@D-K-P (Member) commented Jan 27, 2026

Upgraded packages:

  • @remix-run/express: 2.1.0 → 2.17.4
  • @remix-run/node: 2.1.0 → 2.17.4
  • @remix-run/react: 2.1.0 → 2.17.4
  • @remix-run/router: 1.15.3 → 1.23.2
  • @remix-run/serve: 2.1.0 → 2.17.4
  • @remix-run/server-runtime: 2.1.0 → 2.17.4
  • @remix-run/dev: 2.1.0 → 2.17.4
  • @remix-run/eslint-config: 2.1.0 → 2.17.4
  • @remix-run/testing: 2.1.0 → 2.17.4

Also updated tar-fs override for new @remix-run/dev version.


Addresses CVE-2026-22029 (XSS via open redirects in loaders/actions).

Upgraded packages:
- @remix-run/express: 2.1.0 → 2.17.3
- @remix-run/node: 2.1.0 → 2.17.3
- @remix-run/react: 2.1.0 → 2.17.3
- @remix-run/router: 1.15.3 → 1.23.2
- @remix-run/serve: 2.1.0 → 2.17.3
- @remix-run/server-runtime: 2.1.0 → 2.17.3
- @remix-run/dev: 2.1.0 → 2.17.3
- @remix-run/eslint-config: 2.1.0 → 2.17.3
- @remix-run/testing: 2.1.0 → 2.17.3

Also updated tar-fs override for new @remix-run/dev version.
@changeset-bot commented Jan 27, 2026

⚠️ No Changeset found

Latest commit: 4c2bf66

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@coderabbitai (Contributor) commented Jan 27, 2026

Walkthrough

This pull request updates Remix packages in apps/webapp/package.json: @remix-run/express, @remix-run/node, @remix-run/react, @remix-run/serve, and @remix-run/server-runtime from 2.1.0 to 2.17.4; @remix-run/router from ^1.15.3 to ^1.23.2; and devDependencies @remix-run/dev, @remix-run/eslint-config, and @remix-run/testing to 2.17.4. The root package.json overrides were adjusted: @remix-run/dev's tar-fs mapping updated to 2.1.4, and testcontainers tar-fs mapping updated to 3.1.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks: 2 passed, 1 failed

Failed checks (1 warning)
  • Description check (Warning). Explanation: The description is largely incomplete relative to the template; it lists upgraded packages but lacks testing steps, changelog entry, and unchecked checklist items. Resolution: Add Testing section describing steps taken, fill in Changelog section with change summary, and check/complete all checklist items as applicable.

Passed checks (2 passed)
  • Docstring Coverage (Passed). Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check (Passed). Explanation: The title accurately summarizes the main change: upgrading Remix packages from 2.1.0 to 2.17.4, which is the primary modification in the changeset.


@coderabbitai left a review comment

Actionable comments posted: 1

Actionable comment

In package.json:
- Line 89: Update the tar-fs override in package.json to patch CVE-2025-59343: change the override entry for "@remix-run/dev@2.17.3>tar-fs" from "2.1.3" to "2.1.4" (or any later 2.1.x) so the dependency used by @remix-run/dev@2.17.3 picks up the fixed version.
📥 Commits

Reviewing files that changed from the base of the PR and between eeab6bd and 4ef0cba.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • apps/webapp/package.json
  • package.json
🔇 Additional comments (2)
apps/webapp/package.json (2)

231-233: No action required — all peer dependencies for Remix 2.17.3 are compatible.

The upgrade to @remix-run/dev, @remix-run/eslint-config, and @remix-run/testing 2.17.3 is compatible with the current tooling stack: TypeScript 5.5.4 (satisfies ^5.1.0), Vite ^5.4.21 (satisfies ^5.1.0 || ^6.0.0), ESLint ^8.24.0 (satisfies ^8.0.0), and React 18.x. No peer dependency conflicts or config changes are needed.


103-108: CVE-2026-22029 fix is included; remove Single Fetch breaking changes concern.

The upgrade to 2.17.3 safely includes the @remix-run/router 1.23.2+ fix for CVE-2026-22029 (XSS in redirect handling). Single Fetch is not enabled in remix.config.js, so the breaking changes mentioned do not apply—loaders/actions/redirect handling remains stable. However, audit redirect patterns using untrusted sources (e.g., submission.value.redirectUrl in resource routes) to ensure they don't accept arbitrary user-provided URLs that could exploit the XSS before the patched version was deployed.

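The audit step the review above recommends, as an added example that is not code from this PR, from trigger.dev or from Remix: a helper that lets only same-origin relative paths through as redirect targets, plus a constructed action-style wrapper. The `redirectUrl` field name, the `/dashboard` fallback and the placeholder origin are assumptions.

```javascript
// Added example (not code from the PR or from Remix). It is assumed that the route reads
// the redirect target from a form field named "redirectUrl"; that name is made up here.

const PLACEHOLDER_ORIGIN = "http://redirect-check.invalid"; // never sent anywhere

/**
 * Return a redirect target that stays on the current origin, or `fallback`.
 * Parsing against a fixed placeholder origin lets the WHATWG URL parser do the
 * normalisation (backslashes, embedded tabs/newlines, leading whitespace), so
 * anything that ends up on another origin or a non-http scheme is rejected:
 * "//evil.example", "/\\evil.example", "https://evil.example", "javascript:...".
 */
function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  let url;
  try {
    url = new URL(raw, PLACEHOLDER_ORIGIN);
  } catch {
    return fallback; // unparsable input
  }

  // Absolute URLs, protocol-relative URLs and non-http(s) schemes all change the origin.
  if (url.origin !== PLACEHOLDER_ORIGIN) return fallback;

  // Reassemble only the parts that are meaningful on this origin.
  return url.pathname + url.search + url.hash;
}

// Sketch of where the helper sits in a Remix action (constructed). A real route would
// pass `target` to redirect() from @remix-run/node instead of building the response here;
// `formData` is anything with a FormData-style get(), e.g. the result of request.formData().
function buildRedirectResponse(formData) {
  const target = safeRedirectTarget(formData.get("redirectUrl"), "/dashboard");
  return { status: 302, headers: { Location: target } };
}
```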

@nicktrn changed the title from "fix(security): upgrade Remix packages 2.1.0 → 2.17.3" to "fix(security): upgrade Remix packages 2.1.0 → 2.17.4" on Jan 27, 2026
@nicktrn marked this pull request as ready for review on January 27, 2026 at 19:39
@devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional flags.

@vibe-kanban-cloud commented

Review Complete

Your review story is ready!
