
Upgrade react-router-dom from 6.16.0 to 6.30.3#11591

Merged
ivarconr merged 1 commit into main from claude/fix-security-vulnerability-DTaMX
Mar 30, 2026

Conversation

@ivarconr
Member

Summary

This PR upgrades the react-router-dom dependency to a newer minor version, bringing in bug fixes and improvements from the React Router library.

Changes

  • Updated react-router-dom from version 6.16.0 to 6.30.3 in frontend dependencies

Notes

  • This is a minor version bump within the 6.x release line, which should maintain API compatibility
  • The lockfile has been updated to reflect transitive dependency changes

https://claude.ai/code/session_01Eojjz9XpWCQjqhXbiiSii1

Upgrades react-router-dom from 6.16.0 to 6.30.3 to address multiple
high/critical CVEs affecting react-router 6.x, including:
- CVE-2025-61686 (CVSS 9.1) - Path Traversal
- CVE-2026-22029 (CVSS 8.0) - XSS via Redirect
- CVE-2025-59057 (CVSS 7.6) - Cross-Site Scripting
- CVE-2026-22030 (CVSS 6.5) - CSRF
- CVE-2025-68470 (CVSS 6.5) - Open Redirect

Fixes Dependabot alert #317.

https://claude.ai/code/session_01Eojjz9XpWCQjqhXbiiSii1
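The PR notes say the lockfile was updated "to reflect transitive dependency changes". That is the part worth checking after a bump like this one: if some other dependency in frontend/yarn.lock still pins an older react-router or @remix-run/router, the vulnerable copy keeps shipping alongside the fixed one. The following is an added example, not code from this PR or from the Unleash project, that parses a yarn v1 lockfile and reports any entry below the fixed version or any package that resolves to more than one version. The lockfile snippets, registry URLs and the hypothetical "1.9.0" transitive pin are constructed for the example; the minimum versions come from this page (6.30.3 for react-router-dom and react-router, 1.23.2 for @remix-run/router as listed in the dependency review). The semver comparison drops pre-release suffixes, which is an assumption that is fine for checking release versions.

```javascript
// Added example (not part of the Unleash PR): audit a yarn.lock (v1 format) to
// confirm every resolved copy of the react-router packages is at or above the
// version that fixed the CVEs named in the commit message.
// Minimum versions are taken from the PR page; the lockfile text is constructed.

const MINIMUMS = {
  "react-router-dom": "6.30.3",
  "react-router": "6.30.3",
  "@remix-run/router": "1.23.2",
};

// Parse yarn v1 lockfile entries: an unindented header such as
//   react-router@6.30.3, react-router@^6.16.0:
// followed by two-space-indented fields; only `version` is needed here.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      // Split "name@range" on the LAST "@" so scoped names keep their "@scope/" prefix.
      const at = keys[0].lastIndexOf("@");
      current = {
        name: keys[0].slice(0, at),
        requests: keys.map((k) => k.slice(k.lastIndexOf("@") + 1)),
        version: null,
      };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^  version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison; pre-release suffixes ("6.30.3-pre.0")
// are dropped (assumption: we only compare release versions).
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Two failure modes after a package.json bump: an entry still resolves below
// the fixed version, or a package resolves to several versions because a
// transitive consumer pinned the old one, so the vulnerable copy ships too.
function auditLock(lockText, minimums) {
  const findings = [];
  const resolved = new Map(); // package name -> Set of resolved versions
  for (const e of parseYarnLock(lockText)) {
    if (!(e.name in minimums) || e.version === null) continue;
    if (!resolved.has(e.name)) resolved.set(e.name, new Set());
    resolved.get(e.name).add(e.version);
    if (compareVersions(e.version, minimums[e.name]) < 0) {
      findings.push(`${e.name}@${e.version} (requested as ${e.requests.join(", ")}) is below fixed version ${minimums[e.name]}`);
    }
  }
  for (const [name, versions] of resolved) {
    if (versions.size > 1) findings.push(`${name} resolves to multiple versions: ${[...versions].join(", ")}`);
  }
  return { ok: findings.length === 0, findings };
}

// Constructed lockfile after a clean upgrade: a single copy of each package.
const FIXED_LOCK = `# yarn lockfile v1

"@remix-run/router@1.23.2":
  version "1.23.2"
  resolved "https://registry.yarnpkg.com/@remix-run/router/-/router-1.23.2.tgz"

react-router-dom@^6.30.3:
  version "6.30.3"
  resolved "https://registry.yarnpkg.com/react-router-dom/-/react-router-dom-6.30.3.tgz"
  dependencies:
    "@remix-run/router" "1.23.2"
    react-router "6.30.3"

react-router@6.30.3:
  version "6.30.3"
  resolved "https://registry.yarnpkg.com/react-router/-/react-router-6.30.3.tgz"
  dependencies:
    "@remix-run/router" "1.23.2"
`;

// Constructed lockfile where another dependency still pins the pre-fix
// react-router 6.16.0 (and, through it, a hypothetical @remix-run/router 1.9.0).
const STALE_LOCK = FIXED_LOCK + `
react-router@6.16.0:
  version "6.16.0"
  resolved "https://registry.yarnpkg.com/react-router/-/react-router-6.16.0.tgz"
  dependencies:
    "@remix-run/router" "1.9.0"

"@remix-run/router@1.9.0":
  version "1.9.0"
  resolved "https://registry.yarnpkg.com/@remix-run/router/-/router-1.9.0.tgz"
`;

// Stand-alone run: report on the constructed stale lockfile.
const report = auditLock(STALE_LOCK, MINIMUMS);
console.log(report.ok ? "lockfile clean" : report.findings.join("\n"));
```

To run it against the real file, replace the constructed string with the contents of frontend/yarn.lock; a non-empty findings list means the bump in package.json did not remove every vulnerable copy and the pinning consumer has to be upgraded or deduplicated as well.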
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| npm/@remix-run/router | 1.23.2 | 🟢 5.3 |

Details for npm/@remix-run/router 1.23.2:

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 3 | Found 9/28 approved changesets -- score normalized to 3 |
| Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 🟢 10 | security policy file detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

| Package | Version | Score |
| --- | --- | --- |
| npm/react-router | 6.30.3 | 🟢 5.3 |

Details for npm/react-router 6.30.3:

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 3 | Found 9/28 approved changesets -- score normalized to 3 |
| Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 🟢 10 | security policy file detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

| Package | Version | Score |
| --- | --- | --- |
| npm/react-router-dom | 6.30.3 | 🟢 5.3 |

Details for npm/react-router-dom 6.30.3:

| Check | Score | Reason |
| --- | --- | --- |
| Code-Review | 🟢 3 | Found 9/28 approved changesets -- score normalized to 3 |
| Maintained | 🟢 10 | 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Security-Policy | 🟢 10 | security policy file detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • frontend/yarn.lock

@ivarconr ivarconr added the 🤖 all-ai Fully LLM generated (minor human check) label Mar 12, 2026
@kwasniew
Contributor

kwasniew commented Mar 12, 2026

There's a reason I didn't upgrade this one before. When you test Unleash with the console open, the latest version generates lots of warnings that require router config changes.

@gastonfournier gastonfournier moved this from New to In Progress in Issues and PRs Mar 13, 2026
@ivarconr
Member Author

> There's a reason I didn't upgrade this one before. When you test Unleash with the console open, the latest version generates lots of warnings that require router config changes.

thanks. I will take a deeper look.

@ivarconr
Member Author

Where do you see these warnings? I cannot see anything in the console log.
[screenshot of the browser console attached]

@kwasniew
Contributor

@ivarconr I will check later which pages triggered those. It was very specific URLs.

@github-project-automation github-project-automation Bot moved this from In Progress to Approved PRs in Issues and PRs Mar 27, 2026
@ivarconr ivarconr merged commit a3ae454 into main Mar 30, 2026
12 checks passed
@ivarconr ivarconr deleted the claude/fix-security-vulnerability-DTaMX branch March 30, 2026 07:13
@github-project-automation github-project-automation Bot moved this from Approved PRs to Done in Issues and PRs Mar 30, 2026

Labels

🤖 all-ai Fully LLM generated (minor human check)

Projects

Status: Done

4 participants