Fix high-severity audit findings across matcher, router, CI, and build #1

Merged
ConsoleTVs merged 2 commits into main from fix/audit-high-severity-issues
Apr 12, 2026

Conversation

@ConsoleTVs (Member)

Summary

Matcher Correctness

  • Fix falsy handler values (0, "", false) silently treated as unregistered — changed truthiness checks to !== undefined
  • Throw on conflicting dynamic/wildcard param names at the same trie level (e.g., registering both /user/:id and /user/:name)

SSR Safety

  • Guard window.navigation fallback with typeof window check — prevents ReferenceError in Node.js SSR
  • Add 'http://localhost' base URL to new URL() in useNextMatch — prevents TypeError on relative paths

Security

  • Strip inherited middleware, scroll, and focusReset from redirect routes — redirects fire in the precommit phase before middleware renders, so inherited auth guards were silently bypassed
  • Scope CI workflow contents: write and id-token: write permissions to the release job only (previously granted to all jobs including check and build)

Dependencies & Build

  • Update vite from 8.0.3 to 8.0.8 — patches 3 high-severity CVEs (path traversal, server.fs.deny bypass, WebSocket file read)
  • Exclude example and test-helper .d.ts files from the published package via dts() plugin exclude patterns

Tests

  • Added 27 new tests covering falsy handlers, param name conflicts, root handler matching, and redirect middleware stripping

Breaking Changes

createMatcher: conflicting param names now throw

Registering routes with different dynamic param names at the same trie level (e.g., /user/:id/profile and /user/:name/settings) now throws an error instead of silently dropping the second name.

redirect(): no longer inherits middleware, scroll, or focusReset

Redirect routes created via .redirect() inside a middleware group no longer attach the group's middleware to the handler. This was dead code — middleware never executed on redirects because the precommit redirect fires before render. If you relied on middleware side effects during redirect prefetch, move that logic into the redirect callback.

… and build

- Fix falsy handler values (0, '', false) treated as unregistered in matcher
- Throw on conflicting dynamic/wildcard param names at the same trie level
- Guard window.navigation fallback for SSR environments
- Use base URL in useNextMatch to prevent TypeError on relative paths
- Strip inherited middleware/scroll/focusReset from redirect routes
- Scope CI workflow write permissions to release job only
- Update vite 8.0.3 -> 8.0.8 to patch 3 known CVEs
- Exclude example/test .d.ts files from published package
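The two matcher changes above (falsy handlers and conflicting param names at one trie level) are easy to get wrong, so here is a small illustrative trie matcher, written for this page and not taken from the router's own code, that shows the fixed behaviour. It assumes a hypothetical `createMatcher()` with `register(path, handler)` and `match(path)`, `:name` dynamic segments and `*name` wildcards, and it does no backtracking (a static child always wins over a param at the same level).

```javascript
// Illustrative route trie (assumed shape, not the project's implementation).
class Node {
  constructor() {
    this.children = new Map(); // static segment -> Node
    this.param = null;         // { name, wildcard, node } for ":name" / "*name"
    this.handler = undefined;  // undefined is the ONLY "no route ends here" marker
  }
}

function createMatcher() {
  const root = new Node();
  return {
    register(path, handler) {
      let node = root;
      for (const seg of path.split('/').filter(Boolean)) {
        if (seg[0] === ':' || seg[0] === '*') {
          const name = seg.slice(1);
          if (node.param === null) {
            node.param = { name, wildcard: seg[0] === '*', node: new Node() };
          } else if (node.param.name !== name) {
            // Fix: two different param names at the same level are a conflict,
            // not something to silently drop.
            throw new Error(`conflicting param name "${name}" (already "${node.param.name}")`);
          }
          node = node.param.node;
        } else {
          if (!node.children.has(seg)) node.children.set(seg, new Node());
          node = node.children.get(seg);
        }
      }
      node.handler = handler; // may legitimately be 0, '' or false
    },
    match(path) {
      const segs = path.split('/').filter(Boolean);
      const params = {};
      let node = root;
      for (let i = 0; i < segs.length; i++) {
        const child = node.children.get(segs[i]);
        if (child) { node = child; continue; }
        if (node.param === null) return null;
        const p = node.param;
        params[p.name] = p.wildcard ? segs.slice(i).join('/') : segs[i];
        node = p.node;
        if (p.wildcard) break; // wildcard consumes the rest of the path
      }
      // Fix: compare against undefined. A truthiness check (`if (!node.handler)`)
      // would report routes registered with 0, '' or false as unregistered.
      if (node.handler === undefined) return null;
      return { handler: node.handler, params };
    },
  };
}
```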
@ConsoleTVs ConsoleTVs marked this pull request as ready for review April 12, 2026 12:00
@ConsoleTVs ConsoleTVs merged commit 92089bf into main Apr 12, 2026
3 checks passed