2 changes: 1 addition & 1 deletion apps/mobile/package.json
Expand Up @@ -114,7 +114,7 @@
"lottie-react-native": "7.3.4",
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

🔴 Root workspace resolution still pins react-native to 0.81.5, making the upgrade ineffective or conflicting

The apps/mobile/package.json bumps react-native to 0.84.0, but the root package.json has a Yarn resolutions field that pins "react-native": "0.81.5" at package.json:329. Yarn resolutions override version specifications across the entire workspace, so the mobile app will still resolve to 0.81.5 despite requesting 0.84.0.

Root Cause and Impact

The root package.json contains:

  • dependencies["react-native"]: "0.81.5" at line 175
  • resolutions["react-native"]: "0.81.5" at line 329

Both of these force the entire monorepo to use 0.81.5. The change in apps/mobile/package.json to 0.84.0 is effectively a no-op — the security vulnerability (SNYK-JS-MINIMATCH-15309438) that this PR aims to fix will not actually be remediated.

Additionally, if the resolution were somehow bypassed, there would be a version mismatch between what the mobile app uses and what the rest of the monorepo expects, potentially causing runtime crashes from incompatible native modules.

Impact: The stated security fix is not applied. The package.json declares a version that won't actually be installed, creating a false sense of security.

Prompt for agents
To actually upgrade react-native to 0.84.0, you must also update:
1. package.json line 175: change the root dependency from "react-native": "0.81.5" to "react-native": "0.84.0"
2. package.json line 329: change the resolution from "react-native": "0.81.5" to "react-native": "0.84.0"
3. apps/mobile/package.json line 36: update "@react-native/metro-config" from "0.81.5" to the version matching react-native 0.84.0
4. Rename patches/react-native+0.81.5.patch to patches/react-native+0.84.0.patch and verify the patch still applies cleanly against the new version (the patched files may have changed in 0.84.0)
5. Verify all native dependencies (react-native-reanimated, react-native-screens, etc.) are compatible with react-native 0.84.0
6. Run yarn install to regenerate the lockfile

🔴 Version-specific patch file react-native+0.81.5.patch will not apply to 0.84.0

The repository has a patches/react-native+0.81.5.patch file containing significant custom functionality (onPaste support for TextInput, nil-safety fixes for JSI bridge). patch-package matches patches by exact package name and version. If react-native@0.84.0 were actually installed, this patch would silently not apply.

Detailed Explanation

patch-package (version 8.0.0, used in package.json:298) looks for patch files named {package}+{version}.patch. The existing patch at patches/react-native+0.81.5.patch contains ~400 lines of critical modifications:

  • Custom onPaste event support for both single-line and multi-line TextInput (iOS native code)
  • Image paste handling from clipboard
  • Nil-safety guards in RCTTurboModule.mm (convertNSStringToJSIString and convertObjCObjectToJSIValue)
  • Fabric renderer TextInputEventEmitter::onPaste implementation

If react-native 0.84.0 is installed, patch-package will skip this patch (or fail), and all of this custom functionality will be lost. The onPaste feature is likely used by @onekeyfe/react-native-text-input and other components in the app.

Impact: Loss of custom paste functionality and nil-safety fixes, potentially causing crashes when nil values reach the JSI bridge.

🔴 @react-native/metro-config left at 0.81.5, mismatched with react-native 0.84.0

The react-native dependency is upgraded from 0.81.5 to 0.84.0, but @react-native/metro-config in devDependencies (apps/mobile/package.json:38) remains pinned at 0.81.5. In the React Native ecosystem, @react-native/metro-config is version-aligned with react-native — each release of react-native ships a corresponding @react-native/metro-config at the same version. Using a mismatched metro-config can cause build failures, incorrect Metro bundler behavior, or missing transformations needed by the new RN version.

Version Alignment Detail

The @react-native/metro-config@0.81.5 pulls in @react-native/js-polyfills@0.81.5 and @react-native/metro-babel-transformer@0.81.5 (visible in the yarn.lock). These sub-packages handle polyfill injection and Babel transforms that must match the react-native runtime version. With react-native 0.84.0, the JS runtime may expect polyfills or transforms that only @react-native/metro-config@0.84.x provides.

Impact: Metro bundler may produce bundles incompatible with the react-native 0.84.0 runtime, causing crashes or subtle JS errors at runtime.

Prompt for agents
In apps/mobile/package.json, update the @react-native/metro-config devDependency on line 38 from "0.81.5" to "0.84.0" to match the new react-native version. The two packages must be version-aligned.
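
The three findings in the review comments above (a root `resolutions` pin overriding the workspace request, a patch-package file named for the old version, and an unaligned `@react-native/*` companion) can be checked mechanically before merge. The following is an added example, not code from the PR, the reviewer or the project; `auditBump`, `parsePatchName` and the sample manifests are hypothetical, and it assumes exact version pins as in the comments.

```javascript
// Constructed sample manifests mirroring the state described in the review
// comments; nothing here is read from the real repository.
const rootManifest = {
  dependencies: { 'react-native': '0.81.5' },
  resolutions: { 'react-native': '0.81.5' },
};
const mobileManifest = {
  dependencies: { 'react-native': '0.84.0' },
  devDependencies: { '@react-native/metro-config': '0.81.5' },
};
const patchFiles = ['react-native+0.81.5.patch'];

// patch-package names files {package}+{version}.patch; a scoped package
// is written with "+" in place of "/" (e.g. @scope+name+1.0.0.patch).
function parsePatchName(file) {
  const m = /^(.+)\+([^+]+)\.patch$/.exec(file);
  if (!m) return null;
  const name = m[1].startsWith('@') ? m[1].replace('+', '/') : m[1];
  return { name, version: m[2] };
}

// Hypothetical helper: audits one exact-pinned bump (no semver ranges).
function auditBump(pkg, root, workspace, patches) {
  const declared = { ...workspace.dependencies, ...workspace.devDependencies };
  const wanted = declared[pkg];
  const pinned = (root.resolutions || {})[pkg];
  const findings = [];
  const add = (kind, detail) => findings.push({ kind, detail });

  // A root "resolutions" entry overrides what the workspace requests.
  if (pinned && pinned !== wanted) add('resolution-override', `${pkg}@${pinned}`);
  const rootDep = (root.dependencies || {})[pkg];
  if (rootDep && rootDep !== wanted) add('root-dependency-mismatch', `${pkg}@${rootDep}`);

  // A patch named for another version of pkg does not match the new one.
  for (const file of patches) {
    const p = parsePatchName(file);
    if (p && p.name === pkg && p.version !== wanted) add('stale-patch', file);
  }
  // Assumption: packages under the @<pkg>/ scope are released in lockstep.
  for (const [name, version] of Object.entries(declared)) {
    if (name.startsWith(`@${pkg}/`) && version !== wanted) add('unaligned-companion', `${name}@${version}`);
  }
  return { requested: wanted, effective: pinned || wanted, findings };
}

console.log(auditBump('react-native', rootManifest, mobileManifest, patchFiles));
```

A non-empty `findings` list, or an `effective` version that differs from `requested`, means the bump has not taken effect and the advisory it targets should still be treated as open.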

"react-native-aes-crypto": "3.2.1",
"react-native-awesome-slider": "^2.9.0",
"react-native-ble-plx": "3.5.1",
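
Review bot: The `"react": "19.1.0"` pin on the context line directly above the changed `react-native` line is left untouched, and so are the exact pins on the native modules visible in this hunk (`lottie-react-native` 7.3.4, `react-native-aes-crypto` 3.2.1, `react-native-ble-plx` 3.5.1). react-native declares `react` as a peer dependency, so the jump from 0.81.5 to 0.84.0 should be checked against the peer range that 0.84.0 declares, with `react` bumped in this same hunk if 19.1.0 falls outside it, and each pinned native module should be confirmed to support the new version. Because this is a one-line version bump made for a security advisory, also confirm after install which `react-native` version the lockfile actually resolves (for example with `yarn why react-native`) before treating the advisory as closed.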