[Bug]: @shopify/cli@3.90.0 ships outdated React Router version check from @shopify/cli-hydrogen

[lexabu]

Description

@shopify/cli@3.90.0 (latest) bundles an outdated version of the @shopify/cli-hydrogen React Router version check that expects 7.9.2, even though:

1. The Hydrogen team already updated EXPECTED_VERSION to "7.12.0" on main (packages/cli/src/lib/react-router-version-check.ts)
2. This fix was included in @shopify/cli-hydrogen@11.1.6 (via PR #3346)
3. The skeleton template updated to React Router 7.12.0 in skeleton@2025.7.1

Current behavior

Running shopify hydrogen dev with @shopify/cli@3.90.0 displays a warning telling developers to downgrade React Router from 7.12.0 to 7.9.2:

╭─ warning ────────────────────────────────────────────────────────────╮
│                                                                      │
│  React Router version mismatch detected                              │
│                                                                      │
│  Hydrogen requires React Router 7.9.x for proper functionality.      │
│                                                                      │
│  Version mismatches found:                                           │
│    • react-router: installed 7.12.0, expected 7.9.2                  │
│    • @react-router/dev: installed 7.12.0, expected 7.9.2             │
│    • @react-router/fs-routes: installed 7.12.0, expected 7.9.2       │
│                                                                      │
│  To fix this issue, run:                                             │
│    npm install react-router@7.9.2                                    │
│    npm install -D @react-router/dev@7.9.2 @react-router/fs-routes@7.9.2 │
│                                                                      │
╰──────────────────────────────────────────────────────────────────────╯

Evidence

Confirmed by inspecting the bundled CLI code:

# @shopify/cli@3.90.0 (npm, latest)
$ grep "EXPECTED_VERSION" node_modules/@shopify/cli/dist/index.js
], EXPECTED_VERSION = "7.9.2";   # ← stale, should be "7.12.0"

# @shopify/cli@3.89.0 (Homebrew, latest)
$ grep "EXPECTED_VERSION" /opt/homebrew/Cellar/shopify-cli/3.89.0/.../dist/index.js
], EXPECTED_VERSION = "7.9.2";   # ← same stale value

Meanwhile, the Hydrogen repo main branch already has the fix:

const EXPECTED_VERSION = '7.12.0';  // ← correct

Security concern

React Router 7.9.2 has multiple known CVEs fixed in 7.12.0:

• GHSA-h5cw-625j-3rxh: CSRF in Action/Server Action Request Processing
• GHSA-2w69-qvjg-hvjx: XSS via Open Redirects
• GHSA-8v8x-cx79-35w7: SSR XSS in ScrollRestoration
• GHSA-9jcx-v3wj-wh4m: Unexpected external redirect via untrusted paths
• GHSA-9583-h5hc-x8cw: Path Traversal in @react-router/node

The CLI is actively advising developers to install a vulnerable version.

Expected behavior

The next @shopify/cli release should bundle @shopify/cli-hydrogen@11.1.6+ which contains the corrected version check.

Environment

• @shopify/cli: 3.90.0 (npm) / 3.89.0 (Homebrew)
• Node: 22.x
• OS: macOS

Related

• [Bug]: Shopify CLI React Router version check expects 7.9.2, but Hydrogen officially supports 7.12.0 hydrogen#3449 — companion issue filed on the Hydrogen repo
• chore(deps): bump RR7 to v7.12.0 hydrogen#3346 — PR that updated the version check to 7.12.0
• @shopify/cli-hydrogen@11.1.6 changelog confirms the fix was included

[fredericoo]

Hey there,

The reason why this happens is that we use @shopify/cli internally for shopify commands. We are working on making it use your local version of hydrogen so these misleading warnings stop happening.

We are pending a release of the CLI that should get rid of those in the next release.

Does this stop you from developing or is it just a warning?

[lexabu]

Thanks for the quick response @fredericoo!

To answer your question: it's just a warning and doesn't block development. The app runs fine with React Router 7.12.0 despite the warning.

The main concerns are:

1. Developer confusion — New developers or those less familiar with the Hydrogen ecosystem might follow
   the CLI's advice and actually downgrade to 7.9.2, which has known CVEs
2. CI noise — The warning can clutter logs and cause false alarms in automated pipelines

Good to hear a fix is in the works. Using the local Hydrogen version for checks sounds like the right approach — it would prevent these sync issues from recurring.

Thanks for the transparency on the timeline!

[oertels]

This issue blocks me from upgrading hydrogen: I have these in my dependencies:

"@shopify/hydrogen": "^2025.7.0",
"react-router": "^7.9.2",

$ npm run dev

│  There are 2 new @shopify/hydrogen versions available.                                                                                                                                                                                                                                                                                                                                                                                                          
│  Current: ^2025.7.0 | Latest: 2025.10.0

$ h2 upgrade

Error coming from `npm install @shopify/hydrogen@2025.10.0 graphql-config@5.0.3`

Command failed with exit code 1: npm install @shopify/hydrogen@2025.10.0 graphql-config@5.0.3
(node:42750) [DEP0174] DeprecationWarning: Calling promisify on a function that returns a Promise is likely a mistake.
(Use `node --trace-deprecation ...` to show where the warning was created)
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: my-project@0.4
npm ERR! Found: react-router@7.13.0
npm ERR! node_modules/react-router
npm ERR!   react-router@"^7.9.2" from the root project
npm ERR!   peer react-router@"^7.12.0" from @react-router/dev@7.12.0
npm ERR!   node_modules/@react-router/dev
npm ERR!     @react-router/dev@"^7.9.2" from the root project
npm ERR!     peer @react-router/dev@"7.12.0" from @shopify/hydrogen@2025.10.0
npm ERR!     node_modules/@shopify/hydrogen
npm ERR!       @shopify/hydrogen@"2025.10.0" from the root project
npm ERR!   1 more (@react-router/serve)
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react-router@"7.12.0" from @shopify/hydrogen@2025.10.0
npm ERR! node_modules/@shopify/hydrogen
npm ERR!   @shopify/hydrogen@"2025.10.0" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!

[sameerxanand]

Can someone please explain how to upgrade Hydrogen? This issue blocks me.

> h2 upgrade --version 2026.1.0
╭─ info ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                                                                          │
│  Included in this upgrade:                                                                                                               │
│                                                                                                                                          │
│  Features                                                                                                                                │
│    • Update Storefront API and Customer Account API to 2026-01                                                                           │
│    • Add support for Bun and npm shrinkwrap lockfiles                                                                                    │
│    • Update Storefront API and Customer Account API to 2025-10                                                                           │
│    • Add cartGiftCardCodesAdd mutation                                                                                                   │
│    • Add cartDeliveryAddressesReplace mutation                                                                                           │
│    • Add React 19 support                                                                                                                │
│    • Add visitorConsent support to @inContext directive                                                                                  │
│    • Add parent prop to AddToCartButton for nested cart lines                                                                            │
│    • Migrate to Shopify's new cookie system                                                                                              │
│    • Improve development cold start time with static server build import                                                                 │
│    • React Router 7.12 stabilized APIs                                                                                                   │
│                                                                                                                                          │
│  Fixes                                                                                                                                   │
│    • Fix virtual routes failing when file paths contain spaces                                                                           │
│    • Update skeleton template to use cartGiftCardCodesAdd mutation                                                                       │
│    • Add nested cart line items display to skeleton template                                                                             │
│    • Add OAuth query parameter support to login route                                                                                    │
│    • Add locale and loginHintMode parameters to Customer Account login                                                                   │
│    • Add article_reference metafield type support                                                                                        │
│    • BREAKING: cartDeliveryAddressesUpdate empty array behavior                                                                          │
│    • Fix upgrade notice showing incorrect versions                                                                                       │
│    • Ensure SEO recommendations match Shopify Admin                                                                                      │
│    • Fix Privacy Banner and analytics event issues                                                                                       │
│    • Remove regulation-specific privacy fields from public API                                                                           │
│                                                                                                                                          │
╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯

?  Are you sure you want to upgrade to 2026.1.0?
✔  Yes, confirm


── external error ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Error coming from `npm install @shopify/hydrogen@2026.1.0`

Command failed with exit code 1: npm install @shopify/hydrogen@2026.1.0
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: humanaut-shopify-storefront@1.2.0
npm error Found: @react-router/dev@7.9.2
npm error node_modules/@react-router/dev
npm error   dev @react-router/dev@"7.9.2" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @react-router/dev@"7.12.0" from @shopify/hydrogen@2026.1.0
npm error node_modules/@shopify/hydrogen
npm error   @shopify/hydrogen@"2026.1.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /Users/sameeranand/.npm/_logs/2026-02-26T16_39_29_404Z-eresolve-report.txt
npm error A complete log of this run can be found in: /Users/sameeranand/.npm/_logs/2026-02-26T16_39_29_404Z-debug-0.log

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

What are we supposed to do?

[lexabu]

This is still not fixed in @shopify/cli@3.91.0 — the bundled EXPECTED_VERSION is still "7.9.2".

[github-actions]

This issue seems inactive. If it's still relevant, please add a comment saying so. Otherwise, take no action.
→ If there's no activity within a week, then a bot will automatically close this.
Thanks for helping to improve Shopify's dev tooling and experience.

P.S. You can learn more about why we stale issues here.