fix(security): upgrade Remix packages 2.1.0 → 2.17.4

[D-K-P]

Upgraded packages:

• @remix-run/express: 2.1.0 → 2.17.4
• @remix-run/node: 2.1.0 → 2.17.4
• @remix-run/react: 2.1.0 → 2.17.4
• @remix-run/router: 1.15.3 → 1.23.2
• @remix-run/serve: 2.1.0 → 2.17.4
• @remix-run/server-runtime: 2.1.0 → 2.17.4
• @remix-run/dev: 2.1.0 → 2.17.4
• @remix-run/eslint-config: 2.1.0 → 2.17.4
• @remix-run/testing: 2.1.0 → 2.17.4

Also updated tar-fs override for new @remix-run/dev version.

---

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4c2bf66

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This pull request updates Remix packages in apps/webapp/package.json: @remix-run/express, @remix-run/node, @remix-run/react, @remix-run/serve, and @remix-run/server-runtime from 2.1.0 to 2.17.4; @remix-run/router from ^1.15.3 to ^1.23.2; and devDependencies @remix-run/dev, @remix-run/eslint-config, and @remix-run/testing to 2.17.4. The root package.json overrides were adjusted: @remix-run/dev's tar-fs mapping updated to 2.1.4, and testcontainers tar-fs mapping updated to 3.1.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete relative to the template; it lists upgraded packages but lacks testing steps, changelog entry, and unchecked checklist items.	Add Testing section describing steps taken, fill in Changelog section with change summary, and check/complete all checklist items as applicable.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title accurately summarizes the main change: upgrading Remix packages from 2.1.0 to 2.17.4, which is the primary modification in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@package.json`:
- Line 89: Update the tar-fs override in package.json to patch CVE-2025-59343:
change the override entry for "@remix-run/dev@2.17.3>tar-fs" from "2.1.3" to
"2.1.4" (or any later 2.1.x) so the dependency used by `@remix-run/dev`@2.17.3
picks up the fixed version.

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eeab6bd and 4ef0cba.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• apps/webapp/package.json
• package.json

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{js,ts,jsx,tsx,json,md,yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

Format code using Prettier before committing

Files:

• apps/webapp/package.json
• package.json

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .cursor/rules/webapp.mdc:0-0
Timestamp: 2025-11-27T16:26:58.661Z
Learning: Applies to apps/webapp/**/*.{ts,tsx} : Follow the Remix 2.1.0 and Express server conventions when updating the main trigger.dev webapp

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-27T16:26:37.432Z
Learning: The webapp at apps/webapp is a Remix 2.1 application using Node.js v20

📚 Learning: 2025-11-27T16:26:37.432Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-27T16:26:37.432Z
Learning: The webapp at apps/webapp is a Remix 2.1 application using Node.js v20

Applied to files:

• apps/webapp/package.json
• package.json

📚 Learning: 2025-11-27T16:26:58.661Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: .cursor/rules/webapp.mdc:0-0
Timestamp: 2025-11-27T16:26:58.661Z
Learning: Applies to apps/webapp/**/*.{ts,tsx} : Follow the Remix 2.1.0 and Express server conventions when updating the main trigger.dev webapp

Applied to files:

• apps/webapp/package.json
• package.json

📚 Learning: 2026-01-15T11:50:06.067Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-15T11:50:06.067Z
Learning: Applies to {packages,integrations}/**/* : Add a changeset when modifying any public package in `packages/*` or `integrations/*` using `pnpm run changeset:add`

Applied to files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (21)

• GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
• GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
• GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
• GitHub Check: typecheck / typecheck

🔇 Additional comments (2)

apps/webapp/package.json (2)

231-233: No action required — all peer dependencies for Remix 2.17.3 are compatible.

The upgrade to @remix-run/dev, @remix-run/eslint-config, and @remix-run/testing 2.17.3 is compatible with the current tooling stack: TypeScript 5.5.4 (satisfies ^5.1.0), Vite ^5.4.21 (satisfies ^5.1.0 || ^6.0.0), ESLint ^8.24.0 (satisfies ^8.0.0), and React 18.x. No peer dependency conflicts or config changes are needed.

---

103-108: CVE-2026-22029 fix is included; remove Single Fetch breaking changes concern.

The upgrade to 2.17.3 safely includes the @remix-run/router 1.23.2+ fix for CVE-2026-22029 (XSS in redirect handling). Single Fetch is not enabled in remix.config.js, so the breaking changes mentioned do not apply—loaders/actions/redirect handling remains stable. However, audit redirect patterns using untrusted sources (e.g., submission.value.redirectUrl in resource routes) to ensure they don't accept arbitrary user-provided URLs that could exploit the XSS before the patched version was deployed.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional flags.

[vibe-kanban-cloud]

Review Complete

Your review story is ready!

View Story

Comment !reviewfast on this PR to re-generate the story.