Skip to content

Update dependency react-router to v6 [SECURITY]#3186

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-react-router-vulnerability
Open

Update dependency react-router to v6 [SECURITY]#3186
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-react-router-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 9, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 4.3.16.30.2 age confidence

GitHub Vulnerability Alerts

CVE-2025-68470

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Release Notes

remix-run/react-router (react-router)

v6.30.2: v6.30.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

v6.30.1: v6.30.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

v6.30.0: v6.30.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

v6.29.0: v6.29.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

v6.28.2: v6.28.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

v6.28.1: v6.28.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

v6.28.0

Compare Source

Minor Changes
    • Log deprecation warnings for v7 flags (#​11750)
    • Add deprecation warnings to json/defer in favor of returning raw objects
      • These methods will be removed in React Router v7
Patch Changes
  • Update JSDoc URLs for new website structure (add /v6/ segment) (#​12141)
  • Updated dependencies:
    • @remix-run/router@1.21.0

v6.27.0

Compare Source

Minor Changes
  • Stabilize unstable_patchRoutesOnNavigation (#​11973)
    • Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#​11967)
  • Stabilize unstable_dataStrategy (#​11974)
  • Stabilize the unstable_flushSync option for navigations and fetchers (#​11989)
  • Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#​11989)
Patch Changes

  • Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#​12003)

  • Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#​12003)

  • Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#​11967)

  • Updated dependencies:

    • @remix-run/router@1.20.0

v6.26.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.19.2

v6.26.1

Compare Source

Patch Changes
  • Rename unstable_patchRoutesOnMiss to unstable_patchRoutesOnNavigation to match new behavior (#​11888)
  • Updated dependencies:
    • @remix-run/router@1.19.1

v6.26.0

Compare Source

Minor Changes
  • Add a new replace(url, init?) alternative to redirect(url, init?) that performs a history.replaceState instead of a history.pushState on client-side navigation redirects (#​11811)
Patch Changes
  • Fix initial hydration behavior when using future.v7_partialHydration along with unstable_patchRoutesOnMiss (#​11838)
    • During initial hydration, router.state.matches will now include any partial matches so that we can render ancestor HydrateFallback components
  • Updated dependencies:
    • @remix-run/router@1.19.0

v6.25.1

Compare Source

No significant changes to this package were made in this release. See the repo CHANGELOG.md for an overview of all changes in v6.25.1.

v6.25.0

Compare Source

Minor Changes
  • Stabilize future.unstable_skipActionErrorRevalidation as future.v7_skipActionErrorRevalidation (#​11769)
    • When this flag is enabled, actions will not automatically trigger a revalidation if they return/throw a Response with a 4xx/5xx status code
    • You may still opt-into revalidation via shouldRevalidate
    • This also changes shouldRevalidate's unstable_actionStatus parameter to actionStatus
Patch Changes
  • Fix regression and properly decode paths inside useMatch so matches/params reflect decoded params (#​11789)
  • Updated dependencies:
    • @remix-run/router@1.18.0

v6.24.1

Compare Source

Patch Changes
  • When using future.v7_relativeSplatPath, properly resolve relative paths in splat routes that are children of pathless routes (#​11633)
  • Updated dependencies:
    • @remix-run/router@1.17.1

v6.24.0

Compare Source

Minor Changes
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.17.0

v6.23.1

Compare Source

Patch Changes
  • allow undefined to be resolved with <Await> (#​11513)
  • Updated dependencies:
    • @remix-run/router@1.16.1

v6.23.0

Compare Source

Minor Changes
  • Add a new unstable_dataStrategy configuration option (#​11098)
    • This option allows Data Router applications to take control over the approach for executing route loaders and actions
    • The default implementation is today's behavior, to fetch all loaders in parallel, but this option allows users to implement more advanced data flows including Remix single-fetch, middleware/context APIs, automatic loader caching, and more
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.16.0

v6.22.3

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.15.3

v6.22.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.15.2

v6.22.1

Compare Source

Patch Changes
  • Fix encoding/decoding issues with pre-encoded dynamic parameter values (#​11199)
  • Updated dependencies:
    • @remix-run/router@1.15.1

v6.22.0

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.15.0

v6.21.3

Compare Source

Patch Changes
  • Remove leftover unstable_ prefix from Blocker/BlockerFunction types (#​11187)

v6.21.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.14.2

v6.21.1

Compare Source

Patch Changes
  • Fix bug with route.lazy not working correctly on initial SPA load when v7_partialHydration is specified (#​11121)
  • Updated dependencies:
    • @remix-run/router@1.14.1

v6.21.0

Compare Source

Minor Changes

  • Add a new future.v7_relativeSplatPath flag to implement a breaking bug fix to relative routing when inside a splat route. (#​11087)

    This fix was originally added in #​10983 and was later reverted in #​11078 because it was determined that a large number of existing applications were relying on the buggy behavior (see #​11052)

    The Bug
    The buggy behavior is that without this flag, the default behavior when resolving relative paths is to ignore any splat (*) portion of the current route path.

    The Background
    This decision was originally made thinking that it would make the concept of nested different sections of your apps in <Routes> easier if relative routing would replace the current splat:

    <BrowserRouter>
  <Routes>
    <Route path="/" element={<Home />} />
    <Route path="dashboard/*" element={<Dashboard />} />
  </Routes>
</BrowserRouter>

    Any paths like /dashboard, /dashboard/team, /dashboard/projects will match the Dashboard route. The dashboard component itself can then render nested <Routes>:

    function Dashboard() {
  return (
    <div>
      <h2>Dashboard</h2>
      <nav>
        <Link to="/">Dashboard Home</Link>
        <Link to="team">Team</Link>
        <Link to="projects">Projects</Link>
      </nav>

      <Routes>
        <Route path="/" element={<DashboardHome />} />
        <Route path="team" element={<DashboardTeam />} />
        <Route path="projects" element={<DashboardProjects />} />
      </Routes>
    </div>
  );
}

    Now, all links and route paths are relative to the router above them. This makes code splitting and compartmentalizing your app really easy. You could render the Dashboard as its own independent app, or embed it into your large app without making any changes to it.

    The Problem

    The problem is that this concept of ignoring part of a path breaks a lot of other assumptions in React Router - namely that "." always means the current location pathname for that route. When we ignore the splat portion, we start getting invalid paths when using ".":

    // If we are on URL /dashboard/team, and we want to link to /dashboard/team:
function DashboardTeam() {
  // ❌ This is broken and results in <a href="/dashboard">
  return <Link to=".">A broken link to the Current URL</Link>;

  // ✅ This is fixed but super unintuitive since we're already at /dashboard/team!
  return <Link to="./team">A broken link to the Current URL</Link>;
}

    We've also introduced an issue that we can no longer move our DashboardTeam component around our route hierarchy easily - since it behaves differently if we're underneath a non-splat route, such as /dashboard/:widget. Now, our "." links will, properly point to ourself inclusive of the dynamic param value so behavior will break from it's corresponding usage in a /dashboard/* route.

    Even worse, consider a nested splat route configuration:

    <BrowserRouter>
  <Routes>
    <Route path="dashboard">
      <Route path="*" element={<Dashboard />} />
    </Route>
  </Routes>
</BrowserRouter>

    Now, a <Link to="."> and a <Link to=".."> inside the Dashboard component go to the same place! That is definitely not correct!

    Another common issue arose in Data Routers (and Remix) where any <Form> should post to it's own route action if you the user doesn't specify a form action:

    let router = createBrowserRouter({
  path: "/dashboard",
  children: [
    {
      path: "*",
      action: dashboardAction,
      Component() {
        // ❌ This form is broken!  It throws a 405 error when it submits because
        // it tries to submit to /dashboard (without the splat value) and the parent
        // `/dashboard` route doesn't have an action
        return <Form method="post">...</Form>;
      },
    },
  ],
});

    This is just a compounded issue from the above because the default location for a Form to submit to is itself (".") - and if we ignore the splat portion, that now resolves to the parent route.

    The Solution
    If you are leveraging this behavior, it's recommended to enable the future flag, move your splat to it's own route, and leverage ../ for any links to "sibling" pages:

    <BrowserRouter>
  <Routes>
    <Route path="dashboard">
      <Route index path="*" element={<Dashboard />} />
    </Route>
  </Routes>
</BrowserRouter>

function Dashboard() {
  return (
    <div>
      <h2>Dashboard</h2>
      <nav>
        <Link to="..">Dashboard Home</Link>
        <Link to="../team">Team</Link>
        <Link to="../projects">Projects</Link>
      </nav>

      <Routes>
        <Route path="/" element={<DashboardHome />} />
        <Route path="team" element={<DashboardTeam />} />
        <Route path="projects" element={<DashboardProjects />} />
      </Router>
    </div>
  );
}

    This way, . means "the full current pathname for my route" in all cases (including static, dynamic, and splat routes) and .. always means "my parents pathname".

Patch Changes
  • Properly handle falsy error values in ErrorBoundary's (#​11071)
  • Updated dependencies:
    • @remix-run/router@1.14.0

v6.20.1

Compare Source

Patch Changes
  • Revert the useResolvedPath fix for splat routes due to a large number of applications that were relying on the buggy behavior (see #​11052 (comment)). We plan to re-introduce this fix behind a future flag in the next minor version. (#​11078)
  • Updated dependencies:
    • @remix-run/router@1.13.1

v6.20.0

Compare Source

Minor Changes
  • Export the PathParam type from the public API (#​10719)
Patch Changes
  • Fix bug with resolveTo in splat routes (#​11045)
    • This is a follow up to #​10983 to handle the few other code paths using getPathContributingMatches
    • This removes the UNSAFE_getPathContributingMatches export from @remix-run/router since we no longer need this in the react-router/react-router-dom layers
  • Updated dependencies:
    • @remix-run/router@1.13.0

v6.19.0

Compare Source

Minor Changes
  • Add unstable_flushSync option to useNavigate/useSumbit/fetcher.load/fetcher.submit to opt-out of React.startTransition and into ReactDOM.flushSync for state updates (#​11005)
  • Remove the unstable_ prefix from the useBlocker hook as it's been in use for enough time that we are confident in the API. We do not plan to remove the prefix from unstable_usePrompt due to differences in how browsers handle window.confirm that prevent React Router from guaranteeing consistent/correct behavior. (#​10991)
Patch Changes

  • Fix useActionData so it returns proper contextual action data and not any action data in the tree (#​11023)

  • Fix bug in useResolvedPath that would cause useResolvedPath(".") in a splat route to lose the splat portion of the URL path. (#​10983)

    • ⚠️ This fixes a quite long-standing bug specifically for "." paths inside a splat route which incorrectly dropped the splat portion of the URL. If you are relative routing via "." inside a splat route in your application you should double check that your logic is not relying on this buggy behavior and update accordingly.

  • Updated dependencies:

    • @remix-run/router@1.12.0

v6.18.0

Compare Source

Patch Changes
  • Fix the future prop on BrowserRouter, HashRouter and MemoryRouter so that it accepts a Partial<FutureConfig> instead of requiring all flags to be included. (#​10962)
  • Updated dependencies:
    • @remix-run/router@1.11.0

v6.17.0

Compare Source

Patch Changes
  • Fix RouterProvider future prop type to be a Partial<FutureConfig> so that not all flags must be specified (#​10900)
  • Updated dependencies:
    • @remix-run/router@1.10.0

v6.16.0

Compare Source

Minor Changes
  • In order to move towards stricter TypeScript support in the future, we're aiming to replace current usages of any with unknown on exposed typings for user-provided data. To do this in Remix v2 without introducing breaking changes in React Router v6, we have added generics to a number of shared types. These continue to default to any in React Router and are overridden with unknown in Remix. In React Router v7 we plan to move these to unknown as a breaking change. (#​10843)
    • Location now accepts a generic for the location.state value
    • ActionFunctionArgs/ActionFunction/LoaderFunctionArgs/LoaderFunction now accept a generic for the context parameter (only used in SSR usages via createStaticHandler)
    • The return type of useMatches (now exported as UIMatch) accepts generics for match.data and match.handle - both of which were already set to unknown
  • Move the @private class export ErrorResponse to an UNSAFE_ErrorResponseImpl export since it is an implementation detail and there should be no construction of ErrorResponse instances in userland. This frees us up to export a type ErrorResponse which correlates to an instance of the class via InstanceType. Userland code should only ever be using ErrorResponse as a type and should be type-narrowing via isRouteErrorResponse. (#​10811)
  • Export ShouldRevalidateFunctionArgs interface (#​10797)
  • Removed private/internal APIs only required for the Remix v1 backwards compatibility layer and no longer needed in Remix v2 (_isFetchActionRedirect, _hasFetcherDoneAnything) (#​10715)
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.9.0

v6.15.0

Compare Source

Minor Changes
  • Add's a new redirectDocument() function which allows users to specify that a redirect from a loader/action should trigger a document reload (via window.location) instead of attempting to navigate to the redirected location via React Router (#​10705)
Patch Changes
  • Ensure useRevalidator is referentially stable across re-renders if revalidations are not actively occurring (#​10707)
  • Updated dependencies:
    • @remix-run/router@1.8.0

v6.14.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.7.2

v6.14.1

Compare Source

Patch Changes
  • Fix loop in unstable_useBlocker when used with an unstable blocker function (#​10652)
  • Fix issues with reused blockers on subsequent navigations (#​10656)
  • Updated dependencies:
    • @remix-run/router@1.7.1

v6.14.0

Compare Source

Patch Changes
  • Strip basename from locations provided to unstable_useBlocker functions to match useLocation (#​10573)
  • Fix generatePath when passed a numeric 0 value parameter (#​10612)
  • Fix unstable_useBlocker key issues in StrictMode (#​10573)
  • Fix tsc --skipLibCheck:false issues on React 17 (#​10622)
  • Upgrade typescript to 5.1 (#​10581)
  • Updated dependencies:
    • @remix-run/router@1.7.0

v6.13.0

Compare Source

Minor Changes

  • Move React.startTransition usage behind a future flag to avoid issues with existing incompatible Suspense usages. We recommend folks adopting this flag to be better compatible with React concurrent mode, but if you run into issues you can continue without the use of startTransition until v7. Issues usually boils down to creating net-new promises during the render cycle, so if you run into issues you should either lift your promise creation out of the render cycle or put it behind a useMemo. (#​10596)

    Existing behavior will no longer include React.startTransition:

    <BrowserRouter>
  <Routes>{/*...*/}</Routes>
</BrowserRouter>

<RouterProvider router={router} />

    If you wish to enable React.startTransition, pass the future flag to your component:

    <BrowserRouter future={{ v7_startTransition: true }}>
  <Routes>{/*...*/}</Routes>
</BrowserRouter>

<RouterProvider router={router} future={{ v7_startTransition: true }}/>
Patch Changes
  • Work around webpack/terser React.startTransition minification bug in production mode (#​10588)

v6.12.1

Compare Source

[!WARNING]
Please use version 6.13.0 or later instead of 6.12.1. This version suffers from a webpack/terser minification issue resulting in invalid minified code in your resulting production bundles which can cause issues in your application. See #​10579 for more details.

Patch Changes
  • Adjust feature detection of React.startTransition to fix webpack + react 17 compilation error (#​10569)

v6.12.0

Compare Source

Minor Changes
  • Wrap internal router state updates with React.startTransition if it exists (#​10438)
Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.6.3

v6.11.2

Compare Source

Patch Changes
  • Fix basename duplication in descendant <Routes> inside a <RouterProvider> (#​10492)
  • Updated dependencies:
    • @remix-run/router@1.6.2

v6.11.1

Compare Source

Patch Changes
  • Fix usage of Component API within descendant <Routes> (#​10434)
  • Fix bug when calling useNavigate from <Routes> inside a <RouterProvider> (#​10432)
  • Fix usage of <Navigate> in strict mode when using a data router (#​10435)
  • Updated dependencies:
    • @remix-run/router@1.6.1

v6.11.0

Compare Source

Patch Changes
  • Log loader/action errors to the console in dev for easier stack trace evaluation (#​10286)
  • Fix bug preventing rendering of descendant <Routes> when RouterProvider errors existed (#​10374)
  • Fix inadvertent re-renders when using Component instead of element on a route definition (#​10287)
  • Fix detection of useNavigate in the render cycle by setting the activeRef in a layout effect, allowing the navigate function to be passed to child components and called in a useEffect there. (#​10394)
  • Switched from useSyncExternalStore to useState for internal @remix-run/router router state syncing in <RouterProvider>. We found some subtle bugs where router state updates got propagated before other normal useState updates, which could lead to footguns in useEffect calls. (#​10377, #​10409)
  • Allow useRevalidator() to resolve a loader-driven error boundary scenario (#​10369)
  • Avoid unnecessary unsubscribe/resubscribes on router state changes (#​10409)
  • When using a RouterProvider, useNavigate/useSubmit/fetcher.submit are now stable across location changes, since we can handle relative routing via the @remix-run/router instance and get rid of our dependence on useLocation(). When using BrowserRouter, these hooks remain unstable across location changes because they still rely on useLocation(). (#​10336)
  • Updated dependencies:
    • @remix-run/router@1.6.0

v6.10.0

Compare Source

Minor Changes
  • Added support for Future Flags in React Router. The first flag being introduced is future.v7_normalizeFormMethod which will normalize the exposed useNavigation()/useFetcher() formMethod fields as uppercase HTTP methods to align with the fetch() behavior. (#​10207)
    • When future.v7_normalizeFormMethod === false (default v6 behavior),
      • useNavigation().formMethod is lowercase
      • useFetcher().formMethod is lowercase
    • When future.v7_normalizeFormMethod === true:
      • useNavigation().formMethod is uppercase
      • useFetcher().formMethod is uppercase
Patch Changes
  • Fix route ID generation when using Fragments in createRoutesFromElements (#​10193)
  • Updated dependencies:
    • @remix-run/router@1.5.0

v6.9.0

Compare Source

Minor Changes

  • React Router now supports an alternative way to define your route element and errorElement fields as React Components instead of React Elements. You can instead pass a React Component to the new Component and ErrorBoundary fields if you choose. There is no functional difference between the two, so use whichever approach you prefer 😀. You shouldn't be defining both, but if you do Component/ErrorBoundary will "win". (#​10045)

    Example JSON Syntax

    // Both of these work the same:
const elementRoutes = [{
  path: '/',
  element: <Home />,
  errorElement: <HomeError />,
}]

const componentRoutes = [{
  path: '/',
  Component: Home,
  ErrorBoundary: HomeError,
}]

function Home() { ... }
function HomeError() { ... }

    Example JSX Syntax

    // Both of these work the same:
const elementRoutes = createRoutesFromElements(
  <Route path='/' element={<Home />} errorElement={<HomeError /> } />
);

const componentRoutes = createRoutesFromElements(
  <Route path='/' Component={Home} ErrorBoundary={HomeError} />
);

function Home() { ... }
function HomeError() { ... }

  • Introducing Lazy Route Modules! (#​10045)

    In order to keep your application bundles small and support code-splitting of your routes, we've introduced a new lazy() route property. This is an async function that resolves the non-route-matching portions of your route definition (loader, action, element/Component, errorElement/ErrorBoundary, shouldRevalidate, handle).

    Lazy routes are resolved on initial load and during the loading or submitting phase of a navigation or fetcher call. You cannot lazily define route-matching properties (path, index, children) since we only execute your lazy route functions after we've matched known routes.

    Your lazy functions will typically return the result of a dynamic import.

    // In this example, we assume most folks land on the homepage so we include that
// in our critical-path bundle, but then we lazily load modules for /a and /b so
// they don't load until the user navigates to those routes
let routes = createRoutesFromElements(
  <Route path="/" element={<Layout />}>
    <Route index element={<Home />} />
    <Route path="a" lazy={() => import("./a")} />
    <Route path="b" lazy={() => import("./b")} />
  </Route>,
);

    Then in your lazy route modules, export the properties you want defined for the route:

    export async function loader({ request }) {
  let data = await fetchData(request);
  return json(data);
}

// Export a `Component` directly instead of needing to create a React Element from it
export function Component() {
  let data = useLoaderData();

  return (
    <>
      <h1>You made it!</h1>
      <p>{data}</p>
    </>
  );
}

// Export an `ErrorBoundary` directly instead of needing to create a React Element from it
export function ErrorBoundary() {
  let error = useRouteError();
  return isRouteErrorResponse(error) ? (
    <h1>
      {error.status} {error.statusText}
    </h1>
  ) : (
    <h1>{error.message || error}</h1>
  );
}

    An example of this in action can be found in the examples/lazy-loading-router-provider directory of the repository.

    🙌 Huge thanks to @​rossipedia for the Initial Proposal and POC Implementation.

  • Updated dependencies:

    • @remix-run/router@1.4.0
Patch Changes
  • Fix generatePath incorrectly applying parameters in some cases (#​10078)
  • Improve memoization for context providers to avoid unnecessary re-renders (#​9983)

v6.8.2

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.3.3

v6.8.1

Compare Source

Patch Changes
  • Remove inaccurate console warning for POP navigations and update active blocker logic (#​10030)
  • Updated dependencies:
    • @remix-run/router@1.3.2

v6.8.0

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.3.1

v6.7.0

Compare Source

Minor Changes
  • Add unstable_useBlocker hook for blocking navigations within the app's location origin (#​9709)
Patch Changes
  • Fix generatePath when optional params are present (#​9764)
  • Update <Await> to accept ReactNode as children function return result (#​9896)
  • Updated dependencies:
    • @remix-run/router@1.3.0

v6.6.2

Compare Source

Patch Changes
  • Ensure useId consistency during SSR (#​9805)

v6.6.1

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.2.1

v6.6.0

Compare Source

Patch Changes
  • Prevent useLoaderData usage in errorElement (#​9735)
  • Updated dependencies:
    • @remix-run/router@1.2.0

v6.5.0

Compare Source

This release introduces support for Optional Route Segments. Now, adding a ? to the end of any path segment will make that entire segment optional. This works for both static segments and dynamic parameters.

Optional Params Examples

  • <Route path=":lang?/about> will match:
    • /:lang/about
    • /about
  • <Route path="/multistep/:widget1?/widget2?/widget3?"> will match:
    • /multistep
    • /multistep/:widget1
    • /multistep/:widget1/:widget2
    • /multistep/:widget1/:widget2/:widget3

Optional Static Segment Example

  • <Route path="/home?"> will match:
    • /
    • /home
  • <Route path="/fr?/about"> will match:
    • /about
    • /fr/about
Minor Changes
  • Allows optional routes and optional static segments (#​9650)
Patch Changes
  • Stop incorrectly matching on partial named parameters, i.e. <Route path="prefix-:param">, to align with how splat parameters work. If you were previously relying on this behavior then it's recommended to extract the static portion of the path at the useParams call site: (#​9506)
// Old behavior at URL /prefix-123
<Route path="prefix-:id" element={<Comp /> }>

function Comp() {
  let params = useParams(); // { id: '123' }
  let id = params.id; // "123"
  ...
}

// New behavior at URL /prefix-123
<Route path=":id" element={<Comp /> }>

function Comp() {
  let params = useParams(); // { id: 'prefix-123' }
  let id = params.id.replace(/^prefix-/, ''); // "123"
  ...
}
  • Updated dependencies:
    • @remix-run/router@1.1.0

v6.4.5

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.0.5

v6.4.4

Compare Source

Patch Changes
  • Updated dependencies:
    • @remix-run/router@1.0.4

v6.4.3

Compare Source

Patch Changes
  • useRoutes should be able to return null when passing locationArg (#​9485)
  • fix initialEntries type in createMemoryRouter (#​9498)
  • Updated dependencies:
    • @remix-run/router@1.0.3

v6.4.2

Compare Source

Patch Changes
  • Fix IndexRouteObject and NonIndexRouteObject types to make hasErrorElement optional (#​9394)
  • Enhance console error messages for invalid usage of data router hooks (#​9311)
  • If an index route has children, it will result in a runtime error. We have strengthened our RouteObject/RouteProps types to surface the error in TypeScript. (#​9366)
  • Updated dependencies:
    • @remix-run/router@1.0.2

v6.4.1

Compare Source

Patch Changes
  • Preserve state from initialEntries (#​9288)
  • Updated dependencies:
    • @remix-run/router@1.0.1

v6.4.0

Compare Source

Whoa this is a big one! 6.4.0 brings all the data loading and mutation APIs over from Remix. Here's a quick high level overview, but it's recommended you go check out the docs, especially the feature overview and the tutorial.

New APIs

  • Create your router with createMemoryRouter
  • Render your router with <RouterProvider>
  • Load data with a Route loader and mutate with a Route action
  • Handle errors with Route errorElement
  • Defer non-critical data with defer and Await

Bug Fixes

  • Path resolution is now trailing slash agnostic (#​8861)
  • useLocation returns the scoped location inside a <Routes location> component (#​9094)

Updated Dependencies

  • @remix-run/router@1.0.0

v6.3.0: react-router@v6.3.0

Compare Source

What's Changed
New Contributors

Full Changelog: remix-run/react-router@v6.2.2...v6.3.0

v6.2.2

Compare Source

What's Changed
🐛 Bug Fixes
  • Fixed nested splat routes that begin with special URL-safe characters (#​8563)
  • Fixed a bug where index routes were missing route context in some cases (#​8497)
New Contributors

Full Changelog: remix-run/react-router@v6.2.1...v6.2.2

v6.2.1

Compare Source

This release updates the internal history dependency to 5.2.0.

Full Changelog: remix-run/react-router@v6.2.0...v6.2.1

v6.2.0

Compare Source

🐛 Bug fixes

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Jan 9, 2026

OpenAPI Changes

Show/hide ## Changes for v0.yaml: 
## Changes for v0.yaml:


## Changes for v1.yaml:


## Changes for v2.yaml:

Unexpected changes? Ensure your branch is up-to-date with main (consider rebasing).

@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch 29 times, most recently from 8ae9517 to 301443b Compare January 14, 2026 20:28
@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch 8 times, most recently from d5fb84b to ccebfaf Compare January 23, 2026 15:41
@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch 13 times, most recently from 8d274ea to 22a9841 Compare February 5, 2026 19:30
sentry[bot]
sentry bot reviewed Feb 5, 2026
View reviewed changes
@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from 22a9841 to 44945d7 Compare February 5, 2026 20:23
sentry[bot]
sentry bot reviewed Feb 5, 2026
View reviewed changes
@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from 44945d7 to 8c9b493 Compare February 5, 2026 21:23
sentry[bot]
sentry bot reviewed Feb 5, 2026
View reviewed changes
@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from 8c9b493 to 75f7023 Compare February 6, 2026 13:49
@renovate renovate bot force-pushed the renovate/npm-react-router-vulnerability branch from 75f7023 to 1f5ef9b Compare February 6, 2026 15:13
sentry[bot]
sentry bot reviewed Feb 6, 2026
View reviewed changes
frontend/public/package.json
"react-picky": "4.7.2",
"react-redux": "^7.1.0",
"react-router": "4.3.1",
"react-router": "6.30.2",
Copy link

@sentry sentry bot Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The update to react-router v6 introduces breaking API changes without the necessary code refactoring, which will cause the application to crash on startup.
Severity: CRITICAL

Suggested Fix

To resolve this, either revert the react-router upgrade or, preferably, perform a full migration to the React Router v6 API. This involves replacing <Switch> with <Routes>, using the element prop on <Route> instead of component or render, replacing <Redirect> with <Navigate>, and using hooks like useNavigate and useLocation instead of the withRouter HOC. The react-router-dom package should also be updated to a compatible version.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: frontend/public/package.json#L95

Potential issue: The `react-router` package is being upgraded to version 6, but the
codebase continues to use APIs that were removed in this major version update.
Specifically, the code imports and uses components and functions like `<Switch>`,
`<Redirect>`, the `component` and `render` props on `<Route>`, and the `withRouter` HOC.
These are no longer exported by `react-router` v6. This mismatch will cause import
errors when the application attempts to build or start, leading to a complete failure of
the routing system and preventing the application from loading.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants