NTL DEPLOY: Try the new AI workflow →

Posts tagged "Remix"

Subscribe to feed

  • React Router 7 apps can now be deployed to Edge Functions

    November 10, 2025

    React Router 7 apps on Netlify are deployed to Serverless Functions by default. Now, you can choose to deploy your app to Edge Functions instead, bringing your page renders, data loaders, and actions closer to your users while lowering cold start times.

    How to use it

    1. Ensure you’re on version 7.9.0 or later of React Router:
    npm install react-router@latest @react-router/node@latest @react-router/dev@latest
    1. Update to the latest version of the Netlify React Router plugin:
    npm install @netlify/vite-plugin-react-router@latest
    1. Enable the new edge option in your vite.config.ts (or .js):
    export default defineConfig({
      plugins: [
        reactRouter(),
        netlifyReactRouter({ edge: true }), // <- deploy to Edge Functions
        netlify(),
      ],
    })
    1. Finally, create a file at app/entry.server.tsx (or .jsx) containing this single line:
    export { default } from 'virtual:netlify-server-entry'

    On your next deploy, page renders, loaders, and actions will all run in an edge function.

    When to use it

    Choose Edge Functions when:

    • You need minimal latency for your globally distributed users (edge functions run on the node closest to the user)
    • You need to optimize cold starts (initialization is faster with the slim Deno edge runtime)
    • Your data loaders and actions make requests to databases and APIs that are also globally distributed, or none at all
    • You need to support very large request or response bodies (Serverless Functions have a 6 MB limit)

    Choose Serverless Functions when:

    • Your data loaders and actions make requests to databases or APIs that are centrally located (canceling out much of the benefit of edge compute)
    • Your server-side code is CPU-intensive (Serverless Functions run on more powerful machines)
    • You need longer execution times (Functions allow up to 30s clock time, while Edge Functions are limited to 50ms CPU time)
    • You cannot use Edge Functions due to their runtime constraints or limitations

    Next steps

  • React Router 7 middleware now supported

    October 24, 2025

    React Router 7 recently launched its long-awaited middleware feature, stable since v7.9.0.

    Middleware is now fully supported on Netlify.

    How to use it

    Ensure you’re on version 7.9.0 or later of React Router:

    npm install react-router@latest @react-router/node@latest @react-router/dev@latest

    Upgrade to version 2 of the Netlify React Router plugin:

    npm install @netlify/vite-plugin-react-router@latest

    After that, middleware works out of the box.

    Next steps

  • Security Update: React Router and Remix Vulnerabilities

    April 27, 2025

    We are aware of recently disclosed vulnerabilities affecting React Router and Remix:

    1. CVE 2025-31137 (React Router 7 and Remix): Spoof request path allowing certain access control bypasses
    2. CVE-2025-43864 (React Router 7 only): Cache poisoning leading to unusable responses
    3. CVE-2025-43865 (React Router 7 only): Cache poisoning with arbitrary data

    Impact on Netlify sites:

    • CVE 2025-31137: Sites on Netlify are not vulnerable, because the Netlify CDN cache varies on the query string by default, and Remix and React Router sites on Netlify do not use the impacted Express package.
    • CVE-2025-43864: Sites on Netlify using React Router 7.2.0 to 7.5.1 were vulnerable until 04/27 3:00 UTC. However, exploitation requires all of the following conditions for a given URL to be poisonable:
      • The site must not be using React Router’s SPA mode.
      • The page or loader must be explicitly setting caching headers.
      • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).
    • CVE-2025-43865: Sites on Netlify using React Router 7.0.0 to 7.5.1 were vulnerable until 04/27 3:00 UTC. However, exploitation requires all of the following conditions for a given URL to be poisonable:
      • The page or loader must be explicitly setting caching headers.
      • A malicious request would need to be the first request to reach the cache (such as immediately after a deploy or cache invalidation).

    We strongly recommend upgrading to the latest versions of React Router (7.5.2).

    Given these specific requirements, the number of vulnerable Netlify sites is low. However, out of an abundance of caution, our engineering team is actively rolling out a mitigation to further protect against these vulnerabilities. We will continue to monitor the situation and will provide updates as our work progresses.

    Update: As of 2025-04-27 3:00 AM UTC, a mitigation has been rolled out to the Netlify CDN for all vulnerable sites.

  • User admin template built with Remix and Supabase

    March 21, 2025

    Screenshot of Remix Admin Supabase Starter

    When creating a new site from a template, there is a new option available — Remix Admin Supabase Starter.

    This is a simple user admin application with CRUD operations for individual user records. The template is built with Remix and using Supabase as the backend (database) provider.

    The repo is available at netlify-templates/remix-admin-template, and you can view a read-only demo here.