Skip to content

🚨 [security] Update @react-native-community/cli 19.1.1 → 20.1.1 (major)#7099

Open
depfu[bot] wants to merge 1 commit intomainfrom
depfu/update/npm/@react-native-community/cli-20.1.1
Open

🚨 [security] Update @react-native-community/cli 19.1.1 → 20.1.1 (major)#7099
depfu[bot] wants to merge 1 commit intomainfrom
depfu/update/npm/@react-native-community/cli-20.1.1

Conversation

@depfu
Copy link
Contributor

@depfu depfu bot commented Feb 4, 2026

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​react-native-community/cli (19.1.1 → 20.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Release Notes

20.1.1

What's Changed

  • fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

  • @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

New Contributors

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​react-native-community/cli-platform-android (indirect, 19.1.1 → 20.1.1) · Repo · Changelog

Release Notes

20.1.1

What's Changed

  • fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

  • @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

New Contributors

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​react-native-community/cli-platform-ios (indirect, 19.1.1 → 20.1.1) · Repo · Changelog

Release Notes

20.1.1

What's Changed

  • fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

  • @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

New Contributors

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​react-native-community/cli-server-api (indirect, 19.1.1 → 20.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Release Notes

20.1.1

What's Changed

  • fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

  • @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

New Contributors

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dayjs (indirect, 1.11.13 → 1.11.19) · Repo · Changelog

Release Notes

1.11.19

1.11.19 (2025-10-31)

Bug Fixes

  • added usage warnings for diff + updated unit tests (#2948) (269a7a9)
  • dont instantiate regexes within ar locale functions to avoid performance overhead (#2898) (af5e9f0)
  • replace italian locale "un' ora fa" with "un'ora fa", add tests for it (#2930) (9e9f76c)
  • Updated Belarusian locale with relative time (#2656) (1d8746c)

1.11.18

1.11.18 (2025-08-30)

Bug Fixes

  • error semantic-release dependency (8cfb313)

1.11.17

1.11.17 (2025-08-29)

Bug Fixes

  • [en-AU] locale use the same ordinal as moment (#2878) (1b95ecd)

1.11.16

1.11.16 (2025-08-29)

Bug Fixes

  • test release workflow (no code changes) (c38c428)

1.11.15

1.11.15 (2025-08-28)

Bug Fixes

  • Fix misspellings in Irish or Irish Gaelic [ga] (#2861) (9c14a42)

1.11.14

1.11.14 (2025-08-27)

Bug Fixes

  • .utcOffset(0, true) result and its clone are different bug (#2505) (fefdcd4)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ errorhandler (indirect, 1.5.1 → 1.5.2) · Repo · Changelog

Release Notes

1.5.2

What's Changed

  • chore: add support for OSSF scorecard reporting by @inigomarquinez in #27
  • docs: state assumption in readme examples by @dpopp07 in #29
  • chore: upgrade scorecard workflow pinned action versions by @carpasse in #30
  • ci: apply OSSF Scorecard security best practices by @UlisesGascon in #31
  • chore: add funding to package.json by @bjohansebas in #43
  • build(deps): bump github/codeql-action from 3.27.9 to 3.29.5 by @dependabot[bot] in #44
  • build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #46
  • build(deps): bump github/codeql-action from 3.29.7 to 3.29.11 by @dependabot[bot] in #45
  • build(deps): bump github/codeql-action from 3.29.11 to 4.31.2 by @dependabot[bot] in #50
  • build(deps): bump actions/upload-artifact from 4.5.0 to 5.0.0 by @dependabot[bot] in #49
  • build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #52
  • build(deps): bump github/codeql-action from 4.31.2 to 4.31.5 by @dependabot[bot] in #51
  • Migrate CI from Travis to GitHub Actions by @nanotower in #53
  • build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @dependabot[bot] in #48
  • Update patch version, dev dependencies, and CI workflow by @nanotower in #54
  • build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @dependabot[bot] in #36
  • build(deps-dev): bump eslint-plugin-import from 2.275 to 2.32.0 by @dependabot[bot] in #41
  • chore: remove HISTORY.md from package files by @nanotower in #55
  • chore: remove Travis CI configuration file by @nanotower in #57
  • Release: 1.5.2 by @nanotower in #56

New Contributors

Full Changelog: 1.5.1...1.5.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 strict-url-sanitise (added, 0.0.1)

🆕 semver (added, 7.7.3)

🗑️ @​jest/types (removed)

🗑️ @​types/yargs (removed)

🗑️ pretty-format (removed)

🗑️ react-is (removed)

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added depfu no-changelog no-jira-ticket Skip checking the PR title for Jira reference labels Feb 4, 2026
@depfu depfu bot requested a review from a team February 4, 2026 10:40
@cla-bot cla-bot bot added the cla: yes label Feb 4, 2026
@depfu depfu bot mentioned this pull request Feb 4, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@depfu depfu[bot]

Labels

cla: yes depfu no-changelog no-jira-ticket Skip checking the PR title for Jira reference

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants