Deps: Bump react-router from 7.1.5 to 7.2.0

[dependabot]

Bumps react-router from 7.1.5 to 7.2.0.

Release notes

Sourced from react-router's releases.

v7.2.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v720

Changelog

Sourced from react-router's changelog.

7.2.0

Minor Changes

• New type-safe href utility that guarantees links point to actual paths in your app (#13012)

  import { href } from "react-router";
  export default function Component() {
  const link = href("/blog/:slug", { slug: "my-first-post" });
  return (
  <main>
  <Link to={href("/products/:id", { id: "asdf" })} />
  <NavLink to={href("/:lang?/about", { lang: "en" })} />
  </main>
  );
  }

Patch Changes

• Fix typegen for repeated params (#13012)

  In React Router, path parameters are keyed by their name. So for a path pattern like /a/:id/b/:id?/c/:id, the last :id will set the value for id in useParams and the params prop. For example, /a/1/b/2/c/3 will result in the value { id: 3 } at runtime.

  Previously, generated types for params incorrectly modeled repeated params with an array. So /a/1/b/2/c/3 generated a type like { id: [1,2,3] }.

  To be consistent with runtime behavior, the generated types now correctly model the "last one wins" semantics of path parameters. So /a/1/b/2/c/3 now generates a type like { id: 3 }.

• Don't apply Single Fetch revalidation de-optimization when in SPA mode since there is no server HTTP request (#12948)

• Properly handle revalidations to across a prerender/SPA boundary (#13021)

  • In "hybrid" applications where some routes are pre-rendered and some are served from a SPA fallback, we need to avoid making .data requests if the path wasn't pre-rendered because the request will 404
  • We don't know all the pre-rendered paths client-side, however:
    • All loader data in ssr:false mode is static because it's generated at build time
    • A route must use a clientLoader to do anything dynamic
    • Therefore, if a route only has a loader and not a clientLoader, we disable revalidation by default because there is no new data to retrieve
    • We short circuit and skip single fetch .data request logic if there are no server loaders with shouldLoad=true in our single fetch dataStrategy
    • This ensures that the route doesn't cause a .data request that would 404 after a submission

• Error at build time in ssr:false + prerender apps for the edge case scenario of: (#13021)

  • A parent route has only a loader (does not have a clientLoader)
  • The parent route is pre-rendered

... (truncated)

Commits

• 4b5793d chore: Update version for release (#13051)
• e7eb36f chore: Update version for release (pre) (#13050)
• 95fd01d chore: Update version for release (pre) (#13048)
• 597f3d2 Fix clientLoader calls to serverLoader for prerendered routes (#13047)
• 6bb9e5c chore: Update version for release (pre) (#13041)
• 5811466 Add additional JSDoc comments to commonly used APIs for better API reference ...
• 3f98a9a chore: Update version for release (pre) (#13038)
• ab5b05b feat(react-router): add SerializesTo brand type (#12264)
• e8719ad chore: Update version for release (pre) (#13022)
• f27fcf2 Fix a few edge case bugs with hybrid ssr:false/prerender scenarios (#13021)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 211c4fa.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
npm/react-router	7.2.0	🟢 3.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 6/26 approved changesets -- score normalized to 2 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected
npm/react-router	^7.2.0	🟢 3.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 6/26 approved changesets -- score normalized to 2 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 32 existing vulnerabilities detected

Scanned Files

• package-lock.json
• package.json

[github-actions]

Conventional Commits Report

Type	Number
Dependencies	1

🚀 Conventional commits found.