Merge pull request #525 from reown-com/fix-alerts

chore: resolve dependabot alerts for storybook and lodash

Author: ignaciosantise

AGENTS.md

@@ -300,3 +300,29 @@ yarn format           # Run Prettier
 ### Commit Convention
 
 Follow conventional commits: `fix:`, `feat:`, `refactor:`, `docs:`, `test:`, `chore:`
+
+### Dependabot Alerts
+
+When resolving Dependabot security alerts or dependency update PRs:
+
+1. **Direct dependencies** - Update the version directly in the package's `package.json` where it's declared. This is cleaner than using resolutions because:
+
+   - It keeps the dependency version visible where the package is used
+   - Resolutions are meant for transitive dependencies you don't control
+   - Example: update storybook in `apps/gallery/package.json`, not via root resolutions
+
+2. **Transitive dependencies** - Use resolutions/overrides for dependencies you don't directly declare:
+
+   - Root `package.json` → `resolutions` field (for yarn workspaces)
+   - Specific package's `package.json` → `overrides` field (for npm packages like expo-multichain)
+
+3. **Update lockfiles** - After making changes:
+
+   - Run `yarn install` at root to update `yarn.lock`
+   - Run `npm install` in the specific package directory to update `package-lock.json`
+
+4. **Check for related packages** - When updating a package, check if there are related packages that should be updated together (e.g., updating `storybook` should also update all `@storybook/*` addons to the same version for consistency)
+
+5. **Never update to new major versions** - Only apply patch/minor updates. Major version bumps can cause breaking changes and compatibility issues.
+
+6. **Run formatting before committing** - Always run `yarn format` to fix any prettier issues before creating a commit.

apps/gallery/package.json

@@ -9,16 +9,16 @@
     "@babel/preset-react": "^7.22.5",
     "@babel/preset-typescript": "7.24.7",
     "@chromatic-com/storybook": "^1",
-    "@storybook/addon-essentials": "^8.3.0",
-    "@storybook/addon-interactions": "^8.3.0",
-    "@storybook/addon-links": "^8.3.0",
-    "@storybook/addon-onboarding": "^8.3.0",
+    "@storybook/addon-essentials": "^8.6.15",
+    "@storybook/addon-interactions": "^8.6.15",
+    "@storybook/addon-links": "^8.6.15",
+    "@storybook/addon-onboarding": "^8.6.15",
     "@storybook/addon-react-native-web": "^0.0.24",
     "@storybook/addon-webpack5-compiler-babel": "^3.0.3",
-    "@storybook/blocks": "^8.3.0",
-    "@storybook/react": "^8.3.0",
-    "@storybook/react-webpack5": "^8.3.0",
-    "@storybook/test": "^8.3.0",
+    "@storybook/blocks": "^8.6.15",
+    "@storybook/react": "^8.6.15",
+    "@storybook/react-webpack5": "^8.6.15",
+    "@storybook/test": "^8.6.15",
     "babel-loader": "9.1.3",
     "babel-plugin-react-native-web": "^0.19.7",
     "babel-plugin-react-require": "^4.0.1",
@@ -29,14 +29,14 @@
     "react-native": "*",
     "react-native-svg": "*",
     "react-native-web": "^0.19.7",
-    "storybook": "^8.3.0"
+    "storybook": "^8.6.15"
   },
   "scripts": {
     "dev:gallery": "storybook dev -p 6006",
     "build:gallery": "storybook build -o out"
   },
   "dependencies": {
     "@reown/appkit-ui-react-native": "workspace:*",
-    "@storybook/theming": "^8.3.0"
+    "@storybook/theming": "^8.6.15"
   }
 }

examples/expo-multichain/package-lock.json

@@ -85,7 +85,8 @@
     "undici": "6.23.0",
     "preact": "10.28.2",
     "js-yaml": "3.14.2",
-    "valibot": "1.2.0"
+    "valibot": "1.2.0",
+    "lodash": "4.17.23"
   },
   "private": true
 }