
[Security] Bump react-router and react-router-dom

Bumps react-router to 7.6.0 and updates ancestor dependency react-router-dom. These dependencies need to be updated together.

Updates react-router from 7.1.1 to 7.6.0. This update includes a security fix.

Vulnerabilities fixed

React Router allows pre-render data spoofing on React-Router framework mode

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows one to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data; a specific JSON object must be passed in it for the spoofing to succeed, as we will see shortly. Here is the vulnerable code:

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
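The trust-boundary mistake the advisory describes, as an added illustration that is not code from this PR, the advisory or react-router itself: a simplified server render that accepts loader data from the request header, the hardened shape where only the loader or an in-process pre-render argument can supply that data, and a compensating header-stripping step for a proxy or middleware layer. The header name is the advisory's; the function names, the sample loader and the attacker request are assumptions, and the actual 7.5.2 fix is not reproduced here.

```javascript
// Added illustration, not react-router's code: a deliberately simplified model
// of the trust mistake described in the advisory (server-side rendering that
// accepts loader data from a request header), a hardened variant, and an
// edge-side compensating control. The header name is the advisory's; all
// function names here are hypothetical. Requires Node 18+ (global Request/Headers).

const PRERENDER_HEADER = "X-React-Router-Prerender-Data";

// Constructed stand-in for a route loader (kept synchronous for brevity).
function profileLoader({ request }) {
  const url = new URL(request.url);
  return { user: url.searchParams.get("user") ?? "anonymous", role: "viewer" };
}

// Stand-in for the document render: embeds loader data as a JSON blob. "<" is
// escaped so attacker-controlled data cannot also close the <script> element.
function renderHtml(loaderData) {
  const json = JSON.stringify(loaderData).replace(/</g, "\\u003c");
  return `<!doctype html><script>window.__loaderData=${json}</script>`;
}

// VULNERABLE pattern: a value from the request header replaces the loader result.
// Any client can set a header, so any client can choose the page's data.
function renderDocumentTrusting(request, loader) {
  const raw = request.headers.get(PRERENDER_HEADER);
  const loaderData = raw !== null ? JSON.parse(raw) : loader({ request });
  return { loaderData, html: renderHtml(loaderData) };
}

// HARDENED pattern: loader data comes from the loader, or from an in-process
// argument that only the server's own build/pre-render step can pass. Nothing
// is read from request headers, so a remote client has no way to inject it.
function renderDocumentHardened(request, loader, { prerenderData } = {}) {
  const loaderData = prerenderData !== undefined ? prerenderData : loader({ request });
  return { loaderData, html: renderHtml(loaderData) };
}

// Compensating control while the upgrade ships: drop the header in a proxy or
// middleware layer before the framework sees the request.
function stripPrerenderHeader(headers) {
  const clean = new Headers(headers);
  clean.delete(PRERENDER_HEADER);
  return clean;
}

// Constructed attacker request: an ordinary GET with a spoofed data object attached.
function attackerRequest() {
  return new Request("https://app.example/profile?user=alice", {
    headers: { [PRERENDER_HEADER]: JSON.stringify({ user: "alice", role: "admin" }) },
  });
}

// Runs the same request through all three paths and reports the role each renders.
function demo() {
  const req = attackerRequest();
  const vuln = renderDocumentTrusting(req, profileLoader);
  const safe = renderDocumentHardened(req, profileLoader);
  const proxied = new Request(req.url, { headers: stripPrerenderHeader(req.headers) });
  const viaProxy = renderDocumentTrusting(proxied, profileLoader);
  return {
    vulnRole: vuln.loaderData.role,      // "admin": attacker-chosen
    safeRole: safe.loaderData.role,      // "viewer": from the loader
    proxyRole: viaProxy.loaderData.role, // "viewer": header never reached the app
  };
}

console.log(demo());
```

The header strip is a stopgap, not a fix: it only helps if every path into the application passes through the layer that removes it, and it does nothing for the underlying design error, which is that request-controlled input is allowed to stand in for server-computed loader data. Upgrading to a patched version is the actual remediation.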

Steps to reproduce

Versions used for our PoC:

  • "@react-router/node": "^7.5.0"
  • "@react-router/serve": "^7.5.0"
  • "react": "^19.0.0"
  • "react-dom": "^19.0.0"
  • "react-router": "^7.5.0"

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)

... (truncated)

Patched versions: 7.5.2
Affected versions: >= 7.0, <= 7.5.1
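Because react-router-dom only re-exports react-router, the copy that matters is the one actually installed, and a transitive dependency can pin its own nested copy that a top-level bump leaves untouched. The following is an added check, not part of this PR or of react-router, that walks a package-lock.json (lockfileVersion 2 or 3) and reports every installed react-router in the affected range above. The lockfile contents are constructed for the example; the range bounds are the advisory's, and the prerelease handling is a stated simplification.

```javascript
// Added example, not part of the Dependabot PR: scan a package-lock.json
// (lockfileVersion 2/3) for installed copies of react-router inside the
// advisory's affected range (>= 7.0, <= 7.5.1), including nested duplicates.
// SAMPLE_LOCK below is constructed; in practice pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to findAffected.

const AFFECTED = { pkg: "react-router", min: [7, 0, 0], max: [7, 5, 1] };

// "7.5.1" -> [7, 5, 1]. Prerelease/build suffixes ("-pre.1", "+sha") are dropped,
// so 7.0.0-pre.1 is treated as 7.0.0: conservative, i.e. reported as affected.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compare(v, AFFECTED.min) >= 0 && compare(v, AFFECTED.max) <= 0;
}

// Lockfile "packages" keys are install paths: "node_modules/react-router" for the
// hoisted copy, "node_modules/<dep>/node_modules/react-router" for a nested one.
// Suffix matching keeps react-router-dom and similarly named packages out.
function findAffected(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages ?? {})) {
    if (!installPath.endsWith(`node_modules/${AFFECTED.pkg}`)) continue;
    if (!entry || !entry.version) continue;
    if (isAffected(entry.version)) {
      findings.push({ path: installPath, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample: the top-level copy is patched, but a legacy dependency
// still carries its own nested 7.4.1, and an unrelated 6.x copy is out of range.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-router-dom": "^7.6.0", "legacy-widget": "^1.0.0" } },
    "node_modules/react-router": { version: "7.6.0" },
    "node_modules/react-router-dom": { version: "7.6.0" },
    "node_modules/legacy-widget": { version: "1.0.0" },
    "node_modules/legacy-widget/node_modules/react-router": { version: "7.4.1" },
    "node_modules/old-thing": { version: "2.0.0" },
    "node_modules/old-thing/node_modules/react-router": { version: "6.30.0" },
  },
};

console.log(findAffected(SAMPLE_LOCK));
// -> [{ path: "node_modules/legacy-widget/node_modules/react-router", version: "7.4.1" }]
```

A nested hit like the one above is not fixed by bumping the root dependency; it needs an `overrides` entry (npm) or an upgrade of the dependency that pins it, followed by a re-run of this check on the regenerated lockfile.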

Release notes

Sourced from react-router's releases.

v7.6.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v760

v7.5.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v753

v7.5.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v752

v7.5.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v751

v7.5.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v750

v7.4.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v741

v7.4.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v740

v7.3.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v730

v7.2.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v720

v.7.1.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v715

v7.1.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v714

v7.1.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v713

v7.1.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v712

Changelog

Sourced from react-router's changelog.

7.6.0

Minor Changes

  • Added a new react-router.config.ts routeDiscovery option to configure Lazy Route Discovery behavior. (#13451)

    • By default, Lazy Route Discovery is enabled and makes manifest requests to the /__manifest path:
      • routeDiscovery: { mode: "lazy", manifestPath: "/__manifest" }
    • You can modify the manifest path used:
      • routeDiscovery: { mode: "lazy", manifestPath: "/custom-manifest" }
    • Or you can disable this feature entirely and include all routes in the manifest on initial document load:
      • routeDiscovery: { mode: "initial" }
  • Add support for route component props in createRoutesStub. This allows you to unit test your route components using the props instead of the hooks: (#13528)

    // Imports added for completeness (not in the original changelog snippet):
    // createRoutesStub is exported by react-router; the render helpers come
    // from @testing-library/react.
    import { render, screen, waitFor } from "@testing-library/react";
    import { createRoutesStub } from "react-router";

    let RoutesStub = createRoutesStub([
      {
        path: "/",
        // Route component receives loaderData as a prop, so no useLoaderData hook is needed.
        Component({ loaderData }) {
          let data = loaderData as { message: string };
          return <pre data-testid="data">Message: {data.message}</pre>;
        },
        loader() {
          return { message: "hello" };
        },
      },
    ]);
    render(<RoutesStub />);
    await waitFor(() => screen.findByText("Message: hello"));

Patch Changes

  • Fix react-router module augmentation for NodeNext (#13498)

  • Don't bundle react-router in react-router/dom CJS export (#13497)

  • Fix bug where a submitting fetcher would get stuck in a loading state if a revalidating loader redirected (#12873)

  • Fix hydration error if a server loader returned undefined (#13496)

  • Fix initial load 404 scenarios in data mode (#13500)

  • Stabilize useRevalidator's revalidate function (#13542)

  • Preserve status code if a clientAction throws a data() result in framework mode (#13522)

... (truncated)

Commits
  • c29148e chore: Update version for release (#13561)
  • 3adc571 chore: Update version for release (pre) (#13545)
  • 0fe5d6d Fix middleware error bubbling scenarios (#13538)
  • 1678d41 feat(react-router): stabilize useRevalidator's revalidate (#13542)
  • 5af3eaa Add component props support to createRoutesStub (#13528)
  • 4e427a3 Short circuit dataStrategy post processing on aborted requests (#13521)
  • 7583dc7 Preserve status code on clientAction throw data() results (#13522)
  • 26ecf2f Fix fetcher state stuck on loading if a loader redirects (#12873)
  • 5a966cb Inline turbo-stream@2.4.1 and fix decode ordering of Map/Set instances (#13518)
  • eb59d5f feat(react-router): don't bundle react-router in react-router/dom export ...
  • Additional commits viewable in compare view

Updates react-router-dom from 7.1.1 to 7.6.0

Release notes

Sourced from react-router-dom's releases.

v7.1.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v713

react-router-dom-v5-compat@6.4.0-pre.15

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.15
    • react-router-dom@6.4.0-pre.15

react-router-dom-v5-compat@6.4.0-pre.11

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.11
    • react-router-dom@6.4.0-pre.11

react-router-dom-v5-compat@6.4.0-pre.10

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.10
    • react-router-dom@6.4.0-pre.10

react-router-dom-v5-compat@6.4.0-pre.9

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.9
    • react-router-dom@6.4.0-pre.9

react-router-dom-v5-compat@6.4.0-pre.8

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.8
    • react-router-dom@6.4.0-pre.8

Changelog

Sourced from react-router-dom's changelog.

7.6.0

Patch Changes

  • Updated dependencies:
    • react-router@7.6.0

7.5.3

Patch Changes

  • Updated dependencies:
    • react-router@7.5.3

7.5.2

Patch Changes

  • Updated dependencies:
    • react-router@7.5.2

7.5.1

Patch Changes

  • Updated dependencies:
    • react-router@7.5.1

7.5.0

Patch Changes

  • Updated dependencies:
    • react-router@7.5.0

7.4.1

Patch Changes

  • Updated dependencies:
    • react-router@7.4.1

7.4.0

Patch Changes

  • Updated dependencies:
    • react-router@7.4.0

7.3.0

... (truncated)

Commits