Skip to content

Bump react-router from 6.30.3 to 7.13.1#2860

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/react-router-7.13.1
Open

Bump react-router from 6.30.3 to 7.13.1#2860
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/react-router-7.13.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 5, 2026
edited
Loading

Bumps react-router from 6.30.3 to 7.13.1.

Release notes

Sourced from react-router's releases.

v7.13.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7131

v7.13.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7130

v7.12.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7120

v7.11.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7110

v7.10.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7101

v7.10.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7100

v7.9.6

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v796

v7.9.5

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v795

v7.9.4

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v794

v7.9.3

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v793

v7.9.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v792

v7.9.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v791

v7.9.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v790

v7.8.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v782

v7.8.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v781

v7.8.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v780

v7.7.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v771

... (truncated)

Changelog

Sourced from react-router's changelog.

7.13.1

Patch Changes

  • fix null reference exception in bad codepath leading to invalid route tree comparisons (#14780)

  • fix: clear timeout when turbo-stream encoding completes (#14810)

  • Improve error message when Origin header is invalid (#14743)

  • Fix matchPath optional params matching without a "/" separator. (#14689)

    • matchPath("/users/:id?", "/usersblah") now returns null.
    • matchPath("/test_route/:part?", "/test_route_more") now returns null.

  • add RSC unstable_getRequest (#14758)

  • Fix HydrateFallback rendering during initial lazy route discovery with matching splat route (#14740)

  • [UNSTABLE] Add support for <Link unstable_mask> in Data Mode which allows users to navigate to a URL in the router but "mask" the URL displayed in the browser. This is useful for contextual routing usages such as displaying an image in a model on top of a gallery, but displaying a browser URL directly to the image that can be shared and loaded without the contextual gallery in the background. (#14716)

    // routes/gallery.tsx
export function clientLoader({ request }: Route.LoaderArgs) {
  let sp = new URL(request.url).searchParams;
  return {
    images: getImages(),
    // When the router location has the image param, load the modal data
    modalImage: sp.has("image") ? getImage(sp.get("image")!) : null,
  };
}
export default function Gallery({ loaderData }: Route.ComponentProps) {
return (
<>
<GalleryGrid>
{loaderData.images.map((image) => (
<Link
key={image.id}
{/* Navigate the router to /galley?image=N /}}
to={/gallery?image=${image.id}}
{/ But display /images/N in the URL bar */}}
unstable_mask={/images/${image.id}}
>
<img src={image.url} alt={image.alt} />
</Link>
))}
</GalleryGrid>
  {/* When the modal data exists, display the modal */}
  {data.modalImage ? (

... (truncated)

Commits
  • aa3f078 chore: Update version for release (#14829)
  • 3207a5c chore: Update version for release (pre) (#14814)
  • aa93af3 Merge branch 'main' into release-next
  • db7eb57 Fix manifest version mismatch reload losing query parameters and hash (#14813)
  • 2994019 Add support for <Link unstable_mask> (#14716)
  • 6dda561 fix: clear timeout when turbo-stream encoding completes (#14735) (#14810)
  • 407d885 Revert "fix: clear timeout when turbo-stream encoding completes (#14735)" (#1...
  • 11a1600 Fix meta function API reference URL (#14808)
  • 44991a9 fix: clear timeout when turbo-stream encoding completes (#14735)
  • b66e632 Fix hydrate fallback rendering during initial lazy route discovery (#14740)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Medium Risk
This is a major-version routing library upgrade that can introduce runtime/navigation regressions, especially with react-router-dom and peer dependency ranges remaining on v6.

Overview
Bumps react-router from 6.30.3 to 7.13.1 in packages/core, packages/gui, and packages/wallets.

Updates package-lock.json accordingly, adding new transitive deps (cookie, set-cookie-parser) required by react-router@7, while react-router-dom remains on 6.30.3 (and package peer dependency ranges for react-router still reference ^6.30.3).

Written by Cursor Bugbot for commit 81578e2. This will update automatically on new commits. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 5, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 5, 2026 20:33
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code Changed Required label for PR that categorizes merge commit message as "Changed" for changelog labels Mar 5, 2026
@dependabot dependabot Bot mentioned this pull request Mar 5, 2026
Closed
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 5, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedreact-router@​7.13.1811007998100

View full report

cursor[bot]
cursor Bot reviewed Mar 5, 2026
View reviewed changes
Comment thread packages/gui/package.json
"react-number-format": "5.4.3",
"react-redux": "8.1.2",
"react-router": "6.30.3",
"react-router": "7.13.1",
Copy link
Copy Markdown

@cursor cursor Bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Incompatible react-router v7 with react-router-dom v6

High Severity

react-router was bumped from v6 to v7 (a major version change), but react-router-dom remains at 6.30.3 across all three packages. react-router-dom v6 depends on and expects react-router v6 — these two packages are incompatible when mixed across major versions. In v7, react-router-dom was effectively merged into react-router, making the v6 react-router-dom fundamentally incompatible with react-router v7. This will cause runtime errors in routing throughout the application. The codebase imports from both react-router and react-router-dom extensively.

Additional Locations (2)

Fix in Cursor Fix in Web

Comment thread packages/core/package.json
@dependabot
Bump react-router from 6.30.3 to 7.13.1
81578e2 
Bumps [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router) from 6.30.3 to 7.13.1.
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@7.13.1/packages/react-router)

---
updated-dependencies:
- dependency-name: react-router
  dependency-version: 7.13.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/react-router-7.13.1 branch from 802a9cf to 81578e2 Compare March 8, 2026 00:32
cursor[bot]
cursor Bot reviewed Mar 8, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread package-lock.json
"react-dom": "^18.2.0",
"react-hook-form": "^7.45.4",
"react-router": "^6.30.3",
"react-router": "^7.13.1",
Copy link
Copy Markdown

@cursor cursor Bot Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile peerDependencies out of sync with package.json

Medium Severity

The package-lock.json shows "react-router": "^7.13.1" in the peerDependencies sections for packages/core and packages/wallets, but the actual package.json files still have "react-router": "^6.30.3" in their peerDependencies. Dependabot updated the lockfile's peerDependencies entries without updating the corresponding package.json peerDependencies, creating a lockfile that is out of sync with the source of truth. This will cause peer dependency resolution mismatches on fresh installs.

Additional Locations (1)

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants