fix(deps): update dependency react-router to v6.30.2 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	6.21.3 → 6.30.2

---

React Router has unexpected external redirect via untrusted paths

CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m

More information

Details

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
• https://nvd.nist.gov/vuln/detail/CVE-2025-68470
• https://github.com/advisories/GHSA-9jcx-v3wj-wh4m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

remix-run/react-router (react-router)

v6.30.2: v6.30.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

v6.30.1: v6.30.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

v6.30.0: v6.30.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

v6.29.0: v6.29.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

v6.28.2: v6.28.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

v6.28.1: v6.28.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

v6.28.0

Compare Source

Minor Changes

• • Log deprecation warnings for v7 flags (#​11750)
  • Add deprecation warnings to json/defer in favor of returning raw objects
    • These methods will be removed in React Router v7

Patch Changes

• Update JSDoc URLs for new website structure (add /v6/ segment) (#​12141)
• Updated dependencies:
  • @remix-run/router@1.21.0

v6.27.0

Compare Source

Minor Changes

• Stabilize unstable_patchRoutesOnNavigation (#​11973)
  • Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#​11967)
• Stabilize unstable_dataStrategy (#​11974)
• Stabilize the unstable_flushSync option for navigations and fetchers (#​11989)
• Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#​11989)

Patch Changes

• Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#​12003)

• Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#​12003)

• Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#​11967)

• Updated dependencies:

  • @remix-run/router@1.20.0

v6.26.2

Compare Source

Patch Changes

• Updated dependencies:
  • @remix-run/router@1.19.2

v6.26.1

Compare Source

Patch Changes

• Rename unstable_patchRoutesOnMiss to unstable_patchRoutesOnNavigation to match new behavior (#​11888)
• Updated dependencies:
  • @remix-run/router@1.19.1

v6.26.0

Compare Source

Minor Changes

• Add a new replace(url, init?) alternative to redirect(url, init?) that performs a history.replaceState instead of a history.pushState on client-side navigation redirects (#​11811)

Patch Changes

• Fix initial hydration behavior when using future.v7_partialHydration along with unstable_patchRoutesOnMiss (#​11838)
  • During initial hydration, router.state.matches will now include any partial matches so that we can render ancestor HydrateFallback components
• Updated dependencies:
  • @remix-run/router@1.19.0

v6.25.1

Compare Source

No significant changes to this package were made in this release. See the repo CHANGELOG.md for an overview of all changes in v6.25.1.

v6.25.0

Compare Source

Minor Changes

• Stabilize future.unstable_skipActionErrorRevalidation as future.v7_skipActionErrorRevalidation (#​11769)
  • When this flag is enabled, actions will not automatically trigger a revalidation if they return/throw a Response with a 4xx/5xx status code
  • You may still opt-into revalidation via shouldRevalidate
  • This also changes shouldRevalidate's unstable_actionStatus parameter to actionStatus

Patch Changes

• Fix regression and properly decode paths inside useMatch so matches/params reflect decoded params (#​11789)
• Updated dependencies:
  • @remix-run/router@1.18.0

v6.24.1

Compare Source

Patch Changes

• When using future.v7_relativeSplatPath, properly resolve relative paths in splat routes that are children of pathless routes (#​11633)
• Updated dependencies:
  • @remix-run/router@1.17.1

v6.24.0

Compare Source

Minor Changes

• Add support for Lazy Route Discovery (a.k.a. Fog of War) (#​11626)
  • RFC: https://redirect.github.com/remix-run/react-router/discussions/11113
  • unstable_patchRoutesOnMiss docs: https://reactrouter.com/v6/routers/create-browser-router

Patch Changes

• Updated dependencies:
  • @remix-run/router@1.17.0

v6.23.1

Compare Source

Patch Changes

• allow undefined to be resolved with <Await> (#​11513)
• Updated dependencies:
  • @remix-run/router@1.16.1

v6.23.0

Compare Source

Minor Changes

• Add a new unstable_dataStrategy configuration option (#​11098)
  • This option allows Data Router applications to take control over the approach for executing route loaders and actions
  • The default implementation is today's behavior, to fetch all loaders in parallel, but this option allows users to implement more advanced data flows including Remix single-fetch, middleware/context APIs, automatic loader caching, and more

Patch Changes

• Updated dependencies:
  • @remix-run/router@1.16.0

v6.22.3

Compare Source

Patch Changes

• Updated dependencies:
  • @remix-run/router@1.15.3

v6.22.2

Compare Source

Patch Changes

• Updated dependencies:
  • @remix-run/router@1.15.2

v6.22.1

Compare Source

Patch Changes

• Fix encoding/decoding issues with pre-encoded dynamic parameter values (#​11199)
• Updated dependencies:
  • @remix-run/router@1.15.1

v6.22.0

Compare Source

Patch Changes

• Updated dependencies:
  • @remix-run/router@1.15.0

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (4ef9318) to head (d8150f4).

Additional details and impacted files

@@            Coverage Diff            @@
##            master      #476   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          109       109           
  Lines         1100      1100           
  Branches       163       163           
=========================================
  Hits          1100      1100           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.