
security: fix remaining high-severity dependency vulnerabilities#249

Merged
Bulzan Sergiu (busec0) merged 1 commit into main from sergiubulzan/fix-remaining-security-vulnerabilities
Mar 23, 2026

Conversation

@busec0 Bulzan Sergiu (busec0) commented Mar 20, 2026

Summary

  • Update fast-xml-parser 4.5.4 → 5.5.6 in react-native yarn resolutions and react-native-expo overrides/resolutions (CVE-2026-26278)
  • Update flatted 3.3.3 → 3.4.2 in react-native yarn resolutions (unbounded recursion DoS + prototype pollution)
  • Update json gem 2.16.0 → 2.19.2 in react-native Gemfile (high severity)

Resolves Dependabot alerts: #264, #265, #266, #267, #268

Linear Tickets

Small Peer - Security

Closes

  • SPO-232 — flatted unbounded recursion DoS (react-native/yarn.lock, dependabot #264)
  • SPO-256 — fast-xml-parser CVE-2026-26278 (react-native-expo/package-lock.json, dependabot #265)
  • SPO-258 — fast-xml-parser CVE-2026-26278 (react-native/yarn.lock, dependabot #266)
  • SPO-257 — fast-xml-parser CVE-2026-26278 (react-native-expo/yarn.lock, dependabot #267)
  • SPO-275 — Ruby JSON format string injection (react-native/Gemfile.lock, dependabot #268)

Likely also resolved (verify before closing)

Update

  • SPO-298 — react-native-expo dependency vulnerability tracking issue

Test plan

  • Verify yarn.lock files resolve updated package versions
  • Verify package-lock.json in react-native-expo has fast-xml-parser 5.5.6
  • Verify bundle exec works with updated json gem
  • CI passes

🤖 Generated with Claude Code

Update vulnerable dependencies in react-native and react-native-expo:

- fast-xml-parser: 4.5.4 → 5.5.6 (CVE-2026-26278, entity expansion bypass)
- flatted: 3.3.3 → 3.4.2 (unbounded recursion DoS + prototype pollution)
- json gem: 2.16.0 → 2.19.2 (high severity vulnerability)

Resolves dependabot alerts: #264, #265, #266, #267, #268

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
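The test plan in the description above is done by hand: open each lockfile and confirm the resolved version. The script below is an added example written for this page, not code from this PR or its repository, that mechanises those checks. It parses the three lockfile formats involved (yarn.lock v1, package-lock.json v2/v3, Gemfile.lock), reports every resolved copy of a package that sits below the floor the PR states (5.5.6, 3.4.2, 2.19.2), and checks that package.json forces the fix under both the Yarn key (`resolutions`) and the npm key (`overrides`), which matters for react-native-expo because it commits both a yarn.lock and a package-lock.json. The function names, the `JS_MINIMUM`/`GEM_MINIMUM` tables and all sample inputs are assumptions of the example; the samples are constructed and deliberately contain defects so the output shows what a miss looks like.

```python
"""Added example: audit lockfiles for the minimum fixed versions in this PR. Samples are constructed."""
import json
import re

JS_MINIMUM = {"fast-xml-parser": "5.5.6", "flatted": "3.4.2"}  # floors from the PR description
GEM_MINIMUM = {"json": "2.19.2"}

def parse_version(spec):
    """'5.5.6' -> (5, 5, 6); range prefixes such as '^' or '>=' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", spec))

def yarn_lock_versions(text):
    """{name: {versions}} from yarn.lock v1: unindented 'name@range, ...:' headers,
    each followed by an indented  version "x.y.z"  line."""
    found, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            first = line.rstrip()[:-1].split(",")[0].strip().strip('"')
            current = first.rsplit("@", 1)[0]  # rsplit keeps '@scope/name' intact
        elif current:
            m = re.match(r'\s+version\s+"?([^"\s]+)"?', line)
            if m:
                found.setdefault(current, set()).add(m.group(1))
    return found

def npm_lock_versions(text):
    """{name: {versions}} from package-lock.json v2/v3; keys are install paths, so
    nested copies under .../node_modules/<name> are counted too."""
    found = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" in path and "version" in meta:
            found.setdefault(path.rsplit("node_modules/", 1)[1], set()).add(meta["version"])
    return found

def gemfile_lock_versions(text):
    """{name: {versions}} from Gemfile.lock: four-space '    json (2.19.2)' specs lines;
    two-space '  json (>= 2.17.2)' DEPENDENCIES lines are constraints and are skipped."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^    (\S+) \((\d[\w.]*)\)$", line)
        if m:
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def below_minimum(versions, minimum):
    """[(name, version)] for every resolved copy older than its floor: a lockfile may
    hold several copies of a package, and one stale copy is still reachable."""
    return [(name, v) for name, floor in minimum.items()
            for v in sorted(versions.get(name, ()))
            if parse_version(v) < parse_version(floor)]

def pin_problems(package_json_text, minimum, keys):
    """[(key, name, reason)] where package.json does not force the fix. Yarn honours
    'resolutions' and npm honours 'overrides'; commit both lockfiles, pin both keys."""
    data = json.loads(package_json_text)
    problems = []
    for key in keys:
        for name, floor in minimum.items():
            spec = data.get(key, {}).get(name)
            if spec is None:
                problems.append((key, name, "not pinned"))
            elif parse_version(spec) < parse_version(floor):
                problems.append((key, name, "pinned to " + spec))
    return problems

# Constructed samples, resolved/integrity fields trimmed. Deliberate defects: a stale
# flatted in yarn.lock, a stale nested fast-xml-parser in package-lock.json (override
# added but lockfile not regenerated), and no flatted entry under npm 'overrides'.
SAMPLE_YARN_LOCK = """\
# yarn lockfile v1

fast-xml-parser@5.5.6, fast-xml-parser@^4.4.1:
  version "5.5.6"

flatted@^3.3.1:
  version "3.3.3"
"""
SAMPLE_NPM_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "react-native-expo"},
    "node_modules/fast-xml-parser": {"version": "5.5.6"},
    "node_modules/some-tool/node_modules/fast-xml-parser": {"version": "4.5.4"}}})
SAMPLE_GEMFILE_LOCK = """\
GEM
  specs:
    json (2.19.2)

DEPENDENCIES
  json (>= 2.17.2)
"""
SAMPLE_PACKAGE_JSON = json.dumps({"resolutions": {"fast-xml-parser": "5.5.6", "flatted": "3.4.2"},
                                  "overrides": {"fast-xml-parser": "5.5.6"}})

def run_audit():
    """Returns (lockfile_findings, pin_findings); two empty lists mean the fix landed everywhere."""
    lockfiles = [("yarn.lock", yarn_lock_versions, SAMPLE_YARN_LOCK, JS_MINIMUM),
                 ("package-lock.json", npm_lock_versions, SAMPLE_NPM_LOCK, JS_MINIMUM),
                 ("Gemfile.lock", gemfile_lock_versions, SAMPLE_GEMFILE_LOCK, GEM_MINIMUM)]
    lock_findings = [(label,) + hit for label, parse, text, floors in lockfiles
                     for hit in below_minimum(parse(text), floors)]
    return lock_findings, pin_problems(SAMPLE_PACKAGE_JSON, JS_MINIMUM, ("resolutions", "overrides"))

if __name__ == "__main__":
    locks, pins = run_audit()
    for finding in locks + pins:
        print("FAIL:", *finding)
    raise SystemExit(1 if locks or pins else 0)
```

To run it against a real checkout, replace the `SAMPLE_*` strings with the file contents and keep the floors. Two points the script encodes that a by-eye check tends to miss: a lockfile can carry more than one copy of a package (npm nests them under a dependency's own node_modules), so the audit must look at every copy rather than the first hit; and a Gemfile constraint such as `json (>= 2.17.2)` is only a floor for the resolver, so the version that actually ships is the one in Gemfile.lock, which is why the script reads the lock and not the Gemfile. The yarn parser assumes the v1 lockfile layout shown in the sample; Yarn Berry lockfiles use a different header and `version:` syntax and would need their own parser.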
Copilot AI left a comment

Pull request overview

This PR updates dependency pins/lockfiles in the React Native sample apps to remediate high-severity vulnerability alerts (Dependabot #264–#268), including JS package overrides and a Ruby gem bump.

Changes:

  • Bump fast-xml-parser to 5.5.6 via Yarn resolutions / npm overrides and update associated lockfiles.
  • Bump flatted to 3.4.2 (react-native resolutions + lockfile).
  • Bump Ruby json gem to 2.19.2 and add a minimum constraint in Gemfile.

Reviewed changes

Copilot reviewed 3 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:

  • react-native/yarn.lock: Locks fast-xml-parser@5.5.6 (+ new transitive deps) and flatted@3.4.2.
  • react-native/package.json: Forces fast-xml-parser@5.5.6 and flatted@3.4.2 via resolutions.
  • react-native/Gemfile: Adds json (>= 2.17.2) to address gem vulnerability.
  • react-native/Gemfile.lock: Updates locked json version and bundler version.
  • react-native-expo/yarn.lock: Updates fast-xml-parser lock entry and adds new transitive deps.
  • react-native-expo/package.json: Forces fast-xml-parser@5.5.6 via resolutions + overrides.
  • react-native-expo/package-lock.json: Locks fast-xml-parser@5.5.6 and adds new transitive deps.

Files not reviewed (1):

  • react-native-expo/package-lock.json: Language not supported


@busec0 Bulzan Sergiu (busec0) requested a review from a team March 23, 2026 09:20
Bulzan Sergiu (busec0), Member Author, commented:

React Native Expo CI / Test Android - BrowserStack Maestro (pull_request) -> Failing, but a flake on BrowserStack. The automation just scrolls past the element it fails to find 🙃. Merging without it; it works on 1 out of 2 devices anyway.

@busec0 Bulzan Sergiu (busec0) merged commit 6e98a22 into main Mar 23, 2026
15 of 16 checks passed
@busec0 Bulzan Sergiu (busec0) deleted the sergiubulzan/fix-remaining-security-vulnerabilities branch March 23, 2026 10:52
3 participants