
[Snyk] Security upgrade expo from 50.0.21 to 53.0.0#696

Open
revan-zhang wants to merge 1 commit into onekey from snyk-fix-28d07ddc4cf102996ea3ae0c88d7ae0a

Conversation

revan-zhang (Contributor) commented Mar 10, 2026


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.

Snyk changed the following file(s):

  • packages/connect-examples/expo-example/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the .yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity Symlink Attack (SNYK-JS-TAR-15416075)
Score: 685

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Symlink Attack


Note

Medium Risk
Upgrades expo across major versions in the Expo example app, which can introduce breaking runtime/build changes even though the code diff is small. Also note the lockfile isn’t updated in this PR, so CI/dev installs may diverge until yarn.lock is regenerated.

Overview
Updates the Expo example app’s dependency on expo from ^50.x to ^53.0.0 (packages/connect-examples/expo-example/package.json) to remediate a reported security issue.

No other code changes are included; reviewers should ensure the dependency graph/lockfile is updated and the app still builds and runs under Expo 53.

Written by Cursor Bugbot for commit ea379b9. This will update automatically on new commits. Configure here.

…lnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15416075

revan-zhang commented Mar 10, 2026

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                  Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  string_decoder@1.3.0     100                    100            84       75           100
Added  stream-browserify@3.0.0  100                    100            78       75           100

devin-ai-integration bot left a comment

Devin Review found 1 potential issue.

View 2 additional findings in Devin Review.


"compressorjs": "^1.1.1",
"elliptic": "^6.5.5",
"expo": "^50.0.20",
"expo": "^53.0.0",
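Review bot: this hunk replaces "expo": "^50.0.20" with "^53.0.0" and is the only change in the PR, yet the Snyk warning above says yarn.lock could not be updated, so nothing here shows which tar version now resolves and the SNYK-JS-TAR-15416075 fix is unverified until the lockfile is regenerated (run yarn install and check with yarn why tar before merging). Note also that the PR title says the upgrade is from 50.0.21 while the replaced manifest line is ^50.0.20, so the title reflects the previously resolved version rather than the declared range. Jumping three Expo majors in the core package while every expo-* companion and react-native stay unchanged is an SDK migration rather than a dependency patch, and belongs in its own PR.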


🔴 Expo SDK 53 upgrade without updating companion expo-* packages and React Native

The expo package is bumped from ^50.0.20 to ^53.0.0, but none of the companion Expo packages or React Native were updated to compatible versions. Expo SDK 53 requires specific versions of all expo-* sub-packages and a matching React Native version (0.76+), but the package.json still has react-native at 0.73.7 (package.json:68), react at 18.2.0 (package.json:65), and all expo sub-packages pinned to their SDK 50 versions: expo-clipboard: ~5.0.0 (line 51), expo-document-picker: ~11.10.1 (line 52), expo-image-manipulator: ~11.8.0 (line 53), expo-image-picker: ~14.7.1 (line 54), expo-linking: ~6.2.2 (line 55), expo-localization: ~14.8.4 (line 56), expo-splash-screen: ~0.26.5 (line 57), expo-status-bar: ~1.11.1 (line 58). Additionally, @expo/webpack-config at ^19.0.1 (line 16) is deprecated in favor of Metro bundler in newer Expo SDKs. This will cause installation failures, build errors, or runtime crashes due to version incompatibility between the core Expo SDK and its ecosystem packages.

Prompt for agents
In packages/connect-examples/expo-example/package.json, either revert the expo version back to ^50.0.20 (if the vulnerability fix can be addressed differently), or perform a full Expo SDK 53 upgrade by updating ALL companion packages to their SDK 53-compatible versions. This includes:

1. react-native (line 68): update from 0.73.7 to the version required by Expo 53 (0.76+)
2. react and react-dom (lines 65-66): update to 18.3.1 or the version required by Expo 53
3. expo-clipboard (line 51): update from ~5.0.0 to the SDK 53-compatible version
4. expo-document-picker (line 52): update from ~11.10.1 to the SDK 53-compatible version
5. expo-image-manipulator (line 53): update from ~11.8.0 to the SDK 53-compatible version
6. expo-image-picker (line 54): update from ~14.7.1 to the SDK 53-compatible version
7. expo-linking (line 55): update from ~6.2.2 to the SDK 53-compatible version
8. expo-localization (line 56): update from ~14.8.4 to the SDK 53-compatible version
9. expo-splash-screen (line 57): update from ~0.26.5 to the SDK 53-compatible version
10. expo-status-bar (line 58): update from ~1.11.1 to the SDK 53-compatible version
11. @expo/webpack-config (line 16): may need to be removed or replaced with Metro bundler config
12. react-native-reanimated (line 73): update from ~3.6.2 to SDK 53-compatible version
13. react-native-safe-area-context (line 75): update from 4.8.2 to SDK 53-compatible version
14. react-native-screens (line 76): update from ~3.29.0 to SDK 53-compatible version
15. @react-native-async-storage/async-storage (line 28): update from 1.21.0 to SDK 53-compatible version

The recommended approach is to run 'npx expo install --fix' after updating the expo version to automatically resolve compatible versions, or use 'npx expo-doctor' to check compatibility.

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

"compressorjs": "^1.1.1",
"elliptic": "^6.5.5",
"expo": "^50.0.20",
"expo": "^53.0.0",

Expo 53 incompatible with React Native 0.73 and React 18

High Severity

Upgrading expo to ^53.0.0 while keeping react at 18.2.0 and react-native at 0.73.7 creates a fatal incompatibility. Expo SDK 53 requires React Native 0.79 and React 19. Additionally, all expo sub-packages (expo-clipboard ~5.0.0, expo-document-picker ~11.10.1, expo-image-picker ~14.7.1, expo-splash-screen ~0.26.5, etc.) remain pinned to SDK 50-era versions, which are incompatible with expo 53. This will cause peer dependency failures and likely runtime crashes. The yarn.lock also wasn't updated, as noted in the PR warning.

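Both review findings above (Devin's and Bugbot's) reduce to one check: expo crossed a major version while its companion packages stayed put. This added example, which is not code from the PR, Snyk, Devin or Cursor Bugbot, performs that check over a "before" and "after" package.json; which names count as companions is an assumption of the example, and the sample manifests are constructed from the versions the reviews quote.

```javascript
// Added example, not code from the PR, Snyk, Devin or Cursor Bugbot: report
// expo-ecosystem companions left untouched while `expo` crossed a major version.
// Which names count as companions (COMPANION_PATTERNS) is an assumption of this
// example; only the "dependencies" map is inspected.
const COMPANION_PATTERNS = [
  /^expo-/,                  // expo-clipboard, expo-status-bar, ...
  /^@expo\//,                // @expo/webpack-config
  /^react(-dom|-native)?$/,  // react, react-dom, react-native
  /^react-native-/,          // react-native-screens, react-native-reanimated, ...
];

// Leading major of a range such as "^53.0.0", "~5.0.0" or "0.73.7"; null if absent.
function majorOf(range) {
  const m = /^[\^~]?(\d+)/.exec(range || "");
  return m ? Number(m[1]) : null;
}

// Returns { majorBump, from, to, stale }; `stale` lists companions whose range is
// unchanged across the bump (companions newly added in `after` are not stale).
function staleCompanions(beforePkg, afterPkg) {
  const before = beforePkg.dependencies || {};
  const after = afterPkg.dependencies || {};
  const from = majorOf(before.expo);
  const to = majorOf(after.expo);
  if (from === null || to === null || from === to) {
    return { majorBump: false, from, to, stale: [] };
  }
  const stale = Object.keys(after)
    .filter((name) => COMPANION_PATTERNS.some((re) => re.test(name)))
    .filter((name) => before[name] === after[name])
    .sort();
  return { majorBump: true, from, to, stale };
}

// Constructed sample manifests using the versions quoted in the review comments.
const beforePkg = {
  dependencies: {
    "@expo/webpack-config": "^19.0.1",
    "elliptic": "^6.5.5",
    "expo": "^50.0.20",
    "expo-clipboard": "~5.0.0",
    "expo-status-bar": "~1.11.1",
    "react": "18.2.0",
    "react-native": "0.73.7",
  },
};
const afterPkg = JSON.parse(JSON.stringify(beforePkg));
afterPkg.dependencies.expo = "^53.0.0"; // the only line this PR changes
console.log(JSON.stringify(staleCompanions(beforePkg, afterPkg), null, 2));
```

A non-empty `stale` list on a major bump is the signal to stop and run the full migration (npx expo install --fix, npx expo-doctor) rather than merge the single-line change.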


2 participants