
[Release-4.19] OCPBUGS-73654: CVE-2026-22029 fix to @remix-run/router to 1.23.2#405

Merged
openshift-merge-bot[bot] merged 2 commits into openshift:release-4.19 from MrSanketkumar:4.19-CVE-2026-22029-fix
May 4, 2026

Conversation


@MrSanketkumar MrSanketkumar commented Apr 30, 2026

Summary by CodeRabbit

  • Chores
    • Updated development dependencies to newer compatible versions for router and related tooling.
    • Added package-manager constraints (resolutions/overrides) to lock specific library versions for consistent builds.
    • Enforced a compatible UI library and aligned React versions to prevent integration regressions during development and testing.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 30, 2026
@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-73654, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-73654 to depend on a bug targeting a version in 4.20.0, 4.20.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2046b796-6a18-4cfd-ba65-8a9719472062

📥 Commits

Reviewing files that changed from the base of the PR and between f6b9c76 and 25a94c3.

📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

Walkthrough

Updates dev dependency react-router-dom-v5-compat from ^6.22.2 to ^6.30.0, adds @remix-run/router ^1.23.2 to devDependencies, and adds resolutions and overrides entries to pin @remix-run/router and constrain @patternfly/react-core (and related React versions).

Changes

Cohort / File(s): Dependency & Package Constraints (package.json)
Summary: Bumped react-router-dom-v5-compat to ^6.30.0; added devDependency @remix-run/router ^1.23.2; added resolutions forcing @remix-run/router ^1.23.2; added overrides to pin @patternfly/react-core to 6.1.1-prerelease.2 and align react/react-dom and @remix-run/router.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
  • Description Check (Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (Passed): The title directly addresses the main change: updating @remix-run/router to version 1.23.2 to fix CVE-2026-22029, which is the primary dependency update in the changeset.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): This PR is not applicable to the Stable and Deterministic Test Names check, which is designed for Go/Ginkgo projects. The repository is a Node.js/TypeScript React console plugin using Cypress, with only package.json dependency updates.
  • Test Structure And Quality (Passed): PR contains no Ginkgo test code or Go files; Ginkgo check is not applicable to this Node.js/JavaScript project.
  • Microshift Test Compatibility (Passed): This pull request is not applicable to the MicroShift Test Compatibility check. The repository is a TypeScript/JavaScript React console plugin project with zero Go files and zero Ginkgo test files. The PR only updates dependency versions in package.json. Since this project does not contain any Ginkgo e2e tests and the changes do not introduce any new tests, the MicroShift compatibility requirements do not apply.
  • Single Node Openshift (Sno) Test Compatibility (Passed): PR only updates npm dependencies in package.json for a Node.js React console plugin using Cypress, not Ginkgo e2e tests.
  • Topology-Aware Scheduling Compatibility (Passed): PR modifies only package.json dependencies without changing deployment manifests; topology-aware scheduling check not applicable.
  • Ote Binary Stdout Contract (Passed): The OTE Binary Stdout Contract check is not applicable to this PR as it only modifies package.json for Node.js/JavaScript dependencies in a TypeScript/JavaScript console plugin project with no Go code or test binaries.
  • Ipv6 And Disconnected Network Test Compatibility (Passed): This pull request only modifies package.json to update the @remix-run/router dependency version and add package manager constraints. There are no new Ginkgo e2e tests added, so this check is not applicable.


@openshift-ci openshift-ci Bot requested review from pcbailey and tnisan April 30, 2026 17:09
@MrSanketkumar (Author)

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 30, 2026
@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-73654, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-73660 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-73660 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar (Author)

@coderabbitai review


coderabbitai Bot commented Apr 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-73654, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-73660 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-73660 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents
Details

In response to this:

Summary by CodeRabbit

  • Chores
  • Updated dependencies to latest compatible versions for improved stability and compatibility.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
package.json (1)

125-126: Prefer exact pin for the CVE resolution override.

Using ^1.23.2 allows silently pulling newer 1.x releases on future yarn install commands; for a security backport on a release branch, exact pinning ensures reproducible and deterministic resolutions.

Suggested change
-    "@remix-run/router": "^1.23.2"
+    "@remix-run/router": "1.23.2"
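Review bot: The suggested pin touches only the `resolutions` entry, while the walkthrough at the top of this PR lists an `overrides` block and a devDependencies entry for `@remix-run/router` that carry the same `^1.23.2` selector; unless all three agree on `1.23.2`, a yarn install and an npm install can resolve the package differently, which defeats the point of the backport. An exact pin also means later 1.x releases (including any follow-up security fix) are no longer picked up by a plain install, so the pinned version needs to be tracked by whatever advisory tooling the release branch uses.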
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 125 - 126, The dependency resolution for the CVE
override uses a caret range for "@remix-run/router" which can pull newer 1.x
releases; update the package.json dependency entry for "@remix-run/router" to an
exact pinned version (replace "^1.23.2" with "1.23.2") so installs are
deterministic and reproducible while leaving "lodash-es" unchanged unless
similar pinning is needed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6e40c98d-6231-4cf4-9098-2ac1f20493ef

📥 Commits

Reviewing files that changed from the base of the PR and between df46c30 and 70d440e.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

@MrSanketkumar (Author)

/jira refresh

@openshift-ci-robot

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-73654, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.z) matches configured target version for branch (4.19.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-73660 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-73660 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
  • bug has dependents
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar (Author)

@coderabbitai review


coderabbitai Bot commented Apr 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
package.json (1)

126-133: Prefer exact pins in resolutions and overrides for clearer CVE remediation intent.

Both lines 126 and 132 use ^1.23.2, which resolves to 1.23.2 in yarn.lock. While the lockfile currently pins the exact version, using 1.23.2 (without the caret) makes the security fix intent explicit and avoids potential future drift if the lockfile is regenerated.

Suggested change
-    "@remix-run/router": "^1.23.2"
+    "@remix-run/router": "1.23.2"
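Review bot: The suggestion block covers only one of the two occurrences the comment names; applying it through the suggestion button pins line 126 and leaves the `overrides` entry on line 132 at `^1.23.2`, so the second edit has to be made by hand (or the suggestion split into two) before `yarn.lock` is regenerated, otherwise the lockfile can drift exactly as the comment warns.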

Apply this change to both lines 126 and 132.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 126 - 133, Update the package.json
overrides/resolutions entries for `@remix-run/router` to use an exact version pin
instead of a caret range: replace "^1.23.2" with "1.23.2" in both places so the
overrides and/or overrides-like block explicitly lock `@remix-run/router` to
1.23.2 (look for the "@remix-run/router" key in the top-level
dependencies/resolutions and inside the "overrides" object).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bf731621-48fa-412d-84e6-0f783ccae04c

📥 Commits

Reviewing files that changed from the base of the PR and between 70d440e and f6b9c76.

📒 Files selected for processing (1)
  • package.json
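The two nitpick comments above both turn on the same question: is the vulnerable transitive package pinned exactly in `resolutions` and `overrides`, and does the lockfile actually resolve it at or above the fixed release? The script below is an added example, not code from this PR or from the openshift project, that answers both for a package.json object and a yarn classic (v1) lockfile. The package.json fragment is constructed to follow the walkthrough at the top of the PR, the yarn.lock excerpt is constructed in yarn v1 syntax with placeholder registry URL and integrity values, and the `driftedYarnLock` sample is an invented stale lockfile used to show the failure case.

```javascript
// Added example (not the PR's code): audit a package.json plus a yarn classic (v1)
// lockfile to confirm that a vulnerable transitive package is pinned exactly in
// resolutions/overrides and that every lockfile entry resolves at or above the fix.
const PACKAGE = '@remix-run/router';
const FIXED_VERSION = '1.23.2';

// Constructed package.json fragment: shape follows the PR walkthrough, values illustrative.
const samplePackageJson = {
  devDependencies: {
    'react-router-dom-v5-compat': '^6.30.0',
    '@remix-run/router': '^1.23.2',
  },
  resolutions: { '@remix-run/router': '^1.23.2' },
  overrides: { '@remix-run/router': '^1.23.2' },
};

// Same fragment with the exact pins the review asked for.
const hardenedPackageJson = {
  ...samplePackageJson,
  resolutions: { '@remix-run/router': '1.23.2' },
  overrides: { '@remix-run/router': '1.23.2' },
};

// Constructed yarn.lock excerpt in yarn classic (v1) syntax; URL and integrity are placeholders.
const sampleYarnLock = `
"@remix-run/router@^1.23.2", "@remix-run/router@1.23.2":
  version "1.23.2"
  resolved "https://registry.example.invalid/@remix-run/router/-/router-1.23.2.tgz"
  integrity sha512-PLACEHOLDER
`;

// Constructed stale lockfile: a regenerated lock that drifted below the fixed release.
const driftedYarnLock = sampleYarnLock.replace(/1\.23\.2/g, '1.23.1');

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison; prerelease tags are ignored for this check.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// An exact pin is a bare version: no ^, ~, >=, || or x-ranges.
function isExactPin(range) {
  return /^\d+\.\d+\.\d+$/.test(range);
}

// Parse a yarn v1 lockfile into a Map of "name@selector" -> resolved version.
function parseYarnLock(text) {
  const entries = new Map();
  let currentKeys = [];
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      // Entry header: comma-separated selectors, each optionally double-quoted.
      currentKeys = line.slice(0, -1).split(',').map((k) => k.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^  version "([^"]+)"$/.exec(line);
    if (m) for (const key of currentKeys) entries.set(key, m[1]);
  }
  return entries;
}

// Every resolved version of `name` in the lockfile. Scoped names start with '@',
// so the selector is split on its last '@'.
function lockedVersions(lockText, name) {
  const versions = new Set();
  for (const [key, version] of parseYarnLock(lockText)) {
    const at = key.lastIndexOf('@');
    if (at > 0 && key.slice(0, at) === name) versions.add(version);
  }
  return [...versions];
}

// Collect every constraint on `name`; npm overrides may nest child overrides under a
// parent package, so objects are walked recursively.
function collectConstraints(obj, name, path, out) {
  for (const [key, value] of Object.entries(obj)) {
    if (typeof value === 'string') {
      if (key === name) out.push({ path: `${path}.${key}`, range: value });
    } else if (value && typeof value === 'object') {
      collectConstraints(value, name, `${path}.${key}`, out);
    }
  }
  return out;
}

// Returns { ok, findings, lockedVersions }; ok is true only when every constraint is an
// exact pin at or above `fixed` and every lockfile resolution is at or above `fixed`.
function auditPin(pkg, lockText, name = PACKAGE, fixed = FIXED_VERSION) {
  const findings = [];
  const constraints = [];
  for (const field of ['resolutions', 'overrides']) {
    if (pkg[field]) collectConstraints(pkg[field], name, field, constraints);
  }
  if (constraints.length === 0) findings.push(`no resolutions/overrides entry for ${name}`);
  for (const { path, range } of constraints) {
    if (!isExactPin(range)) findings.push(`${path} uses range "${range}" instead of exact pin "${fixed}"`);
    else if (compareVersions(range, fixed) < 0) findings.push(`${path} pins ${range}, below fixed ${fixed}`);
  }
  const locked = lockedVersions(lockText, name);
  if (locked.length === 0) findings.push(`${name} not present in lockfile`);
  for (const v of locked) {
    if (compareVersions(v, fixed) < 0) findings.push(`lockfile resolves ${name} to ${v}, below fixed ${fixed}`);
  }
  return { ok: findings.length === 0, findings, lockedVersions: locked };
}

console.log(auditPin(samplePackageJson, sampleYarnLock));   // two caret-range findings
console.log(auditPin(hardenedPackageJson, driftedYarnLock)); // lockfile below fix
```

Against the PR's own shape the audit reports the two caret ranges as findings while the lockfile still resolves to 1.23.2, which is exactly the "correct today, fragile tomorrow" state the review describes; with the exact pins applied it passes, and it fails again only if the lockfile itself drifts below 1.23.2. A check like this belongs in CI for a release branch so that a regenerated `yarn.lock` cannot silently undo a CVE backport.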

@MrSanketkumar force-pushed the 4.19-CVE-2026-22029-fix branch from f6b9c76 to 25a94c3 on April 30, 2026 18:32
@MrSanketkumar (Author)

@coderabbitai review


coderabbitai Bot commented Apr 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


openshift-ci Bot commented Apr 30, 2026

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 4, 2026

openshift-ci Bot commented May 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrSanketkumar, upalatucci

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit 9893901 into openshift:release-4.19 May 4, 2026
5 checks passed
@openshift-ci-robot

@MrSanketkumar: Jira Issue OCPBUGS-73654: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-73654 has been moved to the MODIFIED state.

Details

In response to this:

Summary by CodeRabbit

  • Chores
  • Updated development dependencies to newer compatible versions for router and related tooling.
  • Added package-manager constraints (resolutions/overrides) to lock specific library versions for consistent builds.
  • Enforced a compatible UI library and aligned React versions to prevent integration regressions during development and testing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot (Contributor)

Fix included in release 4.19.0-0.nightly-2026-05-04-142831
