[Snyk] Fix for 5 vulnerabilities#771
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-UUID-16133035
- https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-16133132
- https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-16134530
- https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-16134549
- https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-16134552
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
| "compressorjs": "^1.1.1", | ||
| "elliptic": "^6.5.5", | ||
| "expo": "^50.0.20", | ||
| "expo": "^55.0.0", |
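Review bot: the `"expo": "^50.0.20"` to `"^55.0.0"` change is a five-major-version jump on a single manifest line while the companion dependencies are left untouched; Expo SDK releases are bound to a specific react-native version, so this line alone will not yield a resolvable, buildable tree. Either follow the bump with `npx expo install --fix` so react-native, react and the expo-* packages move together, or, if the only goal is the uuid/xmldom advisories, keep expo at ^50 and pin the transitive packages through a resolutions entry instead.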
🔴 Incomplete Expo SDK upgrade: expo bumped to ^55 while react-native, react, and most expo-* packages remain at Expo 50-compatible versions
This Snyk-automated PR bumps expo from ^50.0.20 to ^55.0.0 to fix transitive vulnerabilities in uuid and xmldom, but it does not update the tightly-coupled companion packages. Expo SDK versions are architecturally bound to specific React Native versions (e.g., SDK 50 → RN 0.73), yet react-native remains hard-pinned at 0.73.7 and react at 18.2.0. Additionally, multiple expo-* satellite packages (expo-clipboard: ~5.0.0, expo-document-picker: ~11.10.1, expo-image-manipulator: ~11.8.0, expo-image-picker: ~14.7.1, expo-localization: ~14.8.4, expo-status-bar: ~1.11.1) are still at their Expo SDK 50-compatible versions. The PR itself demonstrates awareness of the new versioning scheme by updating expo-linking to ~55.0.0 (aligned with SDK 55), which makes the inconsistency with the other unchanged expo-* packages even more apparent. This will cause dependency resolution failures or runtime incompatibilities when building the example app.
Unchanged companion packages still at Expo 50 versions:
- react-native: 0.73.7 (pinned, Expo 50 era)
- react: 18.2.0 (pinned)
- expo-clipboard: ~5.0.0
- expo-document-picker: ~11.10.1
- expo-image-manipulator: ~11.8.0
- expo-image-picker: ~14.7.1
- expo-localization: ~14.8.4
- expo-status-bar: ~1.11.1
- @expo/webpack-config: ^19.0.1
- react-native-reanimated: ~3.6.2
- react-native-safe-area-context: 4.8.2
- react-native-screens: ~3.29.0
- babel-preset-expo (transitive via yarn.lock: ~10.0.2)
Prompt for agents
The Snyk bot bumped expo from ^50 to ^55 to fix transitive vulnerabilities (uuid, xmldom), but Expo SDK upgrades require upgrading the entire ecosystem in lockstep. The react-native version (0.73.7), react version (18.2.0), and all expo-* satellite packages (expo-clipboard, expo-document-picker, expo-image-manipulator, expo-image-picker, expo-localization, expo-status-bar, etc.) must be updated to their Expo SDK 55-compatible versions. Similarly, react-native-reanimated, react-native-safe-area-context, react-native-screens, and @expo/webpack-config need compatible versions.
The recommended approach is to either:
1. Run npx expo install --fix to automatically resolve all Expo-compatible package versions after updating expo, OR
2. Reject this automated PR and instead perform a proper Expo SDK upgrade using the official upgrade guide (npx expo upgrade), OR
3. Find an alternative way to address the uuid/xmldom vulnerabilities without upgrading the Expo SDK major version (e.g., using resolutions/overrides in package.json to pin the transitive dependencies to patched versions).
Option 3 is likely the least disruptive approach for an example app.
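As an added example (not code from the Snyk PR or from the repository): if option 3 in the review comment above is taken and the transitive packages are pinned through a `resolutions` entry, this Node script checks the regenerated yarn.lock for any copy that still resolves below the chosen floor, handling both Yarn v1 and Yarn Berry entry syntax. The lock excerpt and the minimum versions are constructed placeholders, and the `@xmldom/xmldom` package name is assumed from the advisory ids.

```javascript
// Added example (not part of the Snyk PR or the repository): after pinning
// transitive packages via "resolutions" in package.json, confirm that the
// regenerated yarn.lock no longer resolves any copy below the chosen floor.
// Handles both Yarn v1 (version "x") and Yarn Berry (version: x) entries.
const MIN_VERSIONS = {
  // Package names follow the advisories in the PR; floors are placeholders.
  "uuid": "9.0.0",
  "@xmldom/xmldom": "0.8.0",
};
// Constructed yarn.lock excerpt (v1 syntax) containing one stale uuid copy.
const SAMPLE_LOCK = `
uuid@^3.3.2:
  version "3.4.0"

uuid@^9.0.0, uuid@^9.0.1:
  version "9.0.1"

"@xmldom/xmldom@^0.8.0":
  version "0.8.10"
`;
// Numeric major.minor.patch compare (no pre-release tags); true when a >= b.
function atLeast(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) > (y[i] || 0);
  }
  return true;
}
// Parse yarn.lock text into [{ name, version }] for every resolved entry.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    // Entry keys sit at column 0 and end with ":" (quoted when scoped).
    const key = line.match(/^"?(@?[^@\s"]+)@.*:\s*$/);
    if (key) { current = key[1]; continue; }
    // Yarn v1: `  version "3.4.0"`; Yarn Berry: `  version: 3.4.0`.
    const ver = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (ver && current) entries.push({ name: current, version: ver[1] });
  }
  return entries;
}
// Return every lock entry still below the floor for its package.
function findStale(lockText, minVersions) {
  return parseLock(lockText).filter(
    (e) => minVersions[e.name] && !atLeast(e.version, minVersions[e.name])
  );
}
console.log(findStale(SAMPLE_LOCK, MIN_VERSIONS)); // [{ name: "uuid", version: "3.4.0" }]
```

Point it at the real lockfile with `fs.readFileSync("yarn.lock", "utf8")` once the resolutions entry has been applied and `yarn` re-run; an empty result means no vulnerable copy remains in the resolved tree.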
Snyk has created this PR to fix 5 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/connect-examples/expo-example/package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project. You will need to run yarn to update the contents of the .yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-UUID-16133035
SNYK-JS-XMLDOMXMLDOM-16133132
SNYK-JS-XMLDOMXMLDOM-16134530
SNYK-JS-XMLDOMXMLDOM-16134549
SNYK-JS-XMLDOMXMLDOM-16134552
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 XML Injection