From 97932022ffe283d23586d3a840ec917918394613 Mon Sep 17 00:00:00 2001 From: Antonis Lilis Date: Tue, 3 Mar 2026 09:56:02 +0100 Subject: [PATCH 1/2] chore(deps): bump minimatch to fix ReDoS vulnerabilities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Uses scoped yarn resolutions to patch minimatch across all affected major versions present in the dependency tree: - 3.x: 3.1.2/3.0.5 → 3.1.5 (fixes alert #441) - 5.x: 5.1.6 → 5.1.9 (fixes alert #440) - 8.x: 8.0.4 → 8.0.7 (fixes alert #439) - 9.x: 9.0.1/9.0.3/9.0.5 → 9.0.9 (fixes alert #438) - 10.x: 10.1.1 → 10.2.4 (fixes alerts #428, #432, #437) All fixes are dev-only dependencies. https://github.com/getsentry/sentry-react-native/security/dependabot/441 https://github.com/getsentry/sentry-react-native/security/dependabot/440 https://github.com/getsentry/sentry-react-native/security/dependabot/439 https://github.com/getsentry/sentry-react-native/security/dependabot/438 https://github.com/getsentry/sentry-react-native/security/dependabot/437 https://github.com/getsentry/sentry-react-native/security/dependabot/432 https://github.com/getsentry/sentry-react-native/security/dependabot/428 Co-Authored-By: Claude Sonnet 4.6 --- package.json | 50 ++++++++++++++++++++++ yarn.lock | 118 ++++++++++++++++++++++----------------------------- 2 files changed, 100 insertions(+), 68 deletions(-) diff --git a/package.json b/package.json index fc1d965d63..3fcb853829 100644 --- a/package.json +++ b/package.json 
@@ -75,6 +75,56 @@
 "eslint@npm:8.57.1/ajv": "^6.14.0",
 "eslint@npm:9.39.2/ajv": "^6.14.0",
 "express@npm:4.19.2/path-to-regexp": "0.1.12",
+ "@eslint/config-array@npm:0.21.1/minimatch": "^3.1.3",
+ "@eslint/eslintrc@npm:2.1.4/minimatch": "^3.1.3",
+ "@eslint/eslintrc@npm:3.3.3/minimatch": "^3.1.3",
+ "@expo/fingerprint@npm:0.6.1/minimatch": "^3.1.3",
+ "@humanwhocodes/config-array@npm:0.11.14/minimatch": "^3.1.3",
+ "@humanwhocodes/config-array@npm:0.13.0/minimatch": "^3.1.3",
+ "@lerna/create@npm:8.1.8/minimatch": "^3.1.3",
+ "eslint-plugin-import@npm:2.31.0/minimatch": "^3.1.3",
+ "eslint-plugin-import@npm:2.32.0/minimatch": "^3.1.3",
+ "eslint-plugin-node@npm:11.1.0/minimatch": "^3.1.3",
+ "eslint-plugin-react@npm:7.35.0/minimatch": "^3.1.3",
+ "eslint-plugin-react@npm:7.37.5/minimatch": "^3.1.3",
+ "eslint@npm:8.57.0/minimatch": "^3.1.3",
+ "eslint@npm:8.57.1/minimatch": "^3.1.3",
+ "eslint@npm:9.39.2/minimatch": "^3.1.3",
+ "glob@npm:6.0.4/minimatch": "^3.1.3",
+ "glob@npm:7.1.6/minimatch": "^3.1.3",
+ "glob@npm:7.2.3/minimatch": "^3.1.3",
+ "jake@npm:10.9.2/minimatch": "^3.1.3",
+ "lerna@npm:8.1.8/minimatch": "^3.1.3",
+ "multimatch@npm:5.0.0/minimatch": "^3.1.3",
+ "node-dir@npm:0.1.17/minimatch": "^3.1.3",
+ "test-exclude@npm:6.0.0/minimatch": "^3.1.3",
+ "filelist@npm:1.0.4/minimatch": "^5.1.8",
+ "glob@npm:8.1.0/minimatch": "^5.1.8",
+ "readdir-glob@npm:1.1.3/minimatch": "^5.1.8",
+ "glob@npm:9.3.5/minimatch": "^8.0.6",
+ "@expo/cli@npm:0.24.11/minimatch": "^9.0.7",
+ "@expo/cli@npm:54.0.22/minimatch": "^9.0.7",
+ "@expo/fingerprint@npm:0.12.4/minimatch": "^9.0.7",
+ "@expo/fingerprint@npm:0.15.4/minimatch": "^9.0.7",
+ "@expo/metro-config@npm:0.20.13/minimatch": "^9.0.7",
+ "@expo/metro-config@npm:54.0.14/minimatch": "^9.0.7",
+ "@npmcli/arborist@npm:7.5.4/minimatch": "^9.0.7",
+ "@npmcli/map-workspaces@npm:3.0.6/minimatch": "^9.0.7",
+ "@nx/devkit@npm:19.6.4/minimatch": "^9.0.7",
+ "@sentry/node@npm:10.31.0/minimatch": "^9.0.7",
+ 
"@tufjs/models@npm:2.0.1/minimatch": "^9.0.7", + "@typescript-eslint/typescript-estree@npm:6.21.0/minimatch": "^9.0.7", + "@typescript-eslint/typescript-estree@npm:7.18.0/minimatch": "^9.0.7", + "@typescript-eslint/typescript-estree@npm:8.50.0/minimatch": "^9.0.7", + "@typescript-eslint/typescript-estree@npm:8.54.0/minimatch": "^9.0.7", + "editorconfig@npm:1.0.4/minimatch": "^9.0.7", + "glob@npm:10.4.1/minimatch": "^9.0.7", + "glob@npm:10.4.5/minimatch": "^9.0.7", + "ignore-walk@npm:6.0.5/minimatch": "^9.0.7", + "npm-run-all2@npm:6.2.2/minimatch": "^9.0.7", + "nx@npm:19.6.4/minimatch": "^9.0.7", + "webdriverio@npm:8.40.5/minimatch": "^9.0.7", + "glob@npm:13.0.0/minimatch": "^10.2.3", "axios": "^1.13.5", "fast-xml-parser": "^5.3.6", "form-data": "4.0.5", diff --git a/yarn.lock b/yarn.lock index 50aca5110f..077a232477 100644 --- a/yarn.lock +++ b/yarn.lock @@ -6921,22 +6921,6 @@ __metadata: languageName: node linkType: hard -"@isaacs/balanced-match@npm:^4.0.1": - version: 4.0.1 - resolution: "@isaacs/balanced-match@npm:4.0.1" - checksum: 102fbc6d2c0d5edf8f6dbf2b3feb21695a21bc850f11bc47c4f06aa83bd8884fde3fe9d6d797d619901d96865fdcb4569ac2a54c937992c48885c5e3d9967fe8 - languageName: node - linkType: hard - -"@isaacs/brace-expansion@npm:^5.0.0": - version: 5.0.1 - resolution: "@isaacs/brace-expansion@npm:5.0.1" - dependencies: - "@isaacs/balanced-match": ^4.0.1 - checksum: 21f8192f022c320f7acf899730feb419b1a5f4ccc741481ef8f4b3111e97a41c06e5783871bb240da2e87de909c7fc5b0d07f73818db521fee06541c086ea351 - languageName: node - linkType: hard - "@isaacs/cliui@npm:^8.0.2": version: 8.0.2 resolution: "@isaacs/cliui@npm:8.0.2" 
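Review bot: Every added override is keyed to an exact dependent version (`"eslint@npm:9.39.2/minimatch": "^3.1.3"`, `"@expo/cli@npm:54.0.22/minimatch": "^9.0.7"`, and so on), so the ReDoS fix silently stops applying the moment any of those dependents is bumped and the vulnerable minimatch range can re-enter the lockfile unnoticed. This matches the `ajv`/`path-to-regexp` entries already in the block, but for a security override a descriptor-keyed entry per major (for example `"minimatch@npm:^3.0.0": "^3.1.5"`, in whatever form the project's Yarn version accepts) would survive dependent upgrades; if the scoped keys are kept, a `yarn npm audit` step in CI is what would catch the regression. The commit message states all affected consumers are dev-only, yet `@sentry/node@npm:10.31.0/minimatch` and the two `@expo/metro-config` entries are in the list — presumably tooling in this monorepo, but worth confirming none of them is a runtime or peer dependency of a published package before relying on that claim for advisory scoping. The `resolutions` object this hunk sits in opens above the hunk.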
@@ -15030,6 +15014,13 @@ __metadata: languageName: node linkType: hard +"balanced-match@npm:^4.0.2": + version: 4.0.4 + resolution: "balanced-match@npm:4.0.4" + checksum: fb07bb66a0959c2843fc055838047e2a95ccebb837c519614afb067ebfdf2fa967ca8d712c35ced07f2cd26fc6f07964230b094891315ad74f11eba3d53178a0 + languageName: node + linkType: hard + "bare-events@npm:^2.2.0": version: 2.4.2 resolution: "bare-events@npm:2.4.2" @@ -15310,6 +15301,24 @@ __metadata: languageName: node linkType: hard +"brace-expansion@npm:^2.0.2": + version: 2.0.2 + resolution: "brace-expansion@npm:2.0.2" + dependencies: + balanced-match: ^1.0.0 + checksum: 01dff195e3646bc4b0d27b63d9bab84d2ebc06121ff5013ad6e5356daa5a9d6b60fa26cf73c74797f2dc3fbec112af13578d51f75228c1112b26c790a87b0488 + languageName: node + linkType: hard + +"brace-expansion@npm:^5.0.2": + version: 5.0.4 + resolution: "brace-expansion@npm:5.0.4" + dependencies: + balanced-match: ^4.0.2 + checksum: ded86c0f0b138734110d67437fee52c1f97bc19175644788b1d71afec2d87d405cf05424ce428f88ae3abe8e09e13ee55f2675534b38076ef70e1e583ed75686 + languageName: node + linkType: hard + "braces@npm:^3.0.3, braces@npm:~3.0.2": version: 3.0.3 resolution: "braces@npm:3.0.3" 
@@ -26368,75 +26377,48 @@ __metadata: languageName: node linkType: hard -"minimatch@npm:2 || 3, minimatch@npm:^3.0.2, minimatch@npm:^3.0.4, minimatch@npm:^3.0.5, minimatch@npm:^3.1.1, minimatch@npm:^3.1.2": - version: 3.1.2 - resolution: "minimatch@npm:3.1.2" +"minimatch@npm:^10.2.3": + version: 10.2.4 + resolution: "minimatch@npm:10.2.4" dependencies: - brace-expansion: "npm:^1.1.7" - checksum: c154e566406683e7bcb746e000b84d74465b3a832c45d59912b9b55cd50dee66e5c4b1e5566dba26154040e51672f9aa450a9aef0c97cfc7336b78b7afb9540a + brace-expansion: ^5.0.2 + checksum: 56dce6b04c6b30b500d81d7a29822c108b7d58c46696ec7332d04a2bd104a5cb69e5c7ce93e1783dc66d61400d831e6e226ca101ac23665aff32ca303619dc3d languageName: node linkType: hard -"minimatch@npm:3.0.5": - version: 3.0.5 - resolution: "minimatch@npm:3.0.5" +"minimatch@npm:^3.1.3": + version: 3.1.5 + resolution: "minimatch@npm:3.1.5" dependencies: - brace-expansion: "npm:^1.1.7" - checksum: a3b84b426eafca947741b864502cee02860c4e7b145de11ad98775cfcf3066fef422583bc0ffce0952ddf4750c1ccf4220b1556430d4ce10139f66247d87d69e + brace-expansion: ^1.1.7 + checksum: 47ef6f412c08be045a7291d11b1c40777925accf7252dc6d3caa39b1bfbb3a7ea390ba7aba464d762d783265c644143d2c8a204e6b5763145024d52ee65a1941 languageName: node linkType: hard -"minimatch@npm:9.0.1": - version: 9.0.1 - resolution: "minimatch@npm:9.0.1" +"minimatch@npm:^5.1.8": + version: 5.1.9 + resolution: "minimatch@npm:5.1.9" dependencies: - brace-expansion: "npm:^2.0.1" - checksum: 97f5f5284bb57dc65b9415dec7f17a0f6531a33572193991c60ff18450dcfad5c2dad24ffeaf60b5261dccd63aae58cc3306e2209d57e7f88c51295a532d8ec3 + brace-expansion: ^2.0.1 + checksum: 418438bd7701ba811f1108f28fcd3a638a6065c7b1245b85e25bcdb674410b4bebd8763c90c91bc8d22d93260c02cc129b354267a463c3399be5732d6e11e120 languageName: node linkType: hard -"minimatch@npm:9.0.3": - version: 9.0.3 - resolution: "minimatch@npm:9.0.3" +"minimatch@npm:^8.0.6": + version: 8.0.7 + resolution: "minimatch@npm:8.0.7" dependencies: - 
brace-expansion: "npm:^2.0.1" - checksum: 253487976bf485b612f16bf57463520a14f512662e592e95c571afdab1442a6a6864b6c88f248ce6fc4ff0b6de04ac7aa6c8bb51e868e99d1d65eb0658a708b5 + brace-expansion: ^2.0.1 + checksum: edaefeb16297f4f3969287913adb04c12c5683f2bd8610c6d6bfd5aa5b98bbbfd6013a2d0bb24df62e8add9c265128df1bfdbb61bb043ef4aa86b449fc2a9c76 languageName: node linkType: hard -"minimatch@npm:^10.1.1": - version: 10.1.1 - resolution: "minimatch@npm:10.1.1" - dependencies: - "@isaacs/brace-expansion": ^5.0.0 - checksum: 8820c0be92994f57281f0a7a2cc4268dcc4b610f9a1ab666685716b4efe4b5898b43c835a8f22298875b31c7a278a5e3b7e253eee7c886546bb0b61fb94bca6b - languageName: node - linkType: hard - -"minimatch@npm:^5.0.1, minimatch@npm:^5.1.0": - version: 5.1.6 - resolution: "minimatch@npm:5.1.6" - dependencies: - brace-expansion: "npm:^2.0.1" - checksum: 7564208ef81d7065a370f788d337cd80a689e981042cb9a1d0e6580b6c6a8c9279eba80010516e258835a988363f99f54a6f711a315089b8b42694f5da9d0d77 - languageName: node - linkType: hard - -"minimatch@npm:^8.0.2": - version: 8.0.4 - resolution: "minimatch@npm:8.0.4" - dependencies: - brace-expansion: "npm:^2.0.1" - checksum: 2e46cffb86bacbc524ad45a6426f338920c529dd13f3a732cc2cf7618988ee1aae88df4ca28983285aca9e0f45222019ac2d14ebd17c1edadd2ee12221ab801a - languageName: node - linkType: hard - -"minimatch@npm:^9.0.0, minimatch@npm:^9.0.4, minimatch@npm:^9.0.5": - version: 9.0.5 - resolution: "minimatch@npm:9.0.5" +"minimatch@npm:^9.0.7": + version: 9.0.9 + resolution: "minimatch@npm:9.0.9" dependencies: - brace-expansion: "npm:^2.0.1" - checksum: 2c035575eda1e50623c731ec6c14f65a85296268f749b9337005210bb2b34e2705f8ef1a358b188f69892286ab99dc42c8fb98a57bde55c8d81b3023c19cea28 + brace-expansion: ^2.0.2 + checksum: 5292681ba1e14544ca9214ba5e412bb346214fb783354b22752f2d1e5c176e4a2c0bfcafeb1046389b816009ab73ba5410b176ce605632e8aa695db25f87f6b9 languageName: node linkType: hard From 77455f26650b2042f84f4ce1b83151c03b3d3156 Mon Sep 17 00:00:00 2001 
From: Antonis Lilis Date: Tue, 3 Mar 2026 11:45:05 +0100 Subject: [PATCH 2/2] chore(deps): bump tmp to ^0.2.4 (#5711) * chore(deps): bump tmp to ^0.2.4 Addresses Dependabot alert for tmp insecure temporary file creation. Uses yarn resolutions to force tmp >=0.2.4 across all consumers. https://github.com/getsentry/sentry-react-native/security/dependabot/329 Co-Authored-By: Claude Opus 4.6 * fix: add missing comma in package.json resolutions Co-Authored-By: Claude Sonnet 4.6 --------- Co-authored-by: Claude Opus 4.6 --- package.json | 3 ++- yarn.lock | 25 +------------------------ 2 files changed, 3 insertions(+), 25 deletions(-) diff --git a/package.json b/package.json index 3fcb853829..b01a627328 100644 --- a/package.json +++ b/package.json @@ -133,7 +133,8 @@ "tar-fs": "^3.1.1", "on-headers": "^1.1.0", "diff": "^5.2.2", - "tar": "^7.5.8" + "tar": "^7.5.8", + "tmp": "^0.2.4" }, "version": "0.0.0", "name": "sentry-react-native", diff --git a/yarn.lock b/yarn.lock index 077a232477..654ff0a7fa 100644 --- a/yarn.lock +++ b/yarn.lock @@ -27689,13 +27689,6 @@ __metadata: languageName: node linkType: hard -"os-tmpdir@npm:~1.0.2": - version: 1.0.2 - resolution: "os-tmpdir@npm:1.0.2" - checksum: 5666560f7b9f10182548bf7013883265be33620b1c1b4a4d405c25be2636f970c5488ff3e6c48de75b55d02bde037249fe5dbfbb4c0fb7714953d56aed062e6d - languageName: node - linkType: hard - "outvariant@npm:^1.2.1, outvariant@npm:^1.4.0": version: 1.4.3 resolution: "outvariant@npm:1.4.3" 
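Review bot: The unscoped `"tmp": "^0.2.4"` override forces every consumer onto tmp 0.2.x, including whichever package declared `tmp@^0.0.33` (the yarn.lock hunks in this patch remove that entry together with its `os-tmpdir` dependency), and under 0.x semver a 0.0.33 → 0.2.5 jump is a breaking change rather than a patch. The minimatch overrides in the previous commit of this series are scoped per dependent (`"<pkg>@npm:<version>/minimatch"`); the `tmp@^0.0.33` consumer should either be confirmed to still work on 0.2.5 or receive the same scoped treatment, e.g. `"<pkg>@npm:<version>/tmp": "^0.2.4"`, so that a tool does not break silently at runtime. The commit message also does not say whether that consumer is dev-only, which the minimatch commit does state for its set. The `resolutions` object this hunk edits opens above the hunk.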
@@ -32913,29 +32906,13 @@ __metadata: languageName: node linkType: hard -"tmp@npm:^0.0.33": - version: 0.0.33 - resolution: "tmp@npm:0.0.33" - dependencies: - os-tmpdir: "npm:~1.0.2" - checksum: 902d7aceb74453ea02abbf58c203f4a8fc1cead89b60b31e354f74ed5b3fb09ea817f94fb310f884a5d16987dd9fa5a735412a7c2dd088dd3d415aa819ae3a28 - languageName: node - linkType: hard - -"tmp@npm:^0.2.1": +"tmp@npm:^0.2.4": version: 0.2.5 resolution: "tmp@npm:0.2.5" checksum: 9d18e58060114154939930457b9e198b34f9495bcc05a343bc0a0a29aa546d2c1c2b343dae05b87b17c8fde0af93ab7d8fe8574a8f6dc2cd8fd3f2ca1ad0d8e1 languageName: node linkType: hard -"tmp@npm:^0.2.3, tmp@npm:~0.2.1": - version: 0.2.3 - resolution: "tmp@npm:0.2.3" - checksum: 73b5c96b6e52da7e104d9d44afb5d106bb1e16d9fa7d00dbeb9e6522e61b571fbdb165c756c62164be9a3bbe192b9b268c236d370a2a0955c7689cd2ae377b95 - languageName: node - linkType: hard - "tmpl@npm:1.0.5": version: 1.0.5 resolution: "tmpl@npm:1.0.5"