fix(deps): bump react-router to 6.30.4 (GHSA-2j2x-hqr9-3h42) #292

Merged
owlburtoe merged 1 commit from fix/react-router-6.30.4-ghsa into main 2026-06-03 20:27:49 -04:00

Why

A newly published advisory GHSA-2j2x-hqr9-3h42 (CVSS 6.6, Medium) flags react-router@6.30.3. Because OSV.dev now serves it, the Dependency Audit job (osv-scanner) started failing on every open PR (#291, #287, #286, #255) and on main — none of these PRs introduced the problem.

Change

  • Bump react-router-dom ^6.30.3 → ^6.30.4, which pulls patched react-router@6.30.4 (the transitive that was flagged).
  • Refresh pnpm-lock.yaml accordingly.

Verification

  • pnpm install --frozen-lockfile ✓ (lockfile consistent)
  • osv-scanner --config=.osv-scanner.toml --lockfile=pnpm-lock.yaml → No issues found ✓
  • pnpm check:react-versions → aligned ✓

Once merged, #291 rebases clean and the renovate PRs auto-rebase to green.
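Added example, not part of this PR or the project's own scripts: a small shell guard that scans pnpm-lock.yaml for every resolved react-router version and fails if any is still below 6.30.4, the release this PR moves to. The lockfile layout it greps for and the sample fragment it writes are assumptions, not the project's files.

```shell
#!/usr/bin/env bash
# Added example (not from this PR or the project): fail when pnpm-lock.yaml still
# resolves react-router below the patched release named in the PR.
# Assumption: resolved packages appear under "packages:" as "  react-router@6.30.4:"
# (pnpm lockfile v9) or "  /react-router@6.30.4:" (lockfile v6).
MIN_SAFE="6.30.4"   # first release the PR says is not flagged by GHSA-2j2x-hqr9-3h42

# version_ge A B: exit 0 when dotted version A >= B, comparing component by component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# resolved_versions LOCKFILE: print each distinct resolved react-router version.
# The "@" right after the name keeps react-router-dom@... from matching.
resolved_versions() {
  grep -oE '^ +/?react-router@[0-9]+\.[0-9]+\.[0-9]+' "$1" | sed 's/.*@//' | sort -u
}

# check_lockfile LOCKFILE: exit 0 if every resolved react-router is >= MIN_SAFE,
# otherwise report each offending version on stderr and exit 1.
check_lockfile() {
  status=0
  for v in $(resolved_versions "$1"); do
    if ! version_ge "$v" "$MIN_SAFE"; then
      echo "react-router@$v resolved in $1 is below $MIN_SAFE" >&2
      status=1
    fi
  done
  return $status
}

# write_sample PATH VERSION: write a constructed lockfile fragment (not a real one)
# so the guard can be exercised offline.
write_sample() {
  cat > "$1" <<EOF
lockfileVersion: '9.0'
packages:
  react-router-dom@$2:
    resolution: {integrity: sha512-constructed}
  react-router@$2:
    resolution: {integrity: sha512-constructed}
EOF
}
```

Run `check_lockfile pnpm-lock.yaml` after `pnpm install --frozen-lockfile` as a cheap pre-check alongside osv-scanner; it catches the transitive still being pinned to an old release even before the advisory feed is consulted.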

fix(deps): bump react-router to 6.30.4 (GHSA-2j2x-hqr9-3h42)
All checks were successful
Code Scanning / Semgrep OSS source scan (pull_request) Successful in 35s
Code Scanning / Gitleaks secret scan (pull_request) Successful in 8s
Security, Type Check & Runtime / Dependency Audit (pull_request) Successful in 10m20s
Security, Type Check & Runtime / Migration Guardrails (pull_request) Successful in 10m42s
Security, Type Check & Runtime / Type Check (pull_request) Successful in 11m36s
Security, Type Check & Runtime / Backend Runtime Smoke (pull_request) Successful in 11m40s
E2E Tests / e2e (pull_request) Successful in 15m45s
Release Artifacts / Validate release candidate (pull_request) Successful in 10m53s
Release Artifacts / Build and push Docker release images (pull_request) Has been skipped
Release Artifacts / Deploy to staging (pull_request) Has been skipped
685037d3dd
The react-router 6.30.3 advisory GHSA-2j2x-hqr9-3h42 (CVSS 6.6) was
newly published to OSV.dev, failing the Dependency Audit gate on every
open PR. Bump react-router-dom to ^6.30.4, which pulls the patched
react-router 6.30.4 transitive. osv-scanner now reports no issues.
owlburtoe deleted branch fix/react-router-6.30.4-ghsa 2026-06-03 20:27:50 -04:00