Home Original page

security: bump Remix packages to ^2.17.2 (example app, integration-tests, test app) by thomasrockhu-codecov · Pull Request #299 · codecov/codecov-javascript-bundler-plugins

@thomasrockhu-codecov

Summary

Bumps @remix-run/* to ^2.17.2 across:

  • examples/remix (original scope)
  • integration-tests devDependencies (@remix-run/dev, @remix-run/node, @remix-run/react)
  • integration-tests/test-apps/remix

This consolidates what was previously split across PR #299, #300, and #301.

Addresses:

  • Critical path traversal in file session storage (GHSA-9583-h5hc-x8cw)
  • Related high-severity issues in transitive deps (e.g. ws, undici, body-parser) cleared by current Remix patch lines.

Supersedes: #300, #301

Test plan

  • CI passes for this branch.

@thomasrockhu-codecov 

Addresses critical path traversal in @remix-run/node (GHSA-9583-h5hc-x8cw)
and related high-severity transitive issues (ws, undici, body-parser) by
moving the example onto patched Remix 2.17.x.

Made-with: Cursor

@sentry

@codecov-notifications

@sentry

Bundle Report

Changes will decrease total bundle size by 287.35kB (-3.56%) ⬇️. This is within the configured threshold ✅

Detailed changes
Bundle name Size Change
@codecov/vite-plugin-esm 6.39kB 5.15kB (415.5%) ⬆️
@codecov/bundler-plugin-core-esm 14.67kB -297.93kB (-95.31%) ⬇️
@codecov/rollup-plugin-esm 1.3kB -5.11kB (-79.7%) ⬇️
@codecov/example-remix-app-client-esm 269.27kB 16.6kB (6.57%) ⬆️
@codecov/example-remix-app-server-esm 12.64kB 83 bytes (0.66%) ⬆️
@codecov/example-sveltekit-app-client-esm 727.67kB 2 bytes (0.0%) ⬆️
@codecov/example-sveltekit-app-server-esm 984.06kB 1 bytes (0.0%) ⬆️
@codecov/nextjs-webpack-plugin-esm 1.11kB -3.74kB (-77.06%) ⬇️
@codecov/astro-plugin-esm 862 bytes -2.41kB (-73.62%) ⬇️

Affected Assets, Files, and Routes:

view changes for bundle: @codecov/example-remix-app-client-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
assets/components-*.js 24.45kB 249.88kB 10.85% ⚠️
assets/entry.client-*.js -7.86kB 3.87kB -67.03%
assets/root-*.js 14 bytes 1.45kB 0.98%
view changes for bundle: @codecov/rollup-plugin-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
index.d.mts (New) 1.3kB 1.3kB 100.0% 🚀
index.mjs (Deleted) -6.41kB 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/example-remix-app-server-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
index.js 83 bytes 7.27kB 1.16%

App Routes Affected:

App Route Size Change Total Size Change (%)
/ 83 bytes 7.27kB 1.16%
view changes for bundle: @codecov/example-astro-app-server-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
manifest_CrFNoW3r.mjs (New) 3.34kB 3.34kB 100.0% 🚀
manifest_DhlY6ZhK.mjs (Deleted) -3.34kB 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/example-sveltekit-app-client-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
_app/immutable/chunks/entry.*.js 2 bytes 31.45kB 0.01%
view changes for bundle: @codecov/example-next-app-client-array-push

Assets Changed:

Asset Name Size Change Total Size Change (%)
static/S6nK0RwNXHZpwo-*.js (New) 77 bytes 77 bytes 100.0% 🚀
static/S6nK0RwNXHZpwo-*.js (New) 224 bytes 224 bytes 100.0% 🚀
static/QTO9WiNxPtd6lUjBdMqpL/_buildManifest.js (Deleted) -224 bytes 0 bytes -100.0% 🗑️
static/QTO9WiNxPtd6lUjBdMqpL/_ssgManifest.js (Deleted) -77 bytes 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/astro-plugin-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
index.d.cts (New) 862 bytes 862 bytes 100.0% 🚀
index.mjs (Deleted) -3.27kB 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/nextjs-webpack-plugin-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
index.d.cts (New) 1.11kB 1.11kB 100.0% 🚀
index.mjs (Deleted) -4.86kB 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/example-astro-5-app-server-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
manifest_DbnHrRGa.mjs (New) 3.37kB 3.37kB 100.0% 🚀
manifest_DSGL0gAn.mjs (Deleted) -3.37kB 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/vite-plugin-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
index.mjs (New) 6.39kB 6.39kB 100.0% 🚀
index.d.cts (Deleted) -1.24kB 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/example-next-15-app-client-array-push

Assets Changed:

Asset Name Size Change Total Size Change (%)
static/zutYPvZ4RzG4YaC9HULb0/_buildManifest.js (New) 543 bytes 543 bytes 100.0% 🚀
static/zutYPvZ4RzG4YaC9HULb0/_ssgManifest.js (New) 77 bytes 77 bytes 100.0% 🚀
static/90lMxIzeZ1s_Ls5nGwa7l/_buildManifest.js (Deleted) -543 bytes 0 bytes -100.0% 🗑️
static/90lMxIzeZ1s_Ls5nGwa7l/_ssgManifest.js (Deleted) -77 bytes 0 bytes -100.0% 🗑️
view changes for bundle: @codecov/example-sveltekit-app-server-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
chunks/internal.js 1 bytes 18.48kB 0.01%
view changes for bundle: @codecov/bundler-plugin-core-esm

Assets Changed:

Asset Name Size Change Total Size Change (%)
index.d.mts (New) 14.67kB 14.67kB 100.0% 🚀
index.mjs (Deleted) -312.6kB 0 bytes -100.0% 🗑️ 
Resolve pnpm-lock.yaml by regenerating after merge.

Made-with: Cursor
Combine changes from PR #300 and PR #301 into PR #299: align
integration-tests and integration-tests/test-apps/remix with patched
Remix releases (GHSA-9583-h5hc-x8cw and related advisories).

Made-with: Cursor

This was referenced

Apr 3, 2026

@thomasrockhu-codecov

@thomasrockhu-codecov thomasrockhu-codecov changed the title security: bump Remix packages to ^2.17.2 in example app security: bump Remix packages to ^2.17.2 (example app, integration-tests, test app)

Apr 3, 2026

jason-ford-codecov