Skip to content

fix(deps): update react-router monorepo to v7.18.0#450

Merged
pactflow-renovate-bot[bot] merged 1 commit into
masterfrom
renovate/react-router-monorepo
Jun 19, 2026
Merged

fix(deps): update react-router monorepo to v7.18.0#450
pactflow-renovate-bot[bot] merged 1 commit into
masterfrom
renovate/react-router-monorepo

Conversation

@pactflow-renovate-bot

@pactflow-renovate-bot pactflow-renovate-bot Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 7.17.07.18.0 age confidence
react-router-dom (source) 7.17.07.18.0 age confidence

Release Notes

remix-run/react-router (react-router)

v7.18.0

Compare Source

Patch Changes
  • Fix server handler prerender responses when using ssr: false and future.v8_trailingSlashAwareDataRequests: true. Avoids false positive "SPA Mode" detection when serving prerendered paths (#​15173)
  • Use the ServerRouter nonce for nonce-aware SSR components when they don't provide their own value so strict CSP pages can load them. (#​15170)
  • Use turbo-stream to serialize and deserialize Framework Mode hydration errors (#​15175)
  • Precompute route branch matchers to avoid recompiling route path regexes during matching (#​15186)
  • Use the constructed request URL host when validating action request origins. (#​15185)
  • Remove the un-documented custom error serialization logic from Data Mode SSR built-in hydration flows (#​15175)
  • Validate protocols in RSC render redirects (#​15177)
  • Consolidate url normalization logic and better handle mixed slashes (#​15176)
remix-run/react-router (react-router-dom)

v7.18.0

Compare Source

Date: 2026-06-16

What's Changed
CSRF Check Logic Fix

We made a bug fix in our underlying CSRF checks in this release that may be a "breaking bug fix" for some users deployed behind a reverse proxy. The CSRF check now checks directly against the host in the request url provided, instead of looking directly at HTTP headers which is an adapter concern. If your adapter is not setting the expected host in the request URL, you may need to add the new internal host to your allowedActionOrigins config. This is most likely to occur in @react-router/serve apps or @react-router/express apps without the trust proxy setting enabled. We recommend testing this against application mutation requests as part of your upgrade.

Minor Changes
  • @react-router/architect - Add a useRequestContextDomainName option to createRequestHandler to derive request URL hosts from the API Gateway request context (#​15185)
    • This flag will become the default behavior in v8, so it is recommended to adopt to prepare for and to v8 better align with your deployment architecture and rely less on manual header parsing in the adapter
    • See the docs for more information
Patch Changes
  • react-router - Fix server handler prerender responses when using ssr: false and future.v8_trailingSlashAwareDataRequests: true (#​15173)
    • Avoids false positive "SPA Mode" detection when serving prerendered paths
  • react-router - Use the ServerRouter nonce for nonce-aware SSR components when they don't provide their own value so strict CSP pages can load them (#​15170)
  • react-router - Use turbo-stream to serialize and deserialize Framework Mode hydration errors (#​15175)
  • react-router - Optimize route matching by extending precomputed route branches to include matchers (#​15186)
  • react-router - Use the constructed request URL host instead of header checks when validating action request origins in the CSRF check (#​15185)
  • react-router - Remove the un-documented custom error serialization logic from Data Mode SSR built-in hydration flows (#​15175)
  • react-router - Validate protocols in RSC render redirects (#​15177)
  • react-router - Consolidate url normalization logic and better handle mixed slashes (#​15176)
  • @react-router/dev - Pass Vite server.watch config to child compiler in development mode. (#​15178)
  • @react-router/dev - Ignore external Vite server environments in Framework Mode build hooks (#​14883)
    • When future.v8_viteEnvironmentApi is enabled, React Router previously treated any non-client Vite environment as its own server build
    • This caused issues with integrations like Nitro, where plugins can register additional environments
    • Framework Mode build hooks now ignore external server environments and only process the app's own server build
  • @react-router/express - Adjust express adapter host computation (#​15185)
    • read port from x-forwarded-host based on trust proxy setting
    • handle invalid hostname characters

Full Changelog: v7.17.0...v7.18.0

Configuration

📅 Schedule: (in timezone Australia/Melbourne)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@pactflow-renovate-bot pactflow-renovate-bot Bot enabled auto-merge (squash) June 19, 2026 15:07
@pactflow-renovate-bot pactflow-renovate-bot Bot merged commit 7b7d873 into master Jun 19, 2026
6 checks passed
@pactflow-renovate-bot pactflow-renovate-bot Bot deleted the renovate/react-router-monorepo branch June 19, 2026 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants