From 6bd63a2ca0e20d9a46209b5cdc54022f09782888 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ersin=20KO=C3=87?= Date: Fri, 5 Jun 2026 17:59:38 +0300 Subject: [PATCH] fix(website): bump react-router to ^7.17.0 to clear 6 CVEs The marketing site (separate npm project from the pnpm monorepo) pinned react-router ^7.6.2 with the lockfile resolved at 7.13.1, leaving 6 open Dependabot alerts (4 high, 2 moderate): unauth RCE via vendored turbo-stream TYPE_ERROR deserialization (GHSA-49rj-9fvp-4h2h), two DoS (GHSA-rxv8-25v2-qmq8, GHSA-8x6r-g9mw-2r78), RSC redirect XSS (GHSA-8646-j5j9-6r62), prerender Location XSS (GHSA-f22v-gfqf-p8f3), and protocol-relative open redirect (GHSA-2j2x-hqr9-3h42). Bump the floor to ^7.17.0 (latest 7.x, same major) and refresh the lock. `npm audit` now reports 0 vulnerabilities; `npm run build` passes. Co-Authored-By: Claude Opus 4.8 (1M context) --- website/package-lock.json | 8 ++++---- website/package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/website/package-lock.json b/website/package-lock.json index cde0bba64..1ac47f491 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -14,7 +14,7 @@ "lucide-react": "^0.513.0", "react": "^19.1.0", "react-dom": "^19.1.0", - "react-router": "^7.6.2", + "react-router": "^7.17.0", "tailwind-merge": "^3.3.0", "zustand": "^5.0.5" }, @@ -2364,9 +2364,9 @@ } }, "node_modules/react-router": { - "version": "7.13.1", - "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.13.1.tgz", - "integrity": "sha512-td+xP4X2/6BJvZoX6xw++A2DdEi++YypA69bJUV5oVvqf6/9/9nNlD70YO1e9d3MyamJEBQFEzk6mbfDYbqrSA==", + "version": "7.17.0", + "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.17.0.tgz", + "integrity": "sha512-FDELK7rTMlCHO5+reyXsPlmfr7N1F91lPHsWYfMEGQm/KQ+F4JFM8jGoeQDmDvdTs93Fw9aSilH+uKRb4/jXvQ==", "license": "MIT", "dependencies": { "cookie": "^1.0.1", 
diff --git a/website/package.json b/website/package.json
index 965527c0f..5eeab0659 100644
--- a/website/package.json
+++ b/website/package.json
@@ -16,7 +16,7 @@
 "lucide-react": "^0.513.0",
 "react": "^19.1.0",
 "react-dom": "^19.1.0",
- "react-router": "^7.6.2",
+ "react-router": "^7.17.0",
 "tailwind-merge": "^3.3.0",
 "zustand": "^5.0.5"
 },