chore(deps): update dependency react-router to v6.30.2 #33
mend-on-mend[bot] wants to merge 1 commit into main from
Signed-off-by: mend-on-mend[bot] <mend-on-mend[bot]@users.noreply.github.com>
This PR is being reviewed by Cursor Bugbot
| "react": "^16.13.1 || ^17.0.0 || ^18.0.0", | ||
| "react-dom": "^16.13.1 || ^17.0.0 || ^18.0.0", | ||
| "react-router": "6.0.0-beta.0 || ^6.3.0" | ||
| "react-router": "6.30.2 ^6.30.2" |
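Review bot: On the new "react-router" peer range, "6.30.2 ^6.30.2" is two comparators separated by a space, which semver evaluates as an intersection, so the range resolves to exactly 6.30.2. The previous value "6.0.0-beta.0 || ^6.3.0" accepted 6.x releases from 6.3.0 upward, so this change turns a broad peer requirement into a single pinned version and consumers on any other 6.x release will hit peer-dependency conflicts. If the intent is to require the patched release or later, use "^6.30.2" on its own.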
Malformed semver range in peerDependencies breaks version matching
High Severity
The react-router peerDependency has been changed from a valid semver range "6.0.0-beta.0 || ^6.3.0" to "6.30.2 ^6.30.2", which is malformed. In semver, a space between version specifiers means intersection (AND), not union (OR), making this range confusing and likely unintended. This will cause peer dependency resolution issues for consumers of this package who may have valid react-router versions installed. The range appears to be a typo and should likely be "^6.30.2" instead.
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
This PR contains the following updates:
- 6.26.2 -> 6.30.2
- 6.30.1 -> 6.30.2
- 6.23.1 -> 6.30.2
- 6.26.1 -> 6.30.2
- 6.24.0 -> 6.30.2
- 6.29.0 -> 6.30.2
- 6.28.0 -> 6.30.2
- 6.23.0 -> 6.30.2
- 6.26.0 -> 6.30.2
- 6.27.0 -> 6.30.2
- 6.28.2 -> 6.30.2
- 6.30.0 -> 6.30.2
- 6.25.1 -> 6.30.2
- 6.0.0-beta.0 || ^6.3.0 -> 6.30.2 ^6.30.2
- 6.24.1 -> 6.30.2
- 6.28.1 -> 6.30.2

React Router has unexpected external redirect via untrusted paths
CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m
More information
Details
An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
remix-run/react-router (react-router)
v6.30.2
See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302
v6.30.1
See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301
v6.30.0
See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300
v6.29.0
See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290
v6.28.2
See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282
v6.28.1
See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281
v6.28.0
Minor Changes
- json/defer in favor of returning raw objects
Patch Changes
- @remix-run/router@1.21.0
v6.27.0
Minor Changes
- unstable_patchRoutesOnNavigation (#11973)
- PatchRoutesOnNavigationFunctionArgs type for convenience (#11967)
- unstable_dataStrategy (#11974)
- unstable_flushSync option for navigations and fetchers (#11989)
- unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#11989)
Patch Changes
- Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#12003)
- Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#12003)
- Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#11967)
- Updated dependencies:
  - @remix-run/router@1.20.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
Note
Updates routing deps across many workspaces for consistency and security.
- react-router lock entries to 6.30.x and aligns @remix-run/router to 1.23.2
- yarn.lock files
- peerDependencies in bitbucket-pull-requests plugin to require react-router 6.30.2
Written by Cursor Bugbot for commit 2321c30. This will update automatically on new commits.
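A defence-in-depth check for the condition the advisory above describes (untrusted content reaching a navigation path), as an added example that is not part of this PR or of React Router. The function name `safeInternalPath`, the dummy origin and the sample inputs in the comments are assumptions constructed here; the function is meant to wrap any user-influenced value before it is passed to navigate(), <Link>, or redirect().

```javascript
// Added example: validate an untrusted "return to" value before it reaches
// React Router's navigate(), <Link to>, or redirect().
// safeInternalPath and DUMMY_ORIGIN are hypothetical names for illustration.

// Parsing base only; .invalid is a reserved TLD and is never contacted.
const DUMMY_ORIGIN = "http://internal.invalid";

function safeInternalPath(untrusted, fallback = "/") {
  if (typeof untrusted !== "string" || untrusted.length === 0) return fallback;

  // Reject control characters, whitespace and backslashes. URL parsers strip
  // or normalise these, so the string that was checked could differ from the
  // string that is eventually navigated to.
  if (/[\u0000-\u0020\u007f\\]/.test(untrusted)) return fallback;

  // Only accept a site-rooted path: exactly one leading slash. This excludes
  // absolute URLs (constructed sample: "https://other.example/x") and
  // protocol-relative ones (constructed sample: "//other.example/x").
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;

  let parsed;
  try {
    parsed = new URL(untrusted, DUMMY_ORIGIN);
  } catch {
    return fallback;
  }

  // If resolving against the dummy base changed the origin, the value was
  // not a plain path.
  if (parsed.origin !== DUMMY_ORIGIN) return fallback;

  // Dot-segment normalisation can leave an empty first segment; refuse a
  // normalised path that has become double-slash rooted.
  if (parsed.pathname.startsWith("//")) return fallback;

  // Return the normalised form so that what was validated is what is used.
  return parsed.pathname + parsed.search + parsed.hash;
}
```

Call it at the trust boundary, for example on a query-string "next" parameter, and pass only its return value to the router.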