
[Snyk] Security upgrade react-native from 0.81.5 to 0.85.0 #11129

Open
revan-zhang wants to merge 67 commits into x from snyk-fix-1557a1a73cc191031b259d4bbc27f674

Conversation

revan-zhang (Contributor) commented Apr 9, 2026


Snyk has created this PR to fix 4 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • apps/mobile/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the .yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                                       Score
high severity    Regular Expression Denial of Service (ReDoS)           SNYK-JS-MINIMATCH-15309438        660
high severity    Inefficient Algorithmic Complexity                     SNYK-JS-MINIMATCH-15353389        660
high severity    Infinite loop                                          SNYK-JS-BRACEEXPANSION-15789759   555
medium severity  Missing Release of Resource after Effective Lifetime   SNYK-JS-INFLIGHT-6095116          535

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.


revan-zhang (Contributor, Author) commented Apr 9, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine             Critical  High  Medium  Low  Total (0)
Open Source Security    0         0     0       0    0 issues
Licenses                0         0     0       0    0 issues


chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7aad2426b4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.85.0",
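Review bot: the hunk bumps react-native in apps/mobile/package.json only, while the PR description above already reports that yarn.lock could not be updated, so a CI step running `yarn install --immutable` will reject the checkout (YN0028). Regenerate the lockfile on this branch before merging, and confirm the bump actually takes effect: the reviews below note that the root package.json carries a `resolutions` entry pinning react-native to 0.81.5, which overrides this line under Yarn Berry, so `yarn why react-native` should be re-checked after the root entry is raised to 0.85.0 as well.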

P1: Update lockfile for the react-native version bump

This change updates apps/mobile/package.json but does not update yarn.lock, so CI jobs that run yarn install --immutable (for example in .github/workflows/lint.yml and .github/workflows/react-native-unittest.yml) will fail with YN0028 because the lockfile would need to change from react-native: npm:0.81.5 to npm:0.85.0 in the workspace entry.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.85.0",

P1: Align root resolution with the react-native upgrade

Changing this dependency alone does not actually upgrade the installed runtime because the root package.json still pins resolutions.react-native to 0.81.5; yarn why react-native still resolves @onekeyhq/mobile to react-native@0.81.5, so the security-remediation intent of this commit is not achieved.


devin-ai-integration bot (Contributor) left a comment

Devin Review found 3 potential issues.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.85.0",

🔴 Version bump ineffective: root resolutions pin react-native to 0.81.5

The root package.json:370 has "react-native": "0.81.5" in the resolutions field. In Yarn Berry (v4), resolutions override all version specifications across all workspaces. This means the apps/mobile/package.json change from 0.81.5 to 0.85.0 will be silently overridden — the actually-installed version will remain 0.81.5. This creates a misleading discrepancy between the declared version (0.85.0) and the resolved version (0.81.5). Additionally, the root package.json:206 lists "react-native": "0.81.5" in its own dependencies. If the intent is to upgrade react-native for the mobile app, both the root resolution and root dependency must also be updated.

Prompt for agents
The change to react-native 0.85.0 in apps/mobile/package.json is overridden by the root package.json resolutions field (line 370: "react-native": "0.81.5") and the root dependencies (line 206: "react-native": "0.81.5"). In Yarn Berry (v4, used by this project per packageManager field), resolutions force all workspaces to use the specified version.

To actually upgrade react-native:
1. Update root package.json resolutions (line 370) from 0.81.5 to 0.85.0
2. Update root package.json dependencies (line 206) from 0.81.5 to 0.85.0
3. Update @react-native/metro-config in apps/mobile/package.json devDependencies (line 38) to the version matching react-native 0.85.0
4. Create or rename the patch file patches/react-native+0.81.5.patch to patches/react-native+0.85.0.patch (and verify the patch still applies cleanly to the new version)
5. Verify all native dependencies are compatible with react-native 0.85.0

Alternatively, if this was an automated PR (e.g. Snyk) that doesn't account for monorepo constraints, the version in apps/mobile/package.json should be reverted to 0.81.5 to keep it consistent with the rest of the monorepo.

Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.85.0",
devin-ai-integration bot (Contributor) commented Apr 9, 2026

🔴 @react-native/metro-config version not updated to match react-native 0.85.0

@react-native/metro-config is still pinned to 0.81.5 in devDependencies (apps/mobile/package.json:38) while react-native is being bumped to 0.85.0. The @react-native/metro-config package is a companion package that must match the react-native version — it provides the default Metro configuration (resolver defaults, transformer defaults, etc.) that is tightly coupled to the specific React Native version. Using a mismatched version can cause build failures, incorrect Metro resolver behavior, or subtle bundling issues.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.85.0",
devin-ai-integration bot (Contributor) commented Apr 9, 2026

🔴 Version-specific patch for react-native will not be applied after upgrade

The react-native version is bumped from 0.81.5 to 0.85.0, but the existing patches/react-native+0.81.5.patch file is not renamed to patches/react-native+0.85.0.patch. patch-package matches patch files by exact version (pattern: <package-name>+<version>.patch), so the 635-line patch will silently not be applied after the upgrade. This patch contains critical customizations including image paste support for TextInput (iOS), modal transition animation fixes, null safety for JSI convertNSStringToJSIString / convertObjCObjectToJSIValue, an Android NullPointerException guard in ReactViewGroup.dispatchDraw, and a fmt podspec version bump. Losing these patches will cause regressions in paste functionality, potential JSI crashes on nil values, and visual glitches during modal transitions.


socket-security bot commented Apr 9, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm @polkadot/util-crypto is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ?npm/@polkadot/util-crypto@13.5.9


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@polkadot/util-crypto@13.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

devin-ai-integration bot (Contributor) left a comment

Devin Review found 1 new potential issue.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.85.0",

🔴 react 19.1.0 does not satisfy react-native 0.85.0's peer dependency of ^19.2.3

react-native 0.85.0 declares a peer dependency of react: ^19.2.3, but the package.json still pins react at 19.1.0 (line 123). This version mismatch will produce peer dependency warnings/errors during install and can cause runtime incompatibilities since RN 0.85 may rely on React 19.2+ APIs or internals.

Verified peer dependency via npm registry

npm view react-native@0.85.0 peerDependencies returns { react: '^19.2.3' }, while npm view react-native@0.81.5 peerDependencies returns { react: '^19.1.0' }. The PR bumps RN but does not bump React to match.

Prompt for agents
react-native 0.85.0 requires react ^19.2.3 as a peer dependency. The react version at apps/mobile/package.json:123 needs to be bumped from 19.1.0 to at least 19.2.3. Note that react is likely also pinned in other app packages (desktop, web, ext) and in the root package.json, so all occurrences should be updated consistently. Also check if @types/react needs updating (RN 0.85.0 requires @types/react ^19.1.1).
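The four Devin findings above (the root resolutions pin, the companion @react-native/metro-config package, the version-specific patch-package file, and the react peer range) are all properties of the manifests and the patches directory, so they can be checked mechanically before a dependency-bump PR reaches review. The script below is an added example; it is not code from the PR, from Snyk, Devin or Codex, or from the OneKey project. It runs those checks over constructed in-memory manifests that mirror the values quoted in the reviews. The PEER_DEPS table stands in for what `npm view <pkg>@<version> peerDependencies` returns, the COMPANION_PACKAGES list and the finding codes are assumptions of this example, and the semver helper only understands exact versions and caret ranges.

```javascript
// Added example (not the PR's or the project's code): a pre-merge consistency check for a
// dependency bump in a Yarn Berry monorepo, reproducing the review findings above.

// Assumption: companion packages that must be pinned to exactly the react-native version.
const COMPANION_PACKAGES = ['@react-native/metro-config'];

// Minimal semver support (exact versions and caret ranges) so the file runs without npm 'semver'.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not an exact version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    // Caret range: same major version and not lower than the base version.
    return parseVersion(version)[0] === parseVersion(base)[0] && compareVersions(version, base) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// Yarn Berry: a root "resolutions" entry overrides whatever any workspace declares.
function effectiveVersion(root, workspace, name) {
  const pinned = root.resolutions && root.resolutions[name];
  if (pinned) return { version: pinned, source: 'root resolutions' };
  return { version: (workspace.dependencies || {})[name], source: 'workspace dependencies' };
}

// patch-package naming: <name>+<version>.patch, with '/' in scoped names written as '+'.
function patchFileName(pkg, version) {
  return `${pkg.replace('/', '+')}+${version}.patch`;
}

function checkUpgrade({ root, workspace, patchFiles, peerDeps, pkg }) {
  const findings = [];
  const declared = workspace.dependencies[pkg];
  const effective = effectiveVersion(root, workspace, pkg);
  if (effective.version !== declared) {
    findings.push({ code: 'RESOLUTION_PIN', detail: `${pkg} declared ${declared} but ${effective.source} yields ${effective.version}` });
  }
  const rootDep = (root.dependencies || {})[pkg];
  if (rootDep && rootDep !== declared) {
    findings.push({ code: 'ROOT_DEP_MISMATCH', detail: `root dependencies pin ${pkg} to ${rootDep}` });
  }
  for (const companion of COMPANION_PACKAGES) {
    const v = (workspace.devDependencies || {})[companion];
    if (v && v !== declared) {
      findings.push({ code: 'COMPANION_MISMATCH', detail: `${companion} is ${v}, expected ${declared}` });
    }
  }
  // A patch for the old version silently stops applying once the version changes.
  const wanted = patchFileName(pkg, declared);
  const stale = patchFiles.filter((f) => f.startsWith(`${pkg.replace('/', '+')}+`) && f !== wanted);
  if (stale.length > 0 && !patchFiles.includes(wanted)) {
    findings.push({ code: 'PATCH_MISSING', detail: `${stale.join(', ')} will not apply; expected ${wanted}` });
  }
  // Peer ranges are checked against the version that is actually installed, resolutions included.
  const peers = peerDeps[`${pkg}@${declared}`] || {};
  for (const [peer, range] of Object.entries(peers)) {
    const installed = effectiveVersion(root, workspace, peer).version;
    if (!installed || !satisfies(installed, range)) {
      findings.push({ code: 'PEER_UNSATISFIED', detail: `${peer} ${installed} does not satisfy ${range}` });
    }
  }
  return findings;
}

// Constructed manifests mirroring the values quoted in the reviews (not the real repo files).
const PEER_DEPS = { 'react-native@0.85.0': { react: '^19.2.3' }, 'react-native@0.81.5': { react: '^19.1.0' } };
const PR_STATE = {
  pkg: 'react-native',
  root: { dependencies: { 'react-native': '0.81.5' }, resolutions: { 'react-native': '0.81.5' } },
  workspace: { dependencies: { react: '19.1.0', 'react-native': '0.85.0' },
               devDependencies: { '@react-native/metro-config': '0.81.5' } },
  patchFiles: ['react-native+0.81.5.patch'],
  peerDeps: PEER_DEPS,
};
const FIXED_STATE = {
  pkg: 'react-native',
  root: { dependencies: { 'react-native': '0.85.0' }, resolutions: { 'react-native': '0.85.0' } },
  workspace: { dependencies: { react: '19.2.3', 'react-native': '0.85.0' },
               devDependencies: { '@react-native/metro-config': '0.85.0' } },
  patchFiles: ['react-native+0.85.0.patch'],
  peerDeps: PEER_DEPS,
};

function reviewPr() { return checkUpgrade(PR_STATE); }
function reviewFixed() { return checkUpgrade(FIXED_STATE); }

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of reviewPr()) console.log(`${f.code}: ${f.detail}`);
  console.log(`after fixes: ${reviewFixed().length} findings`);
}
```

Run with `node` to see the five findings for the PR as submitted and zero for the corrected manifests. Checking peer ranges against the effective version rather than the declared one matters in this layout: had react been pinned in root resolutions too, the workspace's own react entry would be irrelevant to what Yarn installs.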
