
chore(deps): refresh lockfiles to clear Dependabot security alerts#2744

Merged
kesha-antonov merged 1 commit into master from chore/security-dep-bumps on Jun 18, 2026

Conversation

@kesha-antonov

Collaborator

What

Regenerates the root and example lockfiles so transitive dependencies resolve to their highest in-range (patched) versions.

Why

The repo had 31 open Dependabot alerts, all in dev / example transitive dependencies. None are runtime dependencies of the published package (which ships only lib with: @expo/react-native-action-sheet, dayjs, lodash.isequal, react-native-zoom-reanimated) - so there is no consumer-facing exposure. This is hygiene to clear the alert badge.

Cleared (in-range patches)

ws, minimatch (3/8/9/10.x), picomatch (2/4.x), node-forge, @xmldom/xmldom, flatted, js-yaml 4.x, @isaacs/brace-expansion, @babel/core.

Not fixed here (need a major bump a parent pins below)

  • js-yaml 3.14.2 - a parent pins ^3.13.1; patch is 4.2.0 (major).
  • uuid 7.0.3 - a parent pins ^7.0.3; patch is 11.1.1 (major).

These can't be upgraded without breaking their parents and will be dismissed (dev/example only, not shipped) or wait for the upstream parents to update.

Validation

Regenerated on top of latest master; CI (lint, type-check, build, test on Node 22 & 24, incl. example install) gates this PR.

Regenerate root and example lockfiles so transitive dependencies resolve
to their highest in-range (patched) versions, clearing Dependabot alerts
for ws, minimatch (3/8/9/10.x), picomatch (2/4.x), node-forge,
@xmldom/xmldom, flatted, js-yaml 4.x, @isaacs/brace-expansion and @babel/core.

All are dev / example transitive dependencies; none are runtime
dependencies of the published package (which ships only `lib`).

js-yaml 3.x and uuid 7.x are not bumped: their parents pin a major below
the patched release, so they can't be upgraded without breaking them.
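A small triage script for the distinction drawn above (alerts a lockfile refresh can clear because the patched version is still inside the parent's declared range, versus packages whose parent pins a lower major), added here as an example and not part of this PR or the project: it walks a package-lock.json `packages` map and, for each declared dependency that has an advisory, reports whether a plain refresh can reach the patched version. The lockfile, the parent package `some-tool` and the advisory table are constructed; only caret and exact ranges are evaluated, not full semver.

```javascript
// Added example, not the PR's or project's code: triage a package-lock.json
// "packages" map (lockfile v2/v3) against advisory patched versions. Only ^ and
// exact ranges are handled (not full semver); lockfile, "some-tool" and advisories are constructed.
const parseVer = (v) => v.split(".").map(Number); // [major, minor, patch]
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret keeps the leftmost non-zero field fixed; anything else is an exact pin.
function satisfies(version, range) {
  const v = parseVer(version);
  const caret = range.startsWith("^");
  const base = parseVer(caret ? range.slice(1) : range);
  if (cmp(v, base) < 0) return false;
  if (!caret) return cmp(v, base) === 0;
  return base[0] > 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
}

// Node-style resolution: node_modules/<dep> beside fromPath, then walk up to the root.
function resolveVersion(lock, fromPath, dep) {
  for (let dir = fromPath; ; ) {
    const key = `${dir ? dir + "/" : ""}node_modules/${dep}`;
    if (lock.packages[key]) return lock.packages[key].version;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i < 0 ? "" : dir.slice(0, i);
  }
}

// Per declared dependency with an advisory: can a plain lockfile refresh reach the patch?
function triage(lock, advisories) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const parent = path ? path.slice(path.lastIndexOf("node_modules/") + 13) : "(root)";
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      if (!(dep in advisories)) continue;
      const current = resolveVersion(lock, path, dep), patched = advisories[dep];
      const status = current && cmp(parseVer(current), parseVer(patched)) >= 0 ? "already patched"
        : satisfies(patched, range) ? "in-range refresh" : "needs major bump in parent";
      findings.push({ dep, parent, range, current, patched, status });
    }
  }
  return findings;
}

// Constructed lockfile: the PR's two stuck cases (js-yaml 3.x, uuid 7.x) plus a fixable js-yaml 4.x.
const lock = { packages: {
  "": { dependencies: { "some-tool": "^1.0.0", "js-yaml": "^4.1.0" } },
  "node_modules/js-yaml": { version: "4.1.0" },
  "node_modules/some-tool": { version: "1.0.0", dependencies: { "js-yaml": "^3.13.1", uuid: "^7.0.3" } },
  "node_modules/some-tool/node_modules/js-yaml": { version: "3.14.2" },
  "node_modules/uuid": { version: "7.0.3" } } };
const advisories = { "js-yaml": "4.2.0", uuid: "11.1.1" }; // patched versions named in the PR
```

Running `triage(lock, advisories)` on the sample yields one "in-range refresh" finding (root js-yaml ^4.1.0) and two "needs major bump in parent" findings (some-tool's js-yaml ^3.13.1 and uuid ^7.0.3), the same split the PR describes.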
@kesha-antonov kesha-antonov merged commit 44802f3 into master Jun 18, 2026
2 checks passed
@kesha-antonov kesha-antonov deleted the chore/security-dep-bumps branch June 18, 2026 10:25