Skip to content

chore(deps): update dependency @remix-run/node to v2.17.2 [security]#1771

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-remix-run-node-vulnerability
Open

chore(deps): update dependency @remix-run/node to v2.17.2 [security]#1771
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-remix-run-node-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Jan 9, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@remix-run/node (source) 2.17.02.17.2 age confidence

React Router has Path Traversal in File Session Storage

CVE-2025-61686 / GHSA-9583-h5hc-x8cw

More information

Details

If applications use createFileSessionStorage() from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files.

Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information.

Severity

  • CVSS Score: 9.1 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@renovate renovate Bot requested a review from a team as a code owner January 9, 2026 02:47
@vercel
Copy link
Copy Markdown

vercel Bot commented Jan 9, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
preview-kit-next-app-router Ready Ready Preview, Comment Mar 13, 2026 3:52pm
preview-kit-next-pages-router Ready Ready Preview, Comment Mar 13, 2026 3:52pm
preview-kit-remix Ready Ready Preview, Comment Mar 13, 2026 3:52pm
preview-kit-test-studio Ready Ready Preview, Comment Mar 13, 2026 3:52pm

Request Review

@socket-security
Copy link
Copy Markdown

socket-security Bot commented Jan 9, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​remix-run/​node@​2.17.2991007490100
Updatednpm/​@​types/​react@​19.2.9 ⏵ 19.2.14100 +110079 +192 -2100
Updatednpm/​isbot@​5.1.33 ⏵ 5.1.36100 +110010094 +2100

View full report

@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch from 2d0dec7 to 87bea96 Compare January 19, 2026 13:17
@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch from 87bea96 to eee6966 Compare January 19, 2026 20:56
@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch from eee6966 to 9d68e57 Compare January 23, 2026 20:47
@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch from 9d68e57 to 39b6512 Compare January 29, 2026 12:56
@renovate renovate Bot changed the title chore(deps): update dependency @remix-run/node to v2.17.2 [security] chore(deps): update dependency @remix-run/node to v2.17.2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-remix-run-node-vulnerability branch March 27, 2026 02:50
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Mar 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency @remix-run/node to v2.17.2 [security] - autoclosed chore(deps): update dependency @remix-run/node to v2.17.2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch 2 times, most recently from 6d33048 to 8c6f16b Compare March 30, 2026 19:12
@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch from 8c6f16b to 0651027 Compare April 1, 2026 16:00
@renovate renovate Bot changed the title chore(deps): update dependency @remix-run/node to v2.17.2 [security] chore(deps): update dependency @remix-run/node to v2.17.2 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency @remix-run/node to v2.17.2 [security] - autoclosed chore(deps): update dependency @remix-run/node to v2.17.2 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-remix-run-node-vulnerability branch 2 times, most recently from 0651027 to cf15554 Compare April 27, 2026 20:19
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants