Description
The shopify hydrogen dev command displays a misleading version mismatch warning when React Router 7.12.0 is installed, even though Hydrogen officially updated to 7.12.0 in the skeleton@2025.7.1 release.
Current behavior
Running shopify hydrogen dev with @shopify/cli@3.90.0 (latest) displays:
╭─ warning ────────────────────────────────────────────────────────────╮
│ │
│ React Router version mismatch detected │
│ │
│ Hydrogen requires React Router 7.9.x for proper functionality. │
│ │
│ Version mismatches found: │
│ • react-router: installed 7.12.0, expected 7.9.2 │
│ • @react-router/dev: installed 7.12.0, expected 7.9.2 │
│ • @react-router/fs-routes: installed 7.12.0, expected 7.9.2 │
│ │
│ To fix this issue, run: │
│ npm install react-router@7.9.2 │
│ npm install -D @react-router/dev@7.9.2 @react-router/fs-routes@7.9.2 │
│ │
│ This may cause issues with routing, code splitting, and other │
│ features. │
╰──────────────────────────────────────────────────────────────────────╯
Expected behavior
No warning should be displayed when React Router 7.12.0 is installed, since this is the version Hydrogen officially supports.
Root cause
In packages/cli/src/lib/react-router-version-check.ts, the EXPECTED_VERSION constant has been updated to "7.12.0" on the main branch. However, this fix has not been released in any @shopify/cli version yet. Both @shopify/cli@3.89.0 (Homebrew) and @shopify/cli@3.90.0 (npm, latest) still ship with EXPECTED_VERSION = "7.9.2" in their bundled dist/index.js.
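As an added illustration (not the Shopify CLI's own code; all type and function names are hypothetical), a minimal TypeScript model of a dependency version check, showing how an exact-pin comparison against 7.9.2 flags the supported 7.12.0 and emits a downgrade instruction, while a minimum-version comparison accepts it and only flags releases older than the pinned one:

```typescript
// Added example (not the Shopify CLI's code): a minimal model of a dependency
// version check, showing why an exact-pin comparison produces a misleading
// "downgrade" warning and how a minimum-version comparison avoids it.
// All type and function names here are hypothetical.

type Semver = [number, number, number];

// Parse "7.12.0" into [7, 12, 0]; pre-release/build suffixes are dropped.
function parseSemver(v: string): Semver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare per component: negative if a < b, 0 if equal, positive if a > b.
function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

type Mismatch = { pkg: string; installed: string; expected: string };

// Exact-pin check: anything other than `expected` is a mismatch, including newer
// patched releases. This models the behaviour the issue describes.
function checkExact(installed: Record<string, string>, expected: string): Mismatch[] {
  return Object.keys(installed)
    .filter((pkg) => compareSemver(installed[pkg], expected) !== 0)
    .map((pkg) => ({ pkg, installed: installed[pkg], expected }));
}

// Minimum-version check: flag only versions older than the minimum supported
// release, or a different major. A newer release within the same major passes,
// so the advice emitted never points below the fixed version.
function checkMinimum(installed: Record<string, string>, minimum: string): Mismatch[] {
  const minMajor = parseSemver(minimum)[0];
  return Object.keys(installed)
    .filter((pkg) => compareSemver(installed[pkg], minimum) < 0 || parseSemver(installed[pkg])[0] !== minMajor)
    .map((pkg) => ({ pkg, installed: installed[pkg], expected: minimum }));
}

// Constructed sample: the three packages named in the warning above.
const INSTALLED: Record<string, string> = {
  "react-router": "7.12.0",
  "@react-router/dev": "7.12.0",
  "@react-router/fs-routes": "7.12.0",
};
```

With the constructed sample, checkExact(INSTALLED, "7.9.2") reports all three packages, reproducing the misleading warning, while checkMinimum(INSTALLED, "7.9.2") reports none.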
Why this matters
- Security: React Router 7.9.2 has multiple known CVEs that are fixed in 7.12.0:
  - GHSA-h5cw-625j-3rxh: CSRF in Action/Server Action Request Processing
  - GHSA-2w69-qvjg-hvjx: XSS via Open Redirects
  - GHSA-8v8x-cx79-35w7: SSR XSS in ScrollRestoration
  - GHSA-9jcx-v3wj-wh4m: Unexpected external redirect via untrusted paths
  - GHSA-9583-h5hc-x8cw: Path Traversal in @react-router/node File Session Storage
- Misleading guidance: The CLI actively tells developers to downgrade to a vulnerable version (7.9.2), which is the opposite of what they should do.
- Inconsistency with official releases:
  - skeleton@2025.7.1 (release notes) explicitly states: "Update React Router to 7.12.0 with stabilized future flags"
  - The @shopify/cli-hydrogen@11.1.6 changelog references PR "chore(deps): bump RR7 to v7.12.0" (#3346), which bumped RR7 to 7.12.0
  - The skeleton template on main pins React Router at 7.12.0
  - Yet the released CLI tells users 7.12.0 is wrong
Environment
- @shopify/cli: 3.90.0 (latest as of Feb 2026)
- @shopify/hydrogen: 2025.7.3
- react-router: 7.12.0
- Node: 22.x
- OS: macOS
Steps to reproduce
- Create or use a Hydrogen project with React Router 7.12.0 (matching skeleton@2025.7.1)
- Run shopify hydrogen dev
- Observe the incorrect version mismatch warning
Suggested fix
Release a CLI version that includes the already-merged fix from main where EXPECTED_VERSION is set to "7.12.0" in packages/cli/src/lib/react-router-version-check.ts.