Merged · Size: XL · Change breakdown: Security 70%, Dependencies 25%, Docs 5%
#3372 fix(security): upgrade Remix packages 2.1.0 → 2.17.4

Remix upgraded to address React Router vulnerabilities

The webapp's Remix packages have been bumped from 2.1.0 to 2.17.4 to pick up security fixes in React Router, and root package.json overrides now force patched versions of the transitive tar-fs dependency (2.1.4 on the 2.x line, 3.1.1 on the 3.x line).

Security vulnerabilities in React Router required a framework update, so every @remix-run/* package in apps/webapp moves from 2.1.0 to 2.17.4 and @remix-run/router from ^1.15.3 to ^1.23.2. Because tar-fs reaches the tree through two different parents (@remix-run/dev and testcontainers), the PR pins each path separately with pnpm overrides rather than relying on the Remix bump alone. No application code changes: only package manifests, the regenerated pnpm-lock.yaml, documentation and a .server-changes entry. The residual risk sits with the remix-auth, remix-auth-email-link and remix-auth-github packages, whose peer dependency on @remix-run/server-runtime@^1.x is no longer satisfied; the warnings predate this PR, but both login paths (email magic link and GitHub OAuth) should be exercised in staging. AI coding guidelines (CLAUDE.md, apps/webapp/CLAUDE.md, .cursor/rules/webapp.mdc) were also updated so future development targets the 2.17.4 API surface.

Original GitHub description

Summary

Upgrades all @remix-run/* packages in apps/webapp from 2.1.0 → 2.17.4 to address security vulnerabilities. Recreation of #2951 on a fresh checkout of main.

Updated packages (apps/webapp/package.json):

  • @remix-run/express, @remix-run/node, @remix-run/react, @remix-run/serve, @remix-run/server-runtime: 2.1.0 → 2.17.4
  • @remix-run/router: ^1.15.3 → ^1.23.2
  • @remix-run/dev, @remix-run/eslint-config, @remix-run/testing: 2.1.0 → 2.17.4

Root package.json overrides:

  • @remix-run/dev@2.17.4>tar-fs: 2.1.3 → 2.1.4
  • testcontainers@10.28.0>tar-fs: 3.0.9 → 3.1.1

Documentation: Updated Remix version references in CLAUDE.md, apps/webapp/CLAUDE.md, and .cursor/rules/webapp.mdc.

Server changes: Added .server-changes/upgrade-remix-security.md for release tracking per CONTRIBUTING.md.

No application code changes — only package.json files, documentation, a server-changes entry, and the regenerated pnpm-lock.yaml.

Updates since last revision

Addressed all 3 Devin Review findings:

  1. Missing .server-changes/ file — added .server-changes/upgrade-remix-security.md (commit ce22a0bd4)
  2. Sentry Remix patch (@sentry/remix@9.46.0) — verified the patch at patches/@sentry__remix@9.46.0.patch applies cleanly against 2.17.4. The patch modifies Sentry's own RemixInstrumentation wrapper (removing request.clone() and form data attributes), not Remix internals. The underlying Remix APIs it hooks into (callRouteAction, callRouteLoader) are stable across 2.1→2.17.
  3. remix-typedjson@0.3.1 compatibility — peer deps declare @remix-run/react: ^1.16.0 || ^2.0, covering 2.17.4. Confirmed working at runtime across all 22 tested pages that use it (root.tsx, hooks, route loaders).

Verification performed during this session

  • Runtime: Express+Remix integration, magic link login, client-side routing, MetaFunction rendering
  • Operational: hello-world task triggered via API, runs list, run detail, tasks page
  • Comprehensive UI: 22 pages, 11 filter types, environment/project switchers, interactive elements
  • Docker: Production Dockerfile (docker/webapp/Dockerfile) builds successfully
  • Changelog audit: All 16 minor versions reviewed — every breaking change is behind opt-in future flags the webapp doesn't enable

Review & Testing Checklist for Human

  • Verify auth flows in staging: remix-auth, remix-auth-email-link, and remix-auth-github declare peer deps on @remix-run/server-runtime@^1.x, which is now 2.17.4. Login (magic link + OAuth) should be tested in a staging environment since local dev testing may not exercise all auth code paths.
  • Verify tar-fs override versions resolve the targeted security advisories (2.1.4 and 3.1.1)
  • Review new transitive dependencies added by the upgrade: turbo-stream@2.4.1, undici@6.25.0, valibot@1.3.1, ws@7.5.10

Recommended test plan: deploy to staging and exercise core webapp flows — login (email magic link + GitHub OAuth), dashboard navigation, task triggering/viewing, and API endpoints — to catch runtime regressions not covered by local testing.

Notes

  • Peer dependency warnings for remix-auth-* packages (expecting @remix-run/server-runtime@^1.x) were present in the original PR #2951 as well and appear to be pre-existing
  • The lockfile diff is large (~1200 lines) but mechanical — driven by the Remix version bump cascading through transitive dependencies
  • CI failures (audit, units/internal/1-of-8) are unrelated: audit is a claude-code-action bot permissions issue; the internal test failure is a ClickHouse testcontainers "Failed to connect to Reaper" flake

Link to Devin session: https://app.devin.ai/sessions/d9fa9953b9bf40e5a8d12b8f5ba5b86b

Requested by: @ericallam
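The checklist above asks a reviewer to confirm that the tar-fs override versions actually resolved. The script below is an added example, not code from the PR or from the Trigger.dev repository: it checks that the root package.json declares the two pnpm overrides named in the description (pnpm's `parent@version>child` selector syntax) and that no tar-fs entry in pnpm-lock.yaml resolves below 2.1.4 on the 2.x line or 3.1.1 on the 3.x line. The lockfile excerpts, the package.json content and all function names are constructed for the example; the lockfile forms it matches are pnpm's `name@version:` package keys (with or without the older leading `/`) and `name: version` snapshot dependency lines.

```typescript
// Added verification example (not code from the PR or the repository):
// confirm the pnpm overrides for tar-fs are declared and that every tar-fs
// resolution in pnpm-lock.yaml sits at or above the patched floor.
// All inputs below are constructed for illustration.

// Minimum acceptable version per major line, taken from the PR's override targets.
export const TAR_FS_FLOORS: { [major: number]: string } = { 2: "2.1.4", 3: "3.1.1" };

// Overrides the PR adds to the root package.json (pnpm "parent@ver>child" selectors).
export const EXPECTED_OVERRIDES: { [selector: string]: string } = {
  "@remix-run/dev@2.17.4>tar-fs": "2.1.4",
  "testcontainers@10.28.0>tar-fs": "3.1.1",
};

function parseSemver(v: string): number[] {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("not a semver: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

export function cmpSemver(a: string, b: string): number {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Every distinct version of `pkg` that a pnpm lockfile resolves. Matches the
// package key `tar-fs@2.1.4:` (v9) or `/tar-fs@2.1.4:` (older), and snapshot
// dependency lines `tar-fs: 2.1.4`. Override selectors such as `>tar-fs'` are
// deliberately not matched: they state intent, not what was resolved.
export function lockfileVersions(lock: string, pkg: string): string[] {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("(?:^|[\\s/'\"])" + esc + "(?:@|:\\s+)(\\d+\\.\\d+\\.\\d+)", "gm");
  const found: { [v: string]: true } = {};
  let m: RegExpExecArray | null;
  while ((m = re.exec(lock)) !== null) found[m[1]] = true;
  return Object.keys(found).sort(cmpSemver);
}

// Versions below the floor for their major line. A major line with no floor is
// reported too: an unreviewed line must not pass silently.
export function belowFloor(versions: string[], floors: { [major: number]: string }): string[] {
  return versions.filter(function (v) {
    const floor = floors[parseSemver(v)[0]];
    return floor === undefined || cmpSemver(v, floor) < 0;
  });
}

// Expected override entries that are absent from package.json or pinned elsewhere.
export function missingOverrides(pkgJsonText: string, expected: { [k: string]: string }): string[] {
  const parsed = JSON.parse(pkgJsonText);
  const overrides: { [k: string]: string } = (parsed.pnpm && parsed.pnpm.overrides) || {};
  return Object.keys(expected).filter(function (k) { return overrides[k] !== expected[k]; });
}

export interface TarFsAudit { versions: string[]; failing: string[]; missing: string[]; ok: boolean; }

export function auditTarFs(lock: string, pkgJsonText: string): TarFsAudit {
  const versions = lockfileVersions(lock, "tar-fs");
  const failing = belowFloor(versions, TAR_FS_FLOORS);
  const missing = missingOverrides(pkgJsonText, EXPECTED_OVERRIDES);
  return { versions: versions, failing: failing, missing: missing, ok: failing.length === 0 && missing.length === 0 };
}

// Constructed root package.json carrying the PR's overrides.
export const ROOT_PACKAGE_JSON = JSON.stringify({ name: "workspace-root", pnpm: { overrides: EXPECTED_OVERRIDES } });

// Constructed lockfile excerpt after the upgrade: both tar-fs lines at the floor.
export const LOCK_AFTER = [
  "lockfileVersion: '9.0'",
  "overrides:",
  "  '@remix-run/dev@2.17.4>tar-fs': 2.1.4",
  "  testcontainers@10.28.0>tar-fs: 3.1.1",
  "packages:",
  "  tar-fs@2.1.4:",
  "    resolution: {integrity: sha512-constructed}",
  "  tar-fs@3.1.1:",
  "    resolution: {integrity: sha512-constructed}",
  "snapshots:",
  "  '@remix-run/dev@2.17.4':",
  "    dependencies:",
  "      tar-fs: 2.1.4",
  "  testcontainers@10.28.0:",
  "    dependencies:",
  "      tar-fs: 3.1.1",
].join("\n");

// Constructed failure case: the override is declared, but the testcontainers
// path still resolves tar-fs 3.0.9 (e.g. the lockfile was not regenerated).
export const LOCK_STALE = LOCK_AFTER
  .replace(/tar-fs@3\.1\.1/g, "tar-fs@3.0.9")
  .replace(/tar-fs: 3\.1\.1/g, "tar-fs: 3.0.9");

console.log("after upgrade:", auditTarFs(LOCK_AFTER, ROOT_PACKAGE_JSON));  // ok: true, versions 2.1.4 and 3.1.1
console.log("stale lockfile:", auditTarFs(LOCK_STALE, ROOT_PACKAGE_JSON)); // ok: false, failing: ['3.0.9']
```

To run it against the real tree, feed `auditTarFs` the contents of pnpm-lock.yaml and the root package.json instead of the constructed strings; `pnpm why tar-fs` gives the same resolution paths interactively, but the script is the form that belongs in CI so a later lockfile regeneration cannot silently drop the override.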

© 2026 · via Gitpulse