[Snyk] Security upgrade react-native from 0.59.9 to 0.69.12#791
gastonmorixe wants to merge 1 commit into master from
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15032660
- https://snyk.io/vuln/SNYK-JS-TAR-15127355
Pull request overview
This PR attempts to upgrade React Native from 0.59.9 to 0.69.12 in the Example application to fix two directory traversal vulnerabilities in the tar dependency (SNYK-JS-TAR-15032660 and SNYK-JS-TAR-15127355). However, the upgrade is incomplete and will cause breaking changes.
Changes:
- Upgrades react-native dependency from 0.59.9 to 0.69.12 in Example/package.json
| "dependencies": { | ||
| "react": "16.8.3", | ||
| "react-native": "0.59.9" | ||
| "react-native": "0.69.12" |
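Review bot: the bumped `"react-native": "0.69.12"` line is inconsistent with the unchanged `"react": "16.8.3"` line directly above it in the same dependencies block; the review comment on this PR states that React Native 0.69.x requires React 18.0.0 or higher, so the react pin (and the matching react-test-renderer pin) should be raised in the same hunk rather than left at 16.8.3. The change also touches only Example/package.json with no yarn.lock counterpart, so resolved installs would not pick up the new version until the lockfile is regenerated.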
This upgrade from React Native 0.59.9 to 0.69.12 is incompatible with React 16.8.3. React Native 0.69.x requires React 18.0.0 or higher according to the official React Native compatibility matrix. The current React version (16.8.3) will cause runtime errors and build failures.
Additionally, the start script on line 6 references "node_modules/react-native/local-cli/cli.js" which was removed in React Native 0.60. From 0.60 onwards, React Native uses the @react-native-community/cli package instead.
To properly upgrade to React Native 0.69.12, the following changes are needed:
- Update React to version 18.0.0 or higher
- Update react-test-renderer to match the React version
- Update the start script to use "react-native start" instead
- Update other dependencies like metro-react-native-babel-preset to compatible versions
- Update the yarn.lock file (which the PR description indicates has failed)
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
Example/package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15032660
SNYK-JS-TAR-15127355
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.