fix: resolve Dependabot security vulnerabilities

giolaq · giolaq · commit 1d13b1904354 · 2025-11-19T12:29:00.000+09:00
- Update @react-native-community/cli from 11.3.2 to 17.0.1 - Add resolutions to force secure versions: - js-yaml: ^3.14.2 (fixes prototype pollution CVE) - min-document: ^2.19.1 (fixes prototype pollution) - Transitive dependency updates via yarn.lock: - on-headers: 1.1.0 (fixes CVE-2025-7339) - compression: 1.8.1 (fixes CVE-2025-7339) - brace-expansion: 1.1.12 (fixes ReDoS vulnerability) Resolves: #53, #54, #59, #61
diff --git a/apps/vega/package.json b/apps/vega/package.json
@@ -45,7 +45,7 @@
     "@amazon-devices/kepler-cli-platform": "^0",
     "@babel/core": "^7.20.0",
     "@babel/traverse": "^7.20.0",
-    "@react-native-community/cli": "11.3.2",
+    "@react-native-community/cli": "17.0.1",
     "@react-native-community/cli-tools": "^11.0.0",
     "@react-native/eslint-config": "0.72.2",
     "@react-native/metro-config": "^0.72.6",
diff --git a/package.json b/package.json
@@ -7,6 +7,10 @@
     "packages/*"
   ],
   "packageManager": "yarn@4.5.0",
+  "resolutions": {
+    "js-yaml": "^3.14.2",
+    "min-document": "^2.19.1"
+  },
   "scripts": {
     "dev": "yarn workspace @multi-tv/expo-multi-tv start",
     "dev:android": "yarn workspace @multi-tv/expo-multi-tv android",
diff --git a/yarn.lock b/yarn.lock
