fix(deps): resolve all open Dependabot alerts (#659-#681) #241
| Filename | Overview |
|---|---|
| package.json | Adds five new Yarn workspace resolutions to fix high/medium Dependabot vulnerabilities; all entries are correctly scoped with >= lower-bounds |
| packages/amazon/turbo.json | Renames pipeline to tasks key to match Turbo v2 schema; correctly migrated |
| packages/amazon/package.json | Bumps turbo devDependency from ^1.10.7 to ^2.9.14 to address CSRF and Yarn Berry RCE alerts |
| test-projects/expo-purchasely-test/package.json | Adds npm overrides for fast-uri, uuid, and ws; uuid resolves to v14.0.0 (7 major versions above xcode's declared ^7.0.3 requirement), and ws resolves to 8.x for packages that previously nested ws@6 |
| test-projects/rn-purchasely-test/package.json | Adds npm overrides for @babel/plugin-transform-modules-systemjs and fast-xml-builder; both resolve within compatible minor/patch ranges |
| test-projects/expo-purchasely-test/package-lock.json | Lockfile regenerated cleanly; ws@6 nested installs removed and hoisted to 8.20.1, xcode nested uuid@7.0.3 removed and replaced by hoisted uuid@14.0.0 |
| test-projects/rn-purchasely-test/package-lock.json | Lockfile regenerated; @babel/plugin-transform-modules-systemjs updated to 7.29.4 and fast-xml-builder to 1.2.0 with new xml-naming peer dep |
### Issue 1 of 2
test-projects/expo-purchasely-test/package.json:35-36
**`uuid >=11.1.1` override removes xcode's pinned v7 install**
The lockfile shows that `xcode`'s previously-nested `uuid@7.0.3` install is eliminated by this override, and `xcode` will now consume the hoisted `uuid@14.0.0`. The `xcode` package declares `"uuid": "^7.0.3"` — a range far below v14. If `xcode` relies on any API surface that changed between major versions (e.g. the default export was dropped in v7, and further breaking changes may exist in v9+), iOS builds via `npx expo run:ios` could silently fail. Worth verifying locally that `npx expo run:ios` still compiles after `npm install`.
### Issue 2 of 2
test-projects/expo-purchasely-test/package.json:37
**`ws >=8.20.1` override forces 2 major-version jump on dev-server packages**
The lockfile shows that `@react-native/dev-middleware` and `react-native` each had a nested `ws@6.2.3` install, which are now removed in favour of the hoisted `ws@8.20.1`. This is a jump across two major versions for those consumers. While the primary WebSocket `message`/`send` API is stable, ws@7 and ws@8 introduced breaking changes to the `Server` constructor and event internals. If either package uses those changed APIs, Metro's hot-reload websocket connection will break in the dev environment. Consider validating with `npx expo start` after install.
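Both issues above come down to the same two questions about a forced override: did every installed copy of the package really land on or above the override's floor, and which dependents declared a range on a different major than the copy that now resolves for them? The following Node script is an added example, not code from this PR or its repository. It walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map) the way Node itself resolves nested `node_modules`, and flags major-version jumps. The embedded lockfile is a constructed, heavily reduced stand-in: `xcode`'s `^7.0.3` range on `uuid`, the hoisted `uuid@14.0.0` and `ws@8.20.1`, and the former nested `ws@6` come from the review; every other name, version and range in it is invented for illustration.

```javascript
// Added example (not part of the PR): audit a package-lock.json after "overrides" forced
// a package to one version. Constructed lockfile; only the uuid/ws/xcode facts mirror the PR.
const CONSTRUCTED_LOCK = {
  name: "expo-purchasely-test",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { xcode: "^3.0.1", "react-native": "0.74.0", ajv: "^8.17.0" } },
    "node_modules/uuid": { version: "14.0.0" },
    "node_modules/xcode": { version: "3.0.1", dependencies: { uuid: "^7.0.3" } },
    "node_modules/ws": { version: "8.20.1" },
    "node_modules/react-native": { version: "0.74.0", dependencies: { ws: "^6.2.3" } },
    "node_modules/@react-native/dev-middleware": { version: "0.74.0", dependencies: { ws: "^6.2.3" } },
    "node_modules/fast-uri": { version: "3.1.2" },
    "node_modules/ajv": { version: "8.17.1", dependencies: { "fast-uri": "^3.0.1" } },
  },
};

// Override entries in the shape they take under "overrides" in package.json.
const OVERRIDES = { uuid: ">=11.1.1", ws: ">=8.20.1", "fast-uri": ">=3.1.2" };

// Lower-bound major of a declared range, plus whether the range is open upward
// (">=", ">", "*" or unparsable), in which case a higher major is still inside it.
function parseRange(range) {
  const r = String(range).trim();
  const m = r.match(/^(>=|>|\^|~|=)?\s*v?(\d+)/);
  if (r === "" || r === "*" || r === "latest" || !m) return { major: null, open: true };
  return { major: Number(m[2]), open: m[1] === ">=" || m[1] === ">" };
}

// Numeric compare of two "a.b.c" versions; pre-release tags are ignored here.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Node's resolution walk for depName as seen from the package installed at fromPath:
// try fromPath/node_modules/dep, then climb one node_modules level at a time to the root.
function resolvedFor(lock, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Question 1: every installed copy of depName (hoisted or nested) satisfies the ">=x.y.z" floor.
function overrideEnforced(lock, depName, overrideRange) {
  const floor = overrideRange.replace(/^>=/, "");
  const copies = Object.entries(lock.packages)
    .filter(([p]) => p === "node_modules/" + depName || p.endsWith("/node_modules/" + depName))
    .map(([, pkg]) => pkg.version);
  return copies.length > 0 && copies.every((v) => compareVersions(v, floor) >= 0);
}

// Question 2: for each dependent declaring depName, how many majors above the declared
// range's major is the copy it actually resolves to? 0 is compatible (or an open range);
// >0 is the "declares ^7, gets 14" case that deserves a manual build/run check.
function majorJumps(lock, depName) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const declared = pkg.dependencies && pkg.dependencies[depName];
    if (!declared) continue;
    const hit = resolvedFor(lock, path, depName);
    const resolved = hit ? hit.version : null;
    const { major, open } = parseRange(declared);
    const jump = !resolved || major === null || open ? 0 : Number(resolved.split(".")[0]) - major;
    out.push({ dependent: path || "(root)", declared, resolved, jump });
  }
  return out;
}

// Stand-alone run over the constructed lockfile.
for (const [dep, range] of Object.entries(OVERRIDES)) {
  console.log(`${dep} ${range}: override enforced = ${overrideEnforced(CONSTRUCTED_LOCK, dep, range)}`);
  for (const f of majorJumps(CONSTRUCTED_LOCK, dep)) {
    const flag = f.jump > 0 ? `  <-- ${f.jump} major(s) above declared range` : "";
    console.log(`  ${f.dependent} declares ${f.declared}, resolves ${f.resolved}${flag}`);
  }
}
```

To run it against a real project, replace `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and `OVERRIDES` with the `overrides` object from that project's `package.json`. A jump of 0 on every row is the cheap pass; any row with a positive jump is exactly the consumer (here `xcode`, and the two `ws` consumers) whose behaviour the reviewer asks to verify by hand with `npx expo run:ios` / `npx expo start`.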
Bump direct deps and add yarn resolutions / npm overrides to patch 22
open Dependabot alerts across the monorepo and the two test-projects.

Root (yarn.lock):
- turbo ^2.9.14 in packages/{amazon,google,huawei,android-player}
  (GHSA login callback CSRF #673-#676 + Yarn Berry detection RCE #669-#672 +
  root yarn.lock #679-#680)
- resolutions added/bumped:
  - @babel/plugin-transform-modules-systemjs >=7.29.4 (#667 high)
  - basic-ftp >=5.3.1 (#659 high)
  - fast-xml-builder >=1.1.7 (#660, #662 high+medium)
  - ip-address >=10.1.1 (#665 medium)

test-projects/expo-purchasely-test (npm overrides):
- uuid >=11.1.1 (#678 medium)
- ws >=8.20.1 (#677 medium)
- fast-uri >=3.1.2 (#664, #666 high)

test-projects/rn-purchasely-test (npm overrides):
- @babel/plugin-transform-modules-systemjs >=7.29.4 (#668 high)
- fast-xml-builder >=1.1.7 (#661, #663 high+medium)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The turbo bump to ^2.9.14 (#669-#676, #679-#680) makes the v1 `pipeline` key invalid — Turbo 2.0 renamed it to `tasks`. Rename it in the amazon, android-player, google and huawei turbo.json files so the config is valid for the installed major version. Addresses Greptile review (P1). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
New high-severity Dependabot alert #681: tmp <0.2.6 (arbitrary file/dir write via symlink), pulled transitively through external-editor. Add a root `tmp` resolution forcing >=0.2.6; yarn.lock now resolves tmp 0.2.7 and drops the obsolete os-tmpdir dependency. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Review follow-ups addressed in
| # | Source | Finding | Resolution |
|---|---|---|---|
| 1 | Greptile P1 | Turbo v2 no longer recognizes the v1 `pipeline` key | b6886ae — renamed `pipeline` → `tasks` in packages/{amazon,android-player,google,huawei}/turbo.json. (No script/CI in this repo invokes `turbo run`, so there was no live breakage; the config is now valid for the installed v2 major.) |
| 2 | Dependabot (new) | Alert #681 — tmp <0.2.6 (high, arbitrary file/dir write via symlink) appeared after the initial batch | 8889328 — added `tmp >=0.2.6` root resolution; yarn.lock now resolves tmp 0.2.7 and drops obsolete os-tmpdir. |
Local verification: yarn lint ✅ · yarn typecheck ✅ · yarn test → 4 suites / 139 tests ✅.
This PR now closes all 23 open Dependabot alerts (#659–#681).
@greptileai review
Pull request overview
This PR addresses Dependabot security alerts across the monorepo by updating vulnerable transitive dependencies via Yarn resolutions / npm overrides, and by upgrading turbo to the v2 line with the corresponding config migration in affected packages.
Changes:
- Bump `turbo` to `^2.9.14` in the Amazon/Google/Huawei/Android-player packages and migrate their `turbo.json` config key from `pipeline` → `tasks`.
- Add/adjust root Yarn `resolutions` to force patched versions of vulnerable transitive dependencies (e.g., `basic-ftp`, `tmp`, `ip-address`, `fast-xml-builder`, `@babel/plugin-transform-modules-systemjs`) and regenerate `yarn.lock`.
- Add npm `overrides` in both test projects to enforce patched versions (e.g., `ws`, `uuid`, `fast-uri`, `fast-xml-builder`) and regenerate `package-lock.json` files.
Reviewed changes
Copilot reviewed 11 out of 14 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| yarn.lock | Regenerated lockfile reflecting patched transitive dependencies and the Turbo v2 upgrade. |
| package.json | Adds/bumps Yarn resolutions to enforce secure minimum versions (incl. tmp, ip-address, fast-xml-builder, Babel plugin). |
| test-projects/expo-purchasely-test/package.json | Adds npm overrides to force patched fast-uri, uuid, and ws. |
| test-projects/expo-purchasely-test/package-lock.json | Regenerated to reflect override-driven dependency upgrades (incl. ws / uuid / fast-uri). |
| test-projects/rn-purchasely-test/package.json | Adds npm overrides for patched @babel/plugin-transform-modules-systemjs and fast-xml-builder. |
| test-projects/rn-purchasely-test/package-lock.json | Regenerated to reflect override-driven upgrades (incl. fast-xml-builder and Babel plugin). |
| packages/amazon/package.json | Bumps turbo devDependency to ^2.9.14. |
| packages/amazon/turbo.json | Migrates Turbo config key from pipeline to tasks for Turbo v2 compatibility. |
| packages/google/package.json | Bumps turbo devDependency to ^2.9.14. |
| packages/google/turbo.json | Migrates Turbo config key from pipeline to tasks for Turbo v2 compatibility. |
| packages/huawei/package.json | Bumps turbo devDependency to ^2.9.14. |
| packages/huawei/turbo.json | Migrates Turbo config key from pipeline to tasks for Turbo v2 compatibility. |
| packages/android-player/package.json | Bumps turbo devDependency to ^2.9.14. |
| packages/android-player/turbo.json | Migrates Turbo config key from pipeline to tasks for Turbo v2 compatibility. |
Files not reviewed (2)
- test-projects/expo-purchasely-test/package-lock.json: Language not supported
- test-projects/rn-purchasely-test/package-lock.json: Language not supported
Summary
Resolves all 23 currently open Dependabot alerts (#659 → #681) across the monorepo and both test-projects.
Changes
Root (`yarn.lock`)
- `turbo` to `^2.9.14` in `packages/{amazon,google,huawei,android-player}/package.json` (closes #669–#676, #679–#680 — login callback CSRF + Yarn Berry detection RCE)
- `turbo.json` files from the v1 `pipeline` key to the v2 `tasks` key (Turbo 2.0 renamed it) so the config is valid for the bumped major version
- `resolutions`:
  - `@babel/plugin-transform-modules-systemjs` `>=7.29.4` (#667, high)
  - `basic-ftp` `>=5.3.1` (#659, high)
  - `fast-xml-builder` `>=1.1.7` (#660, #662)
  - `ip-address` `>=10.1.1` (#665, medium)
  - `tmp` `>=0.2.6` (#681, high — arbitrary file/dir write via symlink, pulled via `external-editor`)

test-projects/expo-purchasely-test (npm overrides)
- `uuid` `>=11.1.1` (#678, medium)
- `ws` `>=8.20.1` (#677, medium)
- `fast-uri` `>=3.1.2` (#664, #666, high)

test-projects/rn-purchasely-test (npm overrides)
- `@babel/plugin-transform-modules-systemjs` `>=7.29.4` (#668, high)
- `fast-xml-builder` `>=1.1.7` (#661, #663)

Resolved versions (lockfiles)

Review follow-ups
- `pipeline` key: renamed `pipeline` → `tasks` in all four sub-package `turbo.json` files. Note: no script or CI job in this repo invokes `turbo run`, so there was no runtime breakage, but the config is now valid for the installed v2 major.
- `tmp`: appeared after the initial batch; added a `tmp >=0.2.6` resolution.

Test plan
- `yarn install` regenerates `yarn.lock` cleanly
- `npm install --package-lock-only` regenerates both test-projects lockfiles (0 vulnerabilities)
- `yarn lint` (0 errors)
- `yarn typecheck` (0 errors)
- `yarn test` — 4 suites, 139 tests pass

🤖 Generated with Claude Code