Skip to content

build(deps): bump @react-navigation/drawer from 7.5.8 to 7.12.2#5

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/react-navigation/drawer-7.12.0
Closed

build(deps): bump @react-navigation/drawer from 7.5.8 to 7.12.2#5
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/react-navigation/drawer-7.12.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown

Bumps @react-navigation/drawer from 7.5.8 to 7.12.2.

Release notes

Sourced from @​react-navigation/drawer's releases.

@​react-navigation/drawer@​7.12.0

7.12.0 (2026-06-11)

Features

@​react-navigation/drawer@​7.11.0

7.11.0 (2026-06-07)

Bug Fixes

Features

@​react-navigation/drawer@​7.10.0

7.10.0 (2026-05-11)

Features

Changelog

Sourced from @​react-navigation/drawer's changelog.

7.12.2 (2026-06-15)

Note: Version bump only for package @​react-navigation/drawer

7.12.1 (2026-06-14)

Note: Version bump only for package @​react-navigation/drawer

7.12.0 (2026-06-11)

Features

7.11.2 (2026-06-09)

Note: Version bump only for package @​react-navigation/drawer

7.11.1 (2026-06-08)

Note: Version bump only for package @​react-navigation/drawer

7.11.0 (2026-06-07)

Bug Fixes

Features

7.10.3 (2026-05-25)

Note: Version bump only for package @​react-navigation/drawer

7.10.2 (2026-05-14)

Note: Version bump only for package @​react-navigation/drawer

7.10.1 (2026-05-13)

Note: Version bump only for package @​react-navigation/drawer

7.10.0 (2026-05-11)

Features

... (truncated)

Commits

@dependabot @github

dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: client, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot changed the title Bump @react-navigation/drawer from 7.5.8 to 7.12.0 build(deps): Bump @react-navigation/drawer from 7.5.8 to 7.12.0 Jun 14, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/react-navigation/drawer-7.12.0 branch 2 times, most recently from b06d661 to 8abe599 Compare June 14, 2026 05:42
miningtheblocks added a commit that referenced this pull request Jun 17, 2026
… distribuido

Tres CRIT del audit Round 2 que comparten el área del mint processor + feed
realtime multiplayer. Eran independientes pero juntos cierran el bloque
"robustez onchain + realtime":

1. Schema canónico `minedAt` en mineCube.

   Antes se escribía `ts: Date.now()` en mined/{cubeId}, pero
   firestore.indexes.json declara mined[K, minedAt DESC] y DynamicCube201.js
   subscribe con orderBy('minedAt', 'desc'). El index quedaba unused y el
   feed multiplayer recibía snapshot vacío — solo aparentaba funcionar
   por el optimistic local update del usuario que minó.
   (Agentes #2 CRIT + #5 CRIT-1 + #12 cross-ref)

2. tx.wait(SAFE_CONFIRMATIONS=30) en runMintProcessing.

   Polygon PoS confirma checkpoints cada ~30min y reorgs de hasta 100
   bloques se observaron históricamente. tx.wait() sin parámetro vuelve al
   primer block include — un reorg posterior puede revertir el mint
   mientras Firestore ya tiene status:completed. User queda sin NFT
   on-chain y sin trail para reclamo.

   30 bloques @ ~2.2s ≈ 66s extra de espera por mint. Aceptable para un
   cron 5min con queue chica; reduce a ~0% el riesgo de "NFT fantasma".
   (Agentes #3 CRIT-6 + #8 CRIT-1)

3. Lock distribuido en `runtime/mintProcessor` con TTL 10min.

   Antes, `processPendingMints` (onCall admin manual) y
   `mintProcessorScheduled` (onSchedule cron 5min) podían correr
   concurrentes y enviaban mintGem() con el MISMO nonce de la company
   wallet → una falla con "nonce too low", MATIC quemado en gas, race
   en doc.status=processing, backlog stuck.

   Lock pattern: TX read snapshot, check expiresAt, write si libre.
   Auto-release en finally + TTL backup si el worker crashea. Las rules
   son default-deny para /runtime/* — cliente no puede tocarlo.
   (Agentes #3 CRIT-4 + #8 CRIT-3)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 17, 2026
…ecesarias)

Cierra Agente #4 MED-FE-17 + Agente #5 MEDIUM (dead code confirmados por
grep como NO importados desde ningún módulo activo).

Archivos eliminados (verificados vía `grep -rn from.*Name` → 0 matches en
src/ y App.js):

  - src/components/MassiveCube.js       (169 LOC) — usaba @react-three/fiber
  - src/components/Layer100Renderer.js  (250 LOC) — exp del renderer alterno
  - src/components/FaceGrid201.js       (484 LOC) — renderer de cara alterno
  - src/utils/ThreeSetup.js             (104 LOC) — helper de three.js sin uso
  - src/utils/CubeCalculations.js       (150 LOC) — math helpers ahora en helpers.js backend
  - src/utils/ads.js                    ( 66 LOC) — RewardedAd manual; el flow real está inline en GetPeaks.js

Total: ~1223 LOC eliminadas del bundle JS del cliente.

Deps removidas de package.json (solo usadas por MassiveCube.js):
  - @react-three/fiber  (^9.3.0)
  - @react-three/drei   (^10.7.6)

Reducción de bundle estimada: ~650KB (deps no minificadas) según Agente #4.
APK más liviano → install rate más alto + cold-start más rápido.

NO ELIMINADO (deferred por scope — refactor de DynamicCube201.js requiere
test browser):
  - State `miningAnimations` + `setMiningAnimations` en DynamicCube201.js:1505
    (state nunca actualizado pero referenciado en 4+ lugares — necesita
    revisión cuidadosa para evitar regresiones en animaciones).
  - Ref `minedPollRef` en DynamicCube201.js:1514 (mismo).

Próximo paso operacional (no código): `npm install` para actualizar
package-lock.json + sacar @react-three/{fiber,drei} de node_modules.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 17, 2026
Cierra 6 hallazgos críticos pendientes pre-launch. Cambios localizados, sin
refactor estructural.

1. activityFeed TTL `expiresAt` (Agente #12 + #11 HIGH-11-40).
   writeActivity ahora agrega expiresAt = now + 7d. Firestore TTL Console
   borrará docs viejos automáticamente (después de activar la policy —
   pendiente operacional en RUNBOOK).
   Pre-fix: feed crecía infinito → cost amplification + PII histórica.

2. mineCube docId `${K}_${cubeNumber}` (Agente #1 CRIT-1).
   Pre-fix: `mined/${cubeNumber}` colisionaba entre layers. K=100 mina N=5;
   cuando K decrementa a 99 y otro user mina N=5 en K=99, el docId "5"
   colisiona → data mixing.
   Pre-launch: 0 mines reales en producción → forward-only safe.

3. processPendingMints audit log en adminActions (Agente #6 HIGH).
   La invocación manual del cron de mints no quedaba en adminActions, solo
   en Cloud Logging (retención 30d). Para forensic post-incidente esencial.

4. Override global de console.log REMOVIDO (Agente #4 CRIT-FE-06).
   Pre-fix: console.log = wrapper que filtraba un warning de expo-gl.
   Anti-pattern: HMR re-importa el módulo → wrappea otra vez → cadena
   infinita de wrappers. Plus dead code en prod (babel strippea console.log).

5. miningAnimations dead state REMOVIDO (Agente #5).
   const [miningAnimations, setMiningAnimations] = useState(new Map())
   declarado pero setMiningAnimations nunca se llamaba. 3 sites
   referenciaban este state muerto: useEffect cleanup forEach (no-op,
   removido), render loop check hasActiveAnimations (siempre false), comments
   documentan migración a useRef si vuelve la necesidad.

6. getFaceRange() lee del cache faceRangesRef (Agente #5 CRIT-4).
   Pre-fix: iteraba 240k cubeNumbers por call. JSX lo llamaba en cada
   re-render = 15-60×/seg × 240k = 14M iter/seg = stutter Android low-end.
   Fix: cache hit primero (faceRangesRef ya populated por
   recomputeFaceRanges en buildLayer). Loop solo en cache miss.

Bonus: setCorsHeaders unused import removido (post Commit K).

Tests: helpers OK, lint clean, parse OK.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 17, 2026
…store cap)

Cierra 2 leaks del Agente #5 sin tocar la lógica de rendering activo.

1. MinedCubesRewardStore cap a 20k entries con LRU eviction.

   Pre-fix: el Map de rewards crecía sin cota. En endgame (capa K minada
   completa, ~50k cells), residente ~10MB en RAM. Sesiones largas con
   múltiples servers progresados acumulaban sin liberar — ~50MB+ después
   de horas de juego.

   Fix: maxEntries=20000 + LRU eviction al exceder el cap. El delete+set
   pattern asegura que la entrada accedida queda al final del insertion
   order (Map preserva insertion order); eviction borra el head (más
   viejo). Trade-off: si el user re-visualiza una celda evicted, se pierde
   el reward indicator hasta el próximo snapshot. Acceptable porque las
   celdas evicted son las menos probables de re-aparecer en viewport.

   Bonus: método stats() agregado para debugging post-deploy.

2. Timer refs cleanup en unmount (DynamicCube201).

   Pre-fix: si user navega a otra screen DURANTE un mining flow activo
   (mid-watchdog, hud-toast visible, pre-hold counting), los setTimeout
   quedaban corriendo + sus callbacks disparaban contra árbol React
   desmontado → "Can't perform a React state update on an unmounted
   component" warning + retención de memoria por closures.

   Timer refs cleanedup ahora en el useEffect cleanup principal:
   - hudToastTimerRef (toast notifications)
   - gridExitTimerRef (transición grid → cube mode)
   - preHoldTimerRef (long-press indicator ~300ms)
   - miningWatchdogRef (modal congelado timeout)
   - miningProgressTimerRef (progress bar setInterval 120ms)

   longPressTimer y minedPollRef ya estaban en este cleanup pre-fix.

Tests: parse OK. helpers 24/24 OK.

NO HECHO (defer fundamentado):
- BoxGeometry dedup (6 → shared): el código de fragments + addDarkPatch
  es complejo (lifecycle de meshes, dispose patterns). Requiere browser
  test sobre Android real device. Defer.
- _intersectablesCache cleanup: requiere review del raycaster intersection
  pattern; refs a meshes disposed podrían causar GL crash si no se hace
  bien. Defer.
- LRU textureCache evict: similar — defer hasta poder testear.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [@react-navigation/drawer](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/drawer) from 7.5.8 to 7.12.2.
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/drawer@7.12.2/packages/drawer/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/drawer@7.12.2/packages/drawer)

---
updated-dependencies:
- dependency-name: "@react-navigation/drawer"
  dependency-version: 7.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): Bump @react-navigation/drawer from 7.5.8 to 7.12.0 build(deps): bump @react-navigation/drawer from 7.5.8 to 7.12.2 Jun 17, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/react-navigation/drawer-7.12.0 branch from 8abe599 to c3ee6e4 Compare June 17, 2026 16:32
@dependabot @github

dependabot Bot commented on behalf of github Jun 17, 2026

Copy link
Copy Markdown
Author

Superseded by #22.

@dependabot dependabot Bot closed this Jun 17, 2026
@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/react-navigation/drawer-7.12.0 branch June 17, 2026 16:33
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Smart contract V2 (cierra CRIT-S1/S2/S3 + MED-S1 + HIGH-S1):
- Deploy: 0x2933Ff14AdeC0a4D74aD8380E5c491321bBd3195 (Polygon mainnet, verified)
- AccessControl 2-of-3 Safe (0x83a3F5...86aCD) ADMIN+PAUSER, EOA nftv2 MINTER
- Supply caps inmutables por tier [1,1,5,50,100,500,1000,4000,10000]
- tokenURI canónico por tier (caller no controla URI)
- renounceRole(ADMIN) bloqueado (anti-bricking)
- functions/index.js: ABI actualizado (mintGem 3 args sin tokenURI_)

Backend fixes (batch 3):
- #2 HIGH-1 cross-attribution USDC: senderWalletAddress opt-in + match con event.args.from
- #4 HIGH-M1 gem-loss window: gem + pendingMint dentro del TX con docIds determinísticos
- #4 HIGH-R1 cap referrer bonus: 50 invitados rewarded max (campo referralsRewarded)
- #2 HIGH-2 rateLimits TTL: expiresAt usa Timestamp.fromMillis
- #3 MED-4 Sentry PII scrubber: beforeSend + beforeBreadcrumb sobre email/wallet/phone

Build / Deploy (batch 1):
- #9 HIGH-1 credentialsSource:local en eas.json production
- #9 HIGH-3 versionCode:5 en app.json
- #9 HIGH-4 runtimeVersion appVersion en app.json
- #9 HIGH-7 MTB-v1.1.0.apk.sha256 copiado a docs/
- #9 HIGH-8 download URL -> releases/latest

Supply chain (batch 1+2):
- #5 HIGH-2 nodemailer ^8.0.10 -> ^9.0.1
- #5 HIGH-3 npm overrides ws@^8.21.0 + undici@^6.27.0
- #5 HIGH-4 npm audit en root agregado al CI
- #5 HIGH-5 @cyclonedx/cdxgen pinned a 11.5.0 (no @latest)

Privacy / Legal (batch 1+2):
- #8 HIGH-1 retention 5y AML/KYC explícito (EN + ES)
- #8 HIGH-2 governing law: Argentina/Buenos Aires (EN + ES)
- #8 HIGH-8 clarificado solo email+password sin OAuth Apple/Google (EN + ES)

Frontend security (batch 2):
- #3 HIGH-1 verify.html inline script -> public/verify.js + removido unsafe-inline
- #3 HIGH-2 el() helper sin innerHTML

Web / SEO / a11y (batch 1+2):
- #10 HIGH-5 frame-buster JS anti-clickjacking
- #10 HIGH-6 docs/robots.txt + docs/sitemap.xml
- #10 HIGH-7 OG + Twitter Card + canonical en docs/index.html
- #10 HIGH-8 label for=... en form inputs + .sr-only utility

Smart contract tooling:
- contracts/MTBGemsV2.sol (source) + contracts_build/ (hardhat 0.8.27 cancun, 17/17 tests)

Pre-commit hook: refinado patrón anti-secret para no flagear tx hashes públicos
en docs y constantes role de OpenZeppelin.

Pendiente acción manual (documentado en PENDING_FIXES.md):
- cd functions && npm install
- firebase deploy --only functions / --only hosting
- GitHub Settings -> Pages -> Enforce HTTPS
- DNS records SPF/DMARC/CAA en Cloudflare

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
#5 HIGH-1)

- src/components/DynamicCube201.js: nuevo helper createGLRenderer(gl) que
  wrapea el context de expo-gl con un canvas-mock mínimo y construye un
  THREE.WebGLRenderer nativo. Reemplaza `new Renderer({gl})` de expo-three.
- package.json: removed expo-three ^8.0.0.
- npm uninstall removió 27 paquetes (toda la cadena abandonada).

Pre-fix: expo-three arrastraba 8 paquetes con CVEs (node-fetch@1.7.3 CVSS 8.8,
fbjs, fbemitter, isomorphic-fetch, uuid@8.3.2, etc.). Las CVEs no eran
explotables en RN runtime (el polyfill no corre), pero la cadena entera era
deuda y dependía de un package deprecado upstream.

Three.js 0.166+ acepta un canvas-mock + el gl context de expo-gl directamente.
El render loop ya llamaba gl.endFrameEXP() manualmente (línea ~3678), así que
no perdemos nada del wrapper.

Testing: requiere validación on-device del cube (mining + raycast + viewport
en distintos pixel ratios). Mismo setSize/setViewport/setClearColor que antes
+ setPixelRatio(1) — comportamiento esperado idéntico.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
… MED-2)

expo-av está deprecated por Expo desde 2025 y se va a eliminar en Expo
SDK 55 (~Q1 2026). expo-audio es el reemplazo oficial para sonidos
(expo-video para video).

Cambios al audioManager:
- import { Audio } from 'expo-av' -> import { createAudioPlayer,
  setAudioModeAsync } from 'expo-audio'
- Audio.Sound.createAsync(src, opts) -> createAudioPlayer(src) + player.volume = vol
  (la nueva API expone el player directo, no { sound })
- play/pause/seekTo: ahora son síncronos (no async)
- volume: ahora es propiedad asignable (no setVolumeAsync)
- getStatusAsync(): ahora .currentStatus (sync property)
- setOnPlaybackStatusUpdate(cb): ahora addListener('playbackStatusUpdate', cb)
  devuelve subscription con .remove(). Mantenemos refs a las subs para
  cleanup explícito (anti-leak en interrupts).
- setAudioModeAsync: flags renombrados (allowsRecording, playsInSilentMode,
  shouldPlayInBackground, interruptionMode='duckOthers').

package.json: expo-av ~16.0.7 -> expo-audio ~1.0.10. npm install removed
1 / added 1.

Compatibilidad: API funcional 100% preservada. Tests on-device requeridos
para validar mining sound, mining_ok, background music + crescendo,
playSound (rotura/explosion/win/lose), pause/resume al toggle de settings,
cleanup en logout.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Version bump por features nuevas de la sesión 2026-06-23 (audit R2):
- Swap flow 2-step con verificación on-chain del NFT (#8 HIGH-3)
- Cookie consent banner GDPR/LGPD/CCPA (#8 HIGH-6)
- Email notifications al user al completar canje
- TOS sin lista 13 países (geo-blocking decision)
- Smart Contract V2 deployed + activo (functions/constants.js apunta acá)
- expo-three -> THREE.WebGLRenderer nativo (#5 HIGH-1)
- expo-av -> expo-audio (SDK 55 prep, #5 MED-2)
- Icon optimize 1.1MB -> 8.5KB WebP (#10 HIGH-9)
- Sentry source maps pipeline
- Keystore rotation + 3 backups offline
- DNS records (SPF + DMARC + CAA)
- Web hardening: frame-buster, robots, sitemap, OG meta, form labels

Bumps:
- app.json: version 1.1.0 -> 1.2.0, versionCode 5 -> 6
- package.json: 1.1.0 -> 1.2.0
- src/constants.js: FALLBACK_APP_VERSION 1.1.0 -> 1.2.0
- docs/index.html: download link y label -> v1.2.0
- MTB-v1.1.0.apk.sha256 archivos eliminados (se regeneran post-build)

PENDING_FIXES.md actualizado con estado final completo.

10 commits previos cerraron: 5 CRIT smart contract + 3 CRIT web + 31 HIGH
técnicos. Single HIGH legal pendiente (#8 HIGH-7 MICA + Howey) por consulta
externa, no técnico.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants