Skip to content

chore(deps): bump transitive dependencies to latest patched versions#456

Merged
jasonpraful merged 4 commits into
mainfrom
worktree-dependabot-vuln-fixes
Jul 9, 2026
Merged

chore(deps): bump transitive dependencies to latest patched versions#456
jasonpraful merged 4 commits into
mainfrom
worktree-dependabot-vuln-fixes

Conversation

@jasonpraful

Copy link
Copy Markdown
Member

Why?

Several transitive dependencies across the root Yarn workspace, the expo-example and with-notifications example apps, and both Ruby lockfiles were behind their latest releases. All affected packages are development/build tooling or example-app dependencies — the published library has no runtime dependencies, so nothing here affects SDK consumers. (examples/example/e2e is intentionally left untouched in this PR.)

How?

Lockfile-level bumps to each package's latest patched version: in-range refreshes where the newer version already satisfies dependents, otherwise range-scoped Yarn resolutions / pnpm.overrides so each major line is bumped in-line without forcing consumers across majors. Ruby gems updated via bundle lock --update.

Decisions

  • Cross-major overrides only where every earlier major needed replacing: uuid →11.1.1, serialize-javascript →7.0.5, fast-xml-parser →5.7.0.
  • examples/with-notifications/Gemfile had a concurrent-ruby < 1.3.4 pin (upstream template workaround for a logger-require regression); lifted to >= 1.3.7 since the Gemfile already declares gem 'logger'. Its previously-uncommitted Gemfile.lock is now generated and committed; BUNDLED WITH moves 2.1.4 → 2.5.11 in both lockfiles.

Generated with Claude Code

Bump concurrent-ruby to 1.3.7 (root + with-notifications) and
activesupport to 7.2.3.1 (with-notifications). Also generated the
missing with-notifications/Gemfile.lock (never committed) and lifted
its Gemfile's `concurrent-ruby < 1.3.4` pin to `>= 1.3.7`: that pin
was an emergency workaround for a logger-require regression in 1.3.5
that broke activesupport outside Rails, but this Gemfile already
declares `gem 'logger'` explicitly, which covers the same gap.
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​@​babel/​core@​7.28.3 ⏵ 7.29.797100 +180 +196100
Updatednpm/​@​babel/​core@​7.28.3 ⏵ 7.29.697100 +180 +197 +1100
Addedgem/​cocoapods@​1.15.285100100100100
Addedgem/​xcodeproj@​1.25.193100100100100
Updatedgem/​concurrent-ruby@​1.3.6 ⏵ 1.3.794100 +18100100100
Addedgem/​bigdecimal@​4.1.2100100100100100
Addedgem/​mutex_m@​0.3.0100100100100100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: gem ffi under GPL-2.0-only

License: GPL-2.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/compile)

License: GPL-3.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/m4/ax_gcc_x86_cpuid.m4)

License: GPL-3.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/m4/ax_compiler_vendor.m4)

License: GPL-2.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/ltmain.sh)

License: GPL-3.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/config.sub)

License: GPL-2.0-or-later - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/man/Makefile.in)

License: GPL-2.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/libtool-ldflags)

License: GPL-2.0-or-later - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/testsuite/Makefile.in)

License: GPL-2.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/missing)

License: GPL-3.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/m4/ax_cc_maxopt.m4)

License: GPL-2.0-or-later - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/doc/Makefile.in)

License: GPL-3.0-only - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/config.guess)

License: GPL-2.0-or-later - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/include/Makefile.in)

License: GPL-2.0-or-later - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/Makefile.in)

License: GPL-2.0+ - The applicable license policy does not permit this license (5) (ext/ffi_c/libffi/LICENSE-BUILDTOOLS)

From: examples/with-notifications/Gemfile.lockgem/cocoapods@1.15.2gem/ffi@1.17.4

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/ffi@1.17.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm caniuse-lite under CC-BY-4.0

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json)

License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: examples/with-notifications/pnpm-lock.yamlnpm/expo@54.0.33npm/@babel/core@7.29.6npm/@babel/core@7.29.7npm/@babel/preset-env@7.28.3npm/@react-native/babel-preset@0.81.1npm/caniuse-lite@1.0.30001803

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001803. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm fast-xml-parser is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@wdio/mocha-framework@8.46.0npm/@react-native-community/cli@20.0.2npm/fast-xml-parser@4.5.7

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: examples/expo-example/pnpm-lock.yamlnpm/expo@54.0.33npm/eslint@9.34.0npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@jasonpraful jasonpraful marked this pull request as ready for review July 8, 2026 22:49
@jasonpraful jasonpraful merged commit 93b44fa into main Jul 9, 2026
8 checks passed
@jasonpraful jasonpraful deleted the worktree-dependabot-vuln-fixes branch July 9, 2026 12:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants