Skip to content

chore(deps): bump RR7 to v7.12.0 #3346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kdaviduik merged 2 commits into from
Jan 8, 2026
Merged

chore(deps): bump RR7 to v7.12.0 #3346

kdaviduik merged 2 commits into from
Jan 8, 2026
+136 −98

Conversation

@kdaviduik
Copy link
Contributor

@kdaviduik kdaviduik commented Jan 7, 2026
edited
Loading

WHAT is this pull request doing?

Update React Router to 7.12.0 with stabilized future flags

This release uses React Router's newly stabilized future flags (v8_splitRouteModules, v8_middleware) instead of their unstable counterparts

HOW to test your changes?

git fetch origin kd-bump-rr7
git checkout kd-bump-rr7
npm ci

^ should succeed with no errors or warnings

Post-merge steps

Update the h2 upgrade changelog to include upgrade instructions

Checklist

  • I've read the Contributing Guidelines
  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've added a changeset if this PR contains user-facing or noteworthy changes
  • I've added tests to cover my changes
  • I've added or updated the documentation

@shopify
Copy link
Contributor

shopify bot commented Jan 7, 2026
edited
Loading

Oxygen deployed a preview of your kd-bump-rr7 branch. Details:

Storefront Status Preview link Deployment details Last update (UTC)
Skeleton (skeleton.hydrogen.shop) ✅ Successful (Logs) Preview deployment Inspect deployment January 8, 2026 4:17 AM
sitemap ✅ Successful (Logs) Preview deployment Inspect deployment January 8, 2026 4:18 AM
third-party-queries-caching ✅ Successful (Logs) Preview deployment Inspect deployment January 8, 2026 4:18 AM
metaobjects ✅ Successful (Logs) Preview deployment Inspect deployment January 8, 2026 4:18 AM
custom-cart-method ✅ Successful (Logs) Preview deployment Inspect deployment January 8, 2026 4:19 AM

Learn more about Hydrogen's GitHub integration.

@kdaviduik kdaviduik changed the title Bump RR7 to v7.12.0 chore(deps): bump RR7 to v7.12.0 Jan 7, 2026
@kdaviduik kdaviduik marked this pull request as ready for review January 8, 2026 04:31
@kdaviduik kdaviduik requested a review from a team as a code owner January 8, 2026 04:31
fredericoo
fredericoo approved these changes Jan 8, 2026
View reviewed changes
Copy link
Contributor

@fredericoo fredericoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

frandiox
frandiox approved these changes Jan 8, 2026
View reviewed changes
Copy link
Contributor

@frandiox frandiox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should wait to merge this until cookies are released?

brookslybrand
brookslybrand reviewed Jan 8, 2026
View reviewed changes
templates/skeleton/package.json
},
"prettier": "@shopify/prettier-config",
"dependencies": {
"@shopify/hydrogen": "2025.7.0",
Copy link

@brookslybrand brookslybrand Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know y'all's release flow, will this PR bump the @shopify/hydrogen version? If so, does this dep also need to be bumped in the various package.json?

Copy link
Contributor Author

@kdaviduik kdaviduik Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So merging this PR won't release anything, but it will update this 2025.7.1 release PR. And merging that 2025.7.1 release PR will actually publish the new Hydrogen version on npm, and also update this dependency here automatically to 2025.7.1 :)

brookslybrand
brookslybrand approved these changes Jan 8, 2026
View reviewed changes
Copy link

@brookslybrand brookslybrand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I just had one question

@kdaviduik kdaviduik merged commit 6d5e3d3 into main Jan 8, 2026
19 checks passed
@kdaviduik kdaviduik deleted the kd-bump-rr7 branch January 8, 2026 17:18
@shopify-github-actions-access shopify-github-actions-access bot mentioned this pull request Jan 8, 2026
Merged
brophdawg11
brophdawg11 reviewed Jan 8, 2026
View reviewed changes
cookbook/recipes/express/patches/package.json.f30b0a.patch
"graphql": "^16.10.0",
"graphql-tag": "^2.12.6",
"isbot": "^5.1.22",
+ "morgan": "^1.10.0",
Copy link

@brophdawg11 brophdawg11 Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not quite sure what these patches are for but we recently updated compression/morgan to address an underlying CVE (remix-run/react-router#14652) so if they are being patched it should meet those new minimum versions. But ideally they don't need to be patched?

Copy link
Contributor Author

@kdaviduik kdaviduik Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, these patches are just used as "recipes" in the dev docs. Here is the link to this specific one. I will bump this morgan version in the express recipe as a follow-up so it reflects best practices for security :) Thanks Matt!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brophdawg11 brophdawg11 brophdawg11 left review comments

@frandiox frandiox frandiox approved these changes

@brookslybrand brookslybrand brookslybrand approved these changes

@fredericoo fredericoo fredericoo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kdaviduik @brophdawg11 @frandiox @brookslybrand @fredericoo