From d371e417efeb06e65ff8f751c6d23c07303b27c4 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 11:47:44 +0100 Subject: [PATCH 01/11] pin remix dependencies --- .../e2e-tests/test-applications/remix-hydrogen/package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index 40da7f5fb859..5f92b3e97cd0 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -14,9 +14,9 @@ "test:assert": "pnpm playwright test" }, "dependencies": { - "@remix-run/react": "^2.15.2", - "@remix-run/server-runtime": "^2.15.2", - "@remix-run/cloudflare-pages": "^2.15.2", + "@remix-run/react": "2.15.2", + "@remix-run/server-runtime": "2.15.2", + "@remix-run/cloudflare-pages": "2.15.2", "@sentry/cloudflare": "latest || *", "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", From 0114bd2203cea0696ab01cbe2510e7821ea270e4 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 11:51:51 +0100 Subject: [PATCH 02/11] update --- .../e2e-tests/test-applications/remix-hydrogen/package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index 5f92b3e97cd0..decca9cbed31 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -14,9 +14,9 @@ "test:assert": "pnpm playwright test" }, "dependencies": { - "@remix-run/react": "2.15.2", - "@remix-run/server-runtime": "2.15.2", - "@remix-run/cloudflare-pages": "2.15.2", + "@remix-run/react": "2.15.3", + "@remix-run/server-runtime": "2.15.3", + "@remix-run/cloudflare-pages": "2.15.3", "@sentry/cloudflare": "latest || *", "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", From 2031b52fe13df4e2f8d3f02df8617e58a3d6028b Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 11:54:20 +0100 Subject: [PATCH 03/11] update --- .../e2e-tests/test-applications/remix-hydrogen/package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index decca9cbed31..cc124c3339ae 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -14,9 +14,9 @@ "test:assert": "pnpm playwright test" }, "dependencies": { - "@remix-run/react": "2.15.3", - "@remix-run/server-runtime": "2.15.3", - "@remix-run/cloudflare-pages": "2.15.3", + "@remix-run/react": "2.17.1", + "@remix-run/server-runtime": "2.17.1", + "@remix-run/cloudflare-pages": "2.17.1", "@sentry/cloudflare": "latest || *", "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", From 2c8f91c221518d6776c5f11aa65a8db57a25b796 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 11:55:26 +0100 Subject: [PATCH 04/11] . --- .../e2e-tests/test-applications/remix-hydrogen/package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index cc124c3339ae..4b719f3ddbe3 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -14,9 +14,9 @@ "test:assert": "pnpm playwright test" }, "dependencies": { - "@remix-run/react": "2.17.1", - "@remix-run/server-runtime": "2.17.1", - "@remix-run/cloudflare-pages": "2.17.1", + "@remix-run/react": "2.17.3", + "@remix-run/server-runtime": "2.17.3", + "@remix-run/cloudflare-pages": "2.17.3", "@sentry/cloudflare": "latest || *", "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", From d81c878546371c3b08c150bc7e99532b760ad52a Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 12:28:35 +0100 Subject: [PATCH 05/11] update --- .github/dependency-review-config.yml | 2 ++ .../e2e-tests/test-applications/remix-hydrogen/package.json | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index 8608d2381ace..752a2c576146 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -11,3 +11,5 @@ allow-ghsas: - GHSA-gp8f-8m3g-qvj9 # devalue vulnerability - this is just used by nuxt & astro as transitive dependency - GHSA-vj54-72f3-p5jv + # React Router has XSS Vulnerability - we need this for the remix-hydrogen E2E test + - GHSA-3cgp-3xvw-98x8 diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index 4b719f3ddbe3..5f92b3e97cd0 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -14,9 +14,9 @@ "test:assert": "pnpm playwright test" }, "dependencies": { - "@remix-run/react": "2.17.3", - "@remix-run/server-runtime": "2.17.3", - "@remix-run/cloudflare-pages": "2.17.3", + "@remix-run/react": "2.15.2", + "@remix-run/server-runtime": "2.15.2", + "@remix-run/cloudflare-pages": "2.15.2", "@sentry/cloudflare": "latest || *", "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", From 9d8f675b4d7bdff0860a57c1963d239ece659458 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 12:30:59 +0100 Subject: [PATCH 06/11] ignore more stuff --- .github/dependency-review-config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index 752a2c576146..555d92223f14 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -13,3 +13,4 @@ allow-ghsas: - GHSA-vj54-72f3-p5jv # React Router has XSS Vulnerability - we need this for the remix-hydrogen E2E test - GHSA-3cgp-3xvw-98x8 + - GHSA-8v8x-cx79-35w7 From 5f0630a7ce07d17a3679d1d465e53aea76232b70 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 12:35:17 +0100 Subject: [PATCH 07/11] . --- .github/dependency-review-config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index 555d92223f14..ffc61c6b0024 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -11,6 +11,6 @@ allow-ghsas: - GHSA-gp8f-8m3g-qvj9 # devalue vulnerability - this is just used by nuxt & astro as transitive dependency - GHSA-vj54-72f3-p5jv - # React Router has XSS Vulnerability - we need this for the remix-hydrogen E2E test + # we need these for the remix-hydrogen E2E test - GHSA-3cgp-3xvw-98x8 - GHSA-8v8x-cx79-35w7 From d42239fab8fa2441e750750255d00d41aa90246d Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 13:10:11 +0100 Subject: [PATCH 08/11] pin react --- .../e2e-tests/test-applications/remix-hydrogen/package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index 5f92b3e97cd0..08f6f51fbab8 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -25,8 +25,8 @@ "graphql": "^16.6.0", "graphql-tag": "^2.12.6", "isbot": "^3.8.0", - "react": "^18.2.0", - "react-dom": "^18.2.0" + "react": "18.2.0", + "react-dom": "18.2.0" }, "devDependencies": { "@graphql-codegen/cli": "5.0.2", From 9ae9b1b3aa08a0d83f59e699c7956f8dd4298f19 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 13:21:15 +0100 Subject: [PATCH 09/11] pin more --- .../test-applications/remix-hydrogen/package.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index 08f6f51fbab8..a22f74305254 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -21,10 +21,10 @@ "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", "@shopify/hydrogen": "2025.4.0", - "@shopify/remix-oxygen": "^2.0.10", - "graphql": "^16.6.0", - "graphql-tag": "^2.12.6", - "isbot": "^3.8.0", + "@shopify/remix-oxygen": "2.0.10", + "graphql": "16.6.0", + "graphql-tag": "2.12.6", + "isbot": "3.8.0", "react": "18.2.0", "react-dom": "18.2.0" }, From 9e6fa58cd39bfae292a7a10cec7f6fb47e09a6f1 Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 13:30:29 +0100 Subject: [PATCH 10/11] clean --- .github/dependency-review-config.yml | 3 --- .../test-applications/remix-hydrogen/package.json | 10 +++++----- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/dependency-review-config.yml b/.github/dependency-review-config.yml index ffc61c6b0024..8608d2381ace 100644 --- a/.github/dependency-review-config.yml +++ b/.github/dependency-review-config.yml @@ -11,6 +11,3 @@ allow-ghsas: - GHSA-gp8f-8m3g-qvj9 # devalue vulnerability - this is just used by nuxt & astro as transitive dependency - GHSA-vj54-72f3-p5jv - # we need these for the remix-hydrogen E2E test - - GHSA-3cgp-3xvw-98x8 - - GHSA-8v8x-cx79-35w7 diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index a22f74305254..8c2342737464 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -14,9 +14,9 @@ "test:assert": "pnpm playwright test" }, "dependencies": { - "@remix-run/react": "2.15.2", - "@remix-run/server-runtime": "2.15.2", - "@remix-run/cloudflare-pages": "2.15.2", + "@remix-run/react": "^2.15.2", + "@remix-run/server-runtime": "^2.15.2", + "@remix-run/cloudflare-pages": "^2.15.2", "@sentry/cloudflare": "latest || *", "@sentry/remix": "latest || *", "@sentry/vite-plugin": "^4.6.1", @@ -25,8 +25,8 @@ "graphql": "16.6.0", "graphql-tag": "2.12.6", "isbot": "3.8.0", - "react": "18.2.0", - "react-dom": "18.2.0" + "react": "^18.2.0", + "react-dom": "^18.2.0" }, "devDependencies": { "@graphql-codegen/cli": "5.0.2", From c38650fa4e2268c34321c581d4ca458fc4e3881c Mon Sep 17 00:00:00 2001 From: Nicolas Hrubec Date: Wed, 14 Jan 2026 13:47:20 +0100 Subject: [PATCH 11/11] only pin shopify remi-oxygen --- .../e2e-tests/test-applications/remix-hydrogen/package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json index 8c2342737464..1ec7d2833a65 100644 --- a/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json +++ b/dev-packages/e2e-tests/test-applications/remix-hydrogen/package.json @@ -22,9 +22,9 @@ "@sentry/vite-plugin": "^4.6.1", "@shopify/hydrogen": "2025.4.0", "@shopify/remix-oxygen": "2.0.10", - "graphql": "16.6.0", - "graphql-tag": "2.12.6", - "isbot": "3.8.0", + "graphql": "^16.6.0", + "graphql-tag": "^2.12.6", + "isbot": "^3.8.0", "react": "^18.2.0", "react-dom": "^18.2.0" },