chore(deps): bump react-router from 7.14.0 to 7.15.0

[dependabot]

Bumps react-router from 7.14.0 to 7.15.0.

Release notes

Sourced from react-router's releases.

v7.15.0

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7150

v7.14.2

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7142

v7.14.1

See the changelog for release notes: https://github.com/remix-run/react-router/blob/main/CHANGELOG.md#v7141

Changelog

Sourced from react-router's changelog.

v7.15.0

Minor Changes

• Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on <Link>, <Form>, useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize the instrumentation APIs. unstable_instrumentations is now instrumentations and unstable_pattern is now pattern (a993f09)

  • The unstable_ServerInstrumentation, unstable_ClientInstrumentation, unstable_InstrumentRequestHandlerFunction, unstable_InstrumentRouterFunction, unstable_InstrumentRouteFunction, and unstable_InstrumentationHandlerResult types have had their unstable_ prefixes removed
  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_mask as mask on <Link>, useLinkClickHandler, and useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_url as url on loader, action, and middleware function args (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_useTransitions as useTransitions on <BrowserRouter>, <HashRouter>, <HistoryRouter>, <MemoryRouter>, <Router>, <RouterProvider>, <HydratedRouter>, and useLinkClickHandler (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

Patch Changes

• Add nonce to <Scripts> <link rel="modulepreload"> elements (if provided) (af5d49b)

• Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#15012)

• Improve server-side route matching performance by pre-computing flattened/cached route branches (#14967) (af5d49b)

  • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

• Mark mask as an optional field in Location for easier mocking in unit tests (#14999)

• Cache flattened/ranked route branches to optimize server-side route matching (#14967)

• Improve route matching performance in Framework/Data Mode (#14971) (af5d49b)

  • Avoiding unnecessary calls to matchRoutes in data router scenarios
    • This includes adding back the optimization that was removed in 7.6.0 (#13562)
    • The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest
  • Leverage pre-computed pre-computing flattened/cached route branches during client side route matching
  • Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance

v7.14.2

... (truncated)

Commits

• 97c8de7 Release v7.15.0 (#15018)
• af5d49b Update change files again
• a993f09 Update change files
• 362635b Move chnageset to change file
• e756132 chore: format
• 49295b5 Stabilize APIs (#14999)
• 5f61543 Client-side route matching optimizations (#14971)
• 67518cb Remove unnecessary hasShouldRevalidate condition for opting out (#15012)
• 6f18edd Add nonce to scripts modulepreload (#15002)
• 10a9686 Migrate changeset to change file
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade react-router from 7.14.0 to 7.15.0. This stabilizes previously unstable_* APIs and improves route matching performance; only update code if we used those unstable options.

• Migration
  • unstable_defaultShouldRevalidate → defaultShouldRevalidate
  • unstable_instrumentations → instrumentations, unstable_pattern → pattern (types drop unstable_ prefix)
  • unstable_mask → mask; Location.unstable_mask → Location.mask
  • unstable_normalizePath → normalizePath (static handler options)
  • future.unstable_passThroughRequests → future.v8_passThroughRequests
  • Loader/action/middleware args: unstable_url → url
  • Routers: unstable_useTransitions → useTransitions
  • Remove unstable_subResourceIntegrity from runtime config; set subResourceIntegrity in react-router.config.ts

^{Written for commit 86d57c6. Summary will update on new commits.}

[sovri]

Key Changes in React-Router 7.15.0

This update introduces several breaking changes for users who previously opted into unstable APIs, alongside performance improvements and bug fixes. Below is a breakdown of the most relevant changes:

Breaking Changes (Major)

• Stabilized APIs: Several previously unstable APIs have been stabilized, requiring code updates if you were using them:

  • unstable_defaultShouldRevalidate → defaultShouldRevalidate
  • unstable_mask → mask
  • unstable_url → url
  • unstable_useTransitions → useTransitions
  • unstable_instrumentations → instrumentations
  • unstable_pattern → pattern

  If your application uses any of these APIs, you will need to update your code to reflect the new naming conventions.

Performance Improvements (Info)

• Route Matching Optimizations: The update includes significant performance improvements for both server-side and client-side route matching:
  • Pre-computing flattened/cached route branches reduces redundant calculations.
  • Avoiding unnecessary calls to matchRoutes in data router scenarios.
  • Benchmarks show a 10-30% improvement in request handling performance.

Security Enhancements (Minor)

• Nonce Support: The update adds nonce support to <Scripts> and <link rel="modulepreload"> elements, which is useful for applications enforcing Content Security Policy (CSP).

Bug Fixes (Minor)

• Fixed a bug with unstable_defaultShouldRevalidate={false} where parent routes without a shouldRevalidate function were incorrectly included in single fetch calls for new child route data.

Recommendations

1. Review Stabilized APIs: If your application uses any of the previously unstable APIs, update them to their stabilized counterparts.
2. Test Performance: While the performance improvements are significant, it is recommended to test the application under load to ensure the changes align with your expectations.
3. Check for Additional Changes: Review the full changelog for any additional minor or patch changes that might impact your application.

This update is a dependency-only change and does not require modifications to application code unless you were using the stabilized APIs.

[sovri]

Breaking changes in stabilized APIs

The update stabilizes several previously unstable APIs (e.g., unstable_defaultShouldRevalidate → defaultShouldRevalidate, unstable_mask → mask). Consumers using these APIs will need to update their code to reflect the new naming conventions. This is a breaking change for those who opted into the unstable versions.

🔍 Audit Reference: SOVRI-MT-EBA2-8A69

[codspeed-hq]

Merging this PR will not alter performance

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 4 improved benchmarks
❌ 2 regressed benchmarks
✅ 20 untouched benchmarks

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

	Benchmark	BASE	HEAD	Efficiency
❌	from_status_code_500	125.3 ns	154.4 ns	-18.88%
❌	from_status_code_404	154.7 ns	183.9 ns	-15.86%
⚡	normalize_link_check_parallelism	150 ns	120.8 ns	+24.14%
⚡	normalize_max_concurrent	150 ns	120.8 ns	+24.14%
⚡	reject_invalid	610.3 ns	493.6 ns	+23.64%
⚡	split	501.1 ns	442.8 ns	+13.17%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.

---

_{Comparing dependabot/npm_and_yarn/react-router-7.15.0 (86d57c6) with main (46d16cb)}