
chore: fix high dependabot alerts for node-forge and picomatch #545

Merged
ignaciosantise merged 3 commits into develop from fix-high-dependabot-alerts on Mar 30, 2026

Conversation

@ignaciosantise
Collaborator

@ignaciosantise ignaciosantise commented Mar 30, 2026

Summary

  • Bumps node-forge resolution from 1.3.2 to 1.4.0, fixing 8 high-severity alerts (signature forgery, certificate chain bypass, DoS)
  • Adds picomatch resolutions: v2 line to 2.3.2 and v4 line to 4.0.4, fixing 2 high-severity ReDoS alerts
  • Updates lockfiles for both the root monorepo and the expo-multichain example

Test plan

  • yarn why node-forge confirms 1.4.0
  • yarn why picomatch confirms 2.3.2 (v2), 4.0.4 (v4), 3.0.2 (v3 unaffected)
  • yarn install succeeds with no new warnings
  • Pre-existing test failure confirmed unrelated

🤖 Generated with Claude Code


Note

Low Risk
Lockfile and dependency resolution-only changes; main risk is unexpected transitive dependency behavior changes at install/runtime.

Overview
Updates dependency pinning to address security alerts by bumping node-forge from 1.3.2 to 1.4.0 via root resolutions and the examples/expo-multichain overrides.

Adds/updates picomatch resolution overrides to force patched versions (2.3.2 for v2 and 4.0.4 for v4 at the root; 2.3.2 in the Expo example), and refreshes yarn.lock and examples/expo-multichain/package-lock.json accordingly (including nested expo dependency entries).

Written by Cursor Bugbot for commit 817e09e.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude

claude bot commented Mar 30, 2026

Claude finished @ignaciosantise's task


PR Review

  • Read changed files and analyze the dependency resolution changes
  • Provide review feedback

The node-forge bump to 1.4.0 is correctly applied in both package.json (root resolutions) and examples/expo-multichain/package.json (overrides), with both lockfiles updated.

Issue: picomatch ReDoS fix is incomplete in examples/expo-multichain

The picomatch vulnerability resolutions were added to the root package.json resolutions (Yarn workspace), but the examples/expo-multichain directory uses npm with a separate package-lock.json — it has its own overrides field, not Yarn resolutions.

As a result, the examples/expo-multichain/package-lock.json still contains vulnerable picomatch versions:

  • node_modules/picomatch: 2.3.1 (should be 2.3.2)
  • node_modules/tinyglobby/node_modules/picomatch: 4.0.3 (should be 4.0.4)

The examples/expo-multichain/package.json overrides block does not include picomatch entries, so the npm lockfile was not updated for those.

Fix: Add picomatch overrides to examples/expo-multichain/package.json:

"overrides": {
  ...
  "picomatch": "2.3.2"
}

Note: npm overrides doesn't support the picomatch@^2/picomatch@^4 range-keyed syntax that Yarn resolutions use — you'd need to verify if a single "picomatch": "2.3.2" override is sufficient to cover the v4 range as well, or use nested package overrides. Then regenerate the lockfile.


@changeset-bot

changeset-bot bot commented Mar 30, 2026

⚠️ No Changeset found

Latest commit: ef1f084

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@ignaciosantise
Collaborator Author

@claude review

@claude

claude bot commented Mar 30, 2026

Claude finished @ignaciosantise's task


PR Review

  • Read changed files and analyze the dependency resolution changes
  • Validate previously flagged issues
  • Provide review feedback

🔄 Incremental Review:

Previously Flagged Issue: Partially Resolved

The previous review flagged that picomatch overrides were missing from examples/expo-multichain/package.json. This has been partially addressed: "picomatch": "2.3.2" was added to the overrides block (examples/expo-multichain/package.json:91).

However, there is a remaining issue:

node_modules/tinyglobby/node_modules/picomatch is still 4.0.3 (package-lock.json:16888) — the vulnerable v4 version. npm's overrides field does not support the range-keyed syntax ("picomatch@^4") that Yarn resolutions use. The single "picomatch": "2.3.2" override only pins the v2 resolution; it does not cover the v4 range used by tinyglobby.

To fix this, you need a nested override targeting tinyglobby's picomatch dependency:

"overrides": {
  ...
  "picomatch": "2.3.2",
  "tinyglobby": {
    "picomatch": "4.0.4"
  }
}

Then regenerate package-lock.json with npm install.

Note: tinyglobby is a devDependency of tinyglobby here (marked "dev": true, "peer": true at package-lock.json:16890-16891), so the actual runtime risk may be low — but the lockfile still contains the vulnerable version.




@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.


Bugbot Autofix prepared a fix for 1 of the 2 issues found in the latest run.

  • ✅ Fixed: Unscoped picomatch override downgrades v3 to v2
    • Changed unscoped picomatch override to scoped overrides (picomatch@^2 and picomatch@^4) allowing @expo/cli to use v3.0.2 instead of being downgraded to v2.3.2.

Preview (22a829b18a)
diff --git a/examples/expo-multichain/package-lock.json b/examples/expo-multichain/package-lock.json
--- a/examples/expo-multichain/package-lock.json
+++ b/examples/expo-multichain/package-lock.json
@@ -114,7 +114,6 @@
     "node_modules/@babel/core": {
       "version": "7.28.3",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@ampproject/remapping": "^2.2.0",
         "@babel/code-frame": "^7.27.1",
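Review bot: this hunk only drops `"peer": true` from node_modules/@babel/core, and the same one-line removal recurs in almost every other lockfile hunk of this preview; none of that relates to the picomatch override, so the lockfile was evidently regenerated with a different npm release (or different install flags) from the one that wrote the checked-in examples/expo-multichain/package-lock.json. Regenerate with the same npm version so the diff is confined to the picomatch entries; a pure security pin should not arrive bundled with metadata churn that reviewers cannot tell apart from intentional dependency changes.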
@@ -2379,7 +2378,6 @@
       "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz",
       "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==",
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }
@@ -3815,7 +3813,6 @@
       "resolved": "https://registry.npmjs.org/cross-fetch/-/cross-fetch-4.1.0.tgz",
       "integrity": "sha512-uKm5PU+MHTootlWEY+mZ4vvXoCn4fLQxT9dSc1sXVMSFkINTJVN8cAQROpwcKm8bJ/c7rgZVIBWzH5T78sNZZw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "node-fetch": "^2.7.0"
       }
@@ -3916,7 +3913,6 @@
     "node_modules/@noble/ciphers": {
       "version": "1.3.0",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": "^14.21.3 || >=16"
       },
@@ -4822,7 +4818,6 @@
     "node_modules/@react-navigation/native": {
       "version": "7.1.17",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@react-navigation/core": "^7.12.4",
         "escape-string-regexp": "^4.0.0",
@@ -5511,7 +5506,6 @@
     "node_modules/@solana/web3.js": {
       "version": "1.98.2",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/runtime": "^7.25.0",
         "@noble/curves": "^1.4.2",
@@ -5566,7 +5560,6 @@
     "node_modules/@tanstack/react-query": {
       "version": "5.85.5",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@tanstack/query-core": "5.85.5"
       },
@@ -5715,7 +5708,6 @@
       "integrity": "sha512-hHkbU/eoO3EG5/MZkuFSKmYqPbSVk5byPFa3e7y/8TybHiLMACgI8seVYlicwk7H5K/rI2px9xrQp/C+AUDTiQ==",
       "devOptional": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "csstype": "^3.0.2"
       }
@@ -5792,7 +5784,6 @@
       "version": "8.41.0",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@typescript-eslint/scope-manager": "8.41.0",
         "@typescript-eslint/types": "8.41.0",
@@ -7218,7 +7209,6 @@
       "resolved": "https://registry.npmjs.org/valtio/-/valtio-1.13.2.tgz",
       "integrity": "sha512-Qik0o+DSy741TmkqmRfjq+0xpZBXi/Y6+fXZLn0xNF1z/waFMbE3rkivv5Zcf9RrMUp6zswf2J7sbh2KBlba5A==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "derive-valtio": "0.1.0",
         "proxy-compare": "2.6.0",
@@ -7245,7 +7235,6 @@
       "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz",
       "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=10.0.0"
       },
@@ -7267,7 +7256,6 @@
       "resolved": "https://registry.npmjs.org/@wagmi/core/-/core-2.21.2.tgz",
       "integrity": "sha512-Rp4waam2z0FQUDINkJ91jq38PI5wFUHCv1YBL2LXzAQswaEk1ZY8d6+WG3vYGhFHQ22DXy2AlQ8IWmj+2EG3zQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "eventemitter3": "5.0.1",
         "mipd": "0.0.7",
@@ -7438,8 +7426,7 @@
     },
     "node_modules/@walletconnect/keyvaluestorage/node_modules/idb-keyval": {
       "version": "6.2.2",
-      "license": "Apache-2.0",
-      "peer": true
+      "license": "Apache-2.0"
     },
     "node_modules/@walletconnect/keyvaluestorage/node_modules/unstorage": {
       "version": "1.17.0",
@@ -7548,7 +7535,6 @@
       "resolved": "https://registry.npmjs.org/@walletconnect/react-native-compat/-/react-native-compat-2.22.2.tgz",
       "integrity": "sha512-lLT2fqpjpQHoZYJeif6J+RUL71+bpAQEng52hGSydZo+ntF356ny/C4GkiyICd234x6ilBx55Gf8u7YzQbk7rg==",
       "license": "SEE LICENSE IN LICENSE.md",
-      "peer": true,
       "dependencies": {
         "events": "3.3.0",
         "fast-text-encoding": "1.0.6",
@@ -7814,7 +7800,6 @@
     "node_modules/acorn": {
       "version": "8.15.0",
       "license": "MIT",
-      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -8568,7 +8553,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001735",
         "electron-to-chromium": "^1.5.204",
@@ -8626,7 +8610,6 @@
       "version": "4.0.9",
       "hasInstallScript": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "node-gyp-build": "^4.3.0"
       },
@@ -9584,7 +9567,6 @@
       "resolved": "https://registry.npmjs.org/eciesjs/-/eciesjs-0.4.15.tgz",
       "integrity": "sha512-r6kEJXDKecVOCj2nLMuXK/FCPeurW33+3JRpfXVbjLja3XUYFfD9I/JBreH6sUyzcm3G/YQboBjMla6poKeSdA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@ecies/ciphers": "^0.2.3",
         "@noble/ciphers": "^1.3.0",
@@ -9932,7 +9914,6 @@
       "version": "9.34.0",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.2.0",
         "@eslint-community/regexpp": "^4.12.1",
@@ -10105,7 +10086,6 @@
       "version": "2.32.0",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@rtsao/scc": "^1.1.0",
         "array-includes": "^3.1.9",
@@ -10511,8 +10491,7 @@
       "version": "6.4.9",
       "resolved": "https://registry.npmjs.org/eventemitter2/-/eventemitter2-6.4.9.tgz",
       "integrity": "sha512-JEPTiaOt9f04oa6NOkc4aH+nVp5I3wEjpHbIPqfgCdD5v5bUzy7xQqwcVO2aDQgOWhI28da57HksMrzK9HlRxg==",
-      "license": "MIT",
-      "peer": true
+      "license": "MIT"
     },
     "node_modules/eventemitter3": {
       "version": "5.0.1",
@@ -10536,7 +10515,6 @@
       "resolved": "https://registry.npmjs.org/expo/-/expo-54.0.12.tgz",
       "integrity": "sha512-BVvG1A9BlKAOBwczMi7XThOLzI3TUShkV/yRnAMGvQP5SQFDq7UojkZLLG285gg3OvkoqjMUE0tZvVXbvuI4tA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/runtime": "^7.20.0",
         "@expo/cli": "54.0.10",
@@ -10589,7 +10567,6 @@
       "resolved": "https://registry.npmjs.org/expo-application/-/expo-application-7.0.7.tgz",
       "integrity": "sha512-Jt1/qqnoDUbZ+bK91+dHaZ1vrPDtRBOltRa681EeedkisqguuEeUx4UHqwVyDK2oHWsK6lO3ojetoA4h8OmNcg==",
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "expo": "*"
       }
@@ -10649,7 +10626,6 @@
       "resolved": "https://registry.npmjs.org/expo-constants/-/expo-constants-18.0.9.tgz",
       "integrity": "sha512-sqoXHAOGDcr+M9NlXzj1tGoZyd3zxYDy215W6E0Z0n8fgBaqce9FAYQE2bu5X4G629AYig5go7U6sQz7Pjcm8A==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@expo/config": "~12.0.9",
         "@expo/env": "~2.0.7"
@@ -10724,7 +10700,6 @@
       "resolved": "https://registry.npmjs.org/expo-font/-/expo-font-14.0.8.tgz",
       "integrity": "sha512-bTUHaJWRZ7ywP8dg3f+wfOwv6RwMV3mWT2CDUIhsK70GjNGlCtiWOCoHsA5Od/esPaVxqc37cCBvQGQRFStRlA==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "fontfaceobserver": "^2.1.0"
       },
@@ -10781,7 +10756,6 @@
       "resolved": "https://registry.npmjs.org/expo-linking/-/expo-linking-8.0.8.tgz",
       "integrity": "sha512-MyeMcbFDKhXh4sDD1EHwd0uxFQNAc6VCrwBkNvvvufUsTYFq3glTA9Y8a+x78CPpjNqwNAamu74yIaIz7IEJyg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "expo-constants": "~18.0.8",
         "invariant": "^2.2.4"
@@ -11149,18 +11123,6 @@
         }
       }
     },
-    "node_modules/expo/node_modules/@expo/cli/node_modules/picomatch": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
-      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/expo/node_modules/glob": {
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
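Review bot: the entry being removed is the 2.3.2 copy that the earlier unscoped `"picomatch": "2.3.2"` override had forced under @expo/cli, i.e. the v3 to v2 downgrade Bugbot flagged, so dropping it is the intended effect of scoping the override to ^2. Before taking the preview, check the regenerated lock for where @expo/cli's picomatch request now resolves: it must land on a 3.x entry and not fall through to the root 2.3.2 copy, otherwise the downgrade has moved rather than gone away.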
@@ -11212,6 +11174,18 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/expo/node_modules/picomatch": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-3.0.2.tgz",
+      "integrity": "sha512-cfDHL6LStTEKlNilboNtobT/kEa30PtAf2Q1OgszfrG/rpVl1xaFWT9ktfkS306GmHgmnad1Sw4wabhlvFtsTw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
     "node_modules/expo/node_modules/ws": {
       "version": "8.18.3",
       "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz",
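Review bot: the 3.0.2 copy now sits at node_modules/expo/node_modules/picomatch, one level above the @expo/cli path the removed 2.3.2 entry occupied; 3.0.2 is the v3 line the PR description records as not covered by the alerts, so this is the expected restoration rather than a missed bump, and the entry carries `resolved` and `integrity`, so it is pinned to a tarball hash. No change needed here, but because the copy is hoisted to expo's level, any other package under expo/ that requests a 2.x or 4.x range will get its own nested copy, so `npm ls picomatch` in examples/expo-multichain is the check to run after each regeneration.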
@@ -15041,7 +15015,6 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.1.0.tgz",
       "integrity": "sha512-FS+XFBNvn3GTAWq26joslQgWNoFu08F4kl0J4CgdNKADkdSGXQyTCnKteIAJy96Br6YbpEU1LSzV5dYtjMkMDg==",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -15059,7 +15032,6 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.1.0.tgz",
       "integrity": "sha512-Xs1hdnE+DyKgeHJeJznQmYMIBG3TKIHJJT95Q58nHLSrElKlGQqDTR2HQ9fx5CN/Gk6Vh/kupBTDLU11/nDk/g==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "scheduler": "^0.26.0"
       },
@@ -15090,7 +15062,6 @@
       "resolved": "https://registry.npmjs.org/react-native/-/react-native-0.81.4.tgz",
       "integrity": "sha512-bt5bz3A/+Cv46KcjV0VQa+fo7MKxs17RCcpzjftINlen4ZDUl0I6Ut+brQ2FToa5oD0IB0xvQHfmsg2EDqsZdQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@jest/create-cache-key-function": "^29.7.0",
         "@react-native/assets-registry": "0.81.4",
@@ -15148,7 +15119,6 @@
       "resolved": "https://registry.npmjs.org/react-native-gesture-handler/-/react-native-gesture-handler-2.28.0.tgz",
       "integrity": "sha512-0msfJ1vRxXKVgTgvL+1ZOoYw3/0z1R+Ked0+udoJhyplC2jbVKIJ8Z1bzWdpQRCV3QcQ87Op0zJVE5DhKK2A0A==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@egjs/hammerjs": "^2.0.17",
         "hoist-non-react-statics": "^3.3.0",
@@ -15182,7 +15152,6 @@
       "resolved": "https://registry.npmjs.org/react-native-reanimated/-/react-native-reanimated-4.1.2.tgz",
       "integrity": "sha512-qzmQiFrvjm62pRBcj97QI9Xckc3EjgHQoY1F2yjktd0kpjhoyePeuTEXjYRCAVIy7IV/1cfeSup34+zFThFoHQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "react-native-is-edge-to-edge": "^1.2.1",
         "semver": "7.7.2"
@@ -15199,7 +15168,6 @@
       "resolved": "https://registry.npmjs.org/react-native-safe-area-context/-/react-native-safe-area-context-5.6.1.tgz",
       "integrity": "sha512-/wJE58HLEAkATzhhX1xSr+fostLsK8Q97EfpfMDKo8jlOc1QKESSX/FQrhk7HhQH/2uSaox4Y86sNaI02kteiA==",
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "react": "*",
         "react-native": "*"
@@ -15210,7 +15178,6 @@
       "resolved": "https://registry.npmjs.org/react-native-screens/-/react-native-screens-4.16.0.tgz",
       "integrity": "sha512-yIAyh7F/9uWkOzCi1/2FqvNvK6Wb9Y1+Kzn16SuGfN9YFJDTbwlzGRvePCNTOX0recpLQF3kc2FmvMUhyTCH1Q==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "react-freeze": "^1.0.0",
         "react-native-is-edge-to-edge": "^1.2.1",
@@ -15226,7 +15193,6 @@
       "resolved": "https://registry.npmjs.org/react-native-svg/-/react-native-svg-15.12.1.tgz",
       "integrity": "sha512-vCuZJDf8a5aNC2dlMovEv4Z0jjEUET53lm/iILFnFewa15b4atjVxU6Wirm6O9y6dEsdjDZVD7Q3QM4T1wlI8g==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "css-select": "^5.1.0",
         "css-tree": "^1.1.3",
@@ -15252,7 +15218,6 @@
       "resolved": "https://registry.npmjs.org/react-native-web/-/react-native-web-0.21.1.tgz",
       "integrity": "sha512-BeNsgwwe4AXUFPAoFU+DKjJ+CVQa3h54zYX77p7GVZrXiiNo3vl03WYDYVEy5R2J2HOPInXtQZB5gmj3vuzrKg==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/runtime": "^7.18.6",
         "@react-native/normalize-colors": "^0.74.1",
@@ -15281,7 +15246,6 @@
       "resolved": "https://registry.npmjs.org/react-native-worklets/-/react-native-worklets-0.5.1.tgz",
       "integrity": "sha512-lJG6Uk9YuojjEX/tQrCbcbmpdLCSFxDK1rJlkDhgqkVi1KZzG7cdcBFQRqyNOOzR9Y0CXNuldmtWTGOyM0k0+w==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/plugin-transform-arrow-functions": "^7.0.0-0",
         "@babel/plugin-transform-class-properties": "^7.0.0-0",
@@ -15339,7 +15303,6 @@
     "node_modules/react-refresh": {
       "version": "0.14.2",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -15434,7 +15397,6 @@
     "node_modules/readable-stream": {
       "version": "3.6.2",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "inherits": "^2.0.3",
         "string_decoder": "^1.1.1",
@@ -16229,7 +16191,6 @@
       "resolved": "https://registry.npmjs.org/socket.io-client/-/socket.io-client-4.8.1.tgz",
       "integrity": "sha512-hJVXfu3E28NmzGk8o1sHhN3om52tRvwYeidbj7xKy2eIIse5IoKX3USlS6Tqt3BHAtflLIkCQBkzVrEEfWUyYQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@socket.io/component-emitter": "~3.1.0",
         "debug": "~4.3.2",
@@ -16885,10 +16846,11 @@
       }
     },
     "node_modules/tinyglobby/node_modules/picomatch": {
-      "version": "4.0.3",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=12"
       },
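Review bot: besides the 4.0.3 to 4.0.4 bump this entry gains `resolved` and `integrity` fields the old entry did not have, and those should stay: an entry without an integrity hash lets a future `npm ci` accept whatever tarball the registry serves for that version. `"dev": true` remains, consistent with the earlier review's observation that tinyglobby is dev-only, so the 4.x ReDoS was reachable from tooling rather than from the shipped example; the pin is still worth keeping so the alert closes.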
@@ -17079,7 +17041,6 @@
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
       "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -17348,7 +17309,6 @@
       "resolved": "https://registry.npmjs.org/use-sync-external-store/-/use-sync-external-store-1.4.0.tgz",
       "integrity": "sha512-9WXSPC5fMv61vaupRkCKCxsPxBocVnwakBEkMIHHpkTTg6icbJtg6jzgtLDm4bl3cSHAca52rYWih0k4K3PfHw==",
       "license": "MIT",
-      "peer": true,
       "peerDependencies": {
         "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
       }
@@ -17357,7 +17317,6 @@
       "version": "5.0.10",
       "hasInstallScript": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "node-gyp-build": "^4.3.0"
       },
@@ -17410,7 +17369,6 @@
       "resolved": "https://registry.npmjs.org/valtio/-/valtio-2.1.8.tgz",
       "integrity": "sha512-fjTPbJyKEmfVBZUOh3V0OtMHoFUGr4+4XpejjxhNJE/IS2l8rDbyJuzi3w/fZWBDyk7BJOpG+lmvTK5iiVhXuQ==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "proxy-compare": "^3.0.1"
       },
@@ -17463,7 +17421,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@noble/curves": "1.9.1",
         "@noble/hashes": "1.8.0",
@@ -17547,7 +17504,6 @@
       "resolved": "https://registry.npmjs.org/wagmi/-/wagmi-2.17.5.tgz",
       "integrity": "sha512-Sk2e40gfo68gbJ6lHkpIwCMkH76rO0+toCPjf3PzdQX37rZo9042DdNTYcSg3zhnx8abFJtrk/5vAWfR8APTDw==",
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@wagmi/connectors": "5.11.2",
         "@wagmi/core": "2.21.2",
@@ -17813,7 +17769,6 @@
     "node_modules/ws": {
       "version": "7.5.10",
       "license": "MIT",
-      "peer": true,
       "engines": {
         "node": ">=8.3.0"
       },
@@ -17949,7 +17904,6 @@
     "node_modules/zod": {
       "version": "3.22.4",
       "license": "MIT",
-      "peer": true,
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
       }

diff --git a/examples/expo-multichain/package.json b/examples/expo-multichain/package.json
--- a/examples/expo-multichain/package.json
+++ b/examples/expo-multichain/package.json
@@ -88,7 +88,8 @@
     "lodash": "4.17.23",
     "bn.js": "5.2.3",
     "minimatch": "10.2.1",
-    "picomatch": "2.3.2"
+    "picomatch@^2": "2.3.2",
+    "picomatch@^4": "4.0.4"
   },
   "private": true
 }
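Review bot: the two range-keyed keys replace a bare `"picomatch": "2.3.2"` that applied to every picomatch edge, including @expo/cli's 3.x request; as I read npm's override matching, a key of the form name@range is applied only to dependents whose declared range overlaps it, and the regenerated lockfile in this preview bears that out (a 3.0.2 copy under expo, 4.0.4 under tinyglobby). One follow-up: the root package.json resolutions and this overrides block now carry the same pins twice, so record that in the PR description or add `npm ls picomatch` in examples/expo-multichain to CI so the two do not drift apart.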


@ignaciosantise
Collaborator Author

@claude review

@claude

claude bot commented Mar 30, 2026

Claude finished @ignaciosantise's task


PR Review

  • Read changed files and analyze the dependency resolution changes
  • Validate previously flagged issues
  • Provide review feedback

🔄 Incremental Review:

All Previously Flagged Issues: Resolved ✅

1. Cursor Bugbot — Unscoped picomatch override downgrades v3 to v2
Confirmed resolved in the latest commit (ef1f084). examples/expo-multichain/package.json now uses scoped syntax:

"picomatch@^2": "2.3.2",
"picomatch@^4": "4.0.4"

The lockfile confirms node_modules/expo/node_modules/picomatch is correctly at 3.0.2 (v3 range preserved).

2. Previous Claude review — tinyglobby/node_modules/picomatch still at 4.0.3
Confirmed resolved. The lockfile now shows node_modules/tinyglobby/node_modules/picomatch at 4.0.4.

3. Previous Claude review — Root picomatch still at 2.3.1
Confirmed resolved. node_modules/picomatch is now 2.3.2.

Summary of Current State

  • node-forge: 1.4.0
  • picomatch (v2 line): 2.3.2
  • picomatch (v3 line, expo): 3.0.2 (unaffected, preserved) ✅
  • picomatch (v4 line, tinyglobby): 4.0.4

✅ No remaining issues. All security fixes are correctly applied with proper scoping in both the root Yarn workspace and the expo-multichain npm example.
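The checks the reviewers performed by hand in this thread (which copies of picomatch a package-lock.json contains, whether each major line is at or above its patched version, and whether each entry carries an integrity hash) can be scripted. The following is an added example, not code from this PR or from the project. The lockfile it reads is constructed to mirror the layout discussed above as it stood before the scoped overrides (a 2.x copy at the root, a 3.x copy under expo, a 4.x copy under tinyglobby, the last with no integrity field); the hashes in it are placeholders, the floor versions come from the PR description (2.3.2 and 4.0.4), and all function and constant names are the example's own.

```javascript
// Added example (not from this PR or the project): audit every installed copy of
// one package in an npm lockfile (lockfileVersion 2 or 3, "packages" map) against
// a minimum patched version per major line, and flag copies with no integrity hash.

// Constructed lockfile mirroring the layout the review discusses, as it looked
// before the scoped overrides: v2 at the root, v3 under expo, v4 under tinyglobby.
// The integrity strings are placeholders, not real hashes.
const SAMPLE_LOCK = {
  name: 'expo-multichain',
  lockfileVersion: 3,
  packages: {
    '': { name: 'expo-multichain' },
    'node_modules/picomatch': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH',
    },
    'node_modules/expo/node_modules/picomatch': {
      version: '3.0.2',
      resolved: 'https://registry.npmjs.org/picomatch/-/picomatch-3.0.2.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH',
    },
    'node_modules/tinyglobby/node_modules/picomatch': {
      version: '4.0.3', // no "resolved"/"integrity", as in the pre-fix entry
      dev: true,
    },
  },
};

// Lowest version per major that closes the alerts (values from the PR summary).
// A major with no entry is reported as "untracked", never silently passed.
const PICOMATCH_MIN_PATCHED = { 2: '2.3.2', 4: '4.0.4' };

// Parse "MAJOR.MINOR.PATCH"; any prerelease or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every path in the lock whose last segment is node_modules/<name>:
// the hoisted copy plus all nested copies.
function findInstalled(lock, name) {
  const tail = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === tail || path.endsWith(`/${tail}`))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      dev: Boolean(meta.dev),
      hasIntegrity: typeof meta.integrity === 'string' && meta.integrity.length > 0,
    }));
}

// Classify each copy: 'ok', 'vulnerable' (below the floor for its major),
// or 'untracked' (a major line the floor table does not cover).
function auditPackage(lock, name, minPatchedByMajor) {
  return findInstalled(lock, name).map((entry) => {
    const major = parseVersion(entry.version)[0];
    const floor = minPatchedByMajor[major];
    let status = 'untracked';
    if (floor !== undefined) {
      status = compareVersions(entry.version, floor) >= 0 ? 'ok' : 'vulnerable';
    }
    return { ...entry, major, status };
  });
}

// Collapse the findings into what a CI step would fail on.
function summarize(findings) {
  return {
    vulnerable: findings.filter((f) => f.status === 'vulnerable').map((f) => `${f.path}@${f.version}`),
    missingIntegrity: findings.filter((f) => !f.hasIntegrity).map((f) => f.path),
    untracked: findings.filter((f) => f.status === 'untracked').map((f) => `${f.path}@${f.version}`),
    clean: findings.every((f) => f.status !== 'vulnerable' && f.hasIntegrity),
  };
}

const report = summarize(auditPackage(SAMPLE_LOCK, 'picomatch', PICOMATCH_MIN_PATCHED));
console.log(JSON.stringify(report, null, 2));
```

To run it against the real file, replace SAMPLE_LOCK with the parsed contents of examples/expo-multichain/package-lock.json. The 'untracked' status for the 3.x copy is deliberate: the script does not invent a floor for a major line the alerts did not cover, which is the same distinction the scoped overrides preserve.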


@socket-security

Review the following changes in direct dependencies.

Diff    | Package                                                    | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added   | @babel/plugin-proposal-class-properties@7.18.6            | 100     | 100 | 65      | 50      | 100
Added   | @babel/plugin-proposal-private-methods@7.18.6             | 100     | 100 | 65      | 50      | 100
Added   | @testing-library/jest-native@5.4.3                        | 99      | 100 | 100     | 50      | 100
Added   | @storybook/theming@8.6.15                                 | 100     | 100 | 51      | 100     | 100
Added   | @react-native/typescript-config@0.76.7                    | 100     | 100 | 61      | 97      | 100
Added   | @storybook/react-webpack5@8.6.15                          | 100     | 100 | 64      | 100     | 100
Added   | @storybook/addon-webpack5-compiler-babel@3.0.6            | 100     | 100 | 67      | 89      | 100
Updated | @walletconnect/react-native-compat@2.22.2 ⏵ 2.21.5        | 99      | 100 | 67      | 98      | 100 (+20)
Added   | @tanstack/query-async-storage-persister@5.40.0            | 100     | 100 | 67      | 96      | 100
Added   | @changesets/changelog-github@0.5.1                        | 100     | 100 | 67      | 94      | 100
Added   | @types/gh-pages@6.1.0                                     | 94      | 100 | 68      | 76      | 100
Added   | @tanstack/react-query-persist-client@5.56.2               | 100     | 100 | 70      | 98      | 100
Added   | @react-native/metro-config@0.76.7                         | 100     | 100 | 70      | 97      | 100
Added   | @babel/preset-typescript@7.24.7                           | 100     | 100 | 73      | 95      | 100
Added   | @babel/plugin-transform-flow-strip-types@7.26.5           | 100     | 100 | 73      | 93      | 100
Added   | @storybook/react@8.6.15                                   | 93      | 100 | 73      | 100     | 100
Added   | @react-native/eslint-config@0.76.7                        | 99      | 100 | 74      | 97      | 100
Added   | @types/qrcode@1.5.5                                       | 100     | 100 | 74      | 81      | 100
Added   | @types/jest@29.5.7                                        | 100     | 100 | 77      | 81      | 100
Added   | @babel/preset-env@7.28.0                                  | 97      | 100 | 77      | 96      | 100
Added   | @storybook/blocks@8.6.15                                  | 92      | 100 | 78      | 100     | 100
Updated | @expo/metro-runtime@6.1.2 ⏵ 4.0.1                         | 78 (+1) | 100 | 79 (+1) | 99 (-1) | 100
Added   | @coinbase/wallet-mobile-sdk@1.1.2                         | 80      | 100 | 78      | 82      | 100
Updated | @types/react@19.1.13 ⏵ 18.2.79                            | 100     | 100 | 79      | 92      | 100
Updated | @babel/core@7.28.3 ⏵ 7.28.0                               | 97      | 100 | 80      | 95      | 100
Updated | @babel/core@7.28.3 ⏵ 7.26.10                              | 97 (+1) | 100 | 80 (+1) | 95      | 100
Added   | @bitcoinerlab/secp256k1@1.2.0                             | 100     | 100 | 100     | 80      | 100
Updated | @types/node@24.3.0 ⏵ 22.10.1                              | 100     | 100 | 81      | 95      | 100
Updated | @react-native/babel-preset@0.81.4 ⏵ 0.76.7                | 97      | 100 | 81      | 97      | 100
Added   | babel-plugin-react-require@4.0.3                          | 100     | 100 | 84      | 82      | 100
Updated | babel-plugin-react-native-web@0.21.1 ⏵ 0.19.13            | 100     | 100 | 84      | 83      | 100
Added   | uuid@11.1.0                                               | 100     | 100 | 100     | 83      | 100
Added   | @storybook/test@8.6.15                                    | 90      | 100 | 85      | 100     | 100
See 16 more rows in the dashboard


@ignaciosantise ignaciosantise merged commit 1de64e9 into develop Mar 30, 2026
10 checks passed
@ignaciosantise ignaciosantise deleted the fix-high-dependabot-alerts branch March 30, 2026 14:18
@github-actions github-actions bot locked and limited conversation to collaborators Mar 30, 2026