Update dependency remix-run/react-router to v7.12.0

[renovate]

This PR contains the following updates:

Package	Update	Change
remix-run/react-router	minor	7.11.0 → 7.12.0

---

Release Notes

remix-run/react-router (remix-run/react-router)

v7.12.0

Compare Source

Date: 2026-01-07

Security Notice

This release addresses 3 security vulnerabilities:

• CSRF in React Router Action/Server Action Request Processing
• XSS via Open Redirects
• React Router SSR XSS in ScrollRestoration

Minor Changes

• react-router - Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins (#​14708)
  • If you need to permit access to specific external origins, there is a new allowedActionOrigins config field in react-router.config.ts where you can specify external origins

Patch Changes

• react-router - Fix generatePath when used with suffixed params (i.e., /books/:id.json) (#​14269)
• react-router - Escape HTML in scroll restoration keys (#​14705)
• react-router - Validate redirect locations (#​14706)
• @react-router/dev - Fix Maximum call stack size exceeded errors when HMR is triggered against code with cyclic imports (#​14522)
• @react-router/dev - Skip SSR middleware in vite preview server for SPA mode (#​14673)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#​14674)
• react-router - Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#​14675)
• react-router - Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency (#​14663)
  • These are not intended to be used for new apps but intended to help apps using unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs
• @react-router/dev - Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#​14644)

  • Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

    URL /a/b/c	HTTP pathname	request pathname`
    Document	/a/b/c	/a/b/c ✅
    Data	/a/b/c.data	/a/b/c ✅

    URL /a/b/c/	HTTP pathname	request pathname`
    Document	/a/b/c/	/a/b/c/ ✅
    Data	/a/b/c.data	/a/b/c ⚠️

  • With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

    URL /a/b/c	HTTP pathname	request pathname`
    Document	/a/b/c	/a/b/c ✅
    Data	/a/b/c.data	/a/b/c ✅

    URL /a/b/c/	HTTP pathname	request pathname`
    Document	/a/b/c/	/a/b/c/ ✅
    Data	/a/b/c/_.data ⬅️	/a/b/c/ ✅

  • This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic

  • Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format - This does not impact the request pathname which is still / in all cases

Full Changelog: v7.11.0...v7.12.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.