fix(deps): bump react-router-dom to 7.18.1 (security #235, #238) #239

Merged
maximus merged 1 commit from issue-238-react-router-dom into main 2026-07-01 23:58:55 +00:00
Owner

Fixes #235
Fixes #238

Bump react-router-dom 7.13.0 → 7.18.1, ce qui tire react-router 7.13.0 → 7.18.1 (≥ 7.15.1).

Vulnérabilités résolues

  • #235 react-router (cause racine) — 7 advisories : turbo-stream RCE non authentifié (GHSA-49rj-9fvp-4h2h), DoS __manifest (GHSA-8x6r-g9mw-2r78), DoS single-fetch (GHSA-rxv8-25v2-qmq8), XSS RSC redirect (GHSA-8646-j5j9-6r62).
  • #238 react-router-dom — 0 CVE propre, vulnérable uniquement par héritage transitif de react-router (npm audit : viaParents=['react-router']). Un seul bump du parent ferme les deux issues.

npm audit : 5 → 3 vulns (les 2 react-router* high éliminées). Reste vite/vitest/@babel/core → PR tooling séparée (#236, #237).

Validation

  • npm ls react-routerreact-router-dom@7.18.1 → react-router@7.18.1 (≥ 7.15.1) ✓
  • npm audit : react-router et react-router-dom absents ✓
  • npm run build (tsc + vite) vert ✓
  • Bump mineur, pas de major (react-router-dom latest = 7.18.1)

Contexte produit : app Tauri desktop (SPA cliente locale, pas de serveur SSR/RSC) → surface réelle faible, hardening propre.

🤖 Generated with Claude Code

Fixes #235 Fixes #238 Bump `react-router-dom` 7.13.0 → 7.18.1, ce qui tire `react-router` 7.13.0 → 7.18.1 (≥ 7.15.1). ## Vulnérabilités résolues - **#235 react-router** (cause racine) — 7 advisories : turbo-stream RCE non authentifié (GHSA-49rj-9fvp-4h2h), DoS `__manifest` (GHSA-8x6r-g9mw-2r78), DoS single-fetch (GHSA-rxv8-25v2-qmq8), XSS RSC redirect (GHSA-8646-j5j9-6r62). - **#238 react-router-dom** — 0 CVE propre, vulnérable uniquement par héritage transitif de react-router (`npm audit` : `viaParents=['react-router']`). Un seul bump du parent ferme les deux issues. `npm audit` : **5 → 3 vulns** (les 2 `react-router*` high éliminées). Reste `vite`/`vitest`/`@babel/core` → PR tooling séparée (#236, #237). ## Validation - `npm ls react-router` → `react-router-dom@7.18.1 → react-router@7.18.1` (≥ 7.15.1) ✓ - `npm audit` : `react-router` et `react-router-dom` absents ✓ - `npm run build` (tsc + vite) vert ✓ - Bump mineur, pas de major (react-router-dom latest = 7.18.1) _Contexte produit : app Tauri desktop (SPA cliente locale, pas de serveur SSR/RSC) → surface réelle faible, hardening propre._ 🤖 Generated with [Claude Code](https://claude.com/claude-code)
maximus added 1 commit 2026-07-01 12:42:23 +00:00
fix(deps): bump react-router-dom to 7.18.1 (fixes #235, #238)
All checks were successful
PR Check / rust (pull_request) Successful in 23m56s
PR Check / frontend (pull_request) Successful in 2m35s
713667c33d
react-router-dom@7.13.0 pulled react-router@7.13.0, affected by 7 advisories
(turbo-stream RCE, DoS __manifest/single-fetch, XSS RSC redirect), corrected
in <7.15.1. Bumping the parent to 7.18.1 pulls react-router@7.18.1 and clears
both npm audit entries. react-router-dom carries no advisory of its own (#238
inherited transitively from #235). Build (tsc + vite) green; no major bump.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author
Owner

Review — APPROVE

Bump react-router-dom 7.13.0 → 7.18.1 (tire react-router → 7.18.1). Diff minimal et scoped.

Sécurité — aucun secret/token ; pas de code applicatif, uniquement package.json + lock.
Correctnessnpm audit : react-router et react-router-dom désormais absents (5 → 3 vulns). npm ls react-router → 7.18.1 (≥ 7.15.1). Aucune dérive transitive dans le lock (seuls les 2 paquets changent version/resolved/integrity). Bump mineur, pas de major.
Quality — changement idiomatique, cohérent.
Data — aucune migration SQL.

npm run build (tsc + vite) vert. Ferme #235 (cause racine) + #238 (héritage transitif) en un commit, conformément à la reco du Defenseur.

## Review — APPROVE ✅ Bump `react-router-dom` 7.13.0 → 7.18.1 (tire `react-router` → 7.18.1). Diff minimal et scoped. **Sécurité** — aucun secret/token ; pas de code applicatif, uniquement package.json + lock. **Correctness** — `npm audit` : `react-router` et `react-router-dom` désormais absents (5 → 3 vulns). `npm ls react-router` → 7.18.1 (≥ 7.15.1). Aucune dérive transitive dans le lock (seuls les 2 paquets changent version/resolved/integrity). Bump mineur, pas de major. **Quality** — changement idiomatique, cohérent. **Data** — aucune migration SQL. `npm run build` (tsc + vite) vert. Ferme #235 (cause racine) + #238 (héritage transitif) en un commit, conformément à la reco du Defenseur.
maximus merged commit 6aa4f66242 into main 2026-07-01 23:58:55 +00:00
maximus deleted branch issue-238-react-router-dom 2026-07-01 23:58:55 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: maximus/Simpl-Resultat#239
No description provided.