chore(monorepo): update dependency @react-router/node to v7.9.4 [security]#1534
chore(monorepo): update dependency @react-router/node to v7.9.4 [security]#1534renovate[bot] wants to merge 1 commit intomainfrom
Conversation
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 744 in 08647f0
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
renovate
Bot
force-pushed
the
renovate/npm-react-router-node-vulnerability
branch
from
08647f0 to
b784c1d
Compare
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
renovate
Bot
changed the title
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
🧹 Starting cleanup of preview environment resources... |
|
❌ Preview environment cleanup failure. Cleanup Status:
Some resources may require manual cleanup. Check the workflow logs for details. |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/npm-react-router-node-vulnerability
branch
2 times, most recently
from
b784c1d to
2613cc8
Compare
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
renovate
Bot
force-pushed
the
renovate/npm-react-router-node-vulnerability
branch
from
2613cc8 to
7e7d344
Compare
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
renovate
Bot
force-pushed
the
renovate/npm-react-router-node-vulnerability
branch
from
eeeb6bb to
56ef85e
Compare
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
renovate
Bot
force-pushed
the
renovate/npm-react-router-node-vulnerability
branch
from
56ef85e to
2b1f617
Compare
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 6891 in 2b1f617
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 6904 in 2b1f617
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 6917 in 2b1f617
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 6984 in 2b1f617
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 6994 in 2b1f617
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 7003 in 2b1f617
There was a problem hiding this comment.
[misspell] reported by reviewdog 🐶
"optimise" is a misspelling of "optimize"
suddenlygiovanni.dev/pnpm-lock.yaml
Line 7012 in 2b1f617
|
🔄 Preview deployment started... Please wait while we deploy your changes! |
|
❌ Preview deployment failure. Deployment failed. Please check the workflow logs for more details. |
This PR contains the following updates:
7.7.0→7.9.4React Router has Path Traversal in File Session Storage
CVE-2025-61686 / GHSA-9583-h5hc-x8cw
More information
Details
If applications use
createFileSessionStorage()from@react-router/node(or@remix-run/node/@remix-run/denoin Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files.Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
remix-run/react-router (@react-router/node)
v7.9.4Compare Source
Patch Changes
react-router@7.9.4v7.9.3Compare Source
Patch Changes
react-router@7.9.3v7.9.2Compare Source
Patch Changes
react-router@7.9.2v7.9.1Compare Source
Patch Changes
react-router@7.9.1v7.9.0Compare Source
Minor Changes
Stabilize middleware and context APIs. (#14215)
We have removed the
unstable_prefix from the following APIs and they are now considered stable and ready for production use:RouterContextProvidercreateContextcreateBrowserRoutergetContextoption<HydratedRouter>getContextpropPlease see the Middleware Docs, the Middleware RFC, and the Client-side Context RFC for more information.
Patch Changes
react-router@7.9.0v7.8.2Compare Source
Patch Changes
react-router@7.8.2v7.8.1Compare Source
Patch Changes
react-router@7.8.1v7.8.0Compare Source
Patch Changes
[UNSTABLE] Change
getLoadContextsignature (type GetLoadContextFunction) whenfuture.unstable_middlewareis enabled so that it returns anunstable_RouterContextProviderinstance instead of aMapused to contruct the instance internally (#14097)type unstable_InitialContextexportgetLoadContextfunctionUpdated dependencies:
react-router@7.8.0v7.7.1Compare Source
Patch Changes
react-router@7.7.1Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.