
Commit 6bd63a2

ersinkoc and claude committed
fix(website): bump react-router to ^7.17.0 to clear 6 CVEs
The marketing site (separate npm project from the pnpm monorepo) pinned react-router ^7.6.2 with the lockfile resolved at 7.13.1, leaving 6 open Dependabot alerts (4 high, 2 moderate): unauth RCE via vendored turbo-stream TYPE_ERROR deserialization (GHSA-49rj-9fvp-4h2h), two DoS (GHSA-rxv8-25v2-qmq8, GHSA-8x6r-g9mw-2r78), RSC redirect XSS (GHSA-8646-j5j9-6r62), prerender Location XSS (GHSA-f22v-gfqf-p8f3), and protocol-relative open redirect (GHSA-2j2x-hqr9-3h42).

Bump the floor to ^7.17.0 (latest 7.x, same major) and refresh the lock. `npm audit` now reports 0 vulnerabilities; `npm run build` passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 3e9c869 commit 6bd63a2

2 files changed

Lines changed: 5 additions & 5 deletions
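The commit message makes the point that the semver range in package.json was never the problem (^7.6.2 already permits 7.17.0); the version that actually ships is whatever package-lock.json resolved, which was 7.13.1. The script below is an added example, not code from this repository, showing how to gate on the lockfile rather than the range: it reads a lockfileVersion 2/3 "packages" map (an assumption about the lock format), collects every resolved copy of a package including nested ones, and reports entries below a per-package minimum fixed version. The sample lockfiles and the `FLOORS` table are constructed to mirror the before/after state described in the commit message.

```javascript
// Added example: audit the versions actually resolved in package-lock.json
// against a minimum fixed version per package. Assumes lockfileVersion 2 or 3
// ("packages" map keyed by node_modules path). Not part of the project.

// Parse "1.2.3" / "v1.2.3" / "1.2.3-rc.1" into numeric parts. Prerelease tags
// are ignored, which is acceptable for a floor check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every resolved copy of `name`, including nested installs such as
// node_modules/foo/node_modules/react-router: a vulnerable transitive copy
// is still shipped even when the top-level copy is fixed.
function resolvedVersions(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

// floors: { "react-router": "7.17.0", ... } = minimum fixed version per package.
// Returns the lockfile entries still below their floor.
function findBelowFloor(lock, floors) {
  const findings = [];
  for (const [name, min] of Object.entries(floors)) {
    for (const r of resolvedVersions(lock, name)) {
      if (compareVersions(r.version, min) < 0) {
        findings.push({ name, path: r.path, resolved: r.version, required: min });
      }
    }
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk.
function checkLockfile(lockPath) {
  const fs = require("fs");
  return findBelowFloor(JSON.parse(fs.readFileSync(lockPath, "utf8")), FLOORS);
}

// Constructed samples: the range ^7.6.2 already allowed 7.17.0, but the lock
// had resolved 7.13.1 (before); the refreshed lock resolves 7.17.0 (after).
const SAMPLE_LOCK_BEFORE = {
  name: "website", lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-router": "^7.6.2" } },
    "node_modules/react-router": { version: "7.13.1" },
  },
};
const SAMPLE_LOCK_AFTER = {
  name: "website", lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-router": "^7.17.0" } },
    "node_modules/react-router": { version: "7.17.0" },
  },
};
// Floor taken from the commit: first 7.x line the commit treats as clean.
const FLOORS = { "react-router": "7.17.0" };

// Usage: node lockcheck.js [path/to/package-lock.json]
// With a path, exits non-zero on findings so it can gate CI; without one it
// runs against the constructed "before" sample.
if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const findings = target ? checkLockfile(target) : findBelowFloor(SAMPLE_LOCK_BEFORE, FLOORS);
  for (const f of findings) {
    console.log(`${f.path}: resolved ${f.resolved} < required ${f.required}`);
  }
  if (target && findings.length) process.exitCode = 1;
}
```

Run this with `npm ci` rather than `npm install` in the same pipeline: `npm ci` installs exactly what the lockfile says, so the check reflects the deployed tree; `npm install` may re-resolve within the range and mask a stale lock.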


website/package-lock.json

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default.

website/package.json

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@
1616
"lucide-react": "^0.513.0",
1717
"react": "^19.1.0",
1818
"react-dom": "^19.1.0",
19-
"react-router": "^7.6.2",
19+
"react-router": "^7.17.0",
2020
"tailwind-merge": "^3.3.0",
2121
"zustand": "^5.0.5"
2222
},
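Review bot: The package.json change on its own does not fix anything: `^7.6.2` already satisfied 7.17.0, so the vulnerable 7.13.1 came from the lockfile, and the real fix is the regenerated `package-lock.json` (4 additions, 4 deletions, not rendered here). Raising the floor to `^7.17.0` is still worthwhile because it stops a future fresh resolution (or a lockfile regeneration on an older registry snapshot) from landing below the fixed version. Two follow-ups: make sure the site's build runs `npm ci` so the lock is honored rather than re-resolved, and, since this is a separate npm project outside the pnpm monorepo, confirm Dependabot is configured for the `website/` directory so the next react-router advisory is not missed the same way.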
