Conversation


@ErlendS ErlendS commented Dec 10, 2025

Updates compression package to v1.8.1 so its sub-dependency on-headers gets updated to v1.1.0 to fix its security vulnerability.

Additional info

Versions <1.1.0 of on-headers are vulnerable to http response header manipulation:
GHSA-76c9-3jph-rj3q

Looking at compression's changelog for v1.8.0, I see no changes that should require updates in react-router.

Ran pnpm test from root and all tests still pass ✅
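A defender-side check for this kind of transitive fix, added here as an example and not code from the PR or from React Router: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3; this format is an assumption, since the repository itself uses pnpm) and lists every installed copy of on-headers whose version is below 1.1.0, the package and fixed version the PR description names. Nested copies such as `node_modules/compression/node_modules/on-headers` are reported by path, so the dependant that pinned the old version is visible. The lockfile contents, its version numbers and the function names are constructed for illustration.

```javascript
// Added example, not code from the PR or the React Router project.
// Scans an npm package-lock.json (lockfileVersion 2/3, "packages" map) for every
// installed copy of a package whose version is below the release that fixed it.
// Package name and fixed version are those stated in the PR (on-headers >= 1.1.0);
// the lockfile contents and version numbers below are constructed for illustration.

const ADVISORY = { name: "on-headers", fixedIn: "1.1.0" }; // from the PR text

// Parse "MAJOR.MINOR.PATCH" into three integers; a pre-release/build suffix is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative when a < b, 0 when equal, positive when a > b (numeric per component,
// so "1.10.0" correctly sorts above "1.9.9").
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Each key of lock.packages is the install path, e.g.
// "node_modules/compression/node_modules/on-headers", so a nested copy that npm
// could not dedupe is visible from the path itself, together with its dependant.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const segments = installPath.split("node_modules/");
    const pkgName = segments[segments.length - 1]; // scoped names keep their "@scope/"
    if (pkgName !== name || typeof entry.version !== "string") continue;
    if (compareSemver(entry.version, fixedIn) < 0) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile (hypothetical versions): the top-level on-headers is already
// fixed, but a nested 1.0.2 pinned under compression is still installed.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { compression: "1.7.4", morgan: "1.10.0" } },
    "node_modules/compression": { version: "1.7.4", dependencies: { "on-headers": "1.0.2" } },
    "node_modules/compression/node_modules/on-headers": { version: "1.0.2" },
    "node_modules/morgan": { version: "1.10.0", dependencies: { "on-headers": "^1.1.0" } },
    "node_modules/on-headers": { version: "1.1.0" },
  },
};

// Usage: node check-lock.js [path/to/package-lock.json]; without an argument the
// constructed sample above is scanned. Returns the number of vulnerable copies.
function main() {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock, ADVISORY.name, ADVISORY.fixedIn);
  for (const h of hits) console.log(`${h.path} is ${h.version} (< ${ADVISORY.fixedIn})`);
  console.log(`${hits.length} vulnerable copy/copies of ${ADVISORY.name}`);
  return hits.length;
}

if (typeof require === "function" && require.main === module) main();
```

Run against the sample it reports the single nested copy under compression; pointed at a real lockfile it is a quick way to confirm that a bump like this one actually removed every old on-headers from the tree rather than only the hoisted one.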

changeset-bot bot commented Dec 10, 2025

🦋 Changeset detected

Latest commit: 12bde17

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@react-router/serve Patch
@react-router/dev Patch
@react-router/fs-routes Patch
@react-router/remix-routes-option-adapter Patch
create-react-router Patch
react-router Patch
react-router-dom Patch
@react-router/architect Patch
@react-router/cloudflare Patch
@react-router/express Patch
@react-router/node Patch



remix-cla-bot bot commented Dec 10, 2025

Hi @ErlendS,

Welcome, and thank you for contributing to React Router!

Before we consider your pull request, we ask that you sign our Contributor License Agreement (CLA). We require this only once.

You may review the CLA and sign it by adding your name to contributors.yml.

Once the CLA is signed, the CLA Signed label will be added to the pull request.

If you have already signed the CLA and received this response in error, or if you have any questions, please contact us at [email protected].

Thanks!

- The Remix team


remix-cla-bot bot commented Dec 10, 2025

Thank you for signing the Contributor License Agreement. Let's get this merged! 🥳

brophdawg11 commented

Thanks! I noticed that morgan also had the same on-headers update (link), so I updated that and a few more places where we have compression as a dep (playgrounds, etc.).

@brophdawg11 brophdawg11 self-assigned this Dec 10, 2025
@brophdawg11 brophdawg11 added dependencies Pull requests that update a dependency file pkg:@react-router/serve labels Dec 10, 2025

ErlendS commented Dec 10, 2025

Great! Thanks for jumping on this so quick!

@brophdawg11 brophdawg11 merged commit 37fe291 into remix-run:dev Dec 10, 2025
7 of 8 checks passed
@brophdawg11 brophdawg11 removed their assignment Dec 10, 2025
@brophdawg11 brophdawg11 added the awaiting release This issue has been fixed and will be released soon label Dec 10, 2025
github-actions bot commented

🤖 Hello there,

We just published version 7.11.0-pre.0 which includes this pull request. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!

github-actions bot commented

🤖 Hello there,

We just published version 7.11.0 which includes this pull request. If you'd like to take it for a test run please try it out and let us know what you think!

Thanks!
