Update dependency react-router to v7.15.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	7.14.0 → 7.15.0

---

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

CVE-2026-42211 / GHSA-49rj-9fvp-4h2h

More information

Details

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h
• https://nvd.nist.gov/vuln/detail/CVE-2026-42211
• https://github.com/advisories/GHSA-49rj-9fvp-4h2h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

CVE-2026-40181 / GHSA-2j2x-hqr9-3h42

More information

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42
• https://nvd.nist.gov/vuln/detail/CVE-2026-40181
• https://github.com/advisories/GHSA-2j2x-hqr9-3h42

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

CVE-2026-42342 / GHSA-8x6r-g9mw-2r78

More information

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78
• https://nvd.nist.gov/vuln/detail/CVE-2026-42342
• https://github.com/advisories/GHSA-8x6r-g9mw-2r78

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

remix-run/react-router (react-router)

v7.15.0

Compare Source

Minor Changes

• Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on <Link>, <Form>, useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize the instrumentation APIs. unstable_instrumentations is now instrumentations and unstable_pattern is now pattern (a993f09)

  • The unstable_ServerInstrumentation, unstable_ClientInstrumentation, unstable_InstrumentRequestHandlerFunction, unstable_InstrumentRouterFunction, unstable_InstrumentRouteFunction, and unstable_InstrumentationHandlerResult types have had their unstable_ prefixes removed
  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_mask as mask on <Link>, useLinkClickHandler, and useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_url as url on loader, action, and middleware function args (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_useTransitions as useTransitions on <BrowserRouter>, <HashRouter>, <HistoryRouter>, <MemoryRouter>, <Router>, <RouterProvider>, <HydratedRouter>, and useLinkClickHandler (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

Patch Changes

• Add nonce to <Scripts> <link rel="modulepreload"> elements (if provided) (af5d49b)

• Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#​15012)

• Improve server-side route matching performance by pre-computing flattened/cached route branches (#​14967) (af5d49b)

  • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

• Mark mask as an optional field in Location for easier mocking in unit tests (#​14999)

• Cache flattened/ranked route branches to optimize server-side route matching (#​14967)

• Improve route matching performance in Framework/Data Mode (#​14971) (af5d49b)

  • Avoiding unnecessary calls to matchRoutes in data router scenarios
    • This includes adding back the optimization that was removed in 7.6.0 (#​13562)
    • The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest
  • Leverage pre-computed pre-computing flattened/cached route branches during client side route matching
  • Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance

v7.14.2

Compare Source

Patch Changes

• Remove the un-documented custom error serialization logic from the internal turbo-stream implementation. React Router only automatically handles serialization of Error and it's standard subtypes (SyntaxError, TypeError, etc.). ([aabf4a1)

• Properly handle parent middleware redirects during fetcher.load ([aabf4a1)

• Remove redundant Omit<RouterProviderProps, "flushSync"> from react-router/dom RouterProvider ([aabf4a1)

• Improved types for generatePath's param arg ([aabf4a1)

  Type errors when required params are omitted:

  // Before
  // Passes type checks, but throws at runtime 💥
  generatePath(":required", { required: null });
  
  // After
  generatePath(":required", { required: null });
  //                          ^^^^^^^^ Type 'null' is not assignable to type 'string'.ts(2322)

  Allow omission of optional params:

  // Before
  generatePath(":optional?", {});
  //                         ^^ Property 'optional' is missing in type '{}' but required in type '{ optional: string | null | undefined; }'.ts(2741)
  
  // After
  generatePath(":optional?", {});

  Allows extra keys:

  // Before
  generatePath(":a", { a: "1", b: "2" });
  //                           ^ Object literal may only specify known properties, and 'b' does not exist in type '{ a: string; }'.ts(2353)
  
  // After
  generatePath(":a", { a: "1", b: "2" });

v7.14.1

Compare Source

Patch Changes

• Fix a potential race condition that can occur when rendering a HydrateFallback and initial loaders land before the router.subscribe call happens in the RouterProvider layout effect
• Normalize double-slashes in redirect paths

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.