
Commit df00067

chore(deps): update dependency react-router to v7.12.0 [security] (#8085)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [react-router](https://redirect.github.com/remix-run/react-router) ([source](https://redirect.github.com/remix-run/react-router/tree/HEAD/packages/react-router)) | [`7.11.0` → `7.12.0`](https://renovatebot.com/diffs/npm/react-router/7.11.0/7.12.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/react-router/7.12.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/react-router/7.11.0/7.12.0?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-21884](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7)

An XSS vulnerability exists in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

> [!NOTE]
> This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

#### [CVE-2026-22029](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx)

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client.

This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

> [!NOTE]
> This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`).

#### [CVE-2026-22030](https://redirect.github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh)

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route `action` handlers in [Framework Mode](https://reactrouter.com/start/modes#framework), or when using React Server Actions in the new unstable RSC modes.

> [!NOTE]
> This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

---

### Release Notes

<details>
<summary>remix-run/react-router (react-router)</summary>

### [`v7.12.0`](https://redirect.github.com/remix-run/react-router/blob/HEAD/packages/react-router/CHANGELOG.md#7120)

[Compare Source](https://redirect.github.com/remix-run/react-router/compare/[email protected]@7.12.0)

##### Minor Changes

- Add an additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the `react-router.config.ts` config `allowedActionOrigins` field. ([#14708](https://redirect.github.com/remix-run/react-router/pull/14708))

##### Patch Changes

- Fix `generatePath` when used with suffixed params (i.e., "/books/:id.json") ([#14269](https://redirect.github.com/remix-run/react-router/pull/14269))
- Export `UNSAFE_createMemoryHistory` and `UNSAFE_createHashHistory` alongside `UNSAFE_createBrowserHistory` for consistency. These are not intended to be used for new apps but are intended to help apps using `unstable_HistoryRouter` migrate from v6 to v7 so they can adopt the newer APIs. ([#14663](https://redirect.github.com/remix-run/react-router/pull/14663))
- Escape HTML in scroll restoration keys ([#14705](https://redirect.github.com/remix-run/react-router/pull/14705))
- Validate redirect locations ([#14706](https://redirect.github.com/remix-run/react-router/pull/14706))
- \[UNSTABLE] Pass `<Scripts nonce>` value through to the underlying `importmap` `script` tag when using `future.unstable_subResourceIntegrity` ([#14675](https://redirect.github.com/remix-run/react-router/pull/14675))
- \[UNSTABLE] Add a new `future.unstable_trailingSlashAwareDataRequests` flag to provide consistent behavior of `request.pathname` inside `middleware`, `loader`, and `action` functions on document and data requests when a trailing slash is present in the browser URL. ([#14644](https://redirect.github.com/remix-run/react-router/pull/14644))

  Currently, your HTTP and `request` pathnames would be as follows for `/a/b/c` and `/a/b/c/`:

  | URL `/a/b/c` | **HTTP pathname** | **`request` pathname** |
  | ------------ | ----------------- | ---------------------- |
  | **Document** | `/a/b/c` | `/a/b/c` ✅ |
  | **Data** | `/a/b/c.data` | `/a/b/c` ✅ |

  | URL `/a/b/c/` | **HTTP pathname** | **`request` pathname** |
  | ------------- | ----------------- | ---------------------- |
  | **Document** | `/a/b/c/` | `/a/b/c/` ✅ |
  | **Data** | `/a/b/c.data` | `/a/b/c` ⚠️ |

  With this flag enabled, these pathnames will be made consistent through a new `_.data` format for client-side `.data` requests:

  | URL `/a/b/c` | **HTTP pathname** | **`request` pathname** |
  | ------------ | ----------------- | ---------------------- |
  | **Document** | `/a/b/c` | `/a/b/c` ✅ |
  | **Data** | `/a/b/c.data` | `/a/b/c` ✅ |

  | URL `/a/b/c/` | **HTTP pathname** | **`request` pathname** |
  | ------------- | ----------------- | ---------------------- |
  | **Document** | `/a/b/c/` | `/a/b/c/` ✅ |
  | **Data** | `/a/b/c/_.data` ⬅️ | `/a/b/c/` ✅ |

  This is a bug fix, but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic. Enabling this flag also changes the format of client-side `.data` requests from `/_root.data` to `/_.data` when navigating to `/`, to align with the new format. This does not impact the `request` pathname, which is still `/` in all cases.

- Preserve `clientLoader.hydrate=true` when using `<HydratedRouter unstable_instrumentations>` ([#14674](https://redirect.github.com/remix-run/react-router/pull/14674))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/UI5/webcomponents-react).

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Lukas Harbarth <[email protected]>
1 parent f816285 commit df00067
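The three fixes this update pulls in (escaping scroll restoration keys before SSR output, validating redirect locations so a `javascript:`-style URL is never navigated to, and rejecting action POSTs from non-allow-listed origins) illustrated as standalone defensive checks. This is an added example, not React Router's own code: the helper names, the `allowExternal` option, and the assumed `request` shape (`method` plus a Fetch-style `headers.get`) are assumptions.

```javascript
// Added example (not React Router's code): defensive checks matching the fixes
// this update describes. Helper names and the `allowExternal` option are assumed.

// 1. Escape a scroll-restoration key before it is serialised into server-rendered
//    markup, so untrusted key material cannot close a tag or break out of <script>.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// 2. Validate a redirect location returned from a loader/action. Only http(s)
//    URLs are accepted, and by default only ones on the app's own origin.
function isSafeRedirectLocation(location, currentOrigin, { allowExternal = false } = {}) {
  if (typeof location !== "string" || location.length === 0) return false;
  // The WHATWG URL parser strips tabs and newlines, so "java\tscript:" would
  // otherwise parse as a javascript: URL; reject any control character up front.
  if (/[\u0000-\u001f\u007f]/.test(location)) return false;
  let url;
  try {
    url = new URL(location, currentOrigin); // resolves "/path", "//host", "/\host" alike
  } catch {
    return false; // unparseable input is never a valid redirect target
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowExternal || url.origin === currentOrigin;
}

// 3. Reject document POSTs to UI routes whose Origin is neither the app's own nor
//    explicitly allow-listed (the intent of the `allowedActionOrigins` field in
//    the changelog). `request` is assumed to expose `method` and a Fetch-style
//    `headers.get`.
function isAllowedActionOrigin(request, appOrigin, allowedActionOrigins = []) {
  if (request.method.toUpperCase() !== "POST") return true; // only mutations are at risk
  const origin = request.headers.get("origin");
  if (!origin) return false; // a POST without an Origin header is treated as cross-origin
  return origin === appOrigin || allowedActionOrigins.includes(origin);
}
```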

2 files changed: +638 / -556 lines changed

0 commit comments