Skip to content

chore(deps): update dependency @react-router/node to v7.9.4 [security]#41

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-node-vulnerability
Open

chore(deps): update dependency @react-router/node to v7.9.4 [security]#41
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-node-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@react-router/node (source) 7.4.17.9.4 age adoption passing confidence

React Router has Path Traversal in File Session Storage

CVE-2025-61686 / GHSA-9583-h5hc-x8cw

More information

Details

If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files.

Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

remix-run/react-router (@​react-router/node)

v7.9.4

Compare Source

Patch Changes
  • Validate format of incoming session ids (#​14426)
  • Updated dependencies:
    • react-router@7.9.4

v7.9.3

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.9.3

v7.9.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.9.2

v7.9.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.9.1

v7.9.0

Compare Source

Minor Changes
Patch Changes
  • Updated dependencies:
    • react-router@7.9.0

v7.8.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.8.2

v7.8.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.8.1

v7.8.0

Compare Source

Patch Changes
  • [UNSTABLE] Change getLoadContext signature (type GetLoadContextFunction) when future.unstable_middleware is enabled so that it returns an unstable_RouterContextProvider instance instead of a Map used to contruct the instance internally (#​14097)

    • This also removes the type unstable_InitialContext export
    • ⚠️ This is a breaking change if you have adopted middleware and are using a custom server with a getLoadContext function
  • Updated dependencies:

    • react-router@7.8.0

v7.7.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.7.1

v7.7.0

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.7.0

v7.6.3

Compare Source

Patch Changes
  • Remove old "install" package exports (#​13762)
  • Updated dependencies:
    • react-router@7.6.3

v7.6.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.6.2

v7.6.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.6.1

v7.6.0

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.6.0

v7.5.3

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.3

v7.5.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.2

v7.5.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.1

v7.5.0

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@netlify

netlify Bot commented Jan 8, 2026

Copy link
Copy Markdown

Deploy Preview for vektorprogrammet-dashboard ready!

Name Link
🔨 Latest commit 9e2acc8
🔍 Latest deploy log https://app.netlify.com/projects/vektorprogrammet-dashboard/deploys/69efec40c23cca000802be27
😎 Deploy Preview https://deploy-preview-41--vektorprogrammet-dashboard.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse
1 paths audited
Performance: 98
Accessibility: 100
Best Practices: 100
SEO: 90
PWA: -
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@sonarqubecloud

sonarqubecloud Bot commented Jan 8, 2026

Copy link
Copy Markdown

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jan 8, 2026

Copy link
Copy Markdown

Deploying dashboard with  Cloudflare Pages  Cloudflare Pages

Latest commit: 9e2acc8
Status: ✅  Deploy successful!
Preview URL: https://27c61b8a.dashboard-14q.pages.dev
Branch Preview URL: https://renovate-npm-react-router-no.dashboard-14q.pages.dev

View logs

@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 2 times, most recently from 3c6fb9c to 26d7b3f Compare February 12, 2026 17:31
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch from 26d7b3f to 01c0e86 Compare February 19, 2026 17:56
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch from 01c0e86 to 4cdedb2 Compare March 9, 2026 16:38
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch from 4cdedb2 to fe62822 Compare March 23, 2026 16:27
@renovate renovate Bot changed the title chore(deps): update dependency @react-router/node to v7.9.4 [security] chore(deps): update dependency @react-router/node to v7.9.4 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-react-router-node-vulnerability branch March 27, 2026 02:03
@renovate renovate Bot changed the title chore(deps): update dependency @react-router/node to v7.9.4 [security] - autoclosed chore(deps): update dependency @react-router/node to v7.9.4 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 2 times, most recently from fe62822 to e735377 Compare March 30, 2026 21:34
@renovate renovate Bot changed the title chore(deps): update dependency @react-router/node to v7.9.4 [security] chore(deps): update dependency @react-router/node to v7.9.4 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency @react-router/node to v7.9.4 [security] - autoclosed chore(deps): update dependency @react-router/node to v7.9.4 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 2 times, most recently from e735377 to 9e2acc8 Compare April 27, 2026 23:07
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants