
fix(ui): bump react-router-dom to patched 7.18.1 #244

Merged: nazarli-shabnam merged 1 commit into main from 149-bump-react-router on Jul 3, 2026

Conversation

nazarli-shabnam (Member) commented Jul 3, 2026

Summary

react-router-dom was pinned to resolve at 7.13.0, which npm audit flags as high severity across the 7.0.0 - 7.15.0 range: a vendored turbo-stream deserialization RCE, an open redirect via //-prefixed paths, stored/reflected XSS (Location header, javascript: redirect targets, RSC redirects), a DoS via unbounded __manifest path expansion, a single-fetch reflected-input DoS, and a CSRF gap on PUT/PATCH/DELETE document requests.

Fixes #149

What changed

Ran npm audit fix in apps/web, which bumped the locked react-router/react-router-dom resolution to 7.18.1 (package.json's existing ^7.13.0 range already permitted this — only package-lock.json changed) and incidentally cleared the moderate postcss advisory the issue also mentioned. npm audit no longer flags either.

Scope discipline: left the other, unrelated vulnerabilities npm audit still lists (babel/core, brace-expansion, esbuild, form-data, js-yaml, linkify-it, markdown-it) untouched — out of scope for this issue.

Test plan

  • npm audit: react-router/postcss no longer flagged (only an unrelated low-severity esbuild advisory remains)
  • npm run typecheck && npm run lint && npm run build all pass
  • Live manual smoke-test (Playwright against npm run dev + a real running API/Postgres via docker compose): existing session redirected correctly to workspace home, clicked through Projects → issue detail page (fully rendered, 0 console errors), tested browser back (2 steps) and forward navigation (both landed on the correct history entries), and confirmed an unknown route still falls through to the existing catch-all redirect with no crash. No regressions found from the 7.13 → 7.18 bump.
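
A lockfile check to go with the description above, added here as an example and not code from this PR or from the project. It reads a lockfile v2/v3 `packages` map (assumed: the apps/web lockfile is v2 or v3), collects every resolved copy of react-router and react-router-dom, including nested copies that `npm audit fix` can leave behind under another package's node_modules, and classifies each against the two numbers the PR text gives: the 7.0.0 - 7.15.0 range npm audit flags, and the 7.18.1 floor this PR moves to. The sample lockfile fragments, the helper names and the "advisory-range"/"below-floor" labels are all constructed for the example.

```javascript
// Added example (not the PR's or the project's code): verify from
// package-lock.json that every resolved react-router / react-router-dom sits
// outside the 7.0.0 - 7.15.0 range the PR cites and at or above the 7.18.1
// it pins. Plain Node, no dependencies. Assumes a lockfile v2/v3 "packages" map.

// Parse "7.18.1" -> [7, 18, 1]; build/prerelease suffixes are ignored (assumption).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Bounds taken from the PR description, not from an advisory feed.
const VULN_LOW = "7.0.0";        // start of the range npm audit flags (inclusive)
const VULN_HIGH_EXCL = "7.15.0"; // end of that range (exclusive)
const PINNED_FLOOR = "7.18.1";   // the version this PR locks to

// "advisory-range" = inside [7.0.0, 7.15.0); "below-floor" = older than 7.18.1
// but outside that range; "ok" = at or above the pinned floor.
function classify(version) {
  if (compareSemver(version, VULN_LOW) >= 0 && compareSemver(version, VULN_HIGH_EXCL) < 0)
    return "advisory-range";
  if (compareSemver(version, PINNED_FLOOR) < 0) return "below-floor";
  return "ok";
}

// Collect every resolved version of the named packages. Lockfile keys look like
// "node_modules/react-router-dom" or "node_modules/foo/node_modules/react-router",
// so the package name is whatever follows the last "node_modules/".
function resolvedVersions(lock, names) {
  const found = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (names.includes(name)) (found[name] ||= new Set()).add(entry.version);
  }
  return Object.fromEntries(Object.entries(found).map(([k, v]) => [k, [...v].sort()]));
}

// Returns { ok, findings: [{ name, version, reason }] } for a parsed lockfile.
function auditLock(lock) {
  const findings = [];
  const versions = resolvedVersions(lock, ["react-router", "react-router-dom"]);
  for (const [name, vs] of Object.entries(versions))
    for (const version of vs) {
      const reason = classify(version);
      if (reason !== "ok") findings.push({ name, version, reason });
    }
  return { ok: findings.length === 0, findings };
}

// Constructed lockfile fragment: the pre-PR state (7.13.0) plus a nested copy
// that a dependency still pulls in at an older, non-flagged version.
const SAMPLE_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-router-dom": { version: "7.13.0" },
    "node_modules/react-router": { version: "7.13.0" },
    "node_modules/some-lib/node_modules/react-router": { version: "7.16.0" },
  },
};

// Constructed post-PR state: both packages resolved at 7.18.1.
const SAMPLE_AFTER = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-router-dom": { version: "7.18.1" },
    "node_modules/react-router": { version: "7.18.1" },
  },
};

// CLI use: node check-react-router.js apps/web/package-lock.json
// (falls back to the constructed SAMPLE_BEFORE when no path is given).
if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_BEFORE;
  console.log(JSON.stringify(auditLock(lock), null, 2));
}
```

Run against SAMPLE_BEFORE it reports the two top-level 7.13.0 copies as "advisory-range" and the nested 7.16.0 as "below-floor"; the point of the nested case is that `npm audit` alone would not mention it, since 7.16.0 is outside the flagged range, while a floor check catches a second copy the bump did not reach.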

Copilot AI review requested due to automatic review settings July 3, 2026 18:14
strix-security (Bot) commented Jul 3, 2026

Strix Security Review

No security issues found.

Updated for e26edaa.

Reviewed by Strix

Copilot AI (Contributor) left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

coderabbitai (Bot) commented Jul 3, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • apps/web/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 302371c5-d6b3-49b8-8d35-02500db13e5d


@nazarli-shabnam nazarli-shabnam self-assigned this Jul 3, 2026
@nazarli-shabnam nazarli-shabnam merged commit 76bc282 into main Jul 3, 2026
9 checks passed

Development

Successfully merging this pull request may close these issues.

[CHORE] Bump vulnerable react-router-dom (7.13.0) to a patched release
