Skip to content

Update react-router-dom 7.17.0 → 7.18.1 (minor)#423

Open
depfu[bot] wants to merge 1 commit into
masterfrom
depfu/update/yarn/react-router-dom-7.18.1
Open

Update react-router-dom 7.17.0 → 7.18.1 (minor)#423
depfu[bot] wants to merge 1 commit into
masterfrom
depfu/update/yarn/react-router-dom-7.18.1

Conversation

@depfu

@depfu depfu Bot commented Jul 6, 2026

Copy link
Copy Markdown

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ react-router-dom (7.17.0 → 7.18.1) · Repo · Changelog

Release Notes

7.18.0 (from changelog)

Date: 2026-06-16

What's Changed

CSRF Check Logic Fix

We made a bug fix in our underlying CSRF checks in this release that may be a "breaking bug fix" for some users deployed behind a reverse proxy. The CSRF check now checks directly against the host in the request url provided, instead of looking directly at HTTP headers which is an adapter concern. If your adapter is not setting the expected host in the request URL, you may need to add the new internal host to your allowedActionOrigins config. This is most likely to occur in @react-router/serve apps or @react-router/express apps without the trust proxy setting enabled. We recommend testing this against application mutation requests as part of your upgrade.

Minor Changes

  • @react-router/architect - Add a useRequestContextDomainName option to createRequestHandler to derive request URL hosts from the API Gateway request context (#15185)
    • This flag will become the default behavior in v8, so it is recommended to adopt to prepare for and to v8 better align with your deployment architecture and rely less on manual header parsing in the adapter
    • See the docs for more information

Patch Changes

  • react-router - Fix server handler prerender responses when using ssr: false and future.v8_trailingSlashAwareDataRequests: true (#15173)
    • Avoids false positive "SPA Mode" detection when serving prerendered paths
  • react-router - Use the ServerRouter nonce for nonce-aware SSR components when they don't provide their own value so strict CSP pages can load them (#15170)
  • react-router - Use turbo-stream to serialize and deserialize Framework Mode hydration errors (#15175)
  • react-router - Optimize route matching by extending precomputed route branches to include matchers (#15186)
  • react-router - Use the constructed request URL host instead of header checks when validating action request origins in the CSRF check (#15185)
  • react-router - Remove the un-documented custom error serialization logic from Data Mode SSR built-in hydration flows (#15175)
  • react-router - Validate protocols in RSC render redirects (#15177)
  • react-router - Consolidate url normalization logic and better handle mixed slashes (#15176)
  • @react-router/dev - Pass Vite server.watch config to child compiler in development mode. (#15178)
  • @react-router/dev - Ignore external Vite server environments in Framework Mode build hooks (#14883)
    • When future.v8_viteEnvironmentApi is enabled, React Router previously treated any non-client Vite environment as its own server build
    • This caused issues with integrations like Nitro, where plugins can register additional environments
    • Framework Mode build hooks now ignore external server environments and only process the app's own server build
  • @react-router/express - Adjust express adapter host computation (#15185)
    • read port from x-forwarded-host based on trust proxy setting
    • handle invalid hostname characters

Full Changelog: v7.17.0...v7.18.0

Does any of this look wrong? Please let us know.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot requested review from canova and fatadel as code owners July 6, 2026 18:55
@depfu depfu Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026
@netlify

netlify Bot commented Jul 6, 2026

Copy link
Copy Markdown

Deploy Preview for firefox-devtools-react-contextmenu ready!

Name Link
🔨 Latest commit 0699830
🔍 Latest deploy log https://app.netlify.com/projects/firefox-devtools-react-contextmenu/deploys/6a4bfa30d0cb1900080e83aa
😎 Deploy Preview https://deploy-preview-423--firefox-devtools-react-contextmenu.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants