SAP / ui5-webcomponents-react / 14658211346
89%

DEFAULT BRANCH: main
Ran
Jobs 6
Files 218
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 88.213% (+0.05%) from 88.163%
14658211346

push

github

web-flow 
chore(deps): update dependency react-router to v7.5.2 [security] (main) (#7271)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [react-router](https://redirect.github.com/remix-run/react-router)
([source](https://redirect.github.com/remix-run/react-router/tree/HEAD/packages/react-router))
| [`7.5.1` ->
`7.5.2`](https://renovatebot.com/diffs/npm/react-router/7.5.1/7.5.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/react-router/7.5.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/react-router/7.5.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/react-router/7.5.1/7.5.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react-router/7.5.1/7.5.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-43864](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-f46r-rw29-r322)

## Summary
After some research, it turns out that it is possible to force an
application to switch to SPA mode by adding a header to the request. If
the application uses SSR and is forced to switch to SPA, this causes an
error that completely corrupts the page. If a cache system is in place,
this allows the response containing the error to be cached, resulting in
a cache poisoning that strongly impacts the availability of the
application.

## Details
The vulnerable header is `X-React-Router-SPA-Mode`; adding it to a
request sent to a page/endpoint using a loader throws an error. Here is
[the vulnerable
code](https://redirect.github.com/remix-run/react-router/blob/e6c53a013/packages/react-router/lib/server-runtime/server.ts#L407)
:

<img wi... (continued)

3013 of 3965 branches covered (75.99%)

5291 of 5998 relevant lines covered (88.21%)

95859.3 hits per line

Subprojects
ID Flag name Job ID Ran Files Coverage
1 main/src/internal 14658211346.1 149
15.15
 GitHub Action Run
2 compat 14658211346.2 160
18.64
 GitHub Action Run
3 base 14658211346.3 149
16.78
 GitHub Action Run
4 cypress-commands 14658211346.4 149
15.22
 GitHub Action Run
5 charts 14658211346.5 207
27.53
 GitHub Action Run
6 main/src/components 14658211346.6 149
85.89
 GitHub Action Run
Source Files on build 14658211346