React Router Updates & Release Notes

What's Changed

Stabilizations

We've stabilized a bunch of APIs in this release in preparation for a React Router v8 release hopefully in the next month or two. These flag/prop renames are breaking changes if you've already opted into the unstable APIs so please make sure you make the appropriate changes if so.

• future.unstable_passThroughRequests → future.v8_passThroughRequests
• future.unstable_subResourceIntegrity → top-level config.subResourceIntegrity
• prerender.unstable_concurrency → prerender.concurrency
• unstable_url → url (loader, action, middleware, instrumentation args)
• unstable_instrumentations → instrumentations
  • Plus associated types (ServerInstrumentation, ClientInstrumentation, etc.)
• unstable_pattern → pattern (loader, action, middleware, instrumentation args)
• unstable_defaultShouldRevalidate → defaultShouldRevalidate
• unstable_useTransitions → useTransitions
• unstable_mask → mask (on , useLinkClickHandler, useNavigate, and Location)

Route matching optimizations

We've added a handful of route matching optimizations in this release for Framework and Data mode. The changes are mostly related to caching the internal flattened/ranked route branches and reducing additional calls to matchRoutes along the critical path. This should result in improved performance during both server-side request handling and client-side navigations.

Minor Changes

• react-router - Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on , , useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Stabilize the instrumentation APIs (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Stabilize unstable_mask as mask on , useLinkClickHandler, useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Stabilize unstable_url as url on loader, action, and middleware function args (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• react-router - Stabilize unstable_useTransitions as useTransitions on , , , , , , , and useLinkClickHandler (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• @react-router/dev - Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (14999)
  ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
• @react-router/dev - Stabilize prerender.unstable_concurrency as prerender.concurrency (14999)

Patch Changes

• react-router - Add nonce to elements (if provided) (af5d49b)
• react-router - Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#15012)
• react-router - Mark mask as an optional field in Location for easier mocking in unit tests (14999)
• react-router - Improve server-side route matching performance by pre-computing flattened/cached route branches (#14967) (af5d49b)
  • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance
• react-router - Cache flattened/ranked route branches to optimize server-side route matching (#14967)
• react-router - Improve route matching performance in Framework/Data Mode (#14971) (af5d49b)
  • Avoiding unnecessary calls to matchRoutes in data router scenarios
    • This includes adding back the optimization that was removed in 7.6.0 (#13562)
    • The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest
  • Leverage pre-computed pre-computing flattened/cached route branches during client side route matching
  • Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance

Full Changelog: v7.14.2...v7.15.0

Patch Changes

• react-router - Remove the un-documented custom error serialization logic from the internal turbo-stream implementation. React Router only automatically handles serialization of Error and it's standard subtypes (SyntaxError, TypeError, etc.). (#14992)

• react-router - Properly handle parent middleware redirects during fetcher.load (#14974)

• react-router - Remove redundant Omit<RouterProviderProps, "flushSync"> from react-router/dom RouterProvider (#14874)

• react-router - Improved types for generatePath's param arg (#14984)

  Type errors when required params are omitted:

  // Before
  // Passes type checks, but throws at runtime 💥
  generatePath(":required", { required: null });

  // After
  generatePath(":required", { required: null });
  // ^^^^^^^^ Type 'null' is not assignable to type 'string'.ts(2322)

  Allow omission of optional params:

  // Before
  generatePath(":optional?", {});
  // ^^ Property 'optional' is missing in type '{}' but required in type '{ optional: string | null | undefined; }'.ts(2741)

  // After
  generatePath(":optional?", {});

  Allows extra keys:

  // Before
  generatePath(":a", { a: "1", b: "2" });
  // ^ Object literal may only specify known properties, and 'b' does not exist in type '{ a: string; }'.ts(2353)

  // After
  generatePath(":a", { a: "1", b: "2" });

• @react-router/dev - Fix typegen for layouts without pages (#14875)

  Previously, typegen could produce pages: ; in .react-router/types/+routes.ts when a route corresponded to 0 pages

  Now, pages: never; is correctly generated for those cases

Full Changelog: v7.14.1...v7.14.2

Minor Changes

• Add support for Vite 8 (#14876)

Patch Changes

• react-router - Remove recursion from vendored turbo-stream v2 implementation allowing for encoding/decoding of large payloads (#14838)
• react-router - Fix encodeViaTurboStream memory leak via unremoved AbortSignal listener (#14900)
• @react-router/dev - Support for prerendering multiple server bundles with v8_viteEnvironmentApi (#14921)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• @react-router/dev - Pre-rendering and SPA Mode support for RSC Framework Mode (#14907)

• @react-router/dev - Update react-router reveal to support RSC Framework Mode for entry.client, entry.rsc, entry.ssr (#14904)

• react-router - Support in RSC Framework Mode (#14902)

• react-router - Add support for new route module exports in unstable RSC Framework Mode (#14901)

  ⚠️ This is a breaking change if you have already adopted RSC Framework Mode in it's unstable state - you will need to update your route modules to export the new annotations

  The following route module components have their own mutually exclusive server component counterparts:

  Client Component export | Server Component export
  default | ServerComponent
  ErrorBoundary | ServerErrorBoundary
  Layout | ServerLayout
  HydrateFallback | ServerHydrateFallback

  If you were previously exporting a ServerComponent, your ErrorBoundary, Layout, and HydrateFallback were also implicitly server components

  If you want to keep those as server components - rename them and prefix them with Server

  If you were previously importing the implementations of those components from a client module, you can inline them

Patch Changes

• react-router - Add nonce to elements (if provided) (af5d49b)

• react-router - Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#15012)

• react-router - Mark mask as an optional field in Location for easier mocking in unit tests (#14999)

• react-router - Improve server-side route matching performance by pre-computing flattened/cached route branches (#14967) (af5d49b)

  Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

• react-router - Cache flattened/ranked route branches to optimize server-side route matching (#14967)

• react-router - Improve route matching performance in Framework/Data Mode (#14971) (af5d49b)

  Avoiding unnecessary calls to matchRoutes in data router scenarios

  This includes adding back the optimization that was removed in 7.6.0 (#13562)

  The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest

  Leverage pre-computed pre-computing flattened/cached route branches during client side route matching

  Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance

Full Changelog: v7.13.2...v7.14.0

What's Changed

Pass-through Requests (unstable)

By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index+_routes query params). This release introduces a new future.unstable_passThroughRequests flag to disable this normalization and pass the raw HTTP request instance to your handlers.

In addition to reducing server-side overhead by eliminating multiple new Request() calls on the critical path, this also provides additional visibility to your route handlers/instrumentations allowing you to differentiate document from data requests.

If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

// ❌ Before: you could assume there was no `.data` suffix in `request.url`
export async function loader({ request }: Route.LoaderArgs) {
  let url = new URL(request.url);
  if (url.pathname === "/path") {
    // This check will fail with the flag enabled because the `.data` suffix will
    // exist on data requests
  }
}

// ✅ After: use `unstable_url` for normalized routing logic and `request.url` for raw routing logic
export async function loader({ request, unstable_url }: Route.LoaderArgs) {
  if (unstable_url.pathname === "/path") {
    // This will always have the `.data` suffix stripped
  }

  // And now you can distinguish between document versus data requests
  let isDataRequest = new URL(request.url).pathname.endsWith(".data");
}

Route handlers/middleware unstable_url parameter

We have added a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) that contains the normalized URL the application is navigating to or fetching with React Router implementation details removed (.data suffix, index/_routes query params).

This parameter is primarily needed when adopting the new future.unstable_passthroughRequests future flag as a way to continue accessing the normalized URL. If you don't have the flag enabled, then unstable_url will match request.url.

Patch Changes

• react-router - Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#14835)
• react-router - Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#14892)
• react-router - Fix percent encoding in relative path navigation (#14786)
• react-router - Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#14765)
• @react-router/dev - Fix react-router dev crash when Unix socket files exist in the project root (#14854)
• @react-router/dev - Escape redirect locations in pre-rendered redirect HTML (#14880)
• create-react-router - replace chalk with picocolors (#14837)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Sync protocol validation to RSC flows (#14882)
• react-router - Add future.unstable_passThroughRequests flag (#14775)
• react-router - Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.data suffix, index/_routes query params) (#14775)

Full Changelog: v7.13.1...v7.13.2

URL Masking (unstable)

This release includes a new <Link unstable_mask> API which brings first-class support for URL masking to Framework/Data Mode (RFC). This allows the same type of UI you could achieve in Declarative Mode via manual backgroundLocation management. That example has been converted to Data Mode using the new API here.

Patch Changes

• react-router - Clear timeout when turbo-stream encoding completes (#14810)
• react-router - Improve error message when Origin header is invalid (#14743)
• react-router - Fix matchPath optional params matching without a "/" separator. (#14689)
  matchPath("/users/:id?", "/usersblah") now returns null
  matchPath("/test_route/:part?", "/test_route_more") now returns null.
• react-router - Fix HydrateFallback rendering during initial lazy route discovery with matching splat route (#14740)
• react-router - Preserve query parameters and hash on manifest version mismatch reload (#14813)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Add support for <Link unstable_mask> in Framework/Data Mode which allows users to navigate to a URL in the router but "mask" the URL displayed in the browser (#14716)
  This is useful for contextual routing usages such as displaying an image in a modal on top of a gallery, but displaying a browser URL directly to the image that can be shared and loaded without the contextual gallery in the background
  The masked location, if present, will be available on useLocation().unstable_mask so you can detect whether you are currently masked or not
  Masked URLs only work for SPA use cases, and will be removed from history.state during SSR
  This provides a first-class API to mask URLs in Framework/Data Mode to achieve the same behavior you could do in Declarative Mode via manual backgroundLocation management

Full Changelog: v7.13.0...v7.13.1

Minor Changes

• Add fetcherKey as a parameter to patchRoutesOnNavigation (#13061)

Patch Changes

• react-router - Fix a Framework Mode bug where the defaultShouldRevalidate parameter to shouldRevalidate would not be correct after action returned a 4xx/5xx response (true when it should have been false) (#14592)
• react-router - Fix fetcher.submit failing with plain objects containing a tagName property (#14534)
• react-router - Fix the promise returned from useNavigate in Framework/Data Mode so that it properly tracks the duration of popstate navigations (i.e., navigate(-1)) (#14524)
• react-router - Preserve statusText on the ErrorResponse instance when throwing data() from a route handler (#14555)
• react-router - Optimize href() to avoid backtracking regex on splat (#14329)
• @react-router/dev - Fix internal type error in useRoute types that surfaces when skipLibCheck is disabled (#14577)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Add unstable_instrumentations API to allow users to add observability to their apps by instrumenting route loaders, actions, middlewares, lazy, as well as server-side request handlers and client side navigations/fetches (#14412)
• react-router - Add a new unstable_pattern parameter to loaders/actions/middleware which contains the un-interpolated route pattern (i.e., /blog/:slug) which is useful for aggregating logs/metrics by route in instrumentation code (#14412)
• @react-router/dev - Introduce a prerender.unstable_concurrency option, to support running the pre-rendering concurrently, potentially speeding up the build (#14380)

Full Changelog: v7.12.0...v7.13.0

Minor Changes

• react-router - Add crossOrigin prop to Links component (#14687)

Patch Changes

• react-router - Fix double slash normalization for useNavigate paths with a colon (#14718)
• react-router - Fix missing nonce on inline criticalCss (#14691)
• react-router - Update failed origin checks to return a 400 status instead of a 500 (#14737)
• react-router - Loosen allowedActionOrigins glob check so ** matches all domains (#14722)
• @react-router/dev - Bump @remix-run/node-fetch-server dep (#14704)
• @react-router/fs-routes - Fix route file paths when routes directory is outside of the app directory (#13937)

Full Changelog: v7.12.0...v7.13.0

Security Notice

This release addresses 3 security vulnerabilities:

• CSRF in React Router Action/Server Action Request Processing
• XSS via Open Redirects
• React Router SSR XSS in ScrollRestoration

Minor Changes

• react-router - Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins (#14708)
  If you need to permit access to specific external origins, there is a new allowedActionOrigins config field in react-router.config.ts where you can specify external origins

Patch Changes

• react-router - Fix generatePath when used with suffixed params (i.e., /books/:id.json) (#14269)
• react-router - Escape HTML in scroll restoration keys (#14705)
• react-router - Validate redirect locations (#14706)
• @react-router/dev - Fix Maximum call stack size exceeded errors when HMR is triggered against code with cyclic imports (#14522)
• @react-router/dev - Skip SSR middleware in vite preview server for SPA mode (#14673)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Sync protocol validation to RSC flows (#14882)
• react-router - Add future.unstable_passThroughRequests flag (#14775)
• react-router - Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.data suffix, index/_routes query params) (#14775)

Full Changelog: v7.11.0...v7.12.0

We've added vite preview support and stabilized the client-side onError API - please make the appropriate changes if you've adopted the unstable_onError API already in a prior release.

vite preview Support

We've added support for vite preview when using Framework mode to make it easy to preview your production build.

Stabilized Client-side onError

The existing <RouterProvider unstable_onError> / <HydratedRouter unstable_onError> APIs have been stabilized as <RouterProvider onError> / <HydratedRouter onError>. Please see the Error Reporting docs for more information.

Call-site Revalidation Opt-out (unstable)

We've added initial unstable support for call-site revalidation opt-out via a new unstable_defaultShouldRevalidate flag (RFC). This flag is available on all navigation/fetcher submission APIs to alter standard revalidation behavior. If any routes include a shouldRevalidate function, then the flag value will be passed to that function so the route has the final say on revalidation behavior.

This flag is also available on non-submission navigational use cases - for example, you may want to opt-out of revalidation when adding a search param that doesn't impact the UI:

<Link to="?analytics-param=1" unstable_defaultShouldRevalidate={false} />;
navigate("?analytics-param=1", { unstable_defaultShouldRevalidate: false });
setSearchParams(params, { unstable_defaultShouldRevalidate: false });

Minor Changes

• react-router - Stabilize <HydratedRouter onError> / <RouterProvider onError> (#14546)
• @react-router/dev - Add vite preview support (#14507)

Patch Changes

• react-router - Fix unstable_useTransitions prop on <Router> component to permit omission for backwards compatibility (#14646)
• react-router - Allow redirects to be returned from client side middleware (#14598)
• react-router - Handle dataStrategy implementations that return insufficient result sets by adding errors for routes without any available result (#14627)
• @react-router/serve - Update compression and morgan dependencies to address on-headers CVE (#14652)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - RSC: Support for throwing data() and Response from server component render phase (#14632)
• react-router - RSC: Support for throwing redirect Response's at render time (#14596)
• react-router - RSC: routeRSCServerRequest replace fetchServer with serverResponse (#14597)
• @react-router/dev - RSC (Framework mode): Manual chunking for react and react-router deps (#14655)
• @react-router/dev - RSC (Framework mode): Optimize react-server-dom-webpack if in project package.json (#14656)
• @react-router/dev - RSC (Framework mode): Support custom entrypoints (#14643)
• react-router - Add a new unstable_defaultShouldRevalidate flag to various APIs to allow opt-ing out of standard revalidation behaviors (#14542)

Full Changelog: v7.10.1...v7.11.0

We've stabilized a handful of existing APIs and future flags in this release, please make the appropriate changes if you'd adopted any of these APIs in their unstable state!

Stabilized future.v8_splitRouteModules

The existing future.unstable_splitRouteModules flag has been stabilized as future.v8_splitRouteModules in react-router.config.ts. Please see the docs for more information on adopting this flag.

Stabilized future.v8_viteEnvironmentApi

The existing future.unstable_viteEnvironmentApi flag has been stabilized as future.v8_viteEnvironmentApi in react-router.config.ts. Please see the docs for more information on adopting this flag.

Stabilized fetcher.reset()

The existing fetcher.unstable_reset() API has been stabilized as fetcher.reset().

Stabilized DataStrategyMatch.shouldCallHandler()

The existing low-level DataStrategyMatch.unstable_shouldCallHandler() / DataStrategyMatch.unstable_shouldRevalidateArgs APIs have been stabilized as DataStrategyMatch.shouldCallHandler() / DataStrategyMatch.shouldRevalidateArgs. Please see the docs for information about using a custom dataStrategy and how to migrate away from the deprecated DataStrategyMatch.shouldLoad API if you are using that today.

Minor Changes

• react-router - Stabilize fetcher.reset() (#14545)
  ⚠️ This is a breaking change if you have begun using fetcher.unstable_reset() - please update your code to use fetcher.reset()
• react-router - Stabilize the dataStrategy match.shouldCallHandler() / match.shouldRevalidateArgs APIs (#14592)
  ⚠️ This is a breaking change if you have begun using match.unstable_shouldCallHandler() / match.unstable_shouldRevalidateArgs - please update your code to use match.shouldCallHandler() / match.shouldRevalidateArgs
• @react-router/dev - Stabilize future.v8_splitRouteModules, replacing future.unstable_splitRouteModules (#14595)
  ⚠️ This is a breaking change if you have begun using future.unstable_splitRouteModules - please update your react-router.config.ts
• @react-router/dev - Stabilize future.v8_viteEnvironmentApi, replacing future.unstable_viteEnvironmentApi (#14595)
  ⚠️ This is a breaking change if you have begun using future.unstable_viteEnvironmentApi - please update your react-router.config.ts

Patch Changes

• react-router - Fix a Framework Mode bug where the defaultShouldRevalidate parameter to shouldRevalidate would not be correct after action returned a 4xx/5xx response (true when it should have been false) (#14592)
  If your shouldRevalidate function relied on that parameter, you may have seen unintended revalidations
• react-router - Fix fetcher.submit failing with plain objects containing a tagName property (#14534)
• react-router - Fix the promise returned from useNavigate in Framework/Data Mode so that it properly tracks the duration of popstate navigations (i.e., navigate(-1)) (#14524)
• react-router - Preserve statusText on the ErrorResponse instance when throwing data() from a route handler (#14555)
• react-router - Optimize href() to avoid backtracking regex on splat (#14329)
• @react-router/dev - Fix internal type error in useRoute types that surfaces when skipLibCheck is disabled (#14577)
• @react-router/dev - Load environment variables before evaluating routes.ts (#14446)
  For example, you can now compute your routes based on VITE_-prefixed environment variables
• @react-router/dev - Fix rename without mkdir in Vite plugin (#14105)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Add unstable_pattern to the parameters for client side unstable_onError (#14573)
• react-router - Refactor how unstable_onError is called internally by RouterProvider to avoid potential strict mode issues (#14573)
• react-router - Add new unstable_useTransitions flag to routers to give users control over the usage of React.startTransition and React.useOptimistic (#14524)
  Please see the docs for more information
  Framework Mode + Data Mode:
  • /
  • When left unset (current default behavior)
    • Router state updates are wrapped in React.startTransition
    • ⚠️ This can lead to buggy behaviors if you are wrapping your own navigations/fetchers in React.startTransition
  • You should set the flag to true if you run into this scenario to get the enhanced useOptimistic behavior (requires React 19)
  • When set to true
    • Router state updates remain wrapped in React.startTransition (as they are without the flag)
    • / navigations will be wrapped in React.startTransition - You can drop down to useNavigate / useSubmit if you wish to opt out of this outer React.startTransition call for the navigation
    • A subset of router state info will be surfaced to the UI during navigations via React.useOptimistic (i.e., useNavigation(), useFetchers(), etc.)
      • ⚠️ This is a React 19 API so you must also be React 19 to opt into this flag for Framework/Data Mode
  • When set to false
    • The router will not leverage React.startTransition or React.useOptimistic on any navigations or state changes
      Declarative Mode
  • When left unset
    • Router state updates are wrapped in React.startTransition
  • When set to true
    • Router state updates remain wrapped in React.startTransition (as they are without the flag)
    • / navigations will be wrapped in React.startTransition
  • When set to false
    • The router will not leverage React.startTransition on any navigations or state changes

Full Changelog: v7.9.6...v7.10.0

Security Notice

This release addresses 1 security vulnerability:

• Unexpected external redirect via untrusted paths

Patch Changes

• react-router - Properly handle ancestor thrown middleware errors before next() on fetcher submissions (#14517)
• react-router - Fix issue with splat routes interfering with multiple calls to patchRoutesOnNavigation (#14487)
• react-router - Normalize double-slashes in resolvePath (#14529)
• @react-router/dev - Use a dynamic import() to load ESM-only p-map dependency to avoid issues on Node 20.18 and below (#14492)
• @react-router/dev - Short circuit HEAD document requests before calling renderToPipeableStream in the default entry.server.tsx to more closely align with the spec (#14488)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• react-router - Add location/params as arguments to client-side unstable_onError to permit enhanced error reporting (#14509)

Full Changelog: v7.9.5...v7.9.6