Skip to content

[Snyk] Security upgrade expo from 50.0.21 to 53.0.0 #696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
revan-zhang wants to merge 1 commit into
base: onekey
Choose a base branch
from
Open

[Snyk] Security upgrade expo from 50.0.21 to 53.0.0 #696

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/connect-examples/expo-example/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@
"burnt": "^0.13.0",
"compressorjs": "^1.1.1",
"elliptic": "^6.5.5",
"expo": "^50.0.20",
"expo": "^53.0.0",
Copy link

@devin-ai-integration devin-ai-integration bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Expo SDK 53 upgrade without updating companion expo- packages and React Native*

The expo package is bumped from ^50.0.20 to ^53.0.0, but none of the companion Expo packages or React Native were updated to compatible versions. Expo SDK 53 requires specific versions of all expo-* sub-packages and a matching React Native version (0.76+), but the package.json still has react-native at 0.73.7 (package.json:68), react at 18.2.0 (package.json:65), and all expo sub-packages pinned to their SDK 50 versions: expo-clipboard: ~5.0.0 (line 51), expo-document-picker: ~11.10.1 (line 52), expo-image-manipulator: ~11.8.0 (line 53), expo-image-picker: ~14.7.1 (line 54), expo-linking: ~6.2.2 (line 55), expo-localization: ~14.8.4 (line 56), expo-splash-screen: ~0.26.5 (line 57), expo-status-bar: ~1.11.1 (line 58). Additionally, @expo/webpack-config at ^19.0.1 (line 16) is deprecated in favor of Metro bundler in newer Expo SDKs. This will cause installation failures, build errors, or runtime crashes due to version incompatibility between the core Expo SDK and its ecosystem packages.

Prompt for agents 
In packages/connect-examples/expo-example/package.json, either revert the expo version back to ^50.0.20 (if the vulnerability fix can be addressed differently), or perform a full Expo SDK 53 upgrade by updating ALL companion packages to their SDK 53-compatible versions. This includes:

1. react-native (line 68): update from 0.73.7 to the version required by Expo 53 (0.76+)
2. react and react-dom (lines 65-66): update to 18.3.1 or the version required by Expo 53
3. expo-clipboard (line 51): update from ~5.0.0 to the SDK 53-compatible version
4. expo-document-picker (line 52): update from ~11.10.1 to the SDK 53-compatible version
5. expo-image-manipulator (line 53): update from ~11.8.0 to the SDK 53-compatible version
6. expo-image-picker (line 54): update from ~14.7.1 to the SDK 53-compatible version
7. expo-linking (line 55): update from ~6.2.2 to the SDK 53-compatible version
8. expo-localization (line 56): update from ~14.8.4 to the SDK 53-compatible version
9. expo-splash-screen (line 57): update from ~0.26.5 to the SDK 53-compatible version
10. expo-status-bar (line 58): update from ~1.11.1 to the SDK 53-compatible version
11. @expo/webpack-config (line 16): may need to be removed or replaced with Metro bundler config
12. react-native-reanimated (line 73): update from ~3.6.2 to SDK 53-compatible version
13. react-native-safe-area-context (line 75): update from 4.8.2 to SDK 53-compatible version
14. react-native-screens (line 76): update from ~3.29.0 to SDK 53-compatible version
15. @react-native-async-storage/async-storage (line 28): update from 1.21.0 to SDK 53-compatible version

The recommended approach is to run 'npx expo install --fix' after updating the expo version to automatically resolve compatible versions, or use 'npx expo-doctor' to check compatibility.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link

@cursor cursor bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expo 53 incompatible with React Native 0.73 and React 18

High Severity

Upgrading expo to ^53.0.0 while keeping react at 18.2.0 and react-native at 0.73.7 creates a fatal incompatibility. Expo SDK 53 requires React Native 0.79 and React 19. Additionally, all expo sub-packages (expo-clipboard ~5.0.0, expo-document-picker ~11.10.1, expo-image-picker ~14.7.1, expo-splash-screen ~0.26.5, etc.) remain pinned to SDK 50-era versions, which are incompatible with expo 53. This will cause peer dependency failures and likely runtime crashes. The yarn.lock also wasn't updated, as noted in the PR warning.

Additional Locations (2)

Fix in Cursor Fix in Web

"expo-clipboard": "~5.0.0",
"expo-document-picker": "~11.10.1",
"expo-image-manipulator": "~11.8.0",
Expand Down
Loading