Skip to content

chore(deps): update dependency react-router to v7.12.0 [security] #898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency react-router to v7.12.0 [security] #898

renovate wants to merge 1 commit into from
+9 −1

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 9, 2026

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 7.11.07.12.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-21884

A XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

Note

This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

CVE-2026-22029

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>).

CVE-2026-22030

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Release Notes

remix-run/react-router (react-router)

v7.12.0

Compare Source

Minor Changes
  • Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#​14708)
Patch Changes

  • Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#​14269)

  • Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#​14663)

  • Escape HTML in scroll restoration keys (#​14705)

  • Validate redirect locations (#​14706)

  • [UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#​14675)

  • [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

    Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c.data /a/b/c ⚠️

    With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c/_.data ⬅️ /a/b/c/

    This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

    Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

  • Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#​14674)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jan 9, 2026
@renovate renovate bot requested a review from a team as a code owner January 9, 2026 01:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant