Update react-router-dom 7.11.0 → 7.12.0 (minor)

[depfu]

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ react-router-dom (7.11.0 → 7.12.0) · Repo · Changelog

Release Notes

7.12.0 (from changelog)

Date: 2026-01-07

Minor Changes

• react-router - Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins (#14708)
  • If you need to permit access to specific external origins, there is a new allowedActionOrigins config field in react-router.config.ts where you can specify external origins

Patch Changes

• react-router - Fix generatePath when used with suffixed params (i.e., /books/:id.json) (#14269)
• react-router - Escape HTML in scroll restoration keys (#14705)
• react-router - Validate redirect locations (#14706)
• @react-router/dev - Fix Maximum call stack size exceeded errors when HMR is triggered against code with cyclic imports (#14522)
• @react-router/dev - Skip SSR middleware in vite preview server for SPA mode (#14673)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Preserve clientLoader.hydrate=true when using <HydratedRouter unstable_instrumentations> (#14674)
• react-router - Pass <Scripts nonce> value through to the underlying importmap script tag when using future.unstable_subResourceIntegrity (#14675)
• react-router - Export UNSAFE_createMemoryHistory and UNSAFE_createHashHistory alongside UNSAFE_createBrowserHistory for consistency (#14663)
  • These are not intended to be used for new apps but intended to help apps using unstable_HistoryRouter migrate from v6->v7 so they can adopt the newer APIs
• @react-router/dev - Add a new future.unstable_trailingSlashAwareDataRequests flag to provide consistent behavior of request.pathname inside middleware, loader, and action functions on document and data requests when a trailing slash is present in the browser URL. (#14644)

  • Currently, your HTTP and request pathnames would be as follows for /a/b/c and /a/b/c/

    URL /a/b/c	HTTP pathname	request pathname`
    Document	/a/b/c	/a/b/c ✅
    Data	/a/b/c.data	/a/b/c ✅

    URL /a/b/c/	HTTP pathname	request pathname`
    Document	/a/b/c/	/a/b/c/ ✅
    Data	/a/b/c.data	/a/b/c ⚠️

  • With this flag enabled, these pathnames will be made consistent though a new _.data format for client-side .data requests:

    URL /a/b/c	HTTP pathname	request pathname`
    Document	/a/b/c	/a/b/c ✅
    Data	/a/b/c.data	/a/b/c ✅

    URL /a/b/c/	HTTP pathname	request pathname`
    Document	/a/b/c/	/a/b/c/ ✅
    Data	/a/b/c/_.data ⬅️	/a/b/c/ ✅

  • This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic

  • Enabling this flag also changes the format of client side .data requests from /_root.data to /_.data when navigating to / to align with the new format - This does not impact the request pathname which is still / in all cases

Full Changelog: v7.11.0...v7.12.0

Does any of this look wrong? Please let us know.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[netlify]

✅ Deploy Preview for firefox-devtools-react-contextmenu ready!

Name	Link
🔨 Latest commit	70387ee
🔍 Latest deploy log	https://app.netlify.com/projects/firefox-devtools-react-contextmenu/deploys/696e5551280bc70008a410ea
😎 Deploy Preview	https://deploy-preview-375--firefox-devtools-react-contextmenu.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.