[Bug]: @shopify/cli@3.90.0 ships outdated React Router version check from @shopify/cli-hydrogen

[lexabu]

Description

@shopify/cli@3.90.0 (latest) bundles an outdated version of the @shopify/cli-hydrogen React Router version check that expects 7.9.2, even though:

1. The Hydrogen team already updated EXPECTED_VERSION to "7.12.0" on main (packages/cli/src/lib/react-router-version-check.ts)
2. This fix was included in @shopify/cli-hydrogen@11.1.6 (via PR #3346)
3. The skeleton template updated to React Router 7.12.0 in skeleton@2025.7.1

Current behavior

Running shopify hydrogen dev with @shopify/cli@3.90.0 displays a warning telling developers to downgrade React Router from 7.12.0 to 7.9.2:

╭─ warning ────────────────────────────────────────────────────────────╮
│                                                                      │
│  React Router version mismatch detected                              │
│                                                                      │
│  Hydrogen requires React Router 7.9.x for proper functionality.      │
│                                                                      │
│  Version mismatches found:                                           │
│    • react-router: installed 7.12.0, expected 7.9.2                  │
│    • @react-router/dev: installed 7.12.0, expected 7.9.2             │
│    • @react-router/fs-routes: installed 7.12.0, expected 7.9.2       │
│                                                                      │
│  To fix this issue, run:                                             │
│    npm install react-router@7.9.2                                    │
│    npm install -D @react-router/dev@7.9.2 @react-router/fs-routes@7.9.2 │
│                                                                      │
╰──────────────────────────────────────────────────────────────────────╯

Evidence

Confirmed by inspecting the bundled CLI code:

# @shopify/cli@3.90.0 (npm, latest)
$ grep "EXPECTED_VERSION" node_modules/@shopify/cli/dist/index.js
], EXPECTED_VERSION = "7.9.2";   # ← stale, should be "7.12.0"

# @shopify/cli@3.89.0 (Homebrew, latest)
$ grep "EXPECTED_VERSION" /opt/homebrew/Cellar/shopify-cli/3.89.0/.../dist/index.js
], EXPECTED_VERSION = "7.9.2";   # ← same stale value

Meanwhile, the Hydrogen repo main branch already has the fix:

const EXPECTED_VERSION = '7.12.0';  // ← correct

Security concern

React Router 7.9.2 has multiple known CVEs fixed in 7.12.0:

• GHSA-h5cw-625j-3rxh: CSRF in Action/Server Action Request Processing
• GHSA-2w69-qvjg-hvjx: XSS via Open Redirects
• GHSA-8v8x-cx79-35w7: SSR XSS in ScrollRestoration
• GHSA-9jcx-v3wj-wh4m: Unexpected external redirect via untrusted paths
• GHSA-9583-h5hc-x8cw: Path Traversal in @react-router/node

The CLI is actively advising developers to install a vulnerable version.

Expected behavior

The next @shopify/cli release should bundle @shopify/cli-hydrogen@11.1.6+ which contains the corrected version check.

Environment

• @shopify/cli: 3.90.0 (npm) / 3.89.0 (Homebrew)
• Node: 22.x
• OS: macOS

Related

• [Bug]: Shopify CLI React Router version check expects 7.9.2, but Hydrogen officially supports 7.12.0 hydrogen#3449 — companion issue filed on the Hydrogen repo
• chore(deps): bump RR7 to v7.12.0 hydrogen#3346 — PR that updated the version check to 7.12.0
• @shopify/cli-hydrogen@11.1.6 changelog confirms the fix was included

[fredericoo]

Hey there,

The reason why this happens is that we use @shopify/cli internally for shopify commands. We are working on making it use your local version of hydrogen so these misleading warnings stop happening.

We are pending a release of the CLI that should get rid of those in the next release.

Does this stop you from developing or is it just a warning?

[lexabu]

Thanks for the quick response @fredericoo!

To answer your question: it's just a warning and doesn't block development. The app runs fine with React Router 7.12.0 despite the warning.

The main concerns are:

1. Developer confusion — New developers or those less familiar with the Hydrogen ecosystem might follow
   the CLI's advice and actually downgrade to 7.9.2, which has known CVEs
2. CI noise — The warning can clutter logs and cause false alarms in automated pipelines

Good to hear a fix is in the works. Using the local Hydrogen version for checks sounds like the right approach — it would prevent these sync issues from recurring.

Thanks for the transparency on the timeline!

[oertels]

This issue blocks me from upgrading hydrogen: I have these in my dependencies:

"@shopify/hydrogen": "^2025.7.0",
"react-router": "^7.9.2",

$ npm run dev

│  There are 2 new @shopify/hydrogen versions available.                                                                                                                                                                                                                                                                                                                                                                                                          
│  Current: ^2025.7.0 | Latest: 2025.10.0

$ h2 upgrade

Error coming from `npm install @shopify/hydrogen@2025.10.0 graphql-config@5.0.3`

Command failed with exit code 1: npm install @shopify/hydrogen@2025.10.0 graphql-config@5.0.3
(node:42750) [DEP0174] DeprecationWarning: Calling promisify on a function that returns a Promise is likely a mistake.
(Use `node --trace-deprecation ...` to show where the warning was created)
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: my-project@0.4
npm ERR! Found: react-router@7.13.0
npm ERR! node_modules/react-router
npm ERR!   react-router@"^7.9.2" from the root project
npm ERR!   peer react-router@"^7.12.0" from @react-router/dev@7.12.0
npm ERR!   node_modules/@react-router/dev
npm ERR!     @react-router/dev@"^7.9.2" from the root project
npm ERR!     peer @react-router/dev@"7.12.0" from @shopify/hydrogen@2025.10.0
npm ERR!     node_modules/@shopify/hydrogen
npm ERR!       @shopify/hydrogen@"2025.10.0" from the root project
npm ERR!   1 more (@react-router/serve)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react-router@"7.12.0" from @shopify/hydrogen@2025.10.0
npm ERR! node_modules/@shopify/hydrogen
npm ERR!   @shopify/hydrogen@"2025.10.0" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!