Skip to content

CONSOLE-5415: Bump react-router to 7.15#16726

Open
vojtechszocs wants to merge 1 commit into
openshift:mainfrom
vojtechszocs:bump-react-router
Open

CONSOLE-5415: Bump react-router to 7.15#16726
vojtechszocs wants to merge 1 commit into
openshift:mainfrom
vojtechszocs:bump-react-router

Conversation

@vojtechszocs

@vojtechszocs vojtechszocs commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Analysis / Root cause

Related CVE in react-router package - DoS via unbounded path expansion in __manifest endpoint

Note - Console does not use @remix-run/server-runtime package - this CVE is not effective on Console project.

Analysis by Claude Code

No, CVE-2026-42342 does not apply to OpenShift Console.

The advisory explicitly states this vulnerability does not impact applications using:

- Declarative Mode (<BrowserRouter>)
- Data Mode (createBrowserRouter / <RouterProvider>)

The __manifest endpoint is a server-side construct that only exists in React Router's Framework Mode (the full-stack SSR mode,
formerly Remix). It's the server that performs the unbounded path expansion when processing crafted requests to that endpoint.

Console uses react-router purely as a client-side SPA router — there is no server-side rendering, no __manifest endpoint, and no
@remix-run/server-runtime. The vulnerable code path simply doesn't exist in Console's usage.

That said, bumping to 7.15 is still reasonable for staying current, but it's not a security-critical upgrade for this project.

Solution description

Bump react-router package to version 7.15.1 along with related semver range in Console package.json file.

Test cases

Update Console dependencies and rebuild Console plugin SDK packages, then check for react-router peer dependency in the generated package manifest.

cd frontend
yarn install && yarn generate
jq '.peerDependencies."react-router"' < packages/console-dynamic-plugin-sdk/dist/core/package.json

Summary by CodeRabbit

  • Bug Fixes
    • Restored React Router default transition behavior by removing the explicit transition override.
  • Chores
    • Updated React Router to ~7.15.1 in the main frontend and the dynamic demo plugin.
    • Updated the console plugin SDK changelog with the matching React Router semver range.
  • Tests
    • Updated unit test routing mocks to match the revised location shape by removing unstable_mask where applicable.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci Bot requested review from TheRealJon and spadgett July 7, 2026 19:49
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 89f1ac8a-7807-4e9a-aecc-bc59e1be6a51

📥 Commits

Reviewing files that changed from the base of the PR and between 98ee2f9 and 2ec0e1d.

⛔ Files ignored due to path filters (2)
  • dynamic-demo-plugin/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (12)
  • dynamic-demo-plugin/package.json
  • frontend/package.json
  • frontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.md
  • frontend/packages/dev-console/src/components/import/__tests__/DeployImage.spec.tsx
  • frontend/packages/dev-console/src/components/import/jar/__tests__/UploadJarPage.spec.tsx
  • frontend/packages/knative-plugin/src/components/add/__tests__/EventSinkPage.spec.tsx
  • frontend/packages/knative-plugin/src/components/knatify/__tests__/CreateKnatifyPage.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/__tests__/catalog-source.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/operand/__tests__/index.spec.tsx
  • frontend/public/components/app.tsx
  • frontend/public/components/utils/__tests__/telemetry.spec.ts
  • frontend/public/components/utils/telemetry.ts
💤 Files with no reviewable changes (8)
  • frontend/packages/knative-plugin/src/components/add/tests/EventSinkPage.spec.tsx
  • frontend/public/components/utils/telemetry.ts
  • frontend/public/components/utils/tests/telemetry.spec.ts
  • frontend/packages/dev-console/src/components/import/jar/tests/UploadJarPage.spec.tsx
  • frontend/packages/dev-console/src/components/import/tests/DeployImage.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/tests/catalog-source.spec.tsx
  • frontend/packages/knative-plugin/src/components/knatify/tests/CreateKnatifyPage.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/operand/tests/index.spec.tsx
✅ Files skipped from review due to trivial changes (3)
  • frontend/package.json
  • dynamic-demo-plugin/package.json
  • frontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • frontend/public/components/app.tsx

Walkthrough

React Router was updated to ~7.15.1, router transition configuration and telemetry location shaping were adjusted, and test mocks were aligned by removing unstable_mask.

Changes

React Router alignment

Layer / File(s) Summary
Dependency and release metadata
frontend/package.json, dynamic-demo-plugin/package.json, frontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.md
Updated React Router version constraints and added the corresponding unreleased changelog entry and references.
Runtime router and telemetry handling
frontend/public/components/app.tsx, frontend/public/components/utils/telemetry.ts
Removed the explicit transition setting from BrowserRouter and omitted unstable_mask from telemetry locations.
Test location mocks
frontend/packages/dev-console/..., frontend/packages/knative-plugin/..., frontend/packages/operator-lifecycle-manager/..., frontend/public/components/utils/__tests__/telemetry.spec.ts
Removed unstable_mask from mocked location objects while preserving other fields and assertions.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: plugin-api-approved

Suggested reviewers: rhamilto, fsgreco, Leo6Leo, galkremer1

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly identifies the Jira issue and the main change: bumping react-router to 7.15.
Description check ✅ Passed The description covers the root cause, solution, and test cases, though several template sections are still unfilled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Touched specs only contain static Jest/Ginkgo-style titles; no dynamic IDs, timestamps, names, or generated values were added.
Test Structure And Quality ✅ Passed Changed tests are Jest/React Testing Library specs, not Ginkgo, and no cluster-timeout patterns appear in the modified files.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the changed files are package/config updates and Jest unit tests, so MicroShift compatibility isn’t implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Go/Ginkgo e2e tests were added; the PR only changes frontend deps, app code, and Jest unit tests.
Topology-Aware Scheduling Compatibility ✅ Passed Changed files are frontend router deps, changelog, and tests only; no manifests/controllers or pod scheduling constraints were added.
Ote Binary Stdout Contract ✅ Passed No process-level stdout writes were added; changed files are browser/test code only, and searches found no main/init/TestMain/BeforeSuite logging.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the diff only touches frontend package/test files and contains no IPv4 or external-network test logic.
No-Weak-Crypto ✅ Passed Touched files only bump react-router or remove router mock fields; telemetry.ts/app.tsx contain no weak crypto, custom crypto, or secret/token comparisons.
Container-Privileges ✅ Passed Diff only touches package metadata, changelog, tests, TSX files, and lockfiles; no container/K8s manifests or privileged settings appear in the PR.
No-Sensitive-Data-In-Logs ✅ Passed The diff only bumps react-router and removes obsolete unstable_mask mocks; no new console/logger calls or sensitive fields were added to logs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@vojtechszocs vojtechszocs changed the title Bump react-router to 7.15 WiP Bump react-router to 7.15 Jul 7, 2026
@openshift-ci openshift-ci Bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. component/sdk Related to console-plugin-sdk labels Jul 7, 2026
@openshift-ci openshift-ci Bot added component/core Related to console core functionality component/dev-console Related to dev-console component/knative Related to knative-plugin component/olm Related to OLM labels Jul 8, 2026
@vojtechszocs vojtechszocs changed the title WiP Bump react-router to 7.15 Bump react-router to 7.15 Jul 8, 2026
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 8, 2026
@vojtechszocs vojtechszocs changed the title Bump react-router to 7.15 CONSOLE-5415: Bump react-router to 7.15 Jul 8, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 8, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@vojtechszocs: This pull request references CONSOLE-5415 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Analysis / Root cause

Related CVE in react-router package - DoS via unbounded path expansion in __manifest endpoint

Note - Console does not use @remix-run/server-runtime package - this CVE is not effective on Console project.

Analysis by Claude Code

No, CVE-2026-42342 does not apply to OpenShift Console.

The advisory explicitly states this vulnerability does not impact applications using:

- Declarative Mode (<BrowserRouter>)
- Data Mode (createBrowserRouter / <RouterProvider>)

The __manifest endpoint is a server-side construct that only exists in React Router's Framework Mode (the full-stack SSR mode,
formerly Remix). It's the server that performs the unbounded path expansion when processing crafted requests to that endpoint.

Console uses react-router purely as a client-side SPA router — there is no server-side rendering, no __manifest endpoint, and no
@remix-run/server-runtime. The vulnerable code path simply doesn't exist in Console's usage.

That said, bumping to 7.15 is still reasonable for staying current, but it's not a security-critical upgrade for this project.

Solution description

Bump react-router package to version 7.15.1 along with related semver range in Console package.json file.

Test cases

Update Console dependencies and rebuild Console plugin SDK packages, then check for react-router peer dependency in the generated package manifest.

cd frontend
yarn install && yarn generate
jq '.peerDependencies."react-router"' < packages/console-dynamic-plugin-sdk/dist/core/package.json

Summary by CodeRabbit

  • Bug Fixes

  • Adjusted routing behavior to use React Router’s default transition handling instead of explicitly disabling transitions.

  • Chores

  • Updated the routing dependency to a newer compatible version.

  • Updated the console plugin SDK changelog with an unreleased entry for the routing dependency semver range change.

  • Tests

  • Updated routing-location mocks used by unit tests to match the updated router/location shape.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the kind/demo-plugin Related to dynamic-demo-plugin label Jul 8, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
dynamic-demo-plugin/package.json (1)

34-34: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Tilde range instead of exact pin.

The dependency uses a ~7.15.1 semver range rather than an exact pinned version. Path instructions for manifest files call for pinning exact versions for supply-chain security. This matches the pre-existing convention in this file/repo, so it's not a regression introduced by this change, but worth noting.

As per path instructions, **/{requirements*.txt,Pipfile*,pyproject.toml,package*.json,...}: "Pin exact versions; verify hashes where supported".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dynamic-demo-plugin/package.json` at line 34, The dependency entry for
react-router in the package manifest is using a tilde semver range instead of a
fully pinned version. Update the manifest to pin react-router to an exact
version, following the repo’s package.json convention for supply-chain safety;
keep the change localized to the react-router entry in the package.json
dependency list.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@dynamic-demo-plugin/package.json`:
- Line 34: The dependency entry for react-router in the package manifest is
using a tilde semver range instead of a fully pinned version. Update the
manifest to pin react-router to an exact version, following the repo’s
package.json convention for supply-chain safety; keep the change localized to
the react-router entry in the package.json dependency list.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ae625c6c-1c48-4122-8575-16aba1a7b21b

📥 Commits

Reviewing files that changed from the base of the PR and between c8440da and 317087a.

⛔ Files ignored due to path filters (2)
  • dynamic-demo-plugin/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (12)
  • dynamic-demo-plugin/package.json
  • frontend/package.json
  • frontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.md
  • frontend/packages/dev-console/src/components/import/__tests__/DeployImage.spec.tsx
  • frontend/packages/dev-console/src/components/import/jar/__tests__/UploadJarPage.spec.tsx
  • frontend/packages/knative-plugin/src/components/add/__tests__/EventSinkPage.spec.tsx
  • frontend/packages/knative-plugin/src/components/knatify/__tests__/CreateKnatifyPage.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/__tests__/catalog-source.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/operand/__tests__/index.spec.tsx
  • frontend/public/components/app.tsx
  • frontend/public/components/utils/__tests__/telemetry.spec.ts
  • frontend/public/components/utils/telemetry.ts
💤 Files with no reviewable changes (8)
  • frontend/packages/operator-lifecycle-manager/src/components/tests/catalog-source.spec.tsx
  • frontend/packages/dev-console/src/components/import/tests/DeployImage.spec.tsx
  • frontend/packages/knative-plugin/src/components/knatify/tests/CreateKnatifyPage.spec.tsx
  • frontend/public/components/utils/tests/telemetry.spec.ts
  • frontend/packages/knative-plugin/src/components/add/tests/EventSinkPage.spec.tsx
  • frontend/packages/dev-console/src/components/import/jar/tests/UploadJarPage.spec.tsx
  • frontend/packages/operator-lifecycle-manager/src/components/operand/tests/index.spec.tsx
  • frontend/public/components/utils/telemetry.ts
✅ Files skipped from review due to trivial changes (1)
  • frontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • frontend/public/components/app.tsx
  • frontend/package.json

@vojtechszocs

Copy link
Copy Markdown
Contributor Author

/retest

@vojtechszocs

Copy link
Copy Markdown
Contributor Author

/test backend

1 similar comment
@vojtechszocs

Copy link
Copy Markdown
Contributor Author

/test backend

@spadgett spadgett left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spadgett, vojtechszocs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-gcp-console
/test e2e-playwright

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 9, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2026
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 10, 2026
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@vojtechszocs: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. component/core Related to console core functionality component/dev-console Related to dev-console component/knative Related to knative-plugin component/olm Related to OLM component/sdk Related to console-plugin-sdk jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. kind/demo-plugin Related to dynamic-demo-plugin

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants