
fix(MSDK-3374): resolve npm dependency vulnerabilities #202

Merged
uc-brunosilva merged 1 commit into master from feature/MSDK-3374-security-vulnerabilities on Apr 16, 2026

Conversation


@islameldesoky95 islameldesoky95 commented Apr 15, 2026

User description

…ackage.json

  • Upgrade @react-native-community/cli to ^20.1.3 (was ^18.0.0, had CISA known exploit)
  • Upgrade cli-platform-android and cli-platform-ios to ^20.1.3
  • Remove deprecated metro-react-native-babel-preset (@react-native/babel-preset already present)
  • Remove @types/react-native (types now bundled in react-native itself)
  • Add npm overrides for transitive vulnerable deps: fast-xml-parser >=4.5.4, braces >=3.0.3, micromatch >=4.0.8, flatted >=3.4.2, lodash >=4.18.1, picomatch >=4.0.4, yaml >=2.8.3 (minimatch resolved via CLI v20 upgrade)
  • npm audit: 0 vulnerabilities | 32 tests passing

Summary by CodeRabbit

Chores

  • Upgraded React Native CLI and platform-specific tooling to version 20.1.3
  • Removed outdated development-time type declarations and Babel presets
  • Added minimum version constraints for transitive dependencies (fast-xml-parser, braces, micromatch, flatted, lodash, picomatch, yaml)

CodeAnt-AI Description

Update project dependencies to remove known security vulnerabilities

What Changed

  • Upgraded the React Native CLI packages to a newer release to remove a known vulnerable version
  • Removed deprecated and redundant React Native type packages from the root setup
  • Added package overrides so vulnerable transitive dependencies are replaced with safer versions
  • Added a lockfile to pin the updated dependency set

Impact

✅ Fewer dependency vulnerability alerts
✅ Safer installs for the app build setup
✅ Reduced risk from vulnerable transitive packages


…ackage.json

- Upgrade @react-native-community/cli to ^20.1.3 (was ^18.0.0, had CISA known exploit)
- Upgrade cli-platform-android and cli-platform-ios to ^20.1.3
- Remove deprecated metro-react-native-babel-preset (@react-native/babel-preset already present)
- Remove @types/react-native (types now bundled in react-native itself)
- Add npm overrides for transitive vulnerable deps:
  fast-xml-parser >=4.5.4, braces >=3.0.3, micromatch >=4.0.8,
  flatted >=3.4.2, lodash >=4.18.1, picomatch >=4.0.4, yaml >=2.8.3
  (minimatch resolved via CLI v20 upgrade)
- npm audit: 0 vulnerabilities | 32 tests passing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@codeant-ai

codeant-ai Bot commented Apr 15, 2026

CodeAnt AI is reviewing your PR.



@qodo-code-review

Review Summary by Qodo

Resolve npm dependency vulnerabilities and security exploits

🐞 Bug fix


Walkthroughs

Description
• Upgrade @react-native-community/cli to ^20.1.3 (CISA known exploit fix)
• Upgrade cli-platform-android and cli-platform-ios to ^20.1.3
• Remove deprecated metro-react-native-babel-preset and @types/react-native
• Add npm overrides for seven transitive vulnerable dependencies
• Achieves zero npm audit vulnerabilities with all tests passing
Diagram
flowchart LR
  A["package.json"] -->|"Upgrade CLI versions"| B["@react-native-community/cli ^20.1.3"]
  A -->|"Remove deprecated"| C["metro-react-native-babel-preset"]
  A -->|"Remove bundled types"| D["@types/react-native"]
  A -->|"Add overrides"| E["7 transitive deps"]
  B --> F["Zero vulnerabilities"]
  E --> F


File Changes

1. package.json Security, dependencies +12/-5

Upgrade CLI and add security overrides

• Upgraded @react-native-community/cli from ^18.0.0 to ^20.1.3 to address CISA known exploit
• Upgraded cli-platform-android and cli-platform-ios to ^20.1.3 for consistency
• Removed deprecated metro-react-native-babel-preset (functionality provided by @react-native/babel-preset)
• Removed @types/react-native (types now bundled in react-native package itself)
• Added npm overrides section with seven transitive vulnerable dependencies (fast-xml-parser, braces, micromatch, flatted, lodash, picomatch, yaml)


@qodo-code-review

qodo-code-review Bot commented Apr 15, 2026

Code Review by Qodo

🐞 Bugs (2)   📘 Rule violations (0)   📎 Requirement gaps (0)
⛨ Security (2)



Action required

1. Yarn ignores npm overrides 🐞
Description
The PR adds npm overrides to force patched transitive versions, but CI installs SDK dependencies using yarn install, so the dependency graph used in CI/Yarn environments is not constrained by these overrides. This makes the vulnerability remediation incomplete for a documented/supported install path.
Code

package.json[R66-74]

+  "overrides": {
+    "fast-xml-parser": ">=4.5.4",
+    "braces": ">=3.0.3",
+    "micromatch": ">=4.0.8",
+    "flatted": ">=3.4.2",
+    "lodash": ">=4.18.1",
+    "picomatch": ">=4.0.4",
+    "yaml": ">=2.8.3"
+  },
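Review bot: the `>=` floors in this overrides block are open-ended, so `"lodash": ">=4.18.1"` also admits a future 5.x major, and npm's `overrides` key is ignored by the `yarn install --frozen-lockfile` step the CI workflow uses; bound each entry with a caret (e.g. `"lodash": "^4.18.1"`) and either mirror the set in a Yarn `resolutions` block or move the CI install to `npm ci` against the committed package-lock.json.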
Evidence
package.json introduces npm overrides, while CI and documentation explicitly use/support Yarn installs; therefore the new override-based remediation won’t be applied in those flows.

.github/workflows/ci.yml[15-34]
README.md[31-34]
package.json[66-74]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR uses npm `overrides` to force patched transitive dependencies, but CI installs dependencies using Yarn and the README documents Yarn as supported. As a result, the override-based remediation is not applied in CI/Yarn installs.

## Issue Context
- CI runs `yarn install --frozen-lockfile` for the SDK.
- The PR adds an `overrides` block in `package.json`.

## Fix Focus Areas
Choose one consistent approach:
- **Option A (npm-only):** Switch CI SDK install steps to `npm ci` (and update docs/scripts to prefer npm), ensuring `package-lock.json` is the source of truth.
- **Option B (keep Yarn):** Add Yarn-equivalent constraints (e.g., `resolutions`) and commit a lockfile appropriate for Yarn; ensure CI uses that lock.

Fix Focus Areas (files/lines):
- package.json[66-74]
- .github/workflows/ci.yml[23-33]
- README.md[31-34]



2. Sample still uses old CLI 🐞
Description
Root devDependencies were upgraded to React Native CLI v20, but the sample app still pins @react-native-community/cli and platform packages to 18.0.0 and CI installs the sample via `npm ci`. This leaves the sample’s dependency tree on the older CLI version this PR is trying to move away from.
Code

package.json[R49-51]

+    "@react-native-community/cli": "^20.1.3",
+    "@react-native-community/cli-platform-android": "^20.1.3",
+    "@react-native-community/cli-platform-ios": "^20.1.3",
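Review bot: these three bumps to `^20.1.3` touch only the root package.json, while `sample/package.json` still pins the CLI and platform packages to 18.0.0 and CI installs the sample with `npm ci`, so the sample keeps pulling the version this PR is removing; bump the same three entries in `sample/package.json` and regenerate `sample/package-lock.json` in this PR.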
Evidence
The root package moves to CLI v20, but the sample’s package.json/lock remain on CLI 18, and CI explicitly installs the sample with npm, so the sample continues to pull the older CLI during CI runs.

package.json[49-51]
sample/package.json[29-36]
.github/workflows/ci.yml[73-82]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PR upgrades the root React Native CLI dependencies to v20, but the sample app still pins the CLI and platform packages to 18.0.0. CI installs the sample with `npm ci`, so the sample continues to use the older CLI dependency set.

## Issue Context
The sample app is installed in CI and is part of the repo’s supported development/testing flow, so it should follow the same security remediation approach as the root.

## Fix Focus Areas
- Bump `@react-native-community/cli`, `@react-native-community/cli-platform-android`, and `@react-native-community/cli-platform-ios` in `sample/package.json` to the same major/minor as root (or otherwise align with the sample’s RN version constraints).
- Regenerate `sample/package-lock.json` accordingly.
- If you rely on npm `overrides` for patching, consider adding equivalent constraints in the sample as well (or ensure the upgraded CLI removes the need).

Fix Focus Areas (files/lines):
- package.json[49-51]
- sample/package.json[29-36]
- sample/package-lock.json[20-40]




@coderabbitai

coderabbitai Bot commented Apr 15, 2026

📝 Walkthrough

Walkthrough

Updated React Native CLI tooling from version 18.0.0 to 20.1.3 across all platform packages. Removed two development-time dependencies and added an overrides block to enforce minimum versions for seven transitive dependencies.

Changes

Cohort / File(s): Dependency Management (package.json)
Summary: Upgraded @react-native-community/cli and platform packages to ^20.1.3. Removed @types/react-native and metro-react-native-babel-preset from devDependencies. Added transitive dependency overrides for fast-xml-parser, braces, micromatch, flatted, lodash, picomatch, and yaml using minimum version constraints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

Review effort 2/5, size:XS

Suggested reviewers

  • uc-brunosouza

Poem

🐰 Hopping through the versioning trees,
CLI tools updated with ease,
From eighteen to twenty we've sprung,
Dependencies cleaned and wrung,
Overrides set, transitive paths sung! 🌿

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately reflects the main change: resolving npm dependency vulnerabilities through version upgrades and overrides.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@islameldesoky95 islameldesoky95 changed the title security(MSDK-3374): resolve npm dependency vulnerabilities fix(MSDK-3374): resolve npm dependency vulnerabilities Apr 15, 2026
@codeant-ai codeant-ai Bot added the size:XXL This PR changes 1000+ lines, ignoring generated files label Apr 15, 2026
@pantoaibot

pantoaibot Bot commented Apr 15, 2026

PR Summary:

Update dev/devtooling dependencies to remediate npm vulnerabilities and add overrides to pin safe transitive dependency versions.

  • Bumped devDependencies: "@react-native-community/cli", "cli-platform-android", "cli-platform-ios" -> ^20.1.3 (from 18.x).
  • Removed devDependencies: "@types/react-native" and "metro-react-native-babel-preset".
  • Added an "overrides" section to force safe versions for vulnerable transitive packages: fast-xml-parser, braces, micromatch, flatted, lodash, picomatch, yaml.
  • No source code or runtime dependency changes; scripts, tests and peerDependencies unchanged.
  • Note: This is a developer-tooling/security change — run npm/yarn install and verify local dev tasks (build, codegen, run-android/ios, and tests) as CLI-major bumps may affect developer workflows.

Reviewed by Panto AI

@pantoaibot

pantoaibot Bot commented Apr 15, 2026

Reviewed up to commit:f2eb6ce4f08bfe4b50744e893db39bdc117f4726

Additional Suggestion
package.json, line:55 You removed @types/react-native from devDependencies. Modern react-native ships types, but ensure TypeScript compile/tests still work without that package (tsconfig, typeRoots, and any code referencing older @types APIs). Run `yarn/npm run compile` and jest to confirm no missing type errors and re-add the types package only if required.
package.json, line:60 metro-react-native-babel-preset was removed. Confirm that your Babel and Metro configuration rely on @react-native/babel-preset (already present) and that metro config does not explicitly require the removed preset. Run Metro dev server and verify transforms for both iOS and Android to avoid runtime JS transform regressions.

Reviewed by Panto AI


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 66-74: The overrides block currently uses open-ended ranges like "fast-xml-parser": ">=4.5.4" which permit major upgrades; update each entry in the overrides object (fast-xml-parser, braces, micromatch, flatted, lodash, picomatch, yaml) to use bounded caret ranges (e.g. "^4.5.4") so you lock to compatible major versions while allowing minor/patch updates; keep the same version numbers but replace the ">=" prefix with "^" for all listed packages in the overrides object.
ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between cd01f6d and f2eb6ce.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • sample/Gemfile.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json
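As an added example (not code from the PR, the project, or any of the review bots), the check below walks an npm lockfile's packages map and reports every installed copy of an overridden package that falls outside its override range, nested copies included, and its satisfies() helper shows the difference CodeRabbit raises between open-ended >= ranges and bounded ^ ranges. The lockfile fragment and override set are constructed for illustration; only >= and ^ ranges are handled, and a Yarn install would need the same check against a resolutions block, since, as Qodo notes, Yarn ignores npm overrides.

```javascript
// Parse "X.Y.Z" (any prerelease/build suffix is ignored) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` satisfies `range`. ">=" is open-ended (a future major
// passes); "^" stays within the same major (same minor while major is 0).
function satisfies(version, range) {
  const m = /^(>=|\^)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const v = parseVersion(version);
  const min = parseVersion(m[2]);
  if (compare(v, min) < 0) return false;
  if (m[1] === '>=') return true;
  return min[0] > 0 ? v[0] === min[0] : v[1] === min[1];
}

// Walk an npm v2/v3 lockfile's "packages" map (keys like "node_modules/lodash" or
// "node_modules/tool/node_modules/lodash"; nested copies are where stale versions
// hide) and return every installed copy that falls outside its override range.
function findOverrideViolations(lock, overrides) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const range = overrides[name];
    if (range && !satisfies(entry.version, range)) {
      violations.push({ path, version: entry.version, range });
    }
  }
  return violations;
}

// Constructed sample lockfile fragment and override set (not the PR's real files).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.18.1' },
    'node_modules/braces': { version: '3.0.3' },
    'node_modules/some-tool/node_modules/braces': { version: '3.0.2' }, // stale nested copy
    'node_modules/fast-xml-parser': { version: '4.5.4' },
  },
};
const OVERRIDES = { 'fast-xml-parser': '>=4.5.4', braces: '>=3.0.3', lodash: '>=4.18.1' };
```

Running findOverrideViolations(SAMPLE_LOCK, OVERRIDES) flags only the nested braces 3.0.2 copy, which is the kind of leftover an `npm audit` clean run should be cross-checked against after a lockfile is regenerated.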

@codeant-ai

codeant-ai Bot commented Apr 15, 2026

CodeAnt AI finished reviewing your PR.

@uc-brunosilva uc-brunosilva merged commit 0ad792f into master Apr 16, 2026
4 checks passed