Fixed a security vulnerability that allowed URL manipulation and potential cache pollution via the Host and X-Forwarded-Host headers due to inadequate port sanitization.

Patch Changes

react-router - Dedupe calls to route.lazy functions (#13260)
@react-router/dev - Fix path in prerender error messages (#13257)
@react-router/dev - Fix typegen for virtual modules when moduleDetection is set to force (#13267)
@react-router/express - Better validation of x-forwarded-host header to prevent potential security issues (#13309)

Unstable Changes

⚠️ Unstable features are not recommended for production use

react-router - Fix types on unstable_MiddlewareFunction to avoid type errors when a middleware doesn't return a value (#13311)
react-router - Add support for route.unstable_lazyMiddleware function to allow lazy loading of middleware logic (#13210)
- ⚠️ We do not recommend adoption of this API currently as we are likely going to change it prior to the stable release of middleware
- ⚠️ This may be a breaking change if your app is currently returning unstable_middleware from route.lazy
- The route.unstable_middleware property is no longer supported in the return value from route.lazy
- If you want to lazily load middleware, you must use route.unstable_lazyMiddleware
@react-router/dev - When both future.unstable_middleware and future.unstable_splitRouteModules are enabled, split unstable_clientMiddleware route exports into separate chunks when possible (#13210)
@react-router/dev - Improve performance of future.unstable_middleware by ensuring that route modules are only blocking during the middleware phase when the unstable_clientMiddleware has been defined (#13210)