Bump react-router to v7.12.0 [SECURITY] #47588
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
added
dependencies
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
0e66b01 to
da67af8
Compare
Netlify deploy previewhttps://deploy-preview-47588--material-ui.netlify.app/ Bundle size report
|
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
da67af8 to
72a3b59
Compare
renovate
bot
force-pushed
the
renovate/npm-react-router-vulnerability
branch
from
72a3b59 to
6be1d81
Compare
ZeeshanTamboli
approved these changes
Jan 12, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
7.11.0→7.12.0GitHub Vulnerability Alerts
CVE-2026-21884
A XSS vulnerability exists in in React Router's
<ScrollRestoration>API in Framework Mode when using thegetKey/storageKeyprops during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.Note
This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).CVE-2026-22029
React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.
Note
This does not impact applications that use Declarative Mode (
<BrowserRouter>).CVE-2026-22030
React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route
actionhandlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.Note
This does not impact applications that use Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).Release Notes
remix-run/react-router (react-router)
v7.12.0Compare Source
Minor Changes
react-router.config.tsconfigallowedActionOriginsfield. (#14708)Patch Changes
Fix
generatePathwhen used with suffixed params (i.e., "/books/:id.json") (#14269)Export
UNSAFE_createMemoryHistoryandUNSAFE_createHashHistoryalongsideUNSAFE_createBrowserHistoryfor consistency. These are not intended to be used for new apps but intended to help apps usiongunstable_HistoryRoutermigrate from v6->v7 so they can adopt the newer APIs. (#14663)Escape HTML in scroll restoration keys (#14705)
Validate redirect locations (#14706)
[UNSTABLE] Pass
<Scripts nonce>value through to the underlyingimportmapscripttag when usingfuture.unstable_subResourceIntegrity(#14675)[UNSTABLE] Add a new
future.unstable_trailingSlashAwareDataRequestsflag to provide consistent behavior ofrequest.pathnameinsidemiddleware,loader, andactionfunctions on document and data requests when a trailing slash is present in the browser URL. (#14644)Currently, your HTTP and
requestpathnames would be as follows for/a/b/cand/a/b/c//a/b/crequestpathname`/a/b/c/a/b/c✅/a/b/c.data/a/b/c✅/a/b/c/requestpathname`/a/b/c//a/b/c/✅/a/b/c.data/a/b/cWith this flag enabled, these pathnames will be made consistent though a new
_.dataformat for client-side.datarequests:/a/b/crequestpathname`/a/b/c/a/b/c✅/a/b/c.data/a/b/c✅/a/b/c/requestpathname`/a/b/c//a/b/c/✅/a/b/c/_.data⬅️/a/b/c/✅This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.
Enabling this flag also changes the format of client side
.datarequests from/_root.datato/_.datawhen navigating to/to align with the new format. This does not impact therequestpathname which is still/in all cases.Preserve
clientLoader.hydrate=truewhen using<HydratedRouter unstable_instrumentations>(#14674)Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.