Skip to content

Update dependency @react-router/node to v7.9.4 [SECURITY]#543

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-node-vulnerability
Open

Update dependency @react-router/node to v7.9.4 [SECURITY]#543
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-node-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jan 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@react-router/node (source) 7.4.17.9.4 age adoption passing confidence

React Router has Path Traversal in File Session Storage

CVE-2025-61686 / GHSA-9583-h5hc-x8cw

More information

Details

If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files.

Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

remix-run/react-router (@​react-router/node)

v7.9.4

Compare Source

Patch Changes
  • Validate format of incoming session ids (#​14426)
  • Updated dependencies:
    • react-router@7.9.4

v7.9.3

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.9.3

v7.9.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.9.2

v7.9.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.9.1

v7.9.0

Compare Source

Minor Changes
Patch Changes
  • Updated dependencies:
    • react-router@7.9.0

v7.8.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.8.2

v7.8.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.8.1

v7.8.0

Compare Source

Patch Changes
  • [UNSTABLE] Change getLoadContext signature (type GetLoadContextFunction) when future.unstable_middleware is enabled so that it returns an unstable_RouterContextProvider instance instead of a Map used to contruct the instance internally (#​14097)

    • This also removes the type unstable_InitialContext export
    • ⚠️ This is a breaking change if you have adopted middleware and are using a custom server with a getLoadContext function
  • Updated dependencies:

    • react-router@7.8.0

v7.7.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.7.1

v7.7.0

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.7.0

v7.6.3

Compare Source

Patch Changes
  • Remove old "install" package exports (#​13762)
  • Updated dependencies:
    • react-router@7.6.3

v7.6.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.6.2

v7.6.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.6.1

v7.6.0

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.6.0

v7.5.3

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.3

v7.5.2

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.2

v7.5.1

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.1

v7.5.0

Compare Source

Patch Changes
  • Updated dependencies:
    • react-router@7.5.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jan 8, 2026

Copy link
Copy Markdown

Deploying homepage with  Cloudflare Pages  Cloudflare Pages

Latest commit: 668d074
Status: ✅  Deploy successful!
Preview URL: https://36ead351.homepage-dl3.pages.dev
Branch Preview URL: https://renovate-npm-react-router-no.homepage-dl3.pages.dev

View logs

@netlify

netlify Bot commented Jan 8, 2026

Copy link
Copy Markdown

Deploy Preview for vektorprogrammet-homepage ready!

Name Link
🔨 Latest commit c96ee5f
🔍 Latest deploy log https://app.netlify.com/projects/vektorprogrammet-homepage/deploys/69af045b2c258a0008fd2a89
😎 Deploy Preview https://deploy-preview-543--vektorprogrammet-homepage.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse
1 paths audited
Performance: 85
Accessibility: 69
Best Practices: 83
SEO: 86
PWA: 60
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 2 times, most recently from 551024e to 9eb2236 Compare January 29, 2026 17:51
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch from 9eb2236 to 1ae0bae Compare February 12, 2026 09:59
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 3 times, most recently from 7e3cd28 to 3732e5d Compare February 23, 2026 17:29
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 2 times, most recently from d858bbf to c96ee5f Compare March 9, 2026 17:33
@sonarqubecloud

sonarqubecloud Bot commented Mar 9, 2026

Copy link
Copy Markdown

@renovate renovate Bot changed the title chore(deps): update dependency @react-router/node to v7.9.4 [security] Update dependency @react-router/node to v7.9.4 [SECURITY] Apr 8, 2026
@renovate renovate Bot changed the title Update dependency @react-router/node to v7.9.4 [SECURITY] Update dependency @react-router/node to v7.9.4 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-react-router-node-vulnerability branch April 27, 2026 18:04
@renovate renovate Bot changed the title Update dependency @react-router/node to v7.9.4 [SECURITY] - autoclosed Update dependency @react-router/node to v7.9.4 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-react-router-node-vulnerability branch 2 times, most recently from c96ee5f to 668d074 Compare April 27, 2026 23:03
@netlify

netlify Bot commented Apr 27, 2026

Copy link
Copy Markdown

Deploy Preview for vektorprogrammet-homepage ready!

Name Link
🔨 Latest commit 668d074
🔍 Latest deploy log https://app.netlify.com/projects/vektorprogrammet-homepage/deploys/69efeb4084c5a50008aafb30
😎 Deploy Preview https://deploy-preview-543--vektorprogrammet-homepage.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse
1 paths audited
Performance: 85
Accessibility: 69
Best Practices: 83
SEO: 86
PWA: 60
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify project configuration.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants