
update react-router-dom and vite dependencies to address security vulnerabilities #461

Open

brianlenz wants to merge 1 commit into shellscape:main from lenzlogiclabs:update_react_router_dom_vite_dependencies

Conversation

brianlenz commented Jun 16, 2026

Component / Package Name:

This PR contains:

  • bugfix
  • feature
  • refactor
  • documentation
  • other

Are tests included?

  • yes (bugfixes and features will not be merged without tests)
  • no

Breaking Changes?

  • yes (breaking changes will not be merged unless absolutely necessary)
  • no

If yes, please include "BREAKING CHANGES:" in the first commit message body, followed by a description of what is breaking.

List any relevant issue numbers:

resolves #460

Description

The dependency updates address the following vulnerabilities:

vite:

  • GHSA-fx2h-pf6j-xcff
  • GHSA-v6wh-96g9-6wx3

react-router-dom -> react-router:

  • GHSA-49rj-9fvp-4h2h
  • GHSA-8646-j5j9-6r62
  • GHSA-8x6r-g9mw-2r78
  • GHSA-rxv8-25v2-qmq8
  • GHSA-2j2x-hqr9-3h42
  • GHSA-f22v-gfqf-p8f3
  • GHSA-84g9-w2xq-vcv6

greptile-apps Bot commented Jun 16, 2026

Confidence Score: 4/5

Safe to merge — only dependency version bumps, no functional code changes.

Both targeted packages are bumped well beyond the vulnerable ranges and the lock file is consistent with the manifest changes. The exact pinning of react-router-dom means future patches will again require a manual PR, but this was the pre-existing pattern. No major version jumps or API-breaking changes are introduced.

No files require special attention. The lock file collateral transitive updates are benign promotions from release-candidate to stable.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/jsx-email/package.json | Single-line bump of react-router-dom from 7.12.0 to 7.18.0 (exact pin, consistent with prior style). No other changes. |
| pnpm-workspace.yaml | Vite catalog entry bumped from 8.0.10 to 8.0.16 to address GHSA-fx2h-pf6j-xcff; affects all workspace consumers of the catalog entry. |
| pnpm-lock.yaml | Lock file updated to reflect both direct dependency bumps; also captures transitive updates to @rolldown/* bindings (rc.17 → 1.0.3), @oxc-project/types, and a postcss patch for unocss. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Security Dependency Updates] --> B[react-router-dom 7.12.0 to 7.18.0]
    A --> C[vite catalog 8.0.10 to 8.0.16]
    B --> D[packages/jsx-email/package.json - exact pin]
    C --> E[pnpm-workspace.yaml - catalog entry]
    E --> F[All workspace packages using vite catalog]
    D --> G[pnpm-lock.yaml updated]
    F --> G
    G --> H[Transitive side-effects]
    H --> I[rolldown bindings rc.17 to 1.0.3]
    H --> J[oxc-project/types 0.127.0 to 0.133.0]
    H --> K[postcss 8.5.14 to 8.5.15 for unocss only]
    B --> L[Addresses 8 react-router CVEs]
    C --> M[Addresses GHSA-fx2h-pf6j-xcff]


"pretty-bytes": "^6.1.1",
"qrcode-generator": "^2.0.4",
"react-router-dom": "7.12.0",
"react-router-dom": "7.18.0",
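Review bot: the added line keeps `"react-router-dom": "7.18.0"` as an exact pin while the neighbouring `"pretty-bytes": "^6.1.1"` and `"qrcode-generator": "^2.0.4"` use caret ranges, and since the PR description files the react-router advisories under `react-router-dom -> react-router`, the fix lives in the transitive `react-router` package, not in `react-router-dom` itself. Before merging, confirm that pnpm-lock.yaml resolves `react-router` to a release inside the patched range for each listed GHSA rather than inferring that from the `react-router-dom` bump alone, and ask whether the exact pin is intentional, since the next advisory will again need a manual manifest edit.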


P2 react-router-dom is pinned to an exact version rather than a patch-compatible range. This means future security patches for this package will require another manual PR instead of being picked up automatically by pnpm update. Using a patch-compatible range (^7.18.0) would let the lock file resolve the latest compatible release without manual intervention each time.

Suggested change
"react-router-dom": "7.18.0",
"react-router-dom": "^7.18.0",

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
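To make the pinning point concrete, here is an added example (not code from the jsx-email repository or from the review bot) that implements caret-range semantics for the two spec shapes visible in the manifest hunk and reports which dependencies would need a manual manifest edit to take a given patched release. The manifest entries and the 7.18.0 target are constructed from the values shown in this PR; the function names are my own.

```javascript
// Added example: compares an exact pin ("7.12.0") with a caret range ("^7.12.0")
// to show which one lets a lock file pick up a security patch without a PR.
// Pure Node.js, no external packages.
const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
};

const compare = (a, b) => {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
};

// Does `candidate` fall inside `spec`? Handles exact pins and caret ranges only,
// the two shapes that appear in the package.json hunk under review.
function satisfies(spec, candidate) {
  const c = parseVersion(candidate);
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    if (compare(c, base) < 0) return false;
    // ^ allows changes that keep the leftmost non-zero field unchanged.
    if (base[0] > 0) return c[0] === base[0];
    if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
    return compare(c, base) === 0;
  }
  return compare(c, parseVersion(spec)) === 0;
}

// Returns the dependency names whose spec would NOT admit the patched version,
// i.e. the ones that force a manual manifest bump to receive the fix.
function needsManualBump(dependencies, patched) {
  return Object.entries(dependencies)
    .filter(([name, spec]) => name in patched && !satisfies(spec, patched[name]))
    .map(([name]) => name);
}

// Constructed sample mirroring the hunk in packages/jsx-email/package.json.
const BEFORE = {
  'pretty-bytes': '^6.1.1',
  'qrcode-generator': '^2.0.4',
  'react-router-dom': '7.12.0', // exact pin as in the merged-from branch
};
const CARET = { ...BEFORE, 'react-router-dom': '^7.12.0' }; // the bot's suggestion
const PATCHED = { 'react-router-dom': '7.18.0' }; // target version from this PR

console.log(needsManualBump(BEFORE, PATCHED)); // ["react-router-dom"]
console.log(needsManualBump(CARET, PATCHED));  // []
```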

brianlenz (Author) commented

@shellscape I agree with this feedback, but I was unsure of the reasoning for pinning the specific version, so I didn't want to make the change without your input.

Development

Successfully merging this pull request may close these issues.

vite dependency has high severity security vulnerability
