chore: prep for 2.0.5 release #568
main to dev
Replace `*` wildcards with bounded ranges in published packages and pin the root tsconfig devDependency:

- packages/ethers, packages/wagmi: peerDependencies `@react-native-community/netinfo` and `react-native-get-random-values` changed from `*` to `>=11.0.0` / `>=1.11.0`
- root tsconfig devDependency `*` -> `7.0.0`

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore: pin peer dependency version ranges
Patches 34 of 39 open Dependabot alerts via resolution/override bumps to the first patched release; no source changes.

Root (resolutions + turbo devDep):
- shell-quote -> 1.8.4 (critical)
- @xmldom/xmldom 0.8.12 -> 0.8.13, fast-uri -> 3.1.2, @babel/plugin-transform-modules-systemjs -> 7.29.4 (high)
- tmp 0.2.4 -> 0.2.6 (high)
- ws ^8.18.1 -> ^8.20.1, qs 6.14.2 -> 6.15.2, postcss 8.4.31 -> 8.5.10 (medium)
- turbo 2.5.5 -> 2.9.14 (medium/low)

Example app (examples/expo-multichain overrides):
- hono 4.12.12 -> 4.12.21 (10 alerts)
- @xmldom/xmldom 0.8.13, fast-uri 3.1.2, shell-quote 1.8.4 (critical/high)
- ws 8.20.1, postcss 8.5.10, brace-expansion 5.0.5 -> 5.0.6 (medium)

The remaining 5 alerts are dismissed separately (not exploitable in this tree, or no published patch): uuid x2, ip-address, bigint-buffer x2.

Verified: yarn build, yarn test, yarn lint all pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Forcing ws to a single hoisted version (8.20.1) changed Metro module
resolution so the example bundles ws's Node build (which does
`require('stream')`) instead of the React-Native/browser shim it used
before. This broke `expo export`/`expo run` for the example with:
"Unable to resolve module stream from .../ws/lib/stream.js".
The example has no metro.config.js to shim Node core modules (unlike
apps/native), so the ws security bump can't be applied here without
breaking the bundle. Dropping the override restores a clean bundle
(verified: `expo export --platform ios` -> 4060 modules, exit 0).
The example's ws alert (#272) is dismissed separately as tolerable_risk
(sample app, not published; patched ws breaks Metro resolution).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore(security): bump dependencies to resolve Dependabot alerts
🦋 Changeset detected. Latest commit: c1b28b1. The changes in this PR will be included in the next version bump. This PR includes changesets to release 9 packages.
Claude finished @ignaciosantise's task in 34s.
Found 3 issue(s). Issue 1: Narrowing netinfo peer dep from
Warning: Socket detected alerts in this PR's dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts.
This pull request primarily updates and pins dependency versions across the monorepo and example projects, with a focus on improving compatibility and stability.

Dependency version pinning and updates:
- Pins the `@reown/appkit-*` React Native packages to ensure consistent and predictable installs. (.changeset/cuddly-heads-type.md)

Peer dependency range tightening:
- Tightens `@react-native-community/netinfo` and `react-native-get-random-values` in `packages/ethers/package.json` and `packages/wagmi/package.json` to require minimum versions, improving compatibility guarantees. [1] [2]

Tooling and dev dependency maintenance:
- Bumps `tsconfig` and `turbo` to newer versions in the root `package.json`, helping maintain build and test tooling.

Overall, these changes help ensure the project uses compatible and up-to-date dependencies, reducing the risk of version conflicts and improving overall stability.