
fix(deps): vuln minor upgrades — 12 packages (minor: 4 · patch: 8) [web-frontend] #255

Closed
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into main from engraver-auto-version-upgrade/minorpatch/npm/web-frontend/2-1776935578

Conversation

@gh-worker-campaigns-3e9aa4

Summary: High-severity security update — 12 packages upgraded (MINOR changes included)

Manifests changed:

  • web-frontend (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

| Package | From | To | Type | Dep Type | Vulnerabilities Fixed |
|---|---|---|---|---|---|
| vite | 7.3.1 | 7.3.2 | patch | Direct | 2 HIGH, 1 MODERATE |
| @datadog/browser-logs | 6.28.1 | 6.32.0 | minor | Direct | - |
| @datadog/browser-rum | 6.28.1 | 6.32.0 | minor | Direct | - |
| @datadog/browser-rum-react | 6.28.1 | 6.32.0 | minor | Direct | - |
| @eslint/js | 9.31.0 | 9.39.4 | minor | Direct | - |
| @mui/icons-material | 7.3.9 | 7.3.10 | patch | Direct | - |
| @mui/material | 7.3.9 | 7.3.10 | patch | Direct | - |
| @tailwindcss/vite | 4.2.1 | 4.2.3 | patch | Direct | - |
| react | 19.2.4 | 19.2.5 | patch | Direct | - |
| react-dom | 19.2.4 | 19.2.5 | patch | Direct | - |
| react-router | 7.13.1 | 7.13.2 | patch | Direct | - |
| tailwindcss | 4.2.1 | 4.2.3 | patch | Direct | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (2 fixed)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| vite | GHSA-p9ff-h696-f583 | HIGH | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket | 7.3.1 | 8.0.5 |
| vite | GHSA-v2wj-q39q-566r | HIGH | Vite: server.fs.deny bypassed with queries | 7.3.1 | 8.0.5 |

ℹ️ Other Vulnerabilities (1)

| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| vite | GHSA-4w7w-66w2-5vf9 | MODERATE | Vite Vulnerable to Path Traversal in Optimized Deps .map Handling | 7.3.1 | 8.0.5 |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
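One check a reviewer would want before approving a bot-generated remediation PR is whether the target version of each bump actually reaches the advisory's listed fix. In the tables above, all three vite advisories show "Fixed In" 8.0.5 while the bump targets 7.3.2. GitHub advisories commonly list a separate patched version per release line and the bot's single column may show only one of them, so a row that fails the comparison is a prompt to read the advisory's full patched range, not proof the upgrade is insufficient. The following is an added example, not code from the PR or from the ADMS tool; the version data is copied from the tables above and the status labels are my own.

```javascript
// Added example (not part of the PR or of the ADMS tool): compare each bump in
// the update table against the advisory table's "Fixed In" column and return
// the rows a reviewer should look at by hand.

// Parse "MAJOR.MINOR.PATCH" into three integers; a "-prerelease" tag is dropped.
function parseSemver(version) {
  const core = version.split("-")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${version}`);
  }
  return parts;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function reachesFixedVersion(target, fixedIn) {
  return compareSemver(target, fixedIn) >= 0;
}

// Values copied from the PR's "Updates" and "Security Details" tables.
const UPDATES = [
  { pkg: "vite", from: "7.3.1", to: "7.3.2" },
  { pkg: "react", from: "19.2.4", to: "19.2.5" },
];
const ADVISORIES = [
  { pkg: "vite", id: "GHSA-p9ff-h696-f583", severity: "HIGH", fixedIn: "8.0.5" },
  { pkg: "vite", id: "GHSA-v2wj-q39q-566r", severity: "HIGH", fixedIn: "8.0.5" },
  { pkg: "vite", id: "GHSA-4w7w-66w2-5vf9", severity: "MODERATE", fixedIn: "8.0.5" },
];

// Join each advisory to the bump for the same package and classify it.
// Status labels are this example's own, not ADMS output:
//   fixed-by-bump          target >= listed fix
//   verify-advisory-range  target < listed fix; check the advisory's per-line fixes
//   downgrade              "to" is lower than "from"; never merge silently
//   no-update-in-pr        advisory names a package the PR does not touch
function reviewAdvisories(updates, advisories) {
  const byPkg = new Map(updates.map((u) => [u.pkg, u]));
  return advisories.map((adv) => {
    const update = byPkg.get(adv.pkg);
    if (!update) return { ...adv, status: "no-update-in-pr" };
    let status;
    if (compareSemver(update.to, update.from) < 0) status = "downgrade";
    else if (reachesFixedVersion(update.to, adv.fixedIn)) status = "fixed-by-bump";
    else status = "verify-advisory-range";
    return { ...adv, from: update.from, to: update.to, status };
  });
}

for (const row of reviewAdvisories(UPDATES, ADVISORIES)) {
  console.log(`${row.pkg} ${row.id} (${row.severity}): ${row.from} -> ${row.to}, fixed in ${row.fixedIn}: ${row.status}`);
}
```

Run with `node` on any recent release; the loop prints one line per advisory. With the page's values every vite row comes back as `verify-advisory-range`, which is exactly the outcome that should send a reviewer to the advisory text rather than to the approve button.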

@campaigner-prod

campaigner-prod Bot commented Apr 23, 2026

Release Notes

vite (7.3.1 → 7.3.2) — GitHub Release

Please refer to CHANGELOG.md for details.

@datadog/browser-logs (6.28.1 → 6.32.0) — GitHub Release

v6.32.0

Public Changes:

Internal Changes:

(truncated)

v6.31.0

Public Changes:

(truncated — see source for full notes)

@datadog/browser-rum (6.28.1 → 6.32.0) — GitHub Release

v6.32.0

Public Changes:

Internal Changes:

(truncated)

v6.31.0

Public Changes:

(truncated — see source for full notes)

@datadog/browser-rum-react (6.28.1 → 6.32.0) — GitHub Release

v6.32.0

Public Changes:

Internal Changes:

(truncated)

v6.31.0

Public Changes:

(truncated — see source for full notes)

@eslint/js (9.31.0 → 9.39.4) — GitHub Release

v9.39.4

Bug Fixes

Documentation

Chores

v9.39.3

Bug Fixes

Chores

v9.39.2

Bug Fixes

Build Related

Chores

v9.39.1

Bug Fixes

Documentation

Chores

(truncated — see source for full notes)

@mui/icons-material (7.3.9 → 7.3.10) — GitHub Release

A big thanks to the 15 contributors who made this release possible. A few highlights ✨:

  • 📖 Added the Menubar component page to the docs.

@mui/material@7.3.10

Docs

Core

All contributors of this release in alphabetical order: @Ahmad-Alaziz, @aman44444, @anchmelev, @arminmeh, @cherniavskii, @DanailH, @dav-is, @GerardasB, @mj12albert, @olivier-lxo, @pcorpet, @sai6855, @silviuaavram, @siriwatknp, @ZeeshanTamboli

@mui/material (7.3.9 → 7.3.10) — GitHub Release

Release notes identical to the @mui/icons-material entry above (both packages ship from the @mui/material@7.3.10 release).

@tailwindcss/vite (4.2.1 → 4.2.3) — GitHub Release

v4.2.3

Fixed

(truncated)

v4.2.2

Added

Fixed

react (19.2.4 → 19.2.5) — GitHub Release

React Server Components

react-dom (19.2.4 → 19.2.5) — GitHub Release

React Server Components

react-router (7.13.1 → 7.13.2) — Changelog

Date: 2026-03-23

What's Changed

Pass-through Requests (unstable)

By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params). This release introduces a new future.unstable_passThroughRequests flag to disable this normalization and pass the raw HTTP request instance to your handlers.

In addition to reducing server-side overhead by eliminating multiple new Request() calls on the critical path, this also provides additional visibility to your route handlers/instrumentations allowing you to differentiate document from data requests.

If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

```ts
// ❌ Before: you could assume there was no `.data` suffix in `request.url`
export async function loader({ request }: Route.LoaderArgs) {
  let url = new URL(request.url);
  if (url.pathname === "/path") {
    // This check will fail with the flag enabled because the `.data` suffix will
    // exist on data requests
  }
}

// ✅ After: use `unstable_url` for normalized routing logic and `request.url`
// for raw routing logic
export async function loader({ request, unstable_url }: Route.LoaderArgs) {
  if (unstable_url.pathname === "/path") {
    // This will always have the `.data` suffix stripped
  }

  // And now you can distinguish between document versus data requests
  let isDataRequest = new URL(request.url).pathname.endsWith(".data");
}
```

Route handlers/middleware unstable_url parameter

We have added a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) that contains the normalized URL the application is navigating to or fetching with React Router implementation details removed (.data suffix, index/_routes query params).

This parameter is primarily needed when adopting the new future.unstable_passThroughRequests future flag as a way to continue accessing the normalized URL. If you don't have the flag enabled, then unstable_url will match request.url.

Patch Changes

Unstable Changes

⚠️ Unstable features are not recommended for production use

(truncated)

tailwindcss (4.2.1 → 4.2.3) — GitHub Release

v4.2.3

Fixed

(truncated)

v4.2.2

Added

Fixed


Generated by ADMS. Sources: 11 GitHub Releases, 1 Changelog.
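The react-router 7.13.2 notes quoted above describe a behaviour change that matters for any path-based authorization or routing check in a loader: once `future.unstable_passThroughRequests` is on, `request.url` carries the raw `.data` suffix and the `index`/`_routes` params, so a string comparison on `request.url` silently stops matching data requests. The block below is an added example, not React Router's own code or the changelog's snippet; it models the normalization the notes describe (strip the `.data` suffix, drop the `index` and `_routes` params) so the "before" and "after" loader styles can be run offline against constructed URLs. The `_root.data` handling and the shape of the simulated handler arguments are assumptions for this example.

```javascript
// Added example (not React Router's own code): a model of the URL normalization
// the 7.13.2 changelog describes, used to exercise both loader styles offline.
// Assumptions: internal markers are a ".data" pathname suffix plus the "index"
// and "_routes" query params; a "/_root.data" path is treated as the root "/".

const DATA_SUFFIX = ".data";
const INTERNAL_PARAMS = ["index", "_routes"];

// Mirrors what `unstable_url` is documented to contain: the raw URL with the
// framework's implementation details removed.
function normalizeRequestUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (url.pathname.endsWith(DATA_SUFFIX)) {
    const stripped = url.pathname.slice(0, -DATA_SUFFIX.length);
    url.pathname = stripped === "/_root" ? "/" : stripped; // assumption: root marker
  }
  for (const name of INTERNAL_PARAMS) url.searchParams.delete(name);
  return url;
}

function isDataRequest(rawUrl) {
  return new URL(rawUrl).pathname.endsWith(DATA_SUFFIX);
}

// "Before" style from the changelog: matches on request.url directly. It only
// works while the framework normalizes the request; with pass-through enabled
// the ".data" suffix is present and data requests no longer match.
function legacyLoaderMatches(request, path) {
  return new URL(request.url).pathname === path;
}

// "After" style: route logic uses the normalized URL, request.url keeps the raw
// view so document and data requests can still be told apart.
function loader({ request, unstable_url }, path) {
  return {
    matched: unstable_url.pathname === path,
    isDataRequest: isDataRequest(request.url),
  };
}

// Simulate the arguments a handler sees with the pass-through flag on: the raw
// request (a plain object with a url, standing in for a Request) plus the
// normalized sibling URL.
function passThroughArgs(rawUrl) {
  return { request: { url: rawUrl }, unstable_url: normalizeRequestUrl(rawUrl) };
}

// Constructed sample requests for one route: a document navigation and the
// data request the framework would issue for the same location.
const DOCUMENT_REQ = "https://example.test/path?q=1";
const DATA_REQ = "https://example.test/path.data?index&_routes=routes%2Fpath&q=1";

for (const raw of [DOCUMENT_REQ, DATA_REQ]) {
  const args = passThroughArgs(raw);
  console.log(raw);
  console.log("  normalized  :", args.unstable_url.href);
  console.log("  legacy match:", legacyLoaderMatches(args.request, "/path"));
  console.log("  loader      :", loader(args, "/path"));
}
```

The point to take from the output is the asymmetry: the legacy check returns `true` for the document request and `false` for the data request to the same route, while the `unstable_url`-based loader matches both and additionally reports which kind of request it is. Any guard that grants or denies based on `request.url` should be moved to `unstable_url` before the flag is enabled.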

@seberm-6

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.

@campaigner-prod campaigner-prod Bot closed this Apr 23, 2026