
Patch: Address three CVEs with dependency updates#409

Merged

SvenVw merged 4 commits into main from hotfix/202600109-react-router on Jan 9, 2026

Conversation

@SvenVw SvenVw commented Jan 9, 2026

Summary by CodeRabbit


Replaces #408

dependabot Bot and others added 3 commits January 9, 2026 09:08
Bumps the npm_and_yarn group with 1 update in the / directory: [react-router](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router).

Updates `react-router` from 7.11.0 to 7.12.0
- [Release notes](https://github.com/remix-run/react-router/releases)
- [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router/CHANGELOG.md)
- [Commits](https://github.com/remix-run/react-router/commits/react-router@7.12.0/packages/react-router)

---
updated-dependencies:
- dependency-name: react-router
  dependency-version: 7.12.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@SvenVw SvenVw self-assigned this Jan 9, 2026
changeset-bot Bot commented Jan 9, 2026

⚠️ No Changeset found

Latest commit: 01c5e2a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

github-actions Bot commented Jan 9, 2026

👋 Hotfix Branch PR Detected!

Before merging this Pull Request into main, please ensure you have finalized the hotfix by manually running the 'Release' workflow on this hotfix/202600109-react-router branch.

This will:

  1. Bump package versions.
  2. Generate changelogs.
  3. Create Git tags.

You can trigger the workflow from the 'Actions' tab, selecting the 'Release' workflow, and choosing this hotfix/202600109-react-router branch.

coderabbitai Bot commented Jan 9, 2026

Walkthrough

This pull request bumps the fdm-app package version to 0.26.5 and updates multiple dependencies including @react-router packages (^7.11.0 to ^7.12.0), posthog-js (^1.313.0 to ^1.316.0), and posthog-node (^5.18.1 to ^5.20.0). A CHANGELOG entry documents security patches for CVE-2026-21884, CVE-2026-22029, and CVE-2026-22030.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency & Version Updates: `fdm-app/package.json` | Version bump from 0.26.4 to 0.26.5; @react-router packages updated from ^7.11.0 to ^7.12.0; posthog-js updated from ^1.313.0 to ^1.316.0; posthog-node updated from ^5.18.1 to ^5.20.0 |
| Changelog Documentation: `fdm-app/CHANGELOG.md` | New patch release entry for version 0.26.5 documenting CVE security patch fixes |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

bug

Poem

🐰 Dependencies dance, CVEs take flight,
React Router hops to version new and bright,
PostHog whispers through the security night,
Patch 0.26.5 shines clean and right! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: addressing three CVEs through dependency updates, which is exactly what the changeset does. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d99cef and 01c5e2a.

📒 Files selected for processing (2)
  • fdm-app/CHANGELOG.md
  • fdm-app/package.json
✅ Files skipped from review due to trivial changes (1)
  • fdm-app/CHANGELOG.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • fdm-app/package.json

codecov Bot commented Jan 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.47%. Comparing base (7d6325e) to head (3d99cef).

Additional details and impacted files

```
@@           Coverage Diff           @@
##             main     #409   +/-   ##
=======================================
  Coverage   87.47%   87.47%           
=======================================
  Files          91       91           
  Lines        4559     4559           
  Branches     1391     1391           
=======================================
  Hits         3988     3988           
  Misses        571      571           
```

| Flag | Coverage Δ |
|---|---|
| fdm-calculator | 86.98% <ø> (ø) |
| fdm-core | 87.66% <ø> (ø) |
| fdm-data | 92.12% <ø> (ø) |

Flags with carried forward coverage won't be shown.

@coderabbitai coderabbitai Bot changed the title @coderabbitai Patch: Address three CVEs with dependency updates Jan 9, 2026
@coderabbitai coderabbitai Bot added branch:main An issue, affecting the main branch, that requires an hotfix bug Something isn't working dependencies Pull requests that update a dependency file fdm-app labels Jan 9, 2026
@SvenVw SvenVw removed the bug Something isn't working label Jan 9, 2026
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

In @.changeset/calm-ties-join.md:
- Line 5: The changeset incorrectly claims CVE-2026-22030 is fixed by bumping react-router to 7.12.0; CVE-2026-22030 is in @remix-run/server-runtime (fixed in v2.17.3) and CVE-2026-22029 is in @remix-run/router (fixed in v1.23.2), so update the changeset text and dependencies accordingly:
  - remove CVE-2026-22030 from .changeset/calm-ties-join.md, or clarify that it only applies if this repo depends on @remix-run/server-runtime;
  - check package.json for @remix-run/server-runtime and, if present and you use server-side actions, bump it to 2.17.3 (and update the lockfile);
  - check package.json for @remix-run/router and, if present or if your react-router upgrade pulls it in, bump it to v1.23.2 (and update the lockfile);
  - run npm/yarn install and a vulnerabilities scan to verify both CVEs are resolved;
  - update the changeset to list only the CVEs actually fixed by the committed dependency upgrades and mention any additional required upgrades.

In @fdm-app/package.json:
- Around line 66-67: Update the PR description or changeset to explicitly
document the routine dependency bump of posthog packages: mention that
"posthog-js" was updated to ^1.316.0 and "posthog-node" to ^5.20.0, reference
the commit message "chore: update posthog" to show intent, and state that these
are maintenance/security/version sync updates with no functional changes
expected; include any relevant testing/verifications performed (e.g.,
smoke-tested analytics flows) so reviewers can quickly confirm it's safe.
📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7d6325e and 3d99cef.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .changeset/calm-ties-join.md
  • fdm-app/package.json
🔇 Additional comments (1)
fdm-app/package.json (1)

33-34: No issues identified. React Router v7.12.0 (released January 7, 2026) is the current version with no breaking changes, and all necessary packages—@react-router/node, @react-router/serve, react-router, react-router-dom, @react-router/dev, and @react-router/fs-routes—are consistently updated to ^7.12.0. The omitted packages (@react-router/architect, @react-router/cloudflare, @react-router/express, @react-router/remix-config-routes-adapter) are platform-specific adapters not required for this project's Node.js-based deployment setup.
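As an added example (not code from the PR or the fdm project), a small Node script that does the check the review comment above asks for: it compares a package.json's declared dependency floors against the minimum fixed versions the comment cites, and flags packages that are not direct dependencies so the lockfile can be checked for transitive copies. The package.json contents are constructed, and the version thresholds are assumptions taken from the review comment that should be confirmed against the advisories themselves.

```javascript
// Added example, not code from the PR or the fdm project. Checks a package.json's
// declared dependency floors against the minimum fixed versions the review cites.
// The package.json below is constructed; the thresholds are assumptions taken from
// the review comment and should be confirmed against the advisories themselves.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "react-router": "^7.12.0",        // the version this PR bumps to
    "@react-router/node": "^7.12.0",
    "@remix-run/router": "^1.23.1",   // constructed: one patch below the cited fix
  },
  devDependencies: { "@react-router/dev": "^7.12.0" },
};

const MIN_FIXED = {
  "react-router": { min: "7.12.0", note: "version this PR bumps to" },
  "@remix-run/server-runtime": { min: "2.17.3", note: "CVE-2026-22030 per review" },
  "@remix-run/router": { min: "1.23.2", note: "CVE-2026-22029 per review" },
};

// Floor of a ^ / ~ / >= range; null for specs with no x.y.z (e.g. "latest", "*").
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// One finding per threshold. "absent" means not a *direct* dependency: the package
// may still arrive transitively, so the lockfile must be checked before concluding.
function auditDependencies(pkg, thresholds) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(thresholds).map(([name, { min, note }]) => {
    const spec = declared[name];
    if (spec === undefined) return { name, min, declared: null, status: "absent", note };
    const floor = parseVersion(spec);
    if (floor === null) return { name, min, declared: spec, status: "unparsable", note };
    const ok = compareVersions(floor, parseVersion(min)) >= 0;
    return { name, min, declared: spec, status: ok ? "ok" : "below-fix", note };
  });
}

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, MIN_FIXED)) {
  console.log(`${f.status.padEnd(10)} ${f.name} declared=${f.declared ?? "-"} min=${f.min} (${f.note})`);
}
```

A declared floor only bounds what the package manager may pick; the resolved version in pnpm-lock.yaml (excluded from this review by the path filter) is what actually ships.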

@coderabbitai coderabbitai Bot added the bug Something isn't working label Jan 9, 2026
@SvenVw SvenVw merged commit 5284e8e into main Jan 9, 2026
4 checks passed