Update dependency react-router to v7.12.0 [SECURITY]

[oxide-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	7.9.2 -> 7.12.0

GitHub Vulnerability Alerts

CVE-2025-68470

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

CVE-2026-21884

A XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

Note

This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

CVE-2026-22029

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>).

CVE-2026-22030

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

---

Release Notes

remix-run/react-router (react-router)

v7.12.0

Compare Source

Minor Changes

• Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the react-router.config.ts config allowedActionOrigins field. (#​14708)

Patch Changes

• Fix generatePath when used with suffixed params (i.e., "/books/:id.json") (#​14269)

• Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency. These are not intended to be used for new apps but intended to help apps usiong unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs. (#​14663)

• Escape HTML in scroll restoration keys (#​14705)

• Validate redirect locations (#​14706)

• [UNSTABLE] Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#​14675)

• [UNSTABLE] Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

  Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

  URL /a/b/c	HTTP pathname	request pathname`
  Document	/a/b/c	/a/b/c ✅
  Data	/a/b/c.data	/a/b/c ✅

  URL /a/b/c/	HTTP pathname	request pathname`
  Document	/a/b/c/	/a/b/c/ ✅
  Data	/a/b/c.data	/a/b/c ⚠️

  With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

  URL /a/b/c	HTTP pathname	request pathname`
  Document	/a/b/c	/a/b/c ✅
  Data	/a/b/c.data	/a/b/c ✅

  URL /a/b/c/	HTTP pathname	request pathname`
  Document	/a/b/c/	/a/b/c/ ✅
  Data	/a/b/c/_.data ⬅️	/a/b/c/ ✅

  This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.

  Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format. This does not impact the request pathname which is still / in all cases.

• Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#​14674)

v7.11.0

Compare Source

Minor Changes

• Stabilize <HydratedRouter onError>/<RouterProvider onError> (#​14546)

Patch Changes

• add support for throwing redirect Response's at RSC render time (#​14596)

• Support for throwing data() and Response from server component render phase. Response body is not serialized as async work is not allowed as error encoding phase. If you wish to transmit data to the boundary, throw data() instead. (#​14632)

• Fix unstable_useTransitions prop on <Router> component to permit omission for backewards compatibility (#​14646)

• routeRSCServerRequest replace fetchServer with serverResponse (#​14597)

• [UNSTABLE] Add a new unstable_defaultShouldRevalidate flag to various APIs to allow opt-ing out of standard revalidation behaviors. (#​14542)

  If active routes include a shouldRevalidate function, then your value will be passed as defaultShouldRevalidate in those function so that the route always has the final revalidation determination.

  • <Form method="post" unstable_defaultShouldRevalidate={false}>
  • submit(data, { method: "post", unstable_defaultShouldRevalidate: false })
  • <fetcher.Form method="post" unstable_defaultShouldRevalidate={false}>
  • fetcher.submit(data, { method: "post", unstable_defaultShouldRevalidate: false })

  This is also available on non-submission APIs that may trigger revalidations due to changing search params:

  • <Link to="/" unstable_defaultShouldRevalidate={false}>
  • navigate("/?foo=bar", { unstable_defaultShouldRevalidate: false })
  • setSearchParams(params, { unstable_defaultShouldRevalidate: false })

• Allow redirects to be returned from client side middleware (#​14598)

• Handle dataStrategy implementations that return insufficient result sets by adding errors for routes without any available result (#​14627)

v7.10.1

Compare Source

Patch Changes

• Update the useOptimistic stub we provide for React 18 users to use a stable setter function to avoid potential useEffect loops - specifically when using <Link viewTransition> (#​14628)

v7.10.0

Compare Source

Minor Changes

• Stabilize fetcher.reset() (#​14545)

  • ⚠️ This is a breaking change if you have begun using fetcher.unstable_reset()

• Stabilize the dataStrategy match.shouldRevalidateArgs/match.shouldCallHandler() APIs. (#​14592)

  • The match.shouldLoad API is now marked deprecated in favor of these more powerful alternatives

  • If you're using this API in a custom dataStrategy today, you can swap to the new API at your convenience:

    // Before
    const matchesToLoad = matches.filter((m) => m.shouldLoad);
    
    // After
    const matchesToLoad = matches.filter((m) => m.shouldCallHandler());

  • match.shouldRevalidateArgs is the argument that will be passed to the route shouldRevaliate function

  • Combined with the parameter accepted by match.shouldCallHandler, you can define a custom revalidation behavior for your dataStrategy:

  const matchesToLoad = matches.filter((m) => {
    const defaultShouldRevalidate = customRevalidationBehavior(
      match.shouldRevalidateArgs,
    );
    return m.shouldCallHandler(defaultShouldRevalidate);
    // The argument here will override the internal `defaultShouldRevalidate` value
  });

Patch Changes

• Fix a Framework Mode bug where the defaultShouldRevalidate parameter to shouldRevalidate would not be correct after action returned a 4xx/5xx response (true when it should have been false) (#​14592)

  • If your shouldRevalidate function relied on that parameter, you may have seen unintended revalidations

• Fix fetcher.submit failing with plain objects containing a tagName property (#​14534)

• [UNSTABLE] Add unstable_pattern to the parameters for client side unstable_onError, refactor how it's called by RouterProvider to avoid potential strict mode issues (#​14573)

• Add new unstable_useTransitions flag to routers to give users control over the usage of React.startTransition and React.useOptimistic. (#​14524)

  • Framework Mode + Data Mode:
    • <HydratedRouter unstable_transition>/<RouterProvider unstable_transition>
    • When left unset (current default behavior)
      • Router state updates are wrapped in React.startTransition
      • ⚠️ This can lead to buggy behaviors if you are wrapping your own navigations/fetchers in React.startTransition
      • You should set the flag to true if you run into this scenario to get the enhanced useOptimistic behavior (requires React 19)
    • When set to true
      • Router state updates remain wrapped in React.startTransition (as they are without the flag)
      • Link/Form navigations will be wrapped in React.startTransition
      • A subset of router state info will be surfaced to the UI during navigations via React.useOptimistic (i.e., useNavigation(), useFetchers(), etc.)
        • ⚠️ This is a React 19 API so you must also be React 19 to opt into this flag for Framework/Data Mode
    • When set to false
      • The router will not leverage React.startTransition or React.useOptimistic on any navigations or state changes
  • Declarative Mode
    • <BrowserRouter unstable_useTransitions>
    • When left unset
      • Router state updates are wrapped in React.startTransition
    • When set to true
      • Router state updates remain wrapped in React.startTransition (as they are without the flag)
      • Link/Form navigations will be wrapped in React.startTransition
    • When set to false
      • the router will not leverage React.startTransition on any navigations or state changes

• Fix the promise returned from useNavigate in Framework/Data Mode so that it properly tracks the duration of popstate navigations (i.e., navigate(-1)) (#​14524)

• Fix internal type error in useRoute types that surfaces when skipLibCheck is disabled (#​14577)

• Preserve statusText on the ErrorResponse instance when throwing data() from a route handler (#​14555)

• Optimize href() to avoid backtracking regex on splat (#​14329)

v7.9.6

Compare Source

Patch Changes

• [UNSTABLE] Add location/params as arguments to client-side unstable_onError to permit enhanced error reporting. (#​14509)

  ⚠️ This is a breaking change if you've already adopted unstable_onError. The second errorInfo parameter is now an object with location and params:

  // Before
  function errorHandler(error: unknown, errorInfo?: React.errorInfo) {
    /*...*/
  }
  
  // After
  function errorHandler(
    error: unknown,
    info: {
      location: Location;
      params: Params;
      errorInfo?: React.ErrorInfo;
    },
  ) {
    /*...*/
  }

• Properly handle ancestor thrown middleware errors before next() on fetcher submissions (#​14517)

• Fix issue with splat routes interfering with multiple calls to patchRoutesOnNavigation (#​14487)

• Normalize double-slashes in resolvePath (#​14529)

v7.9.5

Compare Source

Patch Changes

• Move RSCHydratedRouter and utils to /dom export. (#​14457)

• useRoute: return type-safe handle (#​14462)

  For example:

  // app/routes/admin.tsx
  const handle = { hello: "world" };

  // app/routes/some-other-route.tsx
  export default function Component() {
    const admin = useRoute("routes/admin");
    if (!admin) throw new Error("Not nested within 'routes/admin'");
    console.log(admin.handle);
    //                ^? { hello: string }
  }

• Ensure action handlers run for routes with middleware even if no loader is present (#​14443)

• Add unstable_instrumentations API to allow users to add observablity to their apps by instrumenting route loaders, actions, middlewares, lazy, as well as server-side request handlers and client side navigations/fetches (#​14412)

  • Framework Mode:
    • entry.server.tsx: export const unstable_instrumentations = [...]
    • entry.client.tsx: <HydratedRouter unstable_instrumentations={[...]} />
  • Data Mode
    • createBrowserRouter(routes, { unstable_instrumentations: [...] })

  This also adds a new unstable_pattern parameter to loaders/actions/middleware which contains the un-interpolated route pattern (i.e., /blog/:slug) which is useful for aggregating performance metrics by route

v7.9.4

Compare Source

Patch Changes

• handle external redirects in from server actions (#​14400)

• New (unstable) useRoute hook for accessing data from specific routes (#​14407)

  For example, let's say you have an admin route somewhere in your app and you want any child routes of admin to all have access to the loaderData and actionData from admin.

  // app/routes/admin.tsx
  import { Outlet } from "react-router";
  
  export const loader = () => ({ message: "Hello, loader!" });
  
  export const action = () => ({ count: 1 });
  
  export default function Component() {
    return (
      <div>
        {/* ... */}
        <Outlet />
        {/* ... */}
      </div>
    );
  }

  You might even want to create a reusable widget that all of the routes nested under admin could use:

  import { unstable_useRoute as useRoute } from "react-router";
  
  export function AdminWidget() {
    // How to get `message` and `count` from `admin` route?
  }

  In framework mode, useRoute knows all your app's routes and gives you TS errors when invalid route IDs are passed in:

  export function AdminWidget() {
    const admin = useRoute("routes/dmin");
    //                      ^^^^^^^^^^^
  }

  useRoute returns undefined if the route is not part of the current page:

  export function AdminWidget() {
    const admin = useRoute("routes/admin");
    if (!admin) {
      throw new Error(`AdminWidget used outside of "routes/admin"`);
    }
  }

  Note: the root route is the exception since it is guaranteed to be part of the current page.
  As a result, useRoute never returns undefined for root.

  loaderData and actionData are marked as optional since they could be accessed before the action is triggered or after the loader threw an error:

  export function AdminWidget() {
    const admin = useRoute("routes/admin");
    if (!admin) {
      throw new Error(`AdminWidget used outside of "routes/admin"`);
    }
    const { loaderData, actionData } = admin;
    console.log(loaderData);
    //          ^? { message: string } | undefined
    console.log(actionData);
    //          ^? { count: number } | undefined
  }

  If instead of a specific route, you wanted access to the current route's loaderData and actionData, you can call useRoute without arguments:

  export function AdminWidget() {
    const currentRoute = useRoute();
    currentRoute.loaderData;
    currentRoute.actionData;
  }

  This usage is equivalent to calling useLoaderData and useActionData, but consolidates all route data access into one hook: useRoute.

  Note: when calling useRoute() (without a route ID), TS has no way to know which route is the current route.
  As a result, loaderData and actionData are typed as unknown.
  If you want more type-safety, you can either narrow the type yourself with something like zod or you can refactor your app to pass down typed props to your AdminWidget:

  export function AdminWidget({
    message,
    count,
  }: {
    message: string;
    count: number;
  }) {
    /* ... */
  }

v7.9.3

Compare Source

Patch Changes

• Do not try to use turbo-stream to decode CDN errors that never reached the server (#​14385)

  • We used to do this but lost this check with the adoption of single fetch

• Fix Data Mode regression causing a 404 during initial load in when middleware exists without any loader functions (#​14393)

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8pm,before 6am" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.