[CHORE] Solve dependabot-raised security issues#1171

Open
sbarrio wants to merge 1 commit into develop from sbarrio/fix/solve-dependabot-dependency-security-issues

@sbarrio sbarrio commented Mar 4, 2026

What does this PR do?

This PR updates versions of dev dependencies that have been marked as having security issues by dependabot.

In particular, the fixes are as follows:

| Package | Previous | Updated | Severity | Fix Applied |
|---|---|---|---|---|
| fast-xml-parser | 4.4.1 | 4.5.4 | Critical + High + Low | Updated resolutions in package.json |
| basic-ftp | 5.0.5 | 5.2.0 | Critical | Added resolutions entry in package.json |
| axios | 1.12.0 | 1.13.5 | High | Updated resolutions in package.json + direct dep in example/package.json |
| tar | 6.2.1 / 7.4.3 | 7.5.9 | High | Bumped lerna 9.0.3→9.0.5 (dropped tar@6 pin) + added resolutions entry |
| minimatch (3.x) | 3.0.5 / 3.1.2 | 3.1.3 | High | Per-specifier resolutions entries in package.json |
| minimatch (5.x) | 5.1.6 | 5.1.8 | High | Per-specifier resolutions entry in package.json |
| minimatch (9.x) | 9.0.3 / 9.0.5 | 9.0.7 | High | Per-specifier resolutions entries in package.json |
| minimatch (10.x) | 10.1.1 | 10.2.3 | High | Per-specifier resolutions entries in package.json |
| ajv | 8.17.1 | 8.18.0 | Medium | Added resolutions entry in package.json |
| lodash | 4.17.21 | 4.17.23 | Medium | Added resolutions entry in package.json |
| qs | 6.14.0 | 6.15.0 | Low | Added resolutions entry in package.json |

Also, on example and example-new-architecture I've added unstable_enablePackageExports: true and unstable_conditionNames with react-native so Metro supports package exports and is able to directly import axios without having to also import crypto, which is required on the old-style bundle. Since the example apps don't need it, it's better to import just axios in this manner. The benchmark app is not affected by this.

Motivation

We should avoid security issues on the SDK, even for dev dependencies.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests
  • Make sure you discussed the feature or bugfix with the maintaining team in an Issue
  • Make sure each commit and the PR mention the Issue number (cf the CONTRIBUTING doc)
  • If this PR is auto-generated, please make sure also to manually update the code related to the change
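As an added example (not code from this PR or from the project), the check a reviewer would want after a resolutions-based bump like the one tabled above: confirm that every installed copy of a pinned package, nested copies included, actually satisfies the resolution. Both the `resolutions` object and the `installed` list below are constructed to mirror the PR's table; in a real checkout the `installed` list would be built by walking `node_modules` (and `example/node_modules`) and reading each `package.json`. Per-specifier keys are interpreted by major version only, which is a simplification of yarn's full range matching.

```javascript
// Constructed: a yarn "resolutions" block in the shape the PR describes.
// Keys are either bare ("axios") or per-specifier ("minimatch@^3.0.0").
const resolutions = {
  "fast-xml-parser": "4.5.4",
  "axios": "1.13.5",
  "minimatch@^3.0.0": "3.1.3",
  "minimatch@^5.0.0": "5.1.8",
  "minimatch@^9.0.0": "9.0.7",
};

// Constructed: one entry per installed copy, as an install-tree walk would
// produce. Two copies are deliberately left at pre-bump versions to show
// what a resolution that did not take effect looks like.
const installed = [
  { name: "fast-xml-parser", version: "4.5.4", path: "node_modules/fast-xml-parser" },
  { name: "axios", version: "1.12.0", path: "example/node_modules/axios" }, // stale copy
  { name: "minimatch", version: "3.1.3", path: "node_modules/minimatch" },
  { name: "minimatch", version: "5.1.6", path: "node_modules/glob/node_modules/minimatch" }, // stale copy
  { name: "minimatch", version: "9.0.7", path: "node_modules/foo/node_modules/minimatch" },
];

// Parse "MAJOR.MINOR.PATCH" (any pre-release suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split a resolutions key into the package name and, for per-specifier keys,
// the major version the specifier targets. Scoped names ("@scope/pkg") are
// handled because only the last "@" separates name from specifier.
function parseResolutionKey(key) {
  const at = key.lastIndexOf("@");
  if (at <= 0) return { name: key, major: null };
  const name = key.slice(0, at);
  const spec = key.slice(at + 1);
  const m = /^[\^~]?(\d+)/.exec(spec);
  if (!m) throw new Error(`unsupported specifier in resolution key: ${key}`);
  return { name, major: Number(m[1]) };
}

// Return one finding per installed copy that is older than its resolution.
// A bare key applies to every copy of the package; a per-specifier key only
// to copies whose major version matches the specifier.
function checkResolutions(resolutions, installed) {
  const findings = [];
  for (const [key, minVersion] of Object.entries(resolutions)) {
    const { name, major } = parseResolutionKey(key);
    const copies = installed.filter(
      (p) => p.name === name && (major === null || parseVersion(p.version)[0] === major),
    );
    for (const copy of copies) {
      if (compareVersions(copy.version, minVersion) < 0) {
        findings.push({ key, path: copy.path, installed: copy.version, expected: minVersion });
      }
    }
  }
  return findings;
}

const findings = checkResolutions(resolutions, installed);
for (const f of findings) {
  console.log(`${f.key}: ${f.path} has ${f.installed}, resolution requires ${f.expected}`);
}
console.log(findings.length === 0 ? "all resolutions honoured" : `${findings.length} stale copies`);
```

On the constructed input this reports the stale `axios` copy under `example/node_modules` and the nested `minimatch@5` copy under `glob`, which is exactly the situation the PR's per-specifier entries and the direct dep in `example/package.json` are meant to avoid; a clean tree produces no findings. The same check is easy to turn into a CI step so a later `yarn install` cannot silently regress a pinned version.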

@sbarrio sbarrio force-pushed the sbarrio/fix/solve-dependabot-dependency-security-issues branch from 3069881 to eb2a425 on March 4, 2026 11:31
@sbarrio sbarrio marked this pull request as ready for review March 4, 2026 11:43
@sbarrio sbarrio requested a review from a team as a code owner March 4, 2026 11:43