fix(deps): pin patched versions to resolve 4 Dependabot alerts#318

Merged
msingleton merged 1 commit into
mainfrom
security/2026-05-12-rn-iterate-deps
May 14, 2026

Conversation


@msingleton msingleton commented May 12, 2026

Summary

Pins three transitive devDependencies to patched versions via the existing resolutions block, resolving 4 open GitHub Dependabot alerts.

Vulnerabilities resolved

| Alert | CVE | Package | From → To | Reaches via |
| --- | --- | --- | --- | --- |
| #282 | CVE-2026-44665 | fast-xml-builder | 1.1.4 → 1.2.0 | @react-native-community/cli-platform-apple → fast-xml-parser |
| #283 | CVE-2026-6321 | fast-uri | 3.1.0 → 3.1.2 | @commitlint/cli → ajv@8 |
| #284 | CVE-2026-6322 | fast-uri | 3.1.0 → 3.1.2 | same as above |
| #285 | CVE-2026-44728 | @babel/plugin-transform-modules-systemjs | 7.29.0 → 7.29.4 | @babel/preset-env |

Exploitability assessment

All four are transitive devDependencies — none ship in the published SDK. Even at the build-tool layer they're not exploitable in our usage:

  • fast-xml-builder: vuln is attribute injection during XML building. Only used by RN CLI to generate Xcode/Android project files (no attacker-controlled input).
  • fast-uri: URI normalization issues. ajv is used at build time by commitlint, not for validating user-supplied URLs.
  • @babel/plugin-transform-modules-systemjs: advisory explicitly says "Users that only compile trusted code are not impacted." We only compile our own SDK and do not use the modules: "systemjs" option.

Pinning to clean up the alerts is the lowest-friction path and follows the existing pattern in this repo's resolutions block (already pins qs, tar, undici, fast-xml-parser for security).

Test plan

  • yarn install — regenerated yarn.lock cleanly
  • yarn typecheck — green
  • yarn lint — green
  • yarn test — green
  • yarn prepare (bob build) — green

…versions

Resolves four GitHub Dependabot alerts via resolutions block:

- CVE-2026-44665 (fast-xml-builder ^1.1.7) — attribute injection in XML
  serializer. Reaches via @react-native-community/cli-platform-apple →
  fast-xml-parser. Build-time only (Xcode/Android project file generation,
  no attacker-controlled input), but trivial to pin.

- CVE-2026-6321 + CVE-2026-6322 (fast-uri ^3.1.2) — URI normalization
  path-traversal and host-confusion. Reaches via @commitlint/cli → ajv.
  Build-time only; not in published SDK.

- CVE-2026-44728 (@babel/plugin-transform-modules-systemjs ^7.29.4) —
  RCE when compiling untrusted code with modules: "systemjs". Reaches via
  @babel/preset-env. We compile our own SDK only, so not exploitable;
  pinning clears the noise.

All four are transitive devDependencies — none ship in the published
SDK. yarn install + typecheck + lint + jest + bob build all green.
@msingleton msingleton merged commit f4bdf94 into main May 14, 2026
3 checks passed