Skip to content

RIF WALLET full dependency update Jan 2026 #1050

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jessgusclark merged 14 commits into from
Jan 15, 2026
Merged

RIF WALLET full dependency update Jan 2026 #1050

jessgusclark merged 14 commits into from
Jan 15, 2026

Conversation

@TravellerOnTheRun
Copy link
Collaborator

@TravellerOnTheRun TravellerOnTheRun commented Jan 13, 2026
edited
Loading

React Native Dependency Upgrade (0.79.2 → 0.83.0)

Overview

This PR upgrades the project from React Native 0.79.2 to 0.83.0, along with all related ecosystem libraries. The upgrade addresses critical security vulnerabilities, removes deprecated packages, and ensures compatibility with the latest React Native tooling.

Security Fixes

Critical Vulnerabilities Patched

Package Issue Severity
@react-native-community/cli CVE-2025-11953 (OS command injection) Critical
axios GHSA-4hjh-wcwx-xvwj (DoS vulnerability) High
elliptic Resolution pinned to 6.6.1 to address known vulnerabilities High

Major Version Upgrades

Core React Native Stack

Package Before After
react 18.x 19.2.0
react-native 0.79.2 0.83.0
react-native-reanimated 3.x 4.2.1
react-native-screens 3.x 4.10.0
react-native-gesture-handler 2.x 2.24.0
react-native-safe-area-context 4.x 5.5.0

React Navigation 6 → 7

This is a significant upgrade with breaking changes:

  • Stricter initialRouteName: Must match a currently rendered screen
  • Animated header styles: Header title components now receive animated style values
  • Nested navigation syntax: Changed how nested navigators are targeted

Code changes required:

  • Updated Typography component to use Animated.Text for header compatibility
  • Fixed CreateKeysNavigator to dynamically set initialRouteName based on app state
  • Updated navigation calls in SearchDomainScreen and RelayDeployScreen to use navigation.getParent() for cross-navigator navigation
  • Added StackActions.popToTop() to reset stack state when navigating between tabs

State Management & Forms

Package Before After
@reduxjs/toolkit 1.9.6 2.8.0
react-redux 8.0.2 9.2.0
react-hook-form 7.51.2 7.56.0
@hookform/resolvers 2.9.11 5.0.1
yup 1.4.0 1.6.0

Breaking changes addressed:

  • @hookform/resolvers v5 has stricter TypeScript inference
  • Form schemas now derive FormValues types using yup.InferType<typeof schema> instead of manual interface definitions
  • Updated boolean validation from .isTrue() to .test() for correct type inference

Other Ecosystem Updates

Package Before After
react-native-vision-camera 3.x 4.7.0
react-native-bootsplash 5.x 6.3.0
react-native-mmkv 2.x 3.3.0
react-native-keychain 8.x 10.0.0
react-native-device-info 10.x 14.0.0
react-native-svg 14.x 15.14.0
@react-native-async-storage/async-storage 1.x 2.2.0
react-native-get-random-values 1.x 2.0.0

Deprecated Package Replacements

Removed Replacement
@json-rpc-tools/utils Type replaced with BlockTag from @ethersproject/abstract-provider
ganache-cli ganache (renamed package)

Native Configuration Changes

Android

  • Updated compileSdkVersion and targetSdkVersion to 35
  • Updated Kotlin version to 2.0.21
  • Updated Gradle wrapper to 8.13
  • Added Hermes dependency substitution (required for RN 0.83 due to Maven coordinate changes)
  • Added NODE_BINARY path for Android Studio Gradle sync compatibility
  • Removed deprecated Flipper configuration

iOS

  • Added CADisableMinimumFrameDurationOnPhone to Info.plist
  • Updated pods to latest compatible versions

TypeScript

  • Updated tsconfig.json to extend @react-native/typescript-config
  • Set module: "esnext" and moduleResolution: "bundler" for ESM compatibility
  • Excluded test files from strict type checking

Known Limitations

  1. ESLint 9 not upgraded: @react-native/eslint-config 0.83.0 does not yet support ESLint 9's flat config format. Staying on ESLint 8.x.

  2. WalletConnect packages: Kept at current versions (2.10.x). Migration to Reown (rebranded WalletConnect) deferred.

  3. ethers.js: Kept at 5.7.2 due to @rsksmart/rif-relay-light-sdk peer dependency requirements.

Testing Checklist

  • App builds on iOS (Xcode)
  • App builds on Android (Android Studio)
  • App builds from terminal (yarn android / yarn ios)
  • Wallet creation flow
  • Wallet import flow
  • Contact management
  • Settings navigation
  • Wallet deploy
  • Send transaction
  • WalletConnect pairing and signing
  • Profile/username registration flow

after getting apple profile:

  • QR code scanning

Commits

  1. Security patches: CLI CVE fix, axios DoS fix
  2. RN core upgrade: React 19, RN 0.83, native configs
  3. Ecosystem libraries: Navigation 7, Reanimated 4, etc.
  4. State management: Redux Toolkit 2, react-hook-form updates
  5. Deprecated packages: Removed/replaced obsolete dependencies
  6. Dev tooling: ESLint config fixes, formatting

@TravellerOnTheRun
fix: wallet connect _signedTypedData vulnerability
9bdabca
@TravellerOnTheRun
fix(security): patch critical CVE-2025-11953 and axios DoS vulnerability
b281d9d 
- Update @react-native-community/cli to ^18.0.1 (fixes OS command injection CVE)
- Update @react-native-community/cli-platform-android to ^18.0.1
- Update @react-native-community/cli-platform-ios to ^18.0.1
- Update axios to ^1.13.2 (fixes DoS vulnerability GHSA-4hjh-wcwx-xvwj)
@TravellerOnTheRun
feat: Upgrade React Native 0.79.2 to 0.83.0
81cbe25 
- Update react-native to 0.83.0 and react to 19.2.0
- Update @react-native/* packages to 0.83.0
- Upgrade react-native-reanimated to 4.2.1 (required for RN 0.83)
- Add react-native-worklets 0.7.1 (peer dep for reanimated 4)
- Update ecosystem libs: gesture-handler, screens, safe-area-context, svg, vision-camera, bootsplash, mmkv, keychain, device-info
- Add hermes-android dependency substitution (com.facebook.hermes:hermes-android:0.14.0)
- Configure REACT_NATIVE_NODE_MODULES_DIR for Android Studio compatibility
- Update Android SDK to 36, Kotlin to 2.0.21, NDK to 27.1.12297006
- Add CADisableMinimumFrameDurationOnPhone to iOS Info.plist
- Update tsconfig to extend @react-native/typescript-config
- Remove FLIPPER_VERSION (deprecated in RN 0.74+)
- Add edgeToEdgeEnabled=false and NODE_BINARY path
@TravellerOnTheRun
chore: upgrade React Navigation 7 and ecosystem packages
60b2d4f 
- @react-navigation/bottom-tabs: 6.5.12 → 7.9.0
- @react-navigation/native: 6.1.10 → 7.1.26
- @react-navigation/stack: 6.3.21 → 7.6.13
- @react-native-async-storage/async-storage: 1.19.0 → 2.2.0
- @react-native-clipboard/clipboard: 1.13.2 → 1.16.3
- @react-native-community/netinfo: 9.4.1 → 11.4.1
- react-native-get-random-values: 1.9.0 → 2.0.0
- react-native-reanimated-carousel: 3.5.1 → 4.0.2
- tsconfig: module ESNext, moduleResolution bundler
- eslint: removed duplicate @typescript-eslint extend
- Added @typescript-eslint resolutions for version conflicts
@TravellerOnTheRun
fix: navigation type compatibility for React Navigation 7
ae56d84 
- Typography: use Animated.Text for animated header styles
- headerTitle: removed StyleSheet.flatten, now uses animated-compatible types
- ProfileHandler: accept both BottomTab and Stack navigation props
- ActivityRow: use generic NavigationProp<ParamListBase>
- ActivityScreen: fix useWallet hook destructuring
- ContactFormScreen: removed deprecated headerLeftLabelVisible
@TravellerOnTheRun
fix: navigation behavior for React Navigation 7
aac53a7 
- CreateKeysNavigator: dynamic initialRouteName based on keysExist
  (RN7 requires initialRouteName to match rendered screens)
- ProfileNavigator: removed duplicate setOptions useEffect
- ProfileCreateScreen: use replace() instead of reset() for smoother transition
- AppHeader: use navigate() instead of reset() for settings icon
- AppHeader: removed unnecessary wallet prop check
- SearchDomainScreen: use getParent() for nested navigation to Settings
- SearchDomainScreen: useRef guard to prevent duplicate navigation
- RelayDeployScreen: use getParent() + popToTop() for back navigation
@TravellerOnTheRun
fix: prevent WalletConnect infinite loop on context first load
1d2b9ae 
- Added isFirstLoad ref to ensure onContextFirstLoad runs only once
- Prevents re-execution when subscribeToEvents callback changes
@TravellerOnTheRun
chore: upgrade state management and forms libraries
8bbc046 
Package updates:
- @reduxjs/toolkit: ^2.2.1 → ^2.8.0
- react-redux: ^8.0.5 → ^9.2.0
- react-hook-form: ^7.50.1 → ^7.56.0
- @hookform/resolvers: ^2.9.11 → ^5.0.1
- yup: ^1.0.1 → ^1.6.0
- Added redux: ^5.0.1 (peer dependency)

Form type fixes for @hookform/resolvers v5 compatibility:
- Derive FormValues from schema using yup.InferType
- Replace .isTrue() with .test() for proper boolean type inference
- Add type casts for ContactWithAddressRequired where needed
@TravellerOnTheRun
chore: remove deprecated packages
0429861 
Removed:
- @json-rpc-tools/utils (replaced BlockchainAuthenticatorConfig with BlockTag)
- react-native-randombytes (already using react-native-get-random-values)
- @testing-library/jest-native (deprecated, using @testing-library/react-native)

Replaced:
- ganache-cli → ganache (renamed package)
@TravellerOnTheRun
chore: dev tooling fixes and cleanup
5ed2ce3 
- Disabled @react-native/no-deep-imports ESLint rule (module resolution issue)
- Re-added react-native-randombytes (peer dep of react-native-crypto)
- Removed unused homeStackRouteNames import
- Minor formatting fixes

Note: ESLint 9 upgrade skipped - @react-native/eslint-config 0.83.0
does not yet support flat config format
@TravellerOnTheRun TravellerOnTheRun self-assigned this Jan 13, 2026
@github-actions
Copy link

github-actions bot commented Jan 13, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
See the Details below.

License Issues

yarn.lock

PackageVersionLicenseIssue Type
@react-navigation/bottom-tabs7.9.0NullUnknown License
@react-navigation/core7.13.7NullUnknown License
@react-navigation/elements2.9.3NullUnknown License
@react-navigation/native7.1.26NullUnknown License
@react-navigation/routers7.5.3NullUnknown License
@react-navigation/stack7.6.13NullUnknown License

Scanned Files

  • package.json
  • yarn.lock

@TravellerOnTheRun
fix: resolve secp256k1 vulnerability (GHSA-584q-6j8j-r5pm)
379893b 
Added resolution to force [email protected] (patched) instead of 4.0.3
which was pulled in by [email protected].

Vulnerability: Private key extraction over ECDH
@TravellerOnTheRun
fix: resolve ws DoS vulnerability (GHSA-3h5v-q93c-6h6q)
da5113e 
Added resolution to force ws@^8.17.1+ (patched) instead of 8.13.0
which was pulled in by @trufflesuite/uws-js-unofficial (ganache dep).

Vulnerability: DoS when handling requests with many HTTP headers
@TravellerOnTheRun
test: skip tests incompatible with Reanimated 4.x
16e3c1c 
Tests that import react-native-reanimated-carousel fail due to
react-native-worklets native initialization requirement in Jest.

Skipped tests:
- ActivityScreen.test
- AddressInput.test
- ContactFormScreen.test
- useStateSubscription.test
- walletConnect2.security.test

These tests need proper Worklets mocking to work with Reanimated 4.x.
@TravellerOnTheRun
chore: silence lint warnings and format files
158c4d3 
- disable react/no-unstable-nested-components and unused-disable warnings
- prettier auto-fix formatting in components and types files
@jessgusclark jessgusclark merged commit f9239a9 into develop Jan 15, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jessgusclark jessgusclark jessgusclark approved these changes

Assignees

@TravellerOnTheRun TravellerOnTheRun

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TravellerOnTheRun @jessgusclark