[Snyk] Fix for 3 vulnerabilities

[johnnyhuy]

Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• packages/app/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Cross-site Scripting (XSS) SNYK-JS-REMIXRUNROUTER-14908530	646
	Open Redirect SNYK-JS-REACTROUTER-14908286	641
	Open Redirect SNYK-JS-REMIXRUNROUTER-14908287	641

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect
🦉 Cross-site Scripting (XSS)

[Copilot]

Pull request overview

This PR addresses three high-severity security vulnerabilities in the react-router dependencies by upgrading react-router and react-router-dom from version 6.3.0 to 6.30.3. The vulnerabilities include Cross-site Scripting (XSS) and Open Redirect issues.

Changes:

• Updated react-router from ^6.3.0 to ^6.30.3
• Updated react-router-dom from ^6.3.0 to ^6.30.3

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[greptile-apps]

Greptile Summary

Upgrades react-router and react-router-dom from 6.3.0 to 6.30.3 to address 3 high-severity security vulnerabilities: XSS (SNYK-JS-REMIXRUNROUTER-14908530) and two Open Redirect issues (SNYK-JS-REACTROUTER-14908286, SNYK-JS-REMIXRUNROUTER-14908287).

Key points:

• Security fix addresses critical vulnerabilities with scores of 641-646
• Major version jump (6.3.0 → 6.30.3) may include breaking changes
• yarn.lock update failed and requires manual resolution before merge
• App uses react-router minimally (routing via FlatRoutes and Route from react-router-dom in App.tsx)

Actions needed:

• Run yarn install to update yarn.lock with the new package versions
• Test routing functionality to ensure compatibility with 27+ minor version updates
• Verify all route navigation works as expected across the application

Confidence Score: 4/5

• This PR is safe to merge once yarn.lock is updated, with low risk given the targeted security fixes
• Score reflects that this is a necessary security update addressing high-severity vulnerabilities. The change is straightforward (dependency version bump), but the significant version jump (6.3.0 → 6.30.3) requires testing to ensure compatibility. The main blocker is the yarn.lock update failure, which must be resolved manually. Once yarn.lock is updated and basic routing is tested, this should be safe to merge.
• No files require special attention once yarn.lock is updated

Important Files Changed

Filename	Overview
packages/app/package.json	upgraded react-router from 6.3.0 to 6.30.3 and react-router-dom from 6.3.0 to 6.30.3 to fix 3 high-severity vulnerabilities (XSS and Open Redirect), but yarn.lock needs manual update

Sequence Diagram

sequenceDiagram
    participant Snyk
    participant PR as Pull Request #77
    participant PJ as package.json
    participant YL as yarn.lock
    participant App as Backstage App
    
    Snyk->>PR: Detect 3 high-severity vulnerabilities
    Note over Snyk: XSS (score 646)<br/>Open Redirect (score 641)<br/>Open Redirect (score 641)
    
    Snyk->>PJ: Update react-router 6.3.0 → 6.30.3
    Snyk->>PJ: Update react-router-dom 6.3.0 → 6.30.3
    
    Snyk--xYL: ⚠️ Failed to update yarn.lock
    Note over YL: Manual update required<br/>before merging
    
    rect rgb(255, 245, 230)
        Note over PR,App: Required Actions Before Merge
        PR->>YL: Run yarn install
        YL->>App: Test routing functionality
        App->>App: Verify FlatRoutes & navigation
    end

Loading

[greptile-apps]

Greptile's behavior is changing!

From now on, if a review finishes with no comments, we will not post an additional "statistics" comment to confirm that our review found nothing to comment on. However, you can confirm that we reviewed your changes in the status check section.

_{This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".}