
[Security] Bump react-router and react-router-dom

Bumps react-router to 7.6.2 and updates ancestor dependency react-router-dom. These dependencies need to be updated together.

Updates react-router from 7.1.1 to 7.6.2. This update includes a security fix.

Vulnerabilities fixed

React Router allows pre-render data spoofing on React-Router framework mode

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This makes it possible to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data; a specific JSON object must be passed to it in order for the spoofing to be successful, as we will see shortly. Here is the vulnerable code:

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • "@react-router/node": "^7.5.0",
  • "@react-router/serve": "^7.5.0",
  • "react": "^19.0.0",
  • "react-dom": "^19.0.0",
  • "react-router": "^7.5.0"

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)

... (truncated)

Patched versions: 7.5.2
Affected versions: >= 7.0, <= 7.5.1
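Two defender-side checks for the advisory above, written as an added example here (this is not code from the Dependabot PR, from the advisory, or from react-router itself). The first maps the advisory's stated range (affected >= 7.0 and <= 7.5.1, patched in 7.5.2) onto an installed react-router version so a lockfile audit can flag it. The second is a defence-in-depth measure for deployments that cannot upgrade immediately: drop the X-React-Router-Prerender-Data header from inbound requests at the application or proxy boundary and record the event for detection. The request object shape, the `prerenderHeaderGuard` middleware wiring and the sample request are constructed assumptions modelled on a minimal Node `http.IncomingMessage` (header keys lower-cased, as Node does); nothing here reproduces the spoofing payload.

```javascript
// Added example, not part of the PR or of react-router. Assumptions: the affected range
// is taken from the advisory text (>= 7.0.0, <= 7.5.1, fixed in 7.5.2); request objects
// follow Node's IncomingMessage convention of lower-cased header keys.

const VULN_HEADER = "x-react-router-prerender-data";

// Parse "7.5.1", "v7.5.1", "7.0" or "7.5.1-pre.3" into [major, minor, patch];
// a missing patch component defaults to 0 and prerelease/build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

// Lexicographic compare of two versions: -1, 0 or 1.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed react-router version falls inside the advisory's affected range.
function isAffectedReactRouter(version) {
  return compareSemver(version, "7.0.0") >= 0 && compareSemver(version, "7.5.1") <= 0;
}

// Remove the pre-render data header from an inbound request and log the event.
// Returns true if the header was present (useful as a detection signal: legitimate
// browser traffic has no reason to carry it).
function stripPrerenderDataHeader(req, log = console.warn) {
  if (Object.prototype.hasOwnProperty.call(req.headers, VULN_HEADER)) {
    delete req.headers[VULN_HEADER];
    const remote = (req.socket && req.socket.remoteAddress) || "unknown";
    log(`dropped ${VULN_HEADER} from ${req.method} ${req.url} (remote ${remote})`);
    return true;
  }
  return false;
}

// Express-style middleware wrapper (hypothetical wiring: app.use(prerenderHeaderGuard)).
function prerenderHeaderGuard(req, res, next) {
  stripPrerenderDataHeader(req);
  next();
}

// Constructed sample request carrying the header, as an unproxied app would see it.
const sampleRequest = {
  method: "GET",
  url: "/ssr",
  headers: { host: "app.example", [VULN_HEADER]: "{\"constructed\":true}" },
  socket: { remoteAddress: "192.0.2.10" },
};

// Stand-alone demonstration of both checks.
for (const v of ["7.1.1", "7.5.1", "7.5.2", "6.30.0"]) {
  console.log(`react-router ${v}: ${isAffectedReactRouter(v) ? "AFFECTED" : "ok"}`);
}
prerenderHeaderGuard(sampleRequest, null, () => {
  console.log("remaining headers:", Object.keys(sampleRequest.headers).join(", "));
});
```

For a real deployment the same header drop is usually cheaper to enforce at the reverse proxy in front of the Node server; the middleware form above is what you would reach for when the app is exposed directly, and the returned boolean is the value to feed into an alert.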

Release notes

Sourced from react-router's releases.

v7.6.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v761

v7.6.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v760

v7.5.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v753

v7.5.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v752

v7.5.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v751

v7.5.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v750

v7.4.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v741

v7.4.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v740

v7.3.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v730

v7.2.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v720

v.7.1.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v715

v7.1.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v714

v7.1.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v713

v7.1.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v712

Changelog

Sourced from react-router's changelog.

7.6.2

Patch Changes

  • Avoid additional with-props chunk in Framework Mode by moving route module component prop logic from the Vite plugin to react-router (#13650)
  • [INTERNAL] Slight refactor of internal headers() function processing for use with RSC (#13639)

7.6.1

Patch Changes

  • Update Route.MetaArgs to reflect that data can be potentially undefined (#13563)

    This is primarily for cases where a route loader threw an error to its own ErrorBoundary, but it also arises in the case of a 404 which renders the root ErrorBoundary/meta but the root loader did not run because no routes matched.

  • Partially revert optimization added in 7.1.4 to reduce calls to matchRoutes because it surfaced other issues (#13562)

  • Fix typegen when same route is used at multiple paths (#13574)

    For example, routes/route.tsx is used at 4 different paths here:

    import { type RouteConfig, route } from "@react-router/dev/routes";
    export default [
      route("base/:base", "routes/base.tsx", [
        route("home/:home", "routes/route.tsx", { id: "home" }),
        route("changelog/:changelog", "routes/route.tsx", { id: "changelog" }),
        route("splat/*", "routes/route.tsx", { id: "splat" }),
      ]),
      route("other/:other", "routes/route.tsx", { id: "other" }),
    ] satisfies RouteConfig;

    Previously, typegen would arbitrarily pick one of these paths to be the "winner" and generate types for the route module based on that path. Now, typegen creates unions as necessary for alternate paths for the same route file.

  • Better types for params (#13543)

    For example:

    // routes.ts
    import { type RouteConfig, route } from "@react-router/dev/routes";
    export default [
      route("parent/:p", "routes/parent.tsx", [
        route("layout/:l", "routes/layout.tsx", [
          route("child1/:c1a/:c1b", "routes/child1.tsx"),
          route("child2/:c2a/:c2b", "routes/child2.tsx"),
        ]),

... (truncated)

Commits

Updates react-router-dom from 7.1.1 to 7.6.2

Release notes

Sourced from react-router-dom's releases.

v7.1.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v713

react-router-dom-v5-compat@6.4.0-pre.15

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.15
    • react-router-dom@6.4.0-pre.15

react-router-dom-v5-compat@6.4.0-pre.11

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.11
    • react-router-dom@6.4.0-pre.11

react-router-dom-v5-compat@6.4.0-pre.10

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.10
    • react-router-dom@6.4.0-pre.10

react-router-dom-v5-compat@6.4.0-pre.9

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.9
    • react-router-dom@6.4.0-pre.9

react-router-dom-v5-compat@6.4.0-pre.8

Patch Changes

  • Updated dependencies
    • react-router@6.4.0-pre.8
    • react-router-dom@6.4.0-pre.8

Changelog

Sourced from react-router-dom's changelog.

7.6.2

Patch Changes

  • Updated dependencies:
    • react-router@7.6.2

7.6.1

Patch Changes

  • Updated dependencies:
    • react-router@7.6.1

7.6.0

Patch Changes

  • Updated dependencies:
    • react-router@7.6.0

7.5.3

Patch Changes

  • Updated dependencies:
    • react-router@7.5.3

7.5.2

Patch Changes

  • Updated dependencies:
    • react-router@7.5.2

7.5.1

Patch Changes

  • Updated dependencies:
    • react-router@7.5.1

7.5.0

Patch Changes

  • Updated dependencies:
    • react-router@7.5.0

7.4.1

... (truncated)

Commits
