chore(deps): bump deps to clear dependabot alerts #1040

Merged: boorad merged 2 commits into main from fix/dependabot-alerts, May 12, 2026

Conversation

@boorad (Collaborator) commented May 12, 2026

Summary

Lockfile-only bumps to silence open Dependabot alerts. No library code is touched — alerts are scoped to the docs site (docs/, Next.js) and the example app's CocoaPods toolchain (example/Gemfile.lock). The published library has no vulnerable deps.

Changes

  • docs/: next 16.0.10 → 16.2.6 (clears ~22 Next.js alerts: SSRF, cache poisoning, middleware/proxy bypass, DoS, XSS — see Dependabot tab on default branch)
  • example/: addressable 2.8.7 → 2.9.0 (clears 1 ReDoS alert, lifts public_suffix ceiling to < 8.0)
  • example/: activesupport 7.2.2 → 7.2.3.1 (clears 3 alerts: SafeBuffer XSS, number_to_delimited ReDoS, number helpers DoS)
  • example/: transitive bumps to base64, benchmark, bigdecimal, concurrent-ruby, connection_pool, drb, i18n, logger, minitest, securerandom (downstream of the above)
  • example/ios/Podfile.lock: refreshed PODFILE CHECKSUM after the Gemfile bumps

concurrent-ruby lands at 1.3.5, still under the existing Gemfile ceiling of < 1.3.6 (which exists because 1.3.6 introduced build breakage).

Test plan

  • bun tsc passes (workspace)
  • bob build passes (pre-commit hook)
  • CI green
  • Dependabot alert count drops on merge
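One way to turn the "Test plan" above into a repeatable check, added here as an example and not code from the PR or the project: it parses the GEM `specs:` block of a Gemfile.lock and confirms the pins the description states (addressable >= 2.9.0, activesupport >= 7.2.3.1, concurrent-ruby < 1.3.6, public_suffix < 8.0). `SAMPLE_LOCK`, `EXPECTED` and the helper names are constructed for this example; the lockfile fragment is not the repository's real example/Gemfile.lock.

```python
import operator
import re

# Constructed Gemfile.lock fragment shaped like the post-bump state the PR
# describes; it is NOT the repository's real example/Gemfile.lock.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    activesupport (7.2.3.1)
      concurrent-ruby (~> 1.0, >= 1.3.1)
    addressable (2.9.0)
      public_suffix (>= 2.0.2, < 8.0)
    concurrent-ruby (1.3.5)
    public_suffix (6.0.2)

PLATFORMS
"""

# Expectations from the PR description, gem -> (operator, bound): floors are
# the fixed versions, ceilings the existing Gemfile limits it must stay under.
EXPECTED = {
    "activesupport": (">=", "7.2.3.1"), "addressable": (">=", "2.9.0"),
    "concurrent-ruby": ("<", "1.3.6"), "public_suffix": ("<", "8.0"),
}
OPS = {">=": operator.ge, "<": operator.lt}
# A resolved gem sits at exactly 4 spaces; its dependency lines sit at 6.
SPEC_RE = re.compile(r"^    (\S+) \(([0-9][\w.\-]*)\)$", re.M)

def version_key(v):
    """Numeric comparison key; sufficient for the release versions here."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def parse_specs(lock_text):
    """{gem: resolved_version} from the GEM 'specs:' block of a Gemfile.lock."""
    block = re.search(r"^  specs:\n(.*?)(?=^\S|\Z)", lock_text, re.M | re.S)
    if not block:
        return {}
    return {m.group(1): m.group(2) for m in SPEC_RE.finditer(block.group(1))}

def check_lock(lock_text):
    """Return violations as strings; an empty list means the pins match."""
    specs, problems = parse_specs(lock_text), []
    for gem, (op, bound) in EXPECTED.items():
        have = specs.get(gem)
        if have is None or not OPS[op](version_key(have), version_key(bound)):
            problems.append(f"{gem}: have {have}, expected {op} {bound}")
    return problems
```

Run `check_lock(open("example/Gemfile.lock").read())` in CI; a non-empty list means a later lockfile regression reintroduced a version the alerts covered.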

boorad added 2 commits May 12, 2026 12:54
- docs: next 16.0.10 -> 16.2.6 (clears 22 alerts)
- example: addressable 2.8.7 -> 2.9.0 (clears 1 alert)
- example: activesupport 7.2.2 -> 7.2.3.1 (clears 3 alerts)

All open alerts are in docs/ (Next.js docs site) and example/
(CocoaPods deps). The published library has no vulnerable deps.
Downstream of the Gemfile bumps in the previous commit.
@boorad boorad self-assigned this May 12, 2026
@vercel (bot) commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: react-native-quick-crypto
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 12, 2026 5:10pm


@github-actions (Contributor) commented

🤖 End-to-End Test Results - iOS

Status: ✅ Passed
Platform: iOS
Run: 25750064399

📸 Final Test Screenshot: [image: Maestro Test Results - ios] (screenshot automatically captured from End-to-End tests; expires in 30 days)
This comment is automatically updated on each test run.

@github-actions (Contributor) commented

🤖 End-to-End Test Results - Android

Status: ✅ Passed
Platform: Android
Run: 25750064428

📸 Final Test Screenshot: [image: Maestro Test Results - android] (screenshot automatically captured from End-to-End tests; expires in 30 days)
This comment is automatically updated on each test run.

@boorad boorad merged commit 7460d55 into main May 12, 2026
7 checks passed
@boorad boorad deleted the fix/dependabot-alerts branch May 12, 2026 18:47