Skip to content

chore(deps): force joi >= 18.2.1 to fix CVE-2026-48038 (Dependabot #253)#14841

Merged
osama-rizk merged 1 commit into
mainfrom
fix/dependabot-253-joi-cve-2026-48038
Jun 12, 2026
Merged

chore(deps): force joi >= 18.2.1 to fix CVE-2026-48038 (Dependabot #253)#14841
osama-rizk merged 1 commit into
mainfrom
fix/dependabot-253-joi-cve-2026-48038

Conversation

@osama-rizk

Copy link
Copy Markdown
Contributor

Description

Resolves Dependabot alert #253CVE-2026-48038 / GHSA-q7cg-457f-vx79 (medium, DoS).

joi versions < 18.2.1 throw an uncaught RangeError on deeply nested input through recursive link() schemas, which can crash a process that validates untrusted input without a surrounding try/catch.

Exposure in this repo

joi is a transitive, runtime dependency (yarn.lock), pulled in only by React Native dev tooling:

  • @react-native-community/cli-configjoi@^17.2.1
  • @react-native-community/cli-typesjoi@^17.2.1

It resolved to 17.13.3. There is no 17.x patch; the fix first lands in joi@18.2.1 (a new major).

Fix

Pin joi to ^18.2.1 via a resolutions entry in the root package.json, matching the existing pattern used for other security overrides in that block (fast-xml-parser, form-data, qs, serialize-javascript, …), and regenerate yarn.lock.

  • joi@^17.2.1, joi@^18.2.1 now both resolve to 18.2.1; no vulnerable 17.x remains in the lockfile.
  • joi 18 requires node >= 20, already satisfied by the repo toolchain.
  • The joi API used by the RN CLI (object/string/validate/etc.) is unchanged in v18.

Testing

  • yarn install regenerates a consistent lockfile (joi 18.2.1 + its v18 dependency tree: @hapi/address, @hapi/formula, @hapi/hoek@^11, @hapi/topo@^6, @standard-schema/spec, …).
  • Relying on CI to validate the full build/test matrix.

joi < 18.2.1 has an uncaught RangeError on deeply nested input through
recursive link() schemas (GHSA-q7cg-457f-vx79, CVE-2026-48038, DoS, medium).

joi is a transitive dependency pulled in only by
@react-native-community/cli-config and @react-native-community/cli-types
("joi": "^17.2.1"). There is no 17.x patch; the fix lands in 18.2.1, a
major bump. Pin via a yarn resolution, matching the existing pattern for
other security overrides in this block. node>=20 engine requirement of
joi 18 is already satisfied by the repo toolchain.
@osama-rizk osama-rizk requested a review from a team as a code owner June 12, 2026 08:43
@changeset-bot

changeset-bot Bot commented Jun 12, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 20269c1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@osama-rizk osama-rizk merged commit 0c96bf9 into main Jun 12, 2026
42 checks passed
@osama-rizk osama-rizk deleted the fix/dependabot-253-joi-cve-2026-48038 branch June 12, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants