fix(deps): update dependency react-router to v6.30.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	6.26.2 → 6.30.2

---

React Router has unexpected external redirect via untrusted paths

CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m

More information

Details

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m
• https://nvd.nist.gov/vuln/detail/CVE-2025-68470
• https://github.com/advisories/GHSA-9jcx-v3wj-wh4m

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

remix-run/react-router (react-router)

v6.30.2: v6.30.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/v6/CHANGELOG.md#v6302

v6.30.1: v6.30.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6301

v6.30.0: v6.30.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6300

v6.29.0: v6.29.0

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6290

v6.28.2: v6.28.2

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6282

v6.28.1: v6.28.1

Compare Source

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v6281

v6.28.0

Compare Source

Minor Changes

• • Log deprecation warnings for v7 flags (#​11750)
  • Add deprecation warnings to json/defer in favor of returning raw objects
    • These methods will be removed in React Router v7

Patch Changes

• Update JSDoc URLs for new website structure (add /v6/ segment) (#​12141)
• Updated dependencies:
  • @remix-run/router@1.21.0

v6.27.0

Compare Source

Minor Changes

• Stabilize unstable_patchRoutesOnNavigation (#​11973)
  • Add new PatchRoutesOnNavigationFunctionArgs type for convenience (#​11967)
• Stabilize unstable_dataStrategy (#​11974)
• Stabilize the unstable_flushSync option for navigations and fetchers (#​11989)
• Stabilize the unstable_viewTransition option for navigations and the corresponding unstable_useViewTransitionState hook (#​11989)

Patch Changes

• Fix bug when submitting to the current contextual route (parent route with an index child) when an ?index param already exists from a prior submission (#​12003)

• Fix useFormAction bug - when removing ?index param it would not keep other non-Remix index params (#​12003)

• Fix types for RouteObject within PatchRoutesOnNavigationFunction's patch method so it doesn't expect agnostic route objects passed to patch (#​11967)

• Updated dependencies:

  • @remix-run/router@1.20.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.