remix-run

history

Manage session history with JavaScript

by remix-run

JavaScript

8.3k stars · 957 forks · 76 contributors · Quiet · 1y ago · Since 2015 · v5.3.0 · MIT

Meet the team

mjackson: 811 contributions
taion: 88 contributions
michalkvasnicak: 21 contributions
timdorr: 18 contributions
ryanflorence: 16 contributions
chaance: 15 contributions
pshrmn: 14 contributions
greenkeeperio-bot: 11 contributions

Languages

JavaScript: 54.3%
TypeScript: 37.2%
HTML: 8.5%

Commit activity

Last 12 weeks · 0 commits


Community health

3 of 6 standards met

Community health score: 50%
✓ README · ✓ License · ✓ Contributing · ○ Code of Conduct · ○ Issue Template · ○ PR Template

Recent PRs & issues

Quiet · Last activity 1y ago
arpitjain099
chore(ci): declare contents: read on test (Open PR)

Adds a workflow-level block to . The test workflow only reads the repository contents; it does not push, comment, or release. Declaring the minimum scope means a compromised third-party action cannot abuse the run's token to escalate. This is the pattern GitHub recommends in their token hardening guide and is what OpenSSF Scorecard's check looks for. A recent reminder of why this matters: tj-actions/changed-files compromise in March 2025 (CVE-2025-30066). Verified with .

arpitjain099 · 1mo ago
ebsmoove
[Security] Open Redirect vulnerability via double-slash pathname in history v4.x (CVE-2025-68470) (Open Issue)

Reproduction

Fork with failing tests: https://github.com/ebsmoove/history/tree/bug-report/v4-open-redirect-cve-2025-68470

Steps to reproduce:
1. Clone the fork:
2. Checkout branch:
3. Install dependencies:
4. Run tests:
5. Observe 8 failing tests demonstrating the open redirect vulnerability

Fix available: https://github.com/remix-run/history/pull/981

System Info

System:
  OS: macOS 15.6.1
  CPU: (12) arm64 Apple M2 Pro
  Memory: 1.98 GB / 32.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.14.0 - /Users/X/.asdf/installs/nodejs/22.14.0/bin/node
  npm: 10.9.2 - /Users/X/.asdf/plugins/nodejs/shims/npm

Used Package Manager

npm

Expected Behavior

Pathnames with embedded double-slashes like should be normalized to to prevent the browser from interpreting them as protocol-relative URLs that redirect to external sites.

Actual Behavior

Pathnames with embedded double-slashes like are passed through unchanged, allowing browsers to interpret them as protocol-relative URLs (e.g., ), enabling open redirect attacks.

ebsmoove · 5mo ago
KyleSudu1
Fix/v4 open redirect CVE 2025 68470 v2 (Open PR)

## Summary

This PR fixes a high-severity open redirect vulnerability (CVE-2025-68470) in the package that affects all React Router v5 applications. This work was co-authored by my coworkers Kevin Polson and Eric Boshart.

## Vulnerability Details

CVE: CVE-2025-68470
Snyk ID: SNYK-JS-REACTROUTER-14908286
Severity: High (CVSS 7.1)
Type: Open Redirect (CWE-601)
Affected Versions: All versions

// Redirects externally
// Redirects externally

```javascript
// After fix
createLocation('//evil.com')
// → pathname: "/evil.com" (safe, internal path)
createLocation('/path//to///resource')
// → pathname: "/path/to/resource"
```

### Key Changes:

1. After pathname decoding, detect and normalize embedded double-slashes
2. Replace consecutive slashes (/\/\/+/g) with single slash
3. Emit development warning to guide developers to correct usage
4. Maintains full backward compatibility

### Testing

Test Coverage: 132/132 tests passing
All 122 existing tests continue to pass
10 new security-specific tests added:

### References

Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-REACTROUTER-14908286
CWE-601: https://cwe.mitre.org/data/definitions/601.html
React Router v6 Fix: The vulnerability was fixed in react-router@6.30.2+, but v5 users cannot easily upgrade

KyleSudu1 · 5mo ago

Recent fixes

arpitjain099
ci: scope test workflow token to contents: read (Merged PR)

I work on software supply chain security and have been hardening GitHub Actions workflows across OSS projects. Each of these workflows runs without a top-level block, so its inherits the repository (or org) default, which is frequently read/write for all scopes. This PR sets at the workflow level for , which is all these jobs need (checkout plus the build/test steps). Scoping the token to read-only shrinks what a compromised step or dependency can do, a concern made concrete by the March 2025 compromise (CVE-2025-30066), where a leaked write-scoped was the blast radius. No job behavior changes; the steps already only read the repository.

arpitjain099 · 1mo ago
GaetanoPiazzolla
React router not working after upgrading to v 5 (Closed Issue)

Hello, we've upgraded the history version to 5.0.0 without knowing it because it was set to "latest" in package.json. What we have found is that the URL in the browser gets correctly updated using "history.push()" (with both BrowserHistory and HashHistory) but the navigation is not triggered anymore. Also, using react-router-dom Link component, the path gets built wrong, skipping the first "/" after the base path. Switching back to 4.10.1 fixed the issues for us.

GaetanoPiazzolla · 1y ago
Structured data for AI agents

Repository: remix-run/history. Description: Manage session history with JavaScript. Stars: 8313, Forks: 957. Primary language: JavaScript. Languages: JavaScript (54.3%), TypeScript (37.2%), HTML (8.5%). License: MIT. Latest release: v5.3.0 (4y ago). Open PRs: 18, open issues: 108. Last activity: 1y ago. Community health: 50%. Top contributors: mjackson, taion, michalkvasnicak, timdorr, ryanflorence, chaance, pshrmn, greenkeeperio-bot, TrySound, tvervest and others.
