Last 12 weeks · 366 commits
4 of 6 standards met
Summary
Upgrade axios from 1.6.8 to 1.7.4 to fix CVE-2024-39338.

Vulnerability Description: axios: axios: Server-Side Request Forgery

Evidence
Scanner confirmation: trivy rule flagged this pattern.
Production code: This file is in the production codebase, not test-only code.

Threat Model Context
This is a web application - XSS and injection vulnerabilities can affect end users.

Changes

Verification
[x] Build passes
[x] Scanner re-scan confirms fix
[x] LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.

Automated security fix by OrbisAI Security
Description
can crash when another process runs at the same time. The failure is a filesystem race on :

This happens because the dev-server typegen watcher and a standalone invocation both try to remove and rewrite the same generated directories concurrently.

Reproduction
1. Start the dev server in a Framework Mode app:
2. While dev is running, trigger typegen from another process (common in real projects): Or run a script that shells out to typegen, e.g.: with a pre-commit hook that also runs before .
3. Repeat a few times or trigger a route-config change in dev while typegen is running.

Expected: Both processes complete; generated types stay consistent.
Actual: Dev server or typegen crashes with when one process s (or the whole tree) while the other is still writing.

Root cause
In : and call before writing also calls on route-config changes, which removes
There is no cross-process coordination between the Vite plugin watcher and CLI

Proposed fix
1. Serialize typegen writes with a cross-process lock outside the generated tree (e.g. ), so dev watcher and CLI typegen cannot overlap destructive writes
2. Retry on retryable errors (, , ) with short backoff before surfacing the error

Environment
: 8.1.0
Node: >= 22
OS: macOS (also reported on other platforms with parallel file operations)

Happy to open a PR with lock + retry if this approach looks good.
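The lock-plus-retry approach proposed in this issue, as an added TypeScript example that is not react-router's code: a lock directory outside the generated tree serializes the remove-and-rewrite step across processes, and retryable filesystem errors get a short backoff before the error surfaces. The lock path, the set of retryable error codes and the backoff values are assumptions, not taken from the issue.

```typescript
// Added example, not react-router's code: the lock + retry shape the issue
// proposes. mkdirSync creates the lock directory atomically, so two processes
// cannot both own the generated tree. Assumed, not from the issue: the lock
// path, the retryable codes (ENOENT, ENOTEMPTY, EBUSY) and the backoff values.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

type ErrnoLike = { code?: string };
const RETRYABLE = new Set(["ENOENT", "ENOTEMPTY", "EBUSY"]);
const sleepSync = (ms: number) =>
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);

// Retry fn on retryable filesystem errors with a short linear backoff; any
// other error, or the final failure, is rethrown to the caller.
function retryFs<T>(fn: () => T, attempts = 5, baseMs = 20): T {
  for (let attempt = 1; ; attempt++) {
    try { return fn(); }
    catch (err) {
      if (!RETRYABLE.has((err as ErrnoLike).code ?? "") || attempt >= attempts) throw err;
      sleepSync(baseMs * attempt);
    }
  }
}

// Run fn holding an exclusive cross-process lock at lockDir. A second holder gets
// EEXIST from mkdirSync and polls until timeoutMs, then gives up instead of
// clobbering the other process's output; the lock is always released afterwards.
function withLock<T>(lockDir: string, fn: () => T, timeoutMs = 5000): T {
  const deadline = Date.now() + timeoutMs;
  for (;;) {
    try { fs.mkdirSync(lockDir); break; }
    catch (err) {
      if ((err as ErrnoLike).code !== "EEXIST" || Date.now() > deadline) throw err;
      sleepSync(25);
    }
  }
  try { return fn(); } finally { fs.rmSync(lockDir, { recursive: true, force: true }); }
}

// Remove and rewrite a generated types directory under the lock, retrying the
// destructive step if a leftover race still surfaces as a retryable error.
function regenerateTypes(outDir: string, lockDir: string, content: string): string {
  return withLock(lockDir, () => retryFs(() => {
    fs.rmSync(outDir, { recursive: true, force: true });
    fs.mkdirSync(outDir, { recursive: true });
    const file = path.join(outDir, "routes.d.ts");
    fs.writeFileSync(file, content);
    return file;
  }));
}
```

Both the dev watcher and the CLI would call regenerateTypes with the same lockDir; a held lock makes the second caller wait instead of deleting a tree the first is still writing.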
The example for navigating with a object places inside the object: But is not a property of (, and is only / / ), so this is a TypeScript excess-property error. At runtime reads from its second argument (), so the above is silently dropped, and is empty on the next page, which is the opposite of what the sentence right below the example promises. This moves into the options argument so the example type-checks and actually populates .
classifies each path segment as static, dynamic, or empty to rank matching routes. A segment that starts with a param but carries a static suffix, such as , is dynamic: compiles it to and captures a param. But scores it as a fully static segment, so and a truly static get the same score and tie. The tie is broken by declaration order, so when the dynamic route is declared first, a request for the literal matches with instead of the static route.

This breaks the invariant that a static route beats a dynamic one regardless of order, and the documented workaround of adding a static path to disambiguate does not help, since the static path is present and still loses. Real cases: per-language sitemaps or feeds ( + ), asset routes ( + ), extension routes ( + ).

Cause
:
const paramRe = /^:[\w-]+$/;
The trailing requires the whole segment to be a bare param, so a param with a static suffix fails the test and is scored as static. The router's own definition of a param is a segment that starts with ( uses ; a mid-segment colon like stays static).

Fix
Drop the so a segment counts as dynamic when it starts with a param token:
const paramRe = /^:[\w-]+/;
Predicate table after the change: dynamic, dynamic, dynamic, dynamic, static, static (mid-segment colon, unchanged), static.

Added (uses the export): the static route wins in either declaration order, and still matches . It fails before the change; the , and suites (82 tests) stay green.

One point for review: this also changes a previously order-dependent case. no longer automatically outranks a sibling ; both are dynamic now and tie, so declaration order decides. That is arguably more correct, but if you would rather rank suffix-params strictly between plain-dynamic and static, that needs a dedicated weight, which is the re-weighting direction discussed in #13666. This change stays narrow and only corrects the static-vs-dynamic inversion.
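The ranking inversion this PR describes, reproduced in an added TypeScript example that is not react-router's own code: a small model of the segment classifier and ranker is run with paramRe before and after the fix over a constructed pair of routes, and it also exercises the review point that a plain param and a suffix param now tie. The per-segment weights and the stable tie-break by declaration order are assumptions modelled on the description, not copied from the router.

```typescript
// Added example, not react-router's code: a minimal model of the ranker the PR
// describes. The weights (static > dynamic > empty) and the stable tie-break by
// declaration order are assumptions modelled on the description.
const WEIGHT = { static: 10, dynamic: 3, empty: 1 } as const;

// Before the fix: the trailing "$" accepts only a bare ":param" as dynamic.
const paramReBefore = /^:[\w-]+$/;
// After the fix: any segment that starts with a param token is dynamic.
const paramReAfter = /^:[\w-]+/;

type Kind = keyof typeof WEIGHT;

function classify(segment: string, paramRe: RegExp): Kind {
  if (paramRe.test(segment)) return "dynamic";
  return segment === "" ? "empty" : "static";
}

function score(routePath: string, paramRe: RegExp): number {
  return routePath
    .split("/")
    .reduce((total, seg) => total + WEIGHT[classify(seg, paramRe)], 0);
}

// Higher score first; equal scores keep declaration order, which is exactly
// the order dependence the PR points at.
function rank(declared: string[], paramRe: RegExp): string[] {
  return declared
    .map((p, i) => ({ p, i, s: score(p, paramRe) }))
    .sort((a, b) => b.s - a.s || a.i - b.i)
    .map((r) => r.p);
}

// Constructed reproduction: the suffix-param route is declared before the
// static route that a request for the literal path should hit.
const declared = ["/:lang.xml", "/sitemap.xml"];

function winnerBefore(): string { return rank(declared, paramReBefore)[0]; }
function winnerAfter(): string { return rank(declared, paramReAfter)[0]; }

console.log("before fix:", rank(declared, paramReBefore));
console.log("after fix: ", rank(declared, paramReAfter));
```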
Repository: remix-run/react-router. Description: Declarative routing for React Stars: 56489, Forks: 10902. Primary language: TypeScript. Languages: TypeScript (98.9%), JavaScript (0.8%), CSS (0.3%), Shell (0%), MDX (0%). License: MIT. Homepage: https://reactrouter.com Latest release: react-router@8.1.0 (4d ago). Open PRs: 34, open issues: 88. Last activity: 1d ago. Community health: 75%. Top contributors: brophdawg11, mjackson, ryanflorence, remix-run-bot, chaance, pcattori, markdalgleish, taion, github-actions[bot], timdorr and others.