[Snyk] Security upgrade react-router-dom from 5.0.0 to 6.0.0 #66
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
admin-frontend/package.json
admin-frontend/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-PATHTOREGEXP-7925106
Release notes
Package name: react-router-dom
React Router v6 is here!
Please go read our blog post for more information on all the great stuff in v6 including notes about how to upgrade from React Router v5 and Reach Router.
Remember last week when we said
Yeah, about that … 😅
We found and squashed a few high-priority bugs that needed to be addressed first. But it's coming very soon, we promise! In the meantime, here's what you'll get from our eight-est and greatest beta release:
🐛 Bug Fixes
- `useHref` that resulted in the incorrect resolved value in cases where a `basename` is used on the `<Router />` component (See #8133 and #8142 for details).
- `*` path value) are now correctly ranked ahead of layout routes.
🗒️ Docs
We've added lots of goodies to our docs and examples, and there's a lot more yet to come. Take a look and see if you find something that makes your work a little easier! We think the lazy loading and custom query parsing examples are particularly cool! 🤓
In this release we made a small but significant change to how `<Link to="..">` works. This is going to help out a lot if you were trying to use links in a `*` route.
We have also backed out our blocking/prompt APIs for the stable v6 release. We will revisit this post 6.0 when we have a little more time to get it right.
✨ Features
The major change in this release could also be classified as a bugfix or a breaking change, depending on how you look at it. We essentially altered the way `<Link to="..">` works. See #8086 for the motivation behind this change.
You'll probably want to reread the section in the v5 => v6 migration guide about `<Link to>` values (it has been updated), but it basically boils down to this: any leading `..` segment in a `<Link to>` value traverses "up" one route and builds upon that route's path instead of just removing one URL segment. This feature really completes the story of relative routes and links.
We could consider this a bugfix, since this is how it was always intended to work in the first place. Without it, you'd have a difficult time linking predictably in `*` routes because your `<a href>` would be different depending on the number of segments in the current URL.
The reason this could also be considered a breaking change is that `..` now works slightly differently in `<Link to>` than it would in `<a href>`. When you have `<a href="..">` it operates on the URL pathname, removing one segment of the current URL. However, since many routes really only match a single segment of the URL, there is often no difference between `<Link to="..">` and `<a href="..">`.
💔 Breaking Changes
- `useBlocker()`, `usePrompt()`, and `<Prompt>` for now. We will revisit these post 6.0 when we have more time to get it right. But we don't want it to block (see what I did there) the release of all the other awesome stuff we've got in v6.
🛠 Roadmap
We anticipate this will be the last beta release before v6 stable next week. Please give it a shot and let us know how it goes!
👍 Upgrading
If you're thinking about upgrading to v6, I published a few notes this past week that may help you:
- `<Redirect>` elements from any `<Switch>`es you may have in your v5 app and how you can get better SEO in the process if you're currently relying on client-side redirects.
- `<Route>` elements, which won't work in v6.
Both of those posts contain steps you can take today in your v5 app without upgrading to v6.
We are also developing a backwards compat lib that should help some of you upgrade from v5 to v6. We'll post more about this when it's ready.
💻 Installing
Development for v6 has switched from `dev` to the `main` branch.
If you'd like to test it out, install from npm:
$ npm install history react-router-dom@next
No big enhancements in this release, just squashing bugs and writing lots of tests! Also, we are hard at work on cranking out examples for v6. See the end of this post for an update on our roadmap between here and v6 stable.
🧰 Examples
We have begun creating some examples for v6 that we hope will help developers make effective use of all the new features we have. So far, we have examples for the following:
- `<Outlet>` API
- `useNavigate()` hook, the `<Navigate>` element, and `location.state`
- `useSearchParams()` hook
- `<StaticRouter>` on the server and uses a `<BrowserRouter>` with `ReactDOM.hydrate()` on the client
Each example includes a button in the README that allows you to instantly launch a running instance on StackBlitz that you can play with. We hope you enjoy exploring!
🐛 Bugfixes
- `<NavLink>` match only whole URL segments instead of pieces. This means that `<NavLink to="/home/users">` will still be active at `/home/users`, but not at `/home/users2`. See #7523
- `path`) never match unless one of their children do. See #8085
- `<Routes>`. This reverses a decision that we made in beta.5 to remove them. See #8073
💔 Breaking Changes
- `*`) match only after a `/` in the URL. This means that `<Route path="files*">` will always match as if it were `<Route path="files/*">`. The router will issue a warning if your route path ends with `*` but not `/*`
🛠 Roadmap
We are very close to a stable release! The last big code changes we need to make are:
- `<Link to="..">` operates on the URL pathname. However, this makes it difficult to link to the parent route when you're in a splat route. See #8086. This will be a breaking change.
- `useBlocker()` and `<Prompt>` in our initial v6 release, with plans to revisit them and possibly add them back at some point in the future. I still need to write up something here that explains our rationale. This will also be a breaking change.
- `<Routes location>` prop will be in v6, but it isn't ideal for animation.
💻 Installing
Development for v6 is chugging along on the `dev` branch.
If you'd like to test it out, install from npm:
$ npm install history react-router-dom@next
This week's release adds some much-needed polish to a few niche features of the router: splat routes (a route that uses a `*` path) and basenames. It also adds a `renderMatches` API that completes the story for those of you who may have been using `react-router-config` in v4 and v5.
🐛 Bugfixes
- `*` in a child route path matches after a slash following its parent route path. This fixes some situations where the `*` was overly greedy (see #7972)
- `<Link to=".">` and `useResolvedPath(".")` values are fixed in splat routes. Previously these resolved relative to the parent route's path. They now resolve relative to the path of the route that rendered them.
✨ Enhancements
This release makes it easier to work with apps that have multiple entry points. Using the `<Router basename>` prop allows React Router to be easily deployed on only a portion of a larger site by using a portion of the URL pathname (the "basename") to transparently prefix all route paths and link navigations.
For example, you can deploy one React Router app at the `/inbox` URL prefix, and another one at the `/admin` prefix. These base URLs represent two different entry points into your app, each with its own bundles. The rest of your site, including the root `/` URL could be rendered by something other than React Router, for example by your server framework of choice.
In the bundle for each entry point, simply initialize React Router with the basename of that entry point.
Then define your routes and link paths without using the `/inbox` URL prefix in any of them. The entire app will run relative to that prefix.
Another improvement in this release is the addition of the `renderMatches` API, which is the complement of `matchRoutes`. These APIs are both very low-level and should not normally be needed. But they are sometimes nice to use if you are doing your own data loading using the array of `matches` that you get back from `matchRoutes`.
`matchRoutes` and `renderMatches` are the equivalent of the `react-router-config` package we shipped in v4 and v5, just built directly into the router instead of in a separate package.
💔 Breaking Changes
- `<Routes basename>` has moved to `<Router basename>`. This prop is also available on all router variants (`<BrowserRouter>`, `<HashRouter>`, etc.).
- `useLocation().pathname` no longer includes the basename, if present.
- `basename` argument was removed from `useRoutes`. This reverts the signature to `useRoutes(routes, location)`, same as it was previous to beta.4.
- `<Routes>` do not get the params from their parents. This helps a set of `<Routes>` to be more portable by decoupling it from the params of its parents and makes it easier to know which params will be returned from `useParams()`. If you were relying on this behavior previously, you'll need to pass along the params manually to the elements rendered by the descendant `<Routes>`. See this comment for an example of how this is to be done and for a potential workaround if you really need the old behavior.
- `match.pathname` in a splat route now includes the portion of the pathname matched by the `*`. This makes the `*` param behave much more like other dynamic `:id`-style params.
- `<Link>`s in splat routes is changed now because the entire pathname that was matched by that route is now different (see previous bullet). Instead of resolving relative to the portion of the pathname before the `*`, paths resolve relative to the full pathname that was matched by the route.
💻 Installing
Development for v6 is chugging along on the `dev` branch.
If you'd like to test it out, install from npm:
$ npm install history react-router-dom@next
Last week we released a lot of nice little bug features, but we did get a little carried away and let a little bug slip through with relative path resolution. Our bad! That nasty lil' guy is squashed in this week's beta. 🐛
And there's more! Let's dive in…
🐛 Bugfixes
✨ Enhancements
- `Params` type which is now generic, so you can add your own types if you know what to expect from functions that return query parameters. (#8019)

```tsx
// before:
let { valid, invalid } = useParams(); // No problems here!
let match = useMatch("profile/:userId");
let userId = match?.params.user; // wrong param, but TS doesn't know that!
// after:
let { valid, invalid } = useParams<"valid" | "key">(); // Property 'invalid' does not exist on type 'Params<"valid" | "key">'
let match = useMatch<"userId">("profile/:userId");
let userId = match?.params.user; // Property 'user' does not exist on type 'Params<"userId">'
```
There was quite a bit of discussion in #7335 from people who are using constants to define their route paths. In this style, paths are often written as absolute paths from the root `/` URL. These constants are then able to be used both in `<Route path>` definitions as well as `<Link to>` values. It usually looks something like this:

```jsx
const USERS_INDEX_PATH = `${USERS_PATH}/`;
const USER_PROFILE_PATH = `${USERS_PATH}/:id`;

function UsersRoutes() {
  return (
    <Routes>
      <Route path={USERS_PATH} element={<UsersLayout />}>
        <Route path={USERS_INDEX_PATH} element={<UsersIndex />} />
        <Route path={USER_PROFILE_PATH} element={<UserProfile />} />
      </Route>
    </Routes>
  );
}
```
This style of use is now fully supported in v6. This is great for people who write their apps like this, but it technically could cause some breakage if you were using absolute paths (that start with `/`) in nested routes in previous betas. To fix this, simply remove the `/` from the beginning of any route paths that are meant to be relative. React Router will throw an error if you are using absolute paths that don't match their parent route paths. Hopefully this should help you find them if you are upgrading.
If you were using `<Route path="/">` to indicate an index route, you can now use the new `<Route index>` prop to accomplish the same thing. The `index` prop makes it easy to scan a route config to find the index route. It also provides a guarantee that nobody will ever add children to that route.
Here's the same route config as the one above, but rewritten with relative paths and the `index` prop:
A lot of our work on React Router is about doing the least surprising thing for our users. Allowing absolute paths in nested routes gets us a little closer to that goal!
💔 Breaking Changes
- Removed the ability for nested route paths to begin with a `/` and not contain the complete path of their parent routes. This was necessary in order to introduce support for absolute paths in nested routes, described in detail above
- Removed the `createRoutesFromArray` utility function. You can now pass your routes directly to `useRoutes` or `matchRoutes` without passing it through `createRoutesFromArray` first
- Removed the `PartialRouteObject` type. If you were importing and using this type before, use `RouteObject` instead, which has been updated to make all properties optional
- The `useRoutes` API has changed slightly. Instead of passing a basename as the second argument, you should instead pass it as a named property in an object:

```jsx
// Before
useRoutes([...routes], basename);
// After
useRoutes([...routes], { basename });
```

- `matchPath` function now returns `match.pattern` instead of `match.path`, which is a little more descriptive about what it actually is
💻 Installing
Development for v6 is chugging along on the `dev` branch.
If you'd like to test it out, install from npm:
$ npm install history react-router-dom@next
Loads of goodies for you this week, as well as a few breaking changes for all of you eager beavers who are brave enough to use beta software in production! 🦫
(seriously, thank you all for helping us tighten up our APIs and fix nasty bugs)
💔 Breaking Changes!
- `NavLink` no longer supports the `activeClassName` or `activeStyle` props. Instead, we provide a more powerful API that allows you to pass functions to either the `className` or `style` props to conditionally apply values based on the link's `active` state. While a bit more verbose in some cases, this offers a nicer experience for folks who use utility class-based CSS. (#7194)

```jsx
// Before
<NavLink className="link" activeClassName="active-link" />
<NavLink style={{ color: "blue" }} activeStyle={{ color: "green" }} />
// After
<NavLink
  className={({ isActive }) =>
    `link ${
      isActive
        ? "active-link"
        : // Couldn't do this before!
          "inactive-link"
    }`
  }
/>
<NavLink style={({ isActive }) => ({ color: isActive ? "green" : "blue" })} />
```

- `useRoutes` API has changed slightly. Instead of passing a basename as the second argument, you should instead pass it as a named property in an object:

```jsx
// Before
useRoutes([...routes], basename);
// After
useRoutes([...routes], { basename });
```
🐛 Bugfixes
- `basename` prop on `Routes` is treated as case-insensitive (#7997)
- `useNavigate` previously used the incorrect `pathname` when called from parent routes when the URL matches one of its children. This fix also applies to `useSearchParams` (#7880)
✨ Enhancements
- `Routes` and `useRoutes` now allow you to override the `location`, which may be useful when building some modal interfaces and route transition animations. We are working hard to update our docs to include examples for advanced patterns where this might be useful, but in the meantime this also brings `Routes` closer to feature parity with v5's `Switch` via the `location` prop. (#7117)
- `useClickHandler` and `usePressHandler` to make customizing `Links` a bit easier. (#7998)
- `Link`, be sure to render an actual HTML anchor element, otherwise your app will likely be inaccessible without a significant amount of additional work which, I assure you, you don't want to do!
💻 Installing
Development for v6 is chugging along on the `dev` branch.
If you'd like to test it out, install from npm:
$ npm install history react-router-dom@next
🙏 Credits
Thanks to @andrelandgraf, @dhulme, @fgatti675, @hugmanrique, @MeiKatz, @chaance and @mjackson for your contributions!
🐛 Bugfixes
- `displayName` back to `<Link />` and `<NavLink />` components
✨ Enhancements
- `navigate` function now prepends hash and search strings by default:
- `useParams` now returns parameters from nested `<Route />`s when called in a parent `<Route />`
💻 Installing
Development for v6 is chugging along on the `dev` branch.
If you'd like to test it out, install from npm:
$ npm install history react-router-dom@next
🙏 Credits
Thanks to @liho98, @wojtekmaj, @cravend, @chaance and @mjackson for your contributions!
Enjoy!
This release of `react-router-dom` adds support for passing a function to either the `className` or `style` props to conditionally apply values based on the link's `active` state.
This provides similar functionality as the existing `activeClassName` and `activeStyle` props, but is a bit more powerful. For example, you can now easily apply styles exclusively to an inactive `NavLink` as well. This offers a nicer experience for folks who use utility class-based CSS tools such as Tailwind.
Note that as of `v6.0.0-beta.3`, the `activeClassName` and `activeStyle` props are removed completely. Adding support for functional className and style props to both v5 and v6 will give v5 users an easier upgrade path.
Thanks to @tim-phillips for raising the issue that inspired the change! 🥳
This release fixes a bug with `<Link>` so that, when the `to` location is the same as the current, the history state entry is replaced instead of pushed to the stack. See #5362 for details. 🥳
Thanks to @guidobouman for the PR and for everyone else who weighed in for the fix!
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
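
A reviewer's check for this PR, as an added example that is not Snyk's or React Router's code: since the flagged issue (SNYK-JS-PATHTOREGEXP-7925106) is in `path-to-regexp` and the PR only rewrites `package.json` and `package-lock.json`, list every copy of that package still recorded in the lockfile and who declares it. The two lockfile fragments are constructed, `sample-dev-server` is a hypothetical package, and all versions other than 5.0.0 and 6.0.0 are illustrative.

```javascript
'use strict';

// Every installed copy of `name` in a parsed package-lock.json.
// lockfileVersion 2/3: "packages" map keyed by node_modules path.
// lockfileVersion 1: nested "dependencies" tree.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [location, meta] of Object.entries(lock.packages)) {
      const idx = location.lastIndexOf(marker);
      if (idx === -1) continue; // "" is the root project itself
      if (location.slice(idx + marker.length) === name) {
        hits.push({ version: meta.version, location });
      }
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const next = trail.concat(dep);
      if (dep === name) hits.push({ version: meta.version, location: next.join(' > ') });
      walk(meta.dependencies, next);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Packages that declare `name` as a dependency (lockfileVersion 2/3 only).
function dependents(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([, meta]) => meta.dependencies && name in meta.dependencies)
    .map(([location, meta]) => `${location || '(root)'}@${meta.version}`);
}

// Constructed sample: lockfile before the upgrade.
const before = { lockfileVersion: 2, packages: {
  '': { name: 'sample-app', version: '0.0.0', dependencies: { 'react-router-dom': '5.0.0' } },
  'node_modules/react-router-dom': { version: '5.0.0', dependencies: { 'react-router': '5.0.0' } },
  'node_modules/react-router': { version: '5.0.0', dependencies: { 'path-to-regexp': '^1.7.0' } },
  'node_modules/path-to-regexp': { version: '1.7.0' },
} };

// Constructed sample: after the upgrade, a second (hypothetical) package still pulls it in.
const after = { lockfileVersion: 2, packages: {
  '': { name: 'sample-app', version: '0.0.0', dependencies: { 'react-router-dom': '6.0.0' } },
  'node_modules/react-router-dom': { version: '6.0.0', dependencies: { 'react-router': '6.0.0' } },
  'node_modules/react-router': { version: '6.0.0' },
  'node_modules/sample-dev-server': { version: '1.0.0', dependencies: { 'path-to-regexp': '^0.1.0' } },
  'node_modules/sample-dev-server/node_modules/path-to-regexp': { version: '0.1.7' },
} };

for (const [label, lock] of [['before', before], ['after', after]]) {
  console.log(label, findInstalled(lock, 'path-to-regexp'), dependents(lock, 'path-to-regexp'));
}
```

To run it against the real file, pass `JSON.parse` of `admin-frontend/package-lock.json` to both functions and compare the reported versions with the fixed range given in the Snyk advisory.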