The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-MINIMATCH-15353387 - https://snyk.io/vuln/SNYK-JS-MINIMATCH-15353389
✅ Snyk checks have passed. No issues have been found so far.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
| "react-dom": "19.1.0", | ||
| "react-mobile-cropper": "^0.10.0", | ||
| "react-native": "0.81.5", | ||
| "react-native": "0.84.0", |
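Review bot: the react-native pin in this hunk jumps from 0.81.5 straight to 0.84.0, three React Native minor releases, in a PR whose stated purpose (per the description) is fixing two minimatch advisories; React Native 0.x minors carry breaking native and Metro changes, so a narrower fix that overrides the transitive minimatch version would carry far less risk, and if the bump is kept, every other place the workspace pins react-native (resolutions, the mobile app's package.json, yarn.lock) has to move to 0.84.0 in the same change or this line has no effect.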
🔴 react-native upgrade to 0.84.0 is nullified by resolutions field still pinning 0.81.5
The dependencies field at line 175 changes react-native from 0.81.5 to 0.84.0, but the resolutions field at package.json:333 still pins react-native to 0.81.5. In Yarn workspaces, the resolutions field takes precedence over dependencies for version resolution across the entire workspace. This means the vulnerability fix is completely ineffective — react-native will still resolve to 0.81.5 everywhere.
Root Cause and Full Impact
The Snyk bot only modified the dependencies section but failed to also update the resolutions section. The resolutions override at package.json:333 reads:
"react-native": "0.81.5"
This forces all react-native resolutions across the monorepo to 0.81.5, regardless of what dependencies declares.
Additionally, apps/mobile/package.json still pins react-native to 0.81.5, and the yarn.lock still resolves react-native to npm:0.81.5. The metro resolutions (package.json:336-344) are also pinned to 0.83.2, which is the version compatible with RN 0.81.x, not 0.84.x.
Impact: The stated purpose of this PR — fixing minimatch vulnerabilities by upgrading react-native — is not achieved. The vulnerable version 0.81.5 will continue to be installed. Furthermore, the inconsistency between dependencies (0.84.0) and resolutions (0.81.5) creates a confusing state where the declared dependency doesn't match what's actually installed.
Prompt for agents
To actually apply the react-native upgrade, you need to update multiple locations in addition to the dependencies field:
1. In package.json, update the resolutions field at line 333 from "react-native": "0.81.5" to "react-native": "0.84.0"
2. In apps/mobile/package.json, update "react-native" from "0.81.5" to "0.84.0"
3. In apps/mobile/package.json, update "@react-native/metro-config" from "0.81.5" to the version compatible with RN 0.84.0
4. Update the metro resolution pins (package.json lines 336-344) to versions compatible with RN 0.84.0
5. Run yarn install to regenerate yarn.lock
6. Verify all react-native-* peer dependencies are compatible with 0.84.0 (react-native-reanimated, react-native-screens, react-native-web, etc.)
Note: This is a major React Native version bump (0.81 -> 0.84) that will likely require significant testing and possibly code changes across the mobile app. Consider whether this upgrade is the right approach to fix the minimatch vulnerability, or if a more targeted fix is possible.
| "react-beautiful-dnd": "13.1.1", | ||
| "react-dom": "19.1.0", | ||
| "react-mobile-cropper": "^0.10.0", | ||
| "react-native": "0.81.5", | ||
| "react-native": "0.84.0", |
🔴 yarn.lock not updated — dependency versions in lockfile don't match package.json
The yarn.lock file was not updated to reflect the dependency changes in package.json. The lockfile still resolves node-gyp to 11.5.0 (under the ^11.5.0 range) and react-native to 0.81.5. Since the lockfile has no entry for node-gyp@^12.0.0 or react-native@0.84.0, running yarn install will either fail or produce inconsistent results.
Detailed Explanation
The PR description itself warns: "Failed to update the yarn.lock, please update manually before merging." The current state of the lockfile shows:
- node-gyp resolves ^11.2.0, ^11.5.0 to 11.5.0 — there is no resolution for ^12.0.0
- react-native resolves to npm:0.81.5 — there is no resolution for 0.84.0
Merging this PR without updating yarn.lock means:
- CI/CD pipelines that run yarn install --immutable (frozen lockfile) will fail immediately
- Developers pulling this branch will get errors or stale dependency versions
- The vulnerability fixes are not actually installed
Impact: Build failures in CI and broken developer workflow. The security vulnerabilities remain unpatched.
(Refers to lines 165-175)
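A pre-merge consistency check covering both review comments above (the resolutions pin that silently overrides the bumped dependency, and the missing yarn.lock entries), as an added example that is not part of the PR, the review bots, or the project: a small Node script that reads a package.json and a yarn.lock and reports (1) any resolutions entry whose pin differs from the version declared in dependencies, and (2) any declared name@range that has no lockfile entry. The package.json and yarn.lock contents below are constructed to mirror the state the comments describe; the function names and the lockfile key parsing are this example's own assumptions (it handles plain package-name keys in resolutions, not glob patterns such as "**/minimatch").

```javascript
// Added example (not from the PR or the project): a Yarn workspace audit for
// two failure modes the review comments describe. Sample inputs are constructed.

// Constructed root package.json: dependencies bumped, resolutions still pinned.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    'react-native': '0.84.0',
    'node-gyp': '^12.0.0',
    'react-dom': '19.1.0',
  },
  resolutions: {
    'react-native': '0.81.5',
    'react-dom': '19.1.0',
  },
});

// Constructed yarn.lock (Yarn Berry key style); it still resolves the old versions.
const SAMPLE_YARN_LOCK = `# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 8
  cacheKey: 10c0

"node-gyp@npm:^11.2.0, node-gyp@npm:^11.5.0":
  version: 11.5.0
  resolution: "node-gyp@npm:11.5.0"

"react-dom@npm:19.1.0":
  version: 19.1.0
  resolution: "react-dom@npm:19.1.0"

"react-native@npm:0.81.5":
  version: 0.81.5
  resolution: "react-native@npm:0.81.5"
`;

// Collect every "name@range" selector the lockfile has a resolution for.
// Top-level keys sit at column 0, end with ':' and may list several selectors
// separated by ', '. Yarn Berry prefixes ranges with "npm:"; Yarn 1 does not,
// so the prefix is stripped and matching is done on the bare range.
function lockfileSelectors(lockText) {
  const selectors = new Set();
  for (const line of lockText.split('\n')) {
    if (!/^\S.*:\s*$/.test(line) || line.startsWith('#')) continue;
    const key = line.replace(/:\s*$/, '');
    if (key === '__metadata') continue;
    for (let sel of key.split(', ')) {
      sel = sel.replace(/^"|"$/g, '');
      const at = sel.lastIndexOf('@'); // lastIndexOf so scoped names (@scope/pkg) survive
      const name = sel.slice(0, at);
      const range = sel.slice(at + 1).replace(/^npm:/, '');
      selectors.add(`${name}@${range}`);
    }
  }
  return selectors;
}

// Check 1: a resolutions pin that does not match the declared dependency
// version. Yarn applies resolutions across the whole workspace, so the
// dependencies entry is not what actually gets installed.
function findOverriddenDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const resolutions = pkg.resolutions || {};
  const findings = [];
  for (const [name, pin] of Object.entries(resolutions)) {
    if (name in deps && deps[name] !== pin) {
      findings.push({ name, declared: deps[name], resolvedTo: pin });
    }
  }
  return findings;
}

// Check 2: declared ranges with no lockfile entry. `yarn install --immutable`
// refuses to add them and fails; a non-immutable install silently re-resolves.
function findUnlockedDependencies(pkg, lockText) {
  const locked = lockfileSelectors(lockText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([name, range]) => !locked.has(`${name}@${range}`))
    .map(([name, range]) => `${name}@${range}`);
}

function auditWorkspace(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  return {
    overridden: findOverriddenDependencies(pkg),
    unlocked: findUnlockedDependencies(pkg, lockText),
  };
}

const report = auditWorkspace(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK);
for (const f of report.overridden) {
  console.log(`resolutions pins ${f.name} to ${f.resolvedTo}; dependencies declares ${f.declared}`);
}
for (const sel of report.unlocked) {
  console.log(`no yarn.lock entry for ${sel}`);
}
```

Against a real checkout, replace the two sample strings with fs.readFileSync of the root package.json and yarn.lock and exit non-zero when either list is non-empty; run it in CI before yarn install --immutable so the failure message names the offending pin rather than just "lockfile would have been modified".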
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-MINIMATCH-15353387
SNYK-JS-MINIMATCH-15353389
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)