[Snyk] Security upgrade react-native from 0.77.0 to 0.84.0#157
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
Pull request overview
This PR is an automated Snyk security upgrade that attempts to update React Native from version 0.77.0 to 0.84.0 in the example application to address two security vulnerabilities in transitive dependencies: a medium-severity "Missing Release of Resource after Effective Lifetime" issue in the inflight package (SNYK-JS-INFLIGHT-6095116) and a low-severity "Regular Expression Denial of Service (ReDoS)" vulnerability in the brace-expansion package (SNYK-JS-BRACEEXPANSION-9789073).
Changes:
- Upgrades react-native from 0.77.0 to 0.84.0 in example/package.json
- Updates yarn.lock with corresponding dependency changes including Metro bundler (0.81.x → 0.83.3), React scheduler (0.24.0-canary → 0.27.0), and switches from JSC to Hermes JavaScript engine
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| example/package.json | Updates react-native dependency version from 0.77.0 to 0.84.0 |
| example/yarn.lock | Comprehensive lockfile update reflecting all transitive dependency changes from the React Native version upgrade |
| "dependencies": { | ||
| "react": "18.3.1", | ||
| "react-native": "0.77.0" | ||
| "react-native": "0.84.0" |
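Review bot: the react pin stays at "18.3.1" in this hunk while react-native jumps from 0.77.0 to 0.84.0; each react-native release expects a specific react version, so confirm which react version 0.84.0 requires and bump "react" in the same change if it differs, otherwise the example app installs with a mismatched react/react-native pair.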
This PR claims to upgrade react-native from 0.77.0 to 0.84.0, but this is a very large version jump that appears suspicious. React Native version 0.84.0 likely does not exist yet based on the normal versioning progression of the project. Additionally, only the example directory is being updated while the root package.json remains at 0.77.0, creating an inconsistency across the repository. This discrepancy suggests the Snyk-generated PR may have issues and should be carefully reviewed before merging.
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
- example/package.json
- example/yarn.lock
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the `.yarn/cache/` directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run `yarn` to update the contents of the `./yarn/cache` directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-INFLIGHT-6095116
SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)