Skip to content

[Snyk] Fix for 1 vulnerabilities#7456

Open
ggazzo wants to merge 1 commit into
developfrom
snyk-fix-f4ea9a78c394deeabf0c6672dcdb6ec9
Open

[Snyk] Fix for 1 vulnerabilities#7456
ggazzo wants to merge 1 commit into
developfrom
snyk-fix-f4ea9a78c394deeabf0c6672dcdb6ec9

Conversation

@ggazzo

@ggazzo ggazzo commented Jun 30, 2026

Copy link
Copy Markdown
Member

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue
high severity Inefficient Algorithmic Complexity
SNYK-JS-BRACEEXPANSION-17706650

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@ggazzo

ggazzo commented Jun 30, 2026

Copy link
Copy Markdown
Member Author

Merge Risk: High

This upgrade includes major versions for expo, react-native, and react-native-bootsplash, introducing significant and mandatory breaking changes. The most critical changes are the complete removal of the React Native bridge, a fork of Expo Router from React Navigation, and an increase in the minimum required iOS version.

1. Expo: 54.0.35 → 56.0.0 (High Risk)

The upgrade to Expo SDK 56 introduces a major breaking change for navigation and raises the minimum iOS deployment target.

  • Expo Router Fork: Expo Router no longer depends on React Navigation. All imports from @react-navigation/* (e.g., useNavigation) must be updated to pull from expo-router instead. This is a mandatory code change for any app using Expo Router for navigation.
  • iOS Version Requirement: The minimum iOS deployment target has been increased to 16.4.
  • Push Notifications: In SDK 55, using push notifications in Expo Go on Android now throws an error, requiring a development build for testing.
  • Removed APIs: The notification field in app.json has been removed in SDK 55.

2. React Native: 0.81.5 → 0.85.0 (High Risk)

This upgrade spans several versions and completes the transition to the New Architecture, removing the legacy bridge entirely.

  • Bridge and Interop Layer Removed: As of version 0.85, the legacy React Native bridge and the New Architecture interoperability layer are completely gone. Any third-party libraries that have not been fully migrated to the New Architecture will break.
  • Jest Configuration: The Jest preset has been moved to a separate package. You must update your jest.config.js to use preset: '@react-native/jest-preset'.
  • Hermes V1 Engine: Hermes V1 is now the default JavaScript engine, which should bring performance improvements without required configuration changes.
  • Faster iOS Builds: Precompiled binaries for iOS are now default, which will significantly speed up clean build times.

3. react-native-bootsplash: 6.3.12 → 7.0.0 (Medium Risk)

A major version bump indicates breaking changes. The library's documentation points to a migration guide for upgrading from v6. Version 7 adds features like edge-to-edge support on Android, which may require configuration changes.

Recommendation: This is a high-effort, high-risk upgrade. Before merging, you must:

  1. Audit all third-party native modules to ensure they are compatible with the New Architecture (without the interop layer).
  2. Refactor all navigation imports to use expo-router instead of @react-navigation/native.
  3. Update your Jest configuration file.
  4. Verify that your project and CI environment can target iOS 16.4.
  5. Follow the react-native-bootsplash migration guide.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@ggazzo ggazzo requested a deployment to approve_e2e_testing June 30, 2026 23:31 — with GitHub Actions Waiting
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f0758344-a8fd-451c-a2ea-a5af498125b3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants