fix(ui): bump react-router-dom to patched 7.18.1 #244
Summary

`react-router-dom` was pinned to resolve at `7.13.0`, which `npm audit` flags high severity across the `7.0.0 - 7.15.0` range: a vendored turbo-stream deserialization RCE, an open redirect via `//`-prefixed paths, stored/reflected XSS (Location header, `javascript:` redirect targets, RSC redirects), a DoS via unbounded `__manifest` path expansion, a single-fetch reflected-input DoS, and a CSRF gap on PUT/PATCH/DELETE document requests.

Fixes #149

What changed

Ran `npm audit fix` in `apps/web`, which bumped the locked `react-router`/`react-router-dom` resolution to `7.18.1` (`package.json`'s existing `^7.13.0` range already permitted this — only `package-lock.json` changed) and incidentally cleared the moderate `postcss` advisory the issue also mentioned. `npm audit` no longer flags either.

Scope discipline: left the other, unrelated vulnerabilities `npm audit` still lists (babel/core, brace-expansion, esbuild, form-data, js-yaml, linkify-it, markdown-it) untouched — out of scope for this issue.

Test plan

- `npm audit` — `react-router`/`postcss` no longer flagged (only an unrelated low-severity `esbuild` advisory remains)
- `npm run typecheck && npm run lint && npm run build` all pass
- `npm run dev` + a real running API/Postgres via `docker compose`: existing session redirected correctly to workspace home, clicked through Projects → issue detail page (fully rendered, 0 console errors), tested browser back (2 steps) and forward navigation (both landed on the correct history entries), and confirmed an unknown route still falls through to the existing catch-all redirect with no crash. No regressions found from the 7.13 → 7.18 bump.
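A lockfile check that complements the `npm audit` step above, added here as an example and not part of this PR or the project: it reads a package-lock.json "packages" map and reports any `react-router`/`react-router-dom` resolution (top-level or nested) still below the `7.18.1` the audit fix landed on, marking which ones fall inside the `7.0.0 - 7.15.0` range npm audit quoted. The sample lockfiles are constructed, and the comparator assumes plain x.y.z release versions.

```javascript
// Added example, not from the PR or the project: scan a package-lock.json
// (lockfileVersion 2/3 "packages" map) for react-router / react-router-dom
// resolutions still below the patched 7.18.1 this PR's `npm audit fix` landed on.
const PATCHED_FLOOR = '7.18.1';            // locked version after npm audit fix
const FLAGGED_RANGE = ['7.0.0', '7.15.0']; // range quoted from npm audit in the PR
const WATCHED = new Set(['react-router', 'react-router-dom']);

// Compare two dotted versions numerically; returns -1, 0 or 1.
// Assumption: only plain x.y.z releases appear for these packages (a pre-release
// suffix such as "-pre.1" is stripped rather than ordered).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Walk every "packages" entry, including nested node_modules copies a second
// dependency could pull in, and return { path, name, version, inFlaggedRange }
// for each watched package whose locked version is below PATCHED_FLOOR.
function findUnpatchedRouter(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last segment = package name
    if (!WATCHED.has(name) || !meta.version) continue;
    if (compareVersions(meta.version, PATCHED_FLOOR) < 0) {
      const inFlaggedRange =
        compareVersions(meta.version, FLAGGED_RANGE[0]) >= 0 &&
        compareVersions(meta.version, FLAGGED_RANGE[1]) <= 0;
      findings.push({ path, name, version: meta.version, inFlaggedRange });
    }
  }
  return findings;
}
// Constructed sample lockfiles: the "before" state pinned at 7.13.0 (with an
// unrelated postcss entry that must be ignored) and the "after" state at 7.18.1.
const lockBefore = { lockfileVersion: 3, packages: {
  'node_modules/react-router-dom': { version: '7.13.0' },
  'node_modules/react-router': { version: '7.13.0' },
  'node_modules/postcss': { version: '8.4.31' } } };
const lockAfter = { lockfileVersion: 3, packages: {
  'node_modules/react-router-dom': { version: '7.18.1' },
  'node_modules/react-router': { version: '7.18.1' } } };
// Real use: pass JSON.parse(fs.readFileSync('apps/web/package-lock.json', 'utf8')).
console.log(findUnpatchedRouter(lockBefore)); // -> two findings at 7.13.0, inFlaggedRange true
console.log(findUnpatchedRouter(lockAfter));  // -> []
```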