[Snyk] Security upgrade react-native from 0.81.5 to 0.84.0#10362

Open
revan-zhang wants to merge 8 commits intoxfrom
snyk-fix-9c19577a7a62a7a4c67f3b8d619d3232
Conversation

revan-zhang (Contributor) commented Feb 26, 2026

Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.

Snyk changed the following file(s):

  • apps/mobile/package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                          Score
high severity  Inefficient Algorithmic Complexity  SNYK-JS-MINIMATCH-15353389   710

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.


revan-zhang (Contributor, Author) commented Feb 26, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

devin-ai-integration (Bot, Contributor) left a comment

Devin Review found 3 potential issues.

View 4 additional findings in Devin Review.

Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",
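Review bot: the bump from 0.81.5 to 0.84.0 in this hunk does not take effect on its own, because react-native is still pinned to 0.81.5 elsewhere in the repository and the review threads below list each place: the root package.json pins it in both resolutions (line 337) and dependencies (line 179), and in a Yarn workspace the resolutions entry wins over this file; patches/react-native+0.81.5.patch is matched by patch-package on package name plus version and would be skipped silently after the bump; the lockstep devDependency "@react-native/metro-config": "0.81.5" at line 38 of this file was not moved; and yarn.lock has no react-native@npm:0.84.0 entry, so an install with --frozen-lockfile fails and one without it re-resolves the tree unreviewed. Suggest holding the merge until the root pins, the patch file name, the metro-config version and the lockfile are updated in the same PR and the regenerated lockfile diff has been read.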
devin-ai-integration (Bot, Contributor) commented Feb 26, 2026

🔴 Version-specific patch file react-native+0.81.5.patch will not apply to react-native 0.84.0

Upgrading react-native to 0.84.0 without renaming/porting the patch file patches/react-native+0.81.5.patch means patch-package will silently skip it (it matches patches by packageName+version). This patch contains critical native code modifications that will be lost.

Detailed impact of lost patches

The react-native+0.81.5.patch file contains ~546 lines of native code changes across iOS (Objective-C++), Android (Kotlin), and C++ renderer code:

  1. Image paste support for TextInput (iOS): Custom onPaste event handler enabling image paste in both RCTUITextView and RCTUITextField, including async clipboard processing, MIME type detection, and temp file creation.

  2. Null safety fix in RCTTurboModule.mm: Guards against nil values in convertNSStringToJSIString and convertObjCObjectToJSIValue that would otherwise cause crashes.

  3. Android crash prevention in ReactViewGroup.kt: A try/catch around super.dispatchDraw(canvas) to handle a NullPointerException race condition with react-native-reanimated (tracking issue: Crashes with the error: java.lang.NullPointerException: Attempt to read from field 'int android.view.View.mViewFlags' on a null object reference in method 'void android.view.ViewGroup.dispatchGetDisplayList()' software-mansion/react-native-reanimated#8422).

  4. Fabric renderer onPaste event in TextInputEventEmitter.cpp/.h: C++ event emitter for the custom paste event.

The postinstall script at development/scripts/postinstall.js runs patch-package which will look for react-native+0.84.0.patch but only find react-native+0.81.5.patch. All these customizations will be silently dropped, causing loss of image paste functionality, potential nil-dereference crashes on iOS, and SIGSEGV crashes on Android.


Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",
devin-ai-integration (Bot, Contributor) commented

🔴 @react-native/metro-config pinned at 0.81.5 is incompatible with react-native 0.84.0

The @react-native/metro-config devDependency remains pinned at 0.81.5 while react-native is bumped to 0.84.0. In the React Native ecosystem, @react-native/* packages are versioned in lockstep with the core react-native package.

Root cause and impact

At apps/mobile/package.json:38, @react-native/metro-config is 0.81.5. This package pulls in version-matched dependencies like @react-native/js-polyfills@0.81.5 and @react-native/metro-babel-transformer@0.81.5 (visible in the yarn.lock). When react-native is 0.84.0, these mismatched internal packages can cause:

  • Metro bundler configuration incompatibilities
  • Mismatched JS polyfills between what Metro injects and what the runtime expects
  • Babel transformer version mismatches leading to build failures or subtle runtime errors

The metro config is actively used in apps/mobile/metro.config.js:10:

const { getDefaultConfig, mergeConfig } = require('@react-native/metro-config');

This version should be updated to 0.84.0 (or whatever the matching version is for react-native 0.84.0) to maintain compatibility.

Prompt for agents
Update @react-native/metro-config in apps/mobile/package.json (line 38) from version 0.81.5 to the version that matches react-native 0.84.0. In the React Native ecosystem, @react-native/* packages are versioned in lockstep with the core react-native package. Check the react-native 0.84.0 release notes or its package.json dependencies to find the correct @react-native/metro-config version, then update line 38 of apps/mobile/package.json accordingly.

Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",
devin-ai-integration (Bot, Contributor) commented Feb 26, 2026

🔴 yarn.lock not updated — react-native 0.84.0 will not actually be installed

The yarn.lock file was not updated as part of this PR. It still resolves react-native to version 0.81.5 with no entry for 0.84.0.

Root cause and impact

The PR description itself warns: "Failed to update the yarn.lock, please update manually before merging." The yarn.lock currently contains:

"react-native@npm:0.81.5":
  version: 0.81.5
  resolution: "react-native@npm:0.81.5"

There is no react-native@npm:0.84.0 entry. Depending on the Yarn version and CI configuration:

  • If yarn install is run with --frozen-lockfile (common in CI), the build will fail because package.json requests 0.84.0 but the lockfile only has 0.81.5.
  • If yarn install is run without --frozen-lockfile, it will regenerate the lockfile, potentially pulling in many unexpected transitive dependency changes that haven't been reviewed.

Either way, merging this PR as-is will cause CI failures or unreviewed dependency changes.


devin-ai-integration (Bot, Contributor) left a comment

Devin Review found 1 new potential issue.

View 8 additional findings in Devin Review.

Comment thread apps/mobile/package.json
"path-browserify": "^1.0.1",
"react": "19.1.0",
"react-native": "0.81.5",
"react-native": "0.84.0",
devin-ai-integration (Bot, Contributor) commented

🔴 Root resolutions field pins react-native to 0.81.5, completely nullifying the upgrade to 0.84.0

The PR changes react-native from 0.81.5 to 0.84.0 in apps/mobile/package.json, but the root package.json contains "react-native": "0.81.5" in both resolutions and dependencies. In Yarn workspaces, the resolutions field forces all instances of a package across the entire workspace to resolve to the specified version, overriding any version declared in child workspace package.json files.

Root Cause & Impact

The root package.json has two conflicting declarations that were not updated:

  • package.json:337: "react-native": "0.81.5" in resolutions
  • package.json:179: "react-native": "0.81.5" in dependencies

The resolutions field is the critical one: Yarn will resolve react-native to 0.81.5 for every workspace, regardless of what apps/mobile/package.json declares. The yarn.lock confirms this — there is no entry for react-native@0.84.0, only for react-native@npm:0.81.5.

Impact: The stated security fix (upgrading react-native to 0.84.0 to address SNYK-JS-MINIMATCH-15353389) is completely ineffective. The mobile app will continue to use react-native 0.81.5 at runtime, leaving the vulnerability unpatched.

Prompt for agents
To actually upgrade react-native to 0.84.0, you must also update the root package.json in at least these locations:

1. package.json line 179: Change "react-native": "0.81.5" to "react-native": "0.84.0" in the root dependencies
2. package.json line 337: Change "react-native": "0.81.5" to "react-native": "0.84.0" in the root resolutions
3. apps/mobile/package.json line 38: Update "@react-native/metro-config": "0.81.5" to the version matching react-native 0.84.0
4. Run yarn install to regenerate yarn.lock with the react-native 0.84.0 resolution

Additionally, verify that all other react-native ecosystem packages (listed in both apps/mobile/package.json and the root) are compatible with react-native 0.84.0, particularly the @react-native/* packages, expo, and native module dependencies.
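The four review comments above each describe a way a dependency bump can fail to take effect in a Yarn workspace: a patch-package file keyed to the old version, a root resolutions pin that overrides the workspace, an @react-native/* package left out of lockstep, and a lockfile with no entry for the new version. The Node script below is an added example (not code from this PR, from Devin, or from the project) that checks all four conditions on in-memory inputs. The package.json objects, patch file list and yarn.lock text are constructed to mirror the versions discussed in the thread; the function names, the rule that @react-native/* must equal the react-native version, and the assumption that lockfile entries are headed by the exact "<name>@npm:<version>" descriptor are the example's own, not the project's.

```javascript
// Constructed inputs modelled on the PR discussion (not the project's real files).
const rootPkg = {
  dependencies: { 'react-native': '0.81.5' },
  resolutions: { 'react-native': '0.81.5' },
};
const workspacePkg = {
  dependencies: { react: '19.1.0', 'react-native': '0.84.0' },
  devDependencies: { '@react-native/metro-config': '0.81.5' },
};
const patchFiles = ['react-native+0.81.5.patch'];
const yarnLock = [
  '"@react-native/metro-config@npm:0.81.5":',
  '  version: 0.81.5',
  '"react@npm:19.1.0":',
  '  version: 19.1.0',
  '"react-native@npm:0.81.5":',
  '  version: 0.81.5',
  '  resolution: "react-native@npm:0.81.5"',
].join('\n');

// Merge dependencies and devDependencies into one name -> version map.
function declaredVersions(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// patch-package names files <name>+<version>.patch; the '/' of a scoped name is
// written as '+' (e.g. @scope+pkg+1.2.3.patch). Sequenced patch names
// (<name>+<version>+001+desc.patch) are out of scope here (assumption).
function parsePatchName(file) {
  const m = /^(.+)\+(\d+\.\d+\.\d+[^+]*)\.patch$/.exec(file);
  if (!m) return null;
  return { name: m[1].replace(/^(@[^+]+)\+/, '$1/'), version: m[2] };
}

// 1. Patches whose version no longer matches the declared dependency are
//    skipped silently by patch-package, so the native fixes they carry vanish.
function findStalePatches(pkg, files) {
  const versions = declaredVersions(pkg);
  const stale = [];
  for (const file of files) {
    const p = parsePatchName(file);
    if (p && versions[p.name] && versions[p.name] !== p.version) {
      stale.push({ file, name: p.name, patched: p.version, declared: versions[p.name] });
    }
  }
  return stale;
}

// 2. A root "resolutions" entry wins over any workspace declaration.
function findResolutionOverrides(root, workspace) {
  const resolutions = root.resolutions || {};
  const versions = declaredVersions(workspace);
  return Object.keys(versions)
    .filter((name) => resolutions[name] && resolutions[name] !== versions[name])
    .map((name) => ({ name, workspace: versions[name], resolution: resolutions[name] }));
}

// 3. @react-native/* packages are released in lockstep with react-native.
function findLockstepMismatches(pkg) {
  const versions = declaredVersions(pkg);
  const core = versions['react-native'];
  if (!core) return [];
  return Object.keys(versions)
    .filter((name) => name.startsWith('@react-native/') && versions[name] !== core)
    .map((name) => ({ name, version: versions[name], expected: core }));
}

// 4. A declared exact version with no "<name>@npm:<version>" entry in yarn.lock
//    either fails a frozen install or is re-resolved without review.
function findMissingLockEntries(lock, pkg) {
  const versions = declaredVersions(pkg);
  return Object.keys(versions)
    .map((name) => `${name}@npm:${versions[name]}`)
    .filter((key) => !lock.includes(`"${key}"`));
}

// Run every check and return one report object.
function checkUpgrade(root, workspace, files, lock) {
  return {
    stalePatches: findStalePatches(workspace, files),
    resolutionOverrides: findResolutionOverrides(root, workspace),
    lockstepMismatches: findLockstepMismatches(workspace),
    missingLockEntries: findMissingLockEntries(lock, workspace),
  };
}

console.log(JSON.stringify(checkUpgrade(rootPkg, workspacePkg, patchFiles, yarnLock), null, 2));
```

On the constructed inputs every check fires once: the stale react-native+0.81.5.patch, the root resolution pinning 0.81.5, @react-native/metro-config lagging the core version, and the absent react-native@npm:0.84.0 lockfile entry. Wiring the same functions to the real files (JSON.parse of the two package.json files, fs.readdirSync of patches/, fs.readFileSync of yarn.lock) gives a pre-merge gate for automated dependency PRs.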
