Skip to content

Update dependency react-router to v7.12.0 [SECURITY] #11159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nbudin merged 1 commit into from
Jan 14, 2026
Merged

Update dependency react-router to v7.12.0 [SECURITY] #11159

nbudin merged 1 commit into from
Jan 14, 2026

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 11, 2026

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 7.9.67.12.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-21884

A XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

Note

This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

CVE-2026-22029

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>).

CVE-2026-22030

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Release Notes

remix-run/react-router (react-router)

v7.12.0

Compare Source

Minor Changes
  • Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#​14708)
Patch Changes

  • Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#​14269)

  • Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#​14663)

  • Escape HTML in scroll restoration keys (#​14705)

  • Validate redirect locations (#​14706)

  • [UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#​14675)

  • [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

    Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c.data /a/b/c ⚠️

    With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

    URL /a/b/c HTTP pathname request pathname`
    Document /a/b/c /a/b/c
    Data /a/b/c.data /a/b/c
    URL /a/b/c/ HTTP pathname request pathname`
    Document /a/b/c/ /a/b/c/
    Data /a/b/c/_.data ⬅️ /a/b/c/

    This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

    Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

  • Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#​14674)

v7.11.0

Compare Source

Minor Changes
  • Stabilize <HydratedRouter onError>/<RouterProvider onError> (#​14546)
Patch Changes

  • add support for throwing redirect Response's at RSC render time (#​14596)

  • Support for throwing data() and Response from server component render phase. Response body is not serialized as async work is not allowed as error encoding phase. If you wish to transmit data to the boundary, throw data() instead. (#​14632)

  • Fix unstable_useTransitions prop on <Router> component to permit omission for backewards compatibility (#​14646)

  • routeRSCServerRequest replace fetchServer with serverResponse (#​14597)

  • [UNSTABLE] Add a new unstable_defaultShouldRevalidate flag to various APIs to allow opt-ing out of standard revalidation behaviors. (#​14542)

    If active routes include a shouldRevalidate function, then your value will be passed as defaultShouldRevalidate in those function so that the route always has the final revalidation determination.

    • <Form method="post" unstable_defaultShouldRevalidate={false}>
    • submit(data, { method: "post", unstable_defaultShouldRevalidate: false })
    • <fetcher.Form method="post" unstable_defaultShouldRevalidate={false}>
    • fetcher.submit(data, { method: "post", unstable_defaultShouldRevalidate: false })

    This is also available on non-submission APIs that may trigger revalidations due to changing search params:

    • <Link to="/" unstable_defaultShouldRevalidate={false}>
    • navigate("/?foo=bar", { unstable_defaultShouldRevalidate: false })
    • setSearchParams(params, { unstable_defaultShouldRevalidate: false })

  • Allow redirects to be returned from client side middleware (#​14598)

  • Handle dataStrategy implementations that return insufficient result sets by adding errors for routes without any available result (#​14627)

v7.10.1

Compare Source

Patch Changes
  • Update the useOptimistic stub we provide for React 18 users to use a stable setter function to avoid potential useEffect loops - specifically when using <Link viewTransition> (#​14628)

v7.10.0

Compare Source

Minor Changes

  • Stabilize fetcher.reset() (#​14545)

    • ⚠️ This is a breaking change if you have begun using fetcher.unstable_reset()

  • Stabilize the dataStrategy match.shouldRevalidateArgs/match.shouldCallHandler() APIs. (#​14592)

    • The match.shouldLoad API is now marked deprecated in favor of these more powerful alternatives

    • If you're using this API in a custom dataStrategy today, you can swap to the new API at your convenience:

      // Before
const matchesToLoad = matches.filter((m) => m.shouldLoad);

// After
const matchesToLoad = matches.filter((m) => m.shouldCallHandler());

    • match.shouldRevalidateArgs is the argument that will be passed to the route shouldRevaliate function

    • Combined with the parameter accepted by match.shouldCallHandler, you can define a custom revalidation behavior for your dataStrategy:

    const matchesToLoad = matches.filter((m) => {
  const defaultShouldRevalidate = customRevalidationBehavior(
    match.shouldRevalidateArgs,
  );
  return m.shouldCallHandler(defaultShouldRevalidate);
  // The argument here will override the internal `defaultShouldRevalidate` value
});
Patch Changes

  • Fix a Framework Mode bug where the defaultShouldRevalidate parameter to shouldRevalidate would not be correct after action returned a 4xx/5xx response (true when it should have been false) (#​14592)

    • If your shouldRevalidate function relied on that parameter, you may have seen unintended revalidations

  • Fix fetcher.submit failing with plain objects containing a tagName property (#​14534)

  • [UNSTABLE] Add unstable_pattern to the parameters for client side unstable_onError, refactor how it's called by RouterProvider to avoid potential strict mode issues (#​14573)

  • Add new unstable_useTransitions flag to routers to give users control over the usage of React.startTransition and React.useOptimistic. (#​14524)

    • Framework Mode + Data Mode:
      • <HydratedRouter unstable_transition>/<RouterProvider unstable_transition>
      • When left unset (current default behavior)
        • Router state updates are wrapped in React.startTransition
        • ⚠️ This can lead to buggy behaviors if you are wrapping your own navigations/fetchers in React.startTransition
        • You should set the flag to true if you run into this scenario to get the enhanced useOptimistic behavior (requires React 19)
      • When set to true
        • Router state updates remain wrapped in React.startTransition (as they are without the flag)
        • Link/Form navigations will be wrapped in React.startTransition
        • A subset of router state info will be surfaced to the UI during navigations via React.useOptimistic (i.e., useNavigation(), useFetchers(), etc.)
          • ⚠️ This is a React 19 API so you must also be React 19 to opt into this flag for Framework/Data Mode
      • When set to false
        • The router will not leverage React.startTransition or React.useOptimistic on any navigations or state changes
    • Declarative Mode
      • <BrowserRouter unstable_useTransitions>
      • When left unset
        • Router state updates are wrapped in React.startTransition
      • When set to true
        • Router state updates remain wrapped in React.startTransition (as they are without the flag)
        • Link/Form navigations will be wrapped in React.startTransition
      • When set to false
        • the router will not leverage React.startTransition on any navigations or state changes

  • Fix the promise returned from useNavigate in Framework/Data Mode so that it properly tracks the duration of popstate navigations (i.e., navigate(-1)) (#​14524)

  • Fix internal type error in useRoute types that surfaces when skipLibCheck is disabled (#​14577)

  • Preserve statusText on the ErrorResponse instance when throwing data() from a route handler (#​14555)

  • Optimize href() to avoid backtracking regex on splat (#​14329)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 11, 2026

Code Coverage Report: Only Changed Files listed

Package Coverage
Overall Coverage 🟢 56.46%

Minimum allowed coverage is 0%, this run produced 56.46%

@nbudin nbudin merged commit 651c734 into main Jan 14, 2026
18 checks passed
@nbudin nbudin deleted the renovate/npm-react-router-vulnerability branch January 14, 2026 16:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nbudin