Adds a workflow-level block to . The test workflow only reads the repository contents; it does not push, comment, or release. Declaring the minimum scope means a compromised third-party action cannot abuse the run's token to escalate. This is the pattern GitHub recommends in its token hardening guide and is what OpenSSF Scorecard's check looks for. A recent reminder of why this matters: the tj-actions/changed-files compromise in March 2025 (CVE-2025-30066). Verified with .
## Reproduction

Fork with failing tests: https://github.com/ebsmoove/history/tree/bug-report/v4-open-redirect-cve-2025-68470

Steps to reproduce:

1. Clone the fork:
2. Checkout branch:
3. Install dependencies:
4. Run tests:
5. Observe 8 failing tests demonstrating the open redirect vulnerability

**Fix available:** https://github.com/remix-run/history/pull/981

## System Info

```
System:
  OS: macOS 15.6.1
  CPU: (12) arm64 Apple M2 Pro
  Memory: 1.98 GB / 32.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.14.0 - /Users/X/.asdf/installs/nodejs/22.14.0/bin/node
  npm: 10.9.2 - /Users/X/.asdf/plugins/nodejs/shims/npm
```

## Used Package Manager

npm

## Expected Behavior

Pathnames with embedded double-slashes like should be normalized to to prevent the browser from interpreting them as protocol-relative URLs that redirect to external sites.

## Actual Behavior

Pathnames with embedded double-slashes like are passed through unchanged, allowing browsers to interpret them as protocol-relative URLs (e.g., ), enabling open redirect attacks.
## Summary

This PR fixes a high-severity open redirect vulnerability (CVE-2025-68470) in the package that affects all React Router v5 applications.

This work was co-authored by my coworkers Kevin Polson and Eric Boshart.

## Vulnerability Details

- CVE: CVE-2025-68470
- Snyk ID: SNYK-JS-REACTROUTER-14908286
- Severity: High (CVSS 7.1)
- Type: Open Redirect (CWE-601)
- Affected Versions: All versions

```javascript
// Redirects externally
// Redirects externally

// After fix
createLocation('//evil.com') // → pathname: "/evil.com" (safe, internal path)
createLocation('/path//to///resource') // → pathname: "/path/to/resource"
```

### Key Changes:

1. After pathname decoding, detect and normalize embedded double-slashes
2. Replace consecutive slashes (/\/\/+/g) with single slash
3. Emit development warning to guide developers to correct usage
4. Maintains full backward compatibility

### Testing

Test Coverage: 132/132 tests passing

- All 122 existing tests continue to pass
- 10 new security-specific tests added:

### References

- Snyk Advisory: https://security.snyk.io/vuln/SNYK-JS-REACTROUTER-14908286
- CWE-601: https://cwe.mitre.org/data/definitions/601.html
- React Router v6 Fix: The vulnerability was fixed in react-router@6.30.2+, but v5 users cannot easily upgrade
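The PR description above explains the normalization step but not why an unnormalized pathname is dangerous. The following is an added example written for this page, not code from remix-run/history or from the PR: it uses the same consecutive-slash pattern the PR names and the WHATWG URL API to show which host a browser would actually resolve a pathname against. `createLocationUnsafe` and `createLocationSafe` are simplified stand-ins (an assumption) for the library's pre- and post-fix behaviour, and `APP_ORIGIN` and `SAMPLE_PATHS` are constructed inputs.

```javascript
// Added example, not code from remix-run/history: shows why an unnormalized
// pathname beginning with "//" becomes an external redirect, and the
// collapse-consecutive-slashes normalization the PR describes.

// Same pattern the PR names: a slash followed by one or more extra slashes.
const CONSECUTIVE_SLASHES = /\/\/+/g;

// Collapse runs of slashes so "//evil.com" becomes "/evil.com" and
// "/path//to///resource" becomes "/path/to/resource".
function normalizePathname(pathname) {
  return pathname.replace(CONSECUTIVE_SLASHES, '/');
}

// Illustrative pre-fix behaviour (assumption, simplified): the pathname is
// stored unchanged, so whatever the caller passed reaches the browser.
function createLocationUnsafe(path) {
  return { pathname: path };
}

// Illustrative post-fix behaviour (assumption, simplified): normalize first,
// and warn outside production when the input had to be rewritten.
function createLocationSafe(path) {
  const pathname = normalizePathname(path);
  if (pathname !== path && process.env.NODE_ENV !== 'production') {
    console.warn(
      `Pathname "${path}" contained consecutive slashes; normalized to "${pathname}"`
    );
  }
  return { pathname };
}

// Resolve a pathname the way a browser does, relative to the app's origin,
// and report the host it lands on. A pathname starting with "//" is parsed
// as a protocol-relative URL, so the host silently changes.
function resolvedHost(pathname, origin) {
  return new URL(pathname, origin).host;
}

// Constructed sample inputs for the demonstration.
const APP_ORIGIN = 'https://app.example';
const SAMPLE_PATHS = ['//evil.com', '/path//to///resource', '/safe/path'];

// One row per sample: where the unsafe and safe locations would navigate.
function demo() {
  return SAMPLE_PATHS.map((p) => {
    const safe = createLocationSafe(p);
    return {
      input: p,
      unsafeHost: resolvedHost(createLocationUnsafe(p).pathname, APP_ORIGIN),
      safeHost: resolvedHost(safe.pathname, APP_ORIGIN),
      safePathname: safe.pathname,
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Running the block prints a table in which `//evil.com` resolves to host `evil.com` before normalization and to `app.example` after it, while ordinary paths keep the same host either way; the embedded-slash case also shows that the fix only changes the pathname, never the origin.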
I work on software supply chain security and have been hardening GitHub Actions workflows across OSS projects. Each of these workflows runs without a top-level block, so its inherits the repository (or org) default, which is frequently read/write for all scopes. This PR sets at the workflow level for , which is all these jobs need (checkout plus the build/test steps). Scoping the token to read-only shrinks what a compromised step or dependency can do, a concern made concrete by the March 2025 compromise (CVE-2025-30066), where a leaked write-scoped was the blast radius. No job behavior changes; the steps already only read the repository.
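Both PR descriptions above make the same point: without a workflow-level `permissions` block the job token inherits the repository default, and the fix is to declare read-only scopes at the top of the workflow. The following is an added example written for this page, not code from any project named here: a small Node.js check that flags a workflow file which lacks a top-level `permissions` block or grants `write` scopes, with the weak and hardened workflow side by side. The two workflow texts are constructed samples, and the scanner is line-based (an assumption: a conventionally indented top-level `permissions:` mapping, not full YAML).

```javascript
// Added example, not from any project on this page: flag GitHub Actions
// workflows whose GITHUB_TOKEN is not explicitly scoped to read-only.
// Line-based scan (assumption: conventionally indented YAML, no YAML parser).

// Constructed sample: no top-level permissions, so the token inherits the
// repository or org default, which may be read/write for every scope.
const WORKFLOW_INHERITS_DEFAULT = `name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
`;

// Constructed sample: the hardened form, read-only contents at workflow level.
const WORKFLOW_READ_ONLY = `name: test
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
`;

// Find the workflow-level (unindented) permissions key. A job-level
// permissions key is indented and deliberately ignored: it scopes one job,
// not the default every job inherits.
function findTopLevelPermissions(workflowText) {
  const lines = workflowText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const m = /^permissions\s*:\s*(.*)$/.exec(lines[i]);
    if (!m) continue;
    const inline = m[1].trim(); // e.g. "read-all", "write-all", "{}" or ""
    const scopes = {};
    if (inline === '') {
      // Collect the indented "scope: level" entries until indentation ends.
      for (let j = i + 1; j < lines.length; j++) {
        const line = lines[j];
        if (line.trim() === '' || /^\s*#/.test(line)) continue; // blank or comment
        const entry = /^\s+([\w-]+)\s*:\s*(\S+)/.exec(line);
        if (!entry) break; // back at top level: mapping ended
        scopes[entry[1]] = entry[2];
      }
    }
    return { present: true, inline: inline || null, scopes };
  }
  return { present: false, inline: null, scopes: {} };
}

// Decide whether the workflow token is explicitly limited to read-only.
function assessWorkflow(workflowText) {
  const perms = findTopLevelPermissions(workflowText);
  if (!perms.present) {
    return { ok: false, reason: 'no workflow-level permissions block; token inherits repository default' };
  }
  if (perms.inline === 'write-all') {
    return { ok: false, reason: 'permissions: write-all grants every scope' };
  }
  const writes = Object.entries(perms.scopes)
    .filter(([, level]) => level === 'write')
    .map(([scope]) => scope);
  if (writes.length > 0) {
    return { ok: false, reason: `write scopes granted: ${writes.join(', ')}` };
  }
  return { ok: true, reason: 'token explicitly limited to read-only scopes' };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('inherits default:', assessWorkflow(WORKFLOW_INHERITS_DEFAULT));
  console.log('read-only:', assessWorkflow(WORKFLOW_READ_ONLY));
}
```

Pointing `assessWorkflow` at the contents of each file under `.github/workflows/` gives a quick inventory of which workflows still rely on the repository default; the check reports `ok: false` for the first sample and `ok: true` for the second.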
Hello, we've upgraded the history version to 5.0.0 without knowing it because it was set to "latest" in package.json. What we have found is that the url in the browser gets correctly updated using "history.push()" (with both BrowserHistory and HashHistory) but the navigation is not triggered anymore. Also, using react-router-dom Link component, the path gets built wrong, skipping the first "/" after the base path. Switching back to 4.10.1 fixed the issues for us.
Repository: remix-run/history. Description: Manage session history with JavaScript Stars: 8313, Forks: 957. Primary language: JavaScript. Languages: JavaScript (54.3%), TypeScript (37.2%), HTML (8.5%). License: MIT. Latest release: v5.3.0 (4y ago). Open PRs: 18, open issues: 108. Last activity: 1y ago. Community health: 50%. Top contributors: mjackson, taion, michalkvasnicak, timdorr, ryanflorence, chaance, pshrmn, greenkeeperio-bot, TrySound, tvervest and others.