chore(deps): update dependency @remix-run/react to v2.17.3 [security] #3900

Open
renovate[bot] wants to merge 1 commit into main from renovate-npm-remix-run-react-vulnerability

@renovate renovate bot commented Apr 15, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
@remix-run/react (source) | 2.16.4 → 2.17.3 | age | confidence

GitHub Vulnerability Alerts

CVE-2025-59057

An XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.

Note

This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity
  • CVSS Score: 7.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CVE-2026-21884

An XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

Note

This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity
  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Release Notes

remix-run/remix (@remix-run/react)

v2.17.0

Compare Source

v2.16.5

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
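
The CVE-2025-59057 advisory above concerns untrusted content reaching a script:ld+json tag during SSR. As an added example (not code from this PR, Renovate, or React Router; the function names and sample data are constructed for illustration), the following shows why plain JSON.stringify output is not safe inside an inline script element, and one way to serialise such values so they stay inert.

```javascript
// Added example: hypothetical helpers, not React Router's implementation.

// Characters that must not appear literally inside inline <script> content.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Weak form: JSON.stringify leaves "<" and "/" untouched, so a "</script>"
// inside any string value terminates the element in the HTML parser.
function renderJsonLdNaive(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened form: replace the dangerous characters with JSON \uXXXX escapes.
// They only occur inside JSON strings, so the result is still valid JSON
// and parses back to the identical value.
function serializeForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

function renderJsonLdSafe(data) {
  return `<script type="application/ld+json">${serializeForScript(data)}</script>`;
}

// Counts the script end tags an HTML parser would see in the markup.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a user-controlled product name placed into JSON-LD.
const untrustedName = "Widget</script><script>/* injected */</script>";
const doc = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: untrustedName,
};

console.log("naive end tags:", countScriptCloses(renderJsonLdNaive(doc)));
console.log("safe end tags: ", countScriptCloses(renderJsonLdSafe(doc)));
console.log(renderJsonLdSafe(doc));
```

A single end tag in the output means the untrusted value stayed inside the JSON string; the same serialisation applies to any value a server render writes into inline script content.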

renovate bot added the dependencies label Apr 15, 2026
netlify bot commented Apr 15, 2026

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit 08996f6
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69e00b8072acf2000841f017

@github-actions
🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 51.76
  • Iterations/s: 17.25
  • Failed Requests: 0.00% (0 of 3115)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.1 MB 19 kB/s
     data_sent......................: 2.4 MB 40 kB/s
     http_req_blocked...............: avg=6.41µs   min=2.43µs   med=5.07µs   max=791.07µs p(90)=6.38µs   p(95)=7.04µs  
     http_req_connecting............: avg=314ns    min=0s       med=0s       max=277µs    p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=76.68ms  min=7.18ms   med=61.4ms   max=362.71ms p(90)=131.55ms p(95)=150.82ms
       { expected_response:true }...: avg=76.68ms  min=7.18ms   med=61.4ms   max=362.71ms p(90)=131.55ms p(95)=150.82ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 3115
     http_req_receiving.............: avg=81.84µs  min=28.98µs  med=73.47µs  max=1.12ms   p(90)=109.34µs p(95)=137.49µs
     http_req_sending...............: avg=38.74µs  min=10.65µs  med=27.79µs  max=2.22ms   p(90)=41.99µs  p(95)=58.16µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=76.56ms  min=7.05ms   med=61.26ms  max=362.53ms p(90)=131.46ms p(95)=150.69ms
     http_reqs......................: 3115   51.759166/s
     iteration_duration.............: avg=231.72ms min=155.87ms med=220.97ms max=783.96ms p(90)=285.16ms p(95)=317.96ms
     iterations.....................: 1038   17.247517/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 
