Skip to content

fix(deps): update dependency react-router to v6.30.4 [security]#4944

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-vulnerability
Open

fix(deps): update dependency react-router to v6.30.4 [security]#4944
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 6.30.36.30.4 age confidence

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

CVE-2026-40181 / GHSA-2j2x-hqr9-3h42

More information

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

remix-run/react-router (react-router)

v6.30.4: v6.30.4

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6304

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team June 14, 2026 23:30
@openshift-ci

openshift-ci Bot commented Jun 14, 2026

Copy link
Copy Markdown

Hi @renovate[bot]. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov

codecov Bot commented Jun 14, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.25%. Comparing base (0125ff6) to head (679bcc9).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4944      +/-   ##
==========================================
- Coverage   55.82%   55.25%   -0.58%     
==========================================
  Files         121      109      -12     
  Lines        2350     2132     -218     
  Branches      539      537       -2     
==========================================
- Hits         1312     1178     -134     
+ Misses       1033      953      -80     
+ Partials        5        1       -4
Flag Coverage Δ
rhdh 55.25% <ø> (-0.58%) ⬇️

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0125ff6...679bcc9. Read the comment docs.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Image was built and published successfully. It is available at:

@renovate
fix(deps): update dependency react-router to v6.30.4 [security]
679bcc9 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/npm-react-router-vulnerability branch from ba3afe5 to 679bcc9 Compare June 15, 2026 04:41
@sonarqubecloud

sonarqubecloud Bot commented Jun 15, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Image was built and published successfully. It is available at:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christoph-jerolimov christoph-jerolimov Awaiting requested review from christoph-jerolimov

@hopehadfield hopehadfield Awaiting requested review from hopehadfield

Assignees

No one assigned

Labels

kind/dependency upgrade kind/security needs-ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants