
[Snyk] Security upgrade react-native from 0.81.5 to 0.84.0#10987

Open
revan-zhang wants to merge 33 commits into x from snyk-fix-b730c1e335a337307d909519f38370c8

Conversation

revan-zhang (Contributor) commented Mar 31, 2026


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.

Snyk changed the following file(s):

  • apps/mobile/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the .yarn/cache directory.
If you are not using zero-installs you can ignore this, as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

  • Infinite loop (high severity), SNYK-JS-BRACEEXPANSION-15789759

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.




Note

Medium Risk
Upgrades the core React Native runtime, which can introduce build/ABI and native module compatibility regressions despite being a single-line change.

Overview
Bumps the mobile app’s core framework dependency by upgrading react-native from 0.81.5 to 0.84.0 in apps/mobile/package.json (Snyk security upgrade).

No other code or dependency changes are included in this diff.

Written by Cursor Bugbot for commit 523f4b7. This will update automatically on new commits.

revan-zhang (Contributor, Author) commented Mar 31, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

devin-ai-integration bot (Contributor) left a comment

Devin Review found 2 potential issues.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",
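Review bot: this one-line bump of "react-native" to "0.84.0" ships without a matching lockfile change, and the PR body itself reports "Failed to update the yarn.lock, please update manually before merging", so an immutable install will reject the manifest and the upgrade is not consumable until yarn.lock is regenerated and committed alongside it. The same manifest also keeps "@react-native/metro-config" at 0.81.5 while the core package moves to 0.84.0; suggest bumping that devDependency in the same change so the two stay in lockstep.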

🔴 Root resolutions field pins react-native to 0.81.5, making the 0.84.0 bump ineffective

The root package.json has "react-native": "0.81.5" in the resolutions field (package.json:359), which in Yarn workspaces forces all workspace packages to resolve react-native to version 0.81.5, regardless of what individual workspace packages declare. This means the version bump to 0.84.0 in apps/mobile/package.json will be silently overridden and have no effect. The root package.json also declares react-native: "0.81.5" as a direct dependency (package.json:195). Both of these must be updated to 0.84.0 for the intended version change to take effect.

Prompt for agents
The react-native version bump in apps/mobile/package.json to 0.84.0 is overridden by the root package.json resolutions field. To make this change effective, update the following in the root package.json:

1. package.json line 195: Change "react-native": "0.81.5" to "react-native": "0.84.0" (in dependencies)
2. package.json line 359: Change "react-native": "0.81.5" to "react-native": "0.84.0" (in resolutions)

Additionally, update apps/mobile/package.json line 38: Change "@react-native/metro-config": "0.81.5" to match the new react-native version (the @react-native/metro-config package version should align with the react-native version).

Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

🔴 @react-native/metro-config version not updated to match react-native 0.84.0

The @react-native/metro-config devDependency remains at 0.81.5 (apps/mobile/package.json:38) while react-native is bumped to 0.84.0. The @react-native/metro-config package is part of the React Native monorepo and its version must match the react-native version being used. A version mismatch can cause Metro bundler incompatibilities, build failures, or subtle runtime issues due to mismatched Metro configuration expectations.


cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 3 potential issues.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

Critical patch file will silently stop applying after upgrade

High Severity

Upgrading react-native to 0.84.0 without renaming the existing patches/react-native+0.81.5.patch file means patch-package (run during postinstall) will silently skip applying this patch. The patch contains substantial custom functionality — image paste handling for both single-line and multi-line text inputs, modal transition animation fixes, an Android NullPointerException guard in ReactViewGroup.dispatchDraw, nil-safety checks in RCTTurboModule, fmt podspec upgrades, and a new onPaste event emitter. All of these customizations will be lost at runtime.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

Metro config version not updated to match react-native

High Severity

react-native is bumped to 0.84.0 but @react-native/metro-config in devDependencies remains at 0.81.5. These packages are versioned in lockstep and expected to match. React Native 0.84 includes breaking changes (Hermes V1 default, legacy architecture removal) that likely require the corresponding metro config version (0.84.x) to bundle correctly.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

React Native 0.84 incompatible with Expo SDK 54

High Severity

Expo SDK 54 ("expo": "54.0.26") ships with and is designed for React Native 0.81. Bumping react-native to 0.84.0 without upgrading the Expo SDK creates a fundamental incompatibility — Expo SDK 55 only supports up to RN 0.83.2, and RN 0.84 requires Expo SDK 56 (currently only in canary). This will cause build failures or severe runtime errors since Expo's native modules, autolinking, and build tooling are tightly coupled to a specific React Native version.


chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 523f4b7ffc


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

P1 Badge Regenerate lockfile for the react-native upgrade

After bumping react-native to 0.84.0 here, the lockfile is still pinned to react-native@npm:0.81.5 (yarn.lock:40517), so immutable installs fail before build/test; for example, the lint pipeline runs yarn install --immutable (.github/workflows/lint.yml:54) and this now exits with YN0028 because the lockfile would be modified. This means the security upgrade in this commit is not actually consumable in CI until yarn.lock is updated and committed.


socket-security bot commented Mar 31, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: Obfuscated code: npm @polkadot/util-crypto is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: npm/@polkadot/util-crypto@13.5.9


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@polkadot/util-crypto@13.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


devin-ai-integration bot (Contributor) left a comment

Devin Review found 1 new potential issue.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",

🔴 Existing react-native+0.81.5.patch will not apply to the new 0.84.0 version

There is a substantial patches/react-native+0.81.5.patch (635 lines) that adds critical functionality: image paste support in TextInput, modal transition animation fixes, a NullPointerException crash guard in ReactViewGroup.dispatchDraw, nil-safety in RCTTurboModule, and an fmt podspec version bump. patch-package matches patches by exact name+version, so upgrading to 0.84.0 means this patch will silently stop being applied. This will cause loss of the image paste feature, re-introduce the reanimated NPE crash on Android, and potentially cause iOS build failures due to the missing fmt podspec fix. A new react-native+0.84.0.patch must be created (or the patches verified as already upstreamed in 0.84.0).

Prompt for agents
The file patches/react-native+0.81.5.patch contains critical patches (image paste support, modal transition fixes, NPE crash guard, nil-safety in TurboModules, fmt podspec version). Since react-native is being bumped from 0.81.5 to 0.84.0, patch-package will no longer apply this patch. You need to:
1. Check if each fix in the patch has been upstreamed into react-native 0.84.0
2. For any fixes not yet upstreamed, create a new patches/react-native+0.84.0.patch with the equivalent changes adapted to the 0.84.0 codebase
3. Remove the old patches/react-native+0.81.5.patch only after confirming all fixes are covered
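Added example, not code from the PR, the repository, or any of the review bots: a Node script that mechanically checks the three failure modes raised in this thread before a dependency bump is merged, a root resolutions pin silently overriding a workspace's declared version, a patch-package file whose "<name>+<version>.patch" name no longer matches the installed version, and lockstep packages (react-native and @react-native/metro-config) drifting apart. The package.json objects, the patch file list and the installed-version map are constructed stand-ins for the repository's real files; the "@example/scoped-lib" package is invented to exercise the scoped-name form of patch-package file names.

```javascript
// Added example (not from the PR or the project): pre-merge checks for a
// dependency bump in a Yarn workspace that uses patch-package.
// All inputs below are constructed stand-ins: the manifests for the real
// package.json files, patchFiles for a listing of patches/, and
// installedVersions for reading node_modules/<pkg>/package.json after install.

const DEP_FIELDS = ["dependencies", "devDependencies"];

// Root "resolutions" win over any version a workspace declares. Report every
// workspace dependency whose declared version differs from the root pin.
function findResolutionOverrides(rootPkg, workspaces) {
  const resolutions = rootPkg.resolutions || {};
  const overrides = [];
  for (const [wsPath, wsPkg] of Object.entries(workspaces)) {
    for (const field of DEP_FIELDS) {
      for (const [name, declared] of Object.entries(wsPkg[field] || {})) {
        const pinned = resolutions[name];
        if (pinned !== undefined && pinned !== declared) {
          overrides.push({ workspace: wsPath, name, declared, pinned });
        }
      }
    }
  }
  return overrides;
}

// patch-package names files "<name>+<version>.patch"; a scoped package becomes
// "@scope+name+<version>.patch". The version is taken as the last "+" segment.
function parsePatchName(fileName) {
  const stem = fileName.replace(/\.patch$/, "");
  const parts = stem.split("+");
  if (parts.length < 2) return null;
  const version = parts[parts.length - 1];
  const nameParts = parts.slice(0, -1);
  const name = nameParts[0].startsWith("@") && nameParts.length === 2
    ? `${nameParts[0]}/${nameParts[1]}`
    : nameParts.join("+");
  return { name, version };
}

// A patch applies only when its file name matches the installed version
// exactly; anything else is skipped without error, so flag it here.
function findStalePatches(patchFiles, installedVersions) {
  const stale = [];
  for (const file of patchFiles) {
    const parsed = parsePatchName(file);
    if (!parsed) continue;
    const installed = installedVersions[parsed.name];
    if (installed !== parsed.version) {
      stale.push({ file, name: parsed.name, patched: parsed.version, installed: installed || null });
    }
  }
  return stale;
}

// Packages released in lockstep must carry the same version in one manifest.
function findLockstepMismatches(pkg, lockstepPairs) {
  const versionOf = (name) => {
    for (const field of DEP_FIELDS) {
      if (pkg[field] && pkg[field][name] !== undefined) return pkg[field][name];
    }
    return undefined;
  };
  const mismatches = [];
  for (const [anchor, follower] of lockstepPairs) {
    const a = versionOf(anchor);
    const f = versionOf(follower);
    if (a !== undefined && f !== undefined && a !== f) {
      mismatches.push({ anchor, anchorVersion: a, follower, followerVersion: f });
    }
  }
  return mismatches;
}

// Constructed sample input modelled on this PR: only the workspace manifest
// was bumped, the root pin, the patch file and metro-config were left alone.
const rootPkg = {
  dependencies: { "react-native": "0.81.5" },
  resolutions: { "react-native": "0.81.5" },
};
const workspaces = {
  "apps/mobile": {
    dependencies: { react: "19.1.0", "react-native": "0.84.0" },
    devDependencies: { "@react-native/metro-config": "0.81.5" },
  },
};
const patchFiles = ["react-native+0.81.5.patch", "@example+scoped-lib+1.0.0.patch"];
const installedVersions = { "react-native": "0.84.0", "@example/scoped-lib": "1.0.0" };

function runChecks() {
  return {
    overrides: findResolutionOverrides(rootPkg, workspaces),
    stalePatches: findStalePatches(patchFiles, installedVersions),
    lockstep: findLockstepMismatches(workspaces["apps/mobile"], [["react-native", "@react-native/metro-config"]]),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Against the constructed input every list comes back non-empty, which is exactly the state the bots describe for this PR; a CI wrapper would read the real manifests and the patches/ listing from disk instead of the embedded objects and fail the job whenever any of the three lists is non-empty.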
