[Snyk] Security upgrade react-native from 0.71.4 to 0.74.0#33
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15155603
Pull request overview
This PR upgrades React Native from version 0.71.4 to 0.74.0 to address a high-severity security vulnerability (SNYK-JS-FASTXMLPARSER-15155603, score 828) in the fast-xml-parser dependency. The upgrade involves updating only the direct react-native dependency in package.json, which triggers extensive changes in yarn.lock due to the updated dependency tree.
Changes:
- Upgraded react-native from 0.71.4 to 0.74.0 (3 minor versions)
- Updated transitive dependencies including Metro bundler (0.73.x → 0.80.x), Babel packages, and React Native's internal packages
- Fast-xml-parser upgraded from 4.0.12 to 4.5.3 (addresses security vulnerability)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Single line change upgrading react-native dependency to 0.74.0 |
| yarn.lock | Extensive dependency tree updates reflecting React Native 0.74.0 and its transitive dependencies, including security fixes |
Comments suppressed due to low confidence (1)
package.json:29
- The upgrade to React Native 0.74.0 may be incompatible with several existing dependencies in the project:
  - react-native-reanimated 3.1.0 - This version was released in early 2023 and may not support React Native 0.74.0 (released in 2024). Check the compatibility matrix at https://docs.swmansion.com/react-native-reanimated/docs/fundamentals/installation
  - react-native-gesture-handler 2.9.0 - Released in early 2023, may require an upgrade to support React Native 0.74.0
  - @react-native-firebase dependencies (17.4.3) - These may need verification for 0.74.0 compatibility
  - lottie-react-native 7.0.0 - May need compatibility verification
  - Other navigation and UI libraries - Should be tested for compatibility

It's recommended to check each library's documentation for React Native 0.74.0 compatibility and upgrade them as needed before merging this PR.

```json
"react-native": "0.74.0",
"react-native-gesture-handler": "2.9.0",
"react-native-progress": "5.0.0",
"react-native-reanimated": "3.1.0",
"react-native-safe-area-context": "4.5.0",
"react-native-screens": "3.34.0",
"react-native-svg": "13.9.0"
```
Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
- package.json
- yarn.lock

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the `.yarn/cache/` directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run `yarn` to update the contents of the `./yarn/cache` directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-FASTXMLPARSER-15155603
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Uncaught Exception
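The PR description reports that yarn.lock now resolves fast-xml-parser to 4.5.3. Before merging an automated upgrade, a reviewer wants to confirm that every range of the package in the lockfile actually resolves at or above that version, because a second, older range for the same package can survive an upgrade untouched. The script below is an added example, not code from Snyk, Copilot or this project; the yarn.lock text inside it is constructed, and 4.5.3 is used as the threshold only because it is the version the PR description reports (the page does not state the first fixed release). It generalizes past this one advisory to a list of package/threshold pairs and accepts a real lockfile path on the command line.

```javascript
// Added example (not Snyk's, Copilot's or this project's code): check that a yarn.lock in
// the v1 format resolves every range of an advised package at or above the fixing version.

// Constructed yarn.lock fragment. The second fast-xml-parser block models the failure mode
// an automated upgrade can leave behind: a separate, older range that was not touched.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.20.0":
  version "7.24.0"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.24.0.tgz#constructed"
  integrity sha512-constructed

fast-xml-parser@^4.0.12, fast-xml-parser@^4.2.5:
  version "4.5.3"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.5.3.tgz#constructed"
  integrity sha512-constructed

fast-xml-parser@^3.0.0:
  version "3.21.1"
  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-3.21.1.tgz#constructed"
  integrity sha512-constructed
`;

// Advisory id and resolved version come from the PR description. 4.5.3 is the threshold
// because it is the version this PR resolves to; the first fixed release is not stated there.
const ADVISORIES = [
  { id: 'SNYK-JS-FASTXMLPARSER-15155603', name: 'fast-xml-parser', fixedIn: '4.5.3' },
];

// Parse a v1 lockfile into { name, range, version } records, one per requested range.
// Entries are blank-line separated; the header line lists one or more "name@range" specs
// (quoted when the name is scoped) and ends with a colon.
function parseYarnLockV1(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block.split('\n').filter((l) => l.trim() && !l.trimStart().startsWith('#'));
    if (lines.length === 0) continue;
    const header = lines[0].trim();
    if (!header.endsWith(':')) continue;
    const versionLine = lines.find((l) => /^\s+version\s+"/.test(l));
    if (!versionLine) continue;
    const version = versionLine.match(/version\s+"([^"]+)"/)[1];
    const specs = header.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
    for (const spec of specs) {
      const at = spec.lastIndexOf('@'); // last '@' so scoped names like @babel/core survive
      entries.push({ name: spec.slice(0, at), range: spec.slice(at + 1), version });
    }
  }
  return entries;
}

// Compare two versions numerically on major.minor.patch; returns -1, 0 or 1.
// A pre-release sorts below its release. Two pre-releases of the same number compare
// equal here (simplification; flag those for manual review if they matter to you).
function compareVersions(a, b) {
  const [coreA, preA] = a.split('-');
  const [coreB, preB] = b.split('-');
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Return every lockfile range of an advised package that still resolves below fixedIn.
function findUnfixedEntries(lockText, advisories) {
  const entries = parseYarnLockV1(lockText);
  const findings = [];
  for (const { id, name, fixedIn } of advisories) {
    for (const e of entries) {
      if (e.name === name && compareVersions(e.version, fixedIn) < 0) {
        findings.push({ id, name, range: e.range, version: e.version, fixedIn });
      }
    }
  }
  return findings;
}

// Stand-alone use: `node check-lock.js [path/to/yarn.lock]`; falls back to the sample.
if (typeof module !== 'undefined' && typeof require === 'function' && require.main === module) {
  const path = process.argv[2];
  const lockText = path ? require('fs').readFileSync(path, 'utf8') : SAMPLE_YARN_LOCK;
  const findings = findUnfixedEntries(lockText, ADVISORIES);
  for (const f of findings) {
    console.log(`${f.id}: ${f.name}@${f.range} resolves to ${f.version} (< ${f.fixedIn})`);
  }
  console.log(findings.length === 0 ? 'all advised packages at or above fixed version' : `${findings.length} stale range(s)`);
}
```

Run against the real yarn.lock of this PR, the script should report no stale ranges; if it reports one, the upgrade fixed only part of the dependency tree and the remaining range needs its own resolution before the advisory can be considered closed.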