashboard() {
      return (
        <div>
          <h2>Dashboard</h2>
          <nav>
            <Link to="/">Dashboard Home</Link>
            <Link to="team">Team</Link>
            <Link to="projects">Projects</Link>
          </nav>
    
          <Routes>
            <Route path="/" element={<DashboardHome />} />
            <Route path="team" element={<DashboardTeam />} />
            <Route path="projects" element={<DashboardProjects />} />
          </Routes>
        </div>
      );
    }

    Now, all links and route paths are relative to the router above them. This makes code splitting and compartmentalizing your app really easy. You could render the Dashboard as its own independent app, or embed it into your large app without making any changes to it.

    The Problem

    The problem is that this concept of ignoring part of a path breaks a lot of other assumptions in React Router - namely that "." always means the current location pathname for that route. When we ignore the splat portion, we start getting invalid paths when using ".":

    // If we are on URL /dashboard/team, and we want to link to /dashboard/team:
    function DashboardTeam() {
      // ❌ This is broken and results in <a href="/dashboard">
      return <Link to=".">A broken link to the Current URL</Link>;
    
      // ✅ This is fixed but super unintuitive since we're already at /dashboard/team!
      return <Link to="./team">A broken link to the Current URL</Link>;
    }

    We've also introduced an issue that we can no longer move our DashboardTeam component around our route hierarchy easily - since it behaves differently if we're underneath a non-splat route, such as /dashboard/:widget. Now, our "." links will properly point to ourself inclusive of the dynamic param value, so behavior will break from its corresponding usage in a /dashboard/* route.

    Even worse, consider a nested splat route configuration:

    <BrowserRouter>
      <Routes>
        <Route path="dashboard">
          <Route path="*" element={<Dashboard />} />
        </Route>
      </Routes>
    </BrowserRouter>

    Now, a <Link to="."> and a <Link to=".."> inside the Dashboard component go to the same place! That is definitely not correct!

    Another common issue arose in Data Routers (and Remix) where any <Form> should post to its own route action if the user doesn't specify a form action:

    // createBrowserRouter takes an array of route objects
    let router = createBrowserRouter([
      {
        path: "/dashboard",
        children: [
          {
            path: "*",
            action: dashboardAction,
            Component() {
              // ❌ This form is broken!  It throws a 405 error when it submits because
              // it tries to submit to /dashboard (without the splat value) and the parent
              // `/dashboard` route doesn't have an action
              return <Form method="post">...</Form>;
            },
          },
        ],
      },
    ]);

    This is just a compounded issue from the above because the default location for a Form to submit to is itself (".") - and if we ignore the splat portion, that now resolves to the parent route.

    The Solution
    If you are leveraging this behavior, it's recommended to enable the future flag, move your splat to its own route, and leverage ../ for any links to "sibling" pages:

    <BrowserRouter>
      <Routes>
        <Route path="dashboard">
          <Route index path="*" element={<Dashboard />} />
        </Route>
      </Routes>
    </BrowserRouter>
    
    function Dashboard() {
      return (
        <div>
          <h2>Dashboard</h2>
          <nav>
            <Link to="..">Dashboard Home</Link>
            <Link to="../team">Team</Link>
            <Link to="../projects">Projects</Link>
          </nav>
    
          <Routes>
            <Route path="/" element={<DashboardHome />} />
            <Route path="team" element={<DashboardTeam />} />
            <Route path="projects" element={<DashboardProjects />} />
          </Routes>
        </div>
      );
    }

    This way, . means "the full current pathname for my route" in all cases (including static, dynamic, and splat routes) and .. always means "my parent's pathname".

Patch Changes
  • Properly handle falsy error values in ErrorBoundary's (#​11071)
  • Updated dependencies:
    • @remix-run/router@1.14.0

v6.20.1

Compare Source

Patch Changes
  • Revert the useResolvedPath fix for splat routes due to a large number of applications that were relying on the buggy behavior (see #​11052 (comment)). We plan to re-introduce this fix behind a future flag in the next minor version. (#​11078)
  • Updated dependencies:
    • @remix-run/router@1.13.1

v6.20.0

Compare Source

Minor Changes
  • Export the PathParam type from the public API (#​10719)
Patch Changes
  • Fix bug with resolveTo in splat routes (#​11045)
    • This is a follow up to #​10983 to handle the few other code paths using getPathContributingMatches
    • This removes the UNSAFE_getPathContributingMatches export from @remix-run/router since we no longer need this in the react-router/react-router-dom layers
  • Updated dependencies:
    • @remix-run/router@1.13.0

v6.19.0

Compare Source

Minor Changes
  • Add unstable_flushSync option to useNavigate/useSubmit/fetcher.load/fetcher.submit to opt-out of React.startTransition and into ReactDOM.flushSync for state updates (#​11005)
  • Remove the unstable_ prefix from the useBlocker hook as it's been in use for enough time that we are confident in the API. We do not plan to remove the prefix from unstable_usePrompt due to differences in how browsers handle window.confirm that prevent React Router from guaranteeing consistent/correct behavior. (#​10991)
Patch Changes
  • Fix useActionData so it returns proper contextual action data and not any action data in the tree (#​11023)

  • Fix bug in useResolvedPath that would cause useResolvedPath(".") in a splat route to lose the splat portion of the URL path. (#​10983)

    • ⚠️ This fixes a quite long-standing bug specifically for "." paths inside a splat route which incorrectly dropped the splat portion of the URL. If you are relative routing via "." inside a splat route in your application you should double check that your logic is not relying on this buggy behavior and update accordingly.
  • Updated dependencies:

    • @remix-run/router@1.12.0

v6.18.0

Compare Source

Patch Changes
  • Fix the future prop on BrowserRouter, HashRouter and MemoryRouter so that it accepts a Partial<FutureConfig> instead of requiring all flags to be included. (#​10962)
  • Updated dependencies:
    • @remix-run/router@1.11.0

v6.17.0

Compare Source

Patch Changes
  • Fix RouterProvider future prop type to be a Partial<FutureConfig> so that not all flags must be specified (#​10900)
  • Updated dependencies:
    • @remix-run/router@1.10.0

v6.16.0

Compare Source

Minor Changes
  • In order to move towards stricter TypeScript support in the future, we're aiming to replace current usages of any with unknown on exposed typings for user-provided data. To do this in Remix v2 without introducing breaking changes in React Router v6, we have added generics to a number of shared types. These continue to default to any in React Router and are overridden with unknown in Remix. In React Router v7 we plan to move these to unknown as a breaking change. (#​10843)
    • Location now accepts a generic for the location.state value
    • ActionFunctionArgs/ActionFunction/LoaderFunctionArgs/LoaderFunction now accept a generic for the context parameter (only used in SSR usages via createStaticHandler)
    • The return type of useMatches (now exported as UIMatch) accepts generics for match.data and match.handle - both of which were already set to unknown
  • Move the @private class export ErrorResponse to an UNSAFE_ErrorResponseImpl export since it is an implementation detail and there should be no construction of ErrorResponse instances in userland. This frees us up to export a type ErrorResponse which correlates to an instance of the class via InstanceType. Userland code should only ever be using ErrorResponse as a type and should be type-narrowing via isRouteErrorResponse. (#​10811)
  • Export ShouldRevalidateFunctionArgs interface (#​10797)
  • Removed private/internal APIs only required for the Remix v1 backwards compatibility layer and no longer needed in Remix v2 (_isFetchActionRedirect, _hasFetcherDoneAnything) (#​10715)
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.9.0

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot enabled auto-merge (squash) January 9, 2026 04:50
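
The CVE-2025-68470 advisory above applies only when untrusted content reaches navigate(), <Link>, or redirect(). The following added example (not part of this PR or of React Router's code) shows one way to validate such a value in application code in addition to taking the upgrade; APP_ORIGIN, safeInternalPath, auditSamples, the "next" parameter and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not React Router's code: validate an untrusted "return to"
// value before it is handed to navigate(), <Link to>, or redirect().
const APP_ORIGIN = "https://app.example.test"; // assumption: placeholder origin

// Returns a same-origin path (pathname + search + hash), or `fallback`
// when the input could resolve to anything outside the application.
function safeInternalPath(untrusted, fallback = "/") {
  if (typeof untrusted !== "string" || untrusted.length === 0) return fallback;
  // URL parsers strip control characters and may treat "\" like "/", so a
  // value containing either can parse differently from how it reads.
  if (/[\u0000-\u001f\u007f\\]/.test(untrusted)) return fallback;
  // Only absolute in-app paths: one leading "/", never "//" (protocol-relative).
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;
  let url;
  try {
    url = new URL(untrusted, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Defence in depth: whatever the parser made of it must stay on our origin.
  if (url.origin !== APP_ORIGIN) return fallback;
  // Hand the router a normalised path, never the raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs (hypothetical hosts under the reserved .test TLD).
const SAMPLES = [
  "/dashboard/team?tab=1#members",
  "/a/../b",
  "https://other.example.test/login",
  "//other.example.test/login",
  "/\\other.example.test/login",
  "/\t/other.example.test/login",
];

// Maps each sample to the path the application would actually navigate to.
function auditSamples() {
  return SAMPLES.map((input) => ({ input, target: safeInternalPath(input) }));
}

// In a component (assumed usage; "next" is a hypothetical query parameter):
//   const [searchParams] = useSearchParams();
//   navigate(safeInternalPath(searchParams.get("next")));
console.log(auditSamples());
```
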
codecov bot commented Jan 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.94%. Comparing base (13e4b71) to head (b7ec8be).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #473   +/-   ##
=======================================
  Coverage   85.94%   85.94%           
=======================================
  Files         185      185           
  Lines        3879     3879           
  Branches      962      959    -3     
=======================================
  Hits         3334     3334           
  Misses        527      527           
  Partials       18       18           

☔ View full report in Codecov by Sentry.