@qu0b qu0b commented Dec 5, 2025

changeset-bot bot commented Dec 5, 2025

⚠️ No Changeset found

Latest commit: 8ab8468

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


remix-cla-bot bot commented Dec 5, 2025

Hi @qu0b,

Welcome, and thank you for contributing to React Router!

Before we consider your pull request, we ask that you sign our Contributor License Agreement (CLA). We require this only once.

You may review the CLA and sign it by adding your name to contributors.yml.

Once the CLA is signed, the CLA Signed label will be added to the pull request.

If you have already signed the CLA and received this response in error, or if you have any questions, please contact us at [email protected].

Thanks!

- The Remix team

remix-cla-bot bot commented Dec 5, 2025

Thank you for signing the Contributor License Agreement. Let's get this merged! 🥳

@brophdawg11 brophdawg11 left a comment

Thanks!

@brophdawg11

CI is failing because the package.json files are out of sync with the lockfile. Can you run pnpm install locally to update the lockfile and commit that as well?

@brophdawg11 changed the title from "fix: bump react-server-dom-parcel to patch CVE-2025-55182" to "fix: bump react-server-dom-parcel in internal repo deps" on Dec 5, 2025

@brophdawg11 added the "dependencies" label (Pull requests that update a dependency file) on Dec 5, 2025

timdorr commented Dec 5, 2025

I ran it. It should go through now.

dexter-11 commented Dec 6, 2025

@timdorr @brophdawg11 @qu0b Can we also bump "@vitejs/plugin-rsc": "0.4.30" to the latest as per the same blog? I found multiple instances of it using this search on react-router

There is a vulnerable instance of "react-server-dom-webpack": "^19.1.1" present in packages/plugin-rsc/package.json for v0.4.30 of the @vitejs/plugin-rsc package, which is a point of concern.

  • Instead of bumping, we could also include the fixed version of react-server-dom-webpack package in react-router to override it.

timdorr commented Dec 6, 2025

This is all internal tooling and devDependencies. It doesn't affect users of the library, so it doesn't need to be updated.
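
Added example, not part of the thread and not React Router's own code: a triage sketch for the distinction drawn in the last two comments, listing where a watched package is declared and whether that declaration is installed by consumers of a published package. The manifests, the `example-lib` and `example-app` names, the placeholder range and `classifyExposure` are constructed for illustration.

```javascript
// Fields that npm/pnpm install for consumers of a published package.
const RUNTIME_FIELDS = ["dependencies", "peerDependencies", "optionalDependencies"];
const ALL_FIELDS = [...RUNTIME_FIELDS, "devDependencies"];

// Package names mentioned in the thread.
const WATCHED = ["react-server-dom-parcel", "react-server-dom-webpack", "@vitejs/plugin-rsc"];

// Returns one finding per (manifest, field) that declares a watched package.
// Limit: direct declarations only. Transitive installs and code bundled into
// published build output need a lockfile or bundle check instead.
function classifyExposure(manifests, watched) {
  const findings = [];
  for (const { path, json } of manifests) {
    for (const field of ALL_FIELDS) {
      for (const [name, range] of Object.entries(json[field] || {})) {
        if (!watched.includes(name)) continue;
        // devDependencies are never installed for consumers, and a manifest
        // marked "private": true is never published at all.
        const reachesConsumers = RUNTIME_FIELDS.includes(field) && json.private !== true;
        findings.push({ path, field, name, range, reachesConsumers });
      }
    }
  }
  return findings;
}

// Constructed manifests (hypothetical paths and contents, not the real repo).
const sampleManifests = [
  { path: "package.json",
    json: { private: true,
            devDependencies: { "react-server-dom-parcel": "<placeholder-range>",
                               "@vitejs/plugin-rsc": "0.4.30" } } },
  { path: "packages/example-lib/package.json",
    json: { name: "example-lib",
            dependencies: { "react-server-dom-webpack": "^19.1.1" },
            devDependencies: { "@vitejs/plugin-rsc": "0.4.30" } } },
  { path: "playground/example-app/package.json",
    json: { private: true,
            dependencies: { "react-server-dom-webpack": "^19.1.1" } } },
];

for (const f of classifyExposure(sampleManifests, WATCHED)) {
  const verdict = f.reachesConsumers ? "SHIPS TO CONSUMERS" : "repo-internal";
  console.log(`${f.path}: ${f.name}@${f.range} in ${f.field} -> ${verdict}`);
}
```

Only the `dependencies` entry in the non-private `example-lib` manifest is flagged as reaching consumers; the same package in a private app or in `devDependencies` is reported as repo-internal.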
