The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
- https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-15316031
- https://snyk.io/vuln/SNYK-JS-SYSTEMINFORMATION-15315971
- https://snyk.io/vuln/SNYK-JS-BNJS-15274301
✅ Snyk checks have passed. No issues have been found so far.
| "node-gyp": "^11.5.0", | ||
| "openpgp": "5.11.3", | ||
| "node-gyp": "^12.0.0", | ||
| "openpgp": "6.1.1", |
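Review bot: node-gyp ^11.5.0 → ^12.0.0 is a major version bump that none of the four Snyk advisories in the PR description (minimatch, systeminformation, bnjs) accounts for, and the PR changes only package.json with no yarn.lock update, so the next install will resolve versions that the lockfile does not record. Either include the lockfile update in the PR or drop the node-gyp bump so the change stays limited to the advisories it claims to fix.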
🔴 openpgp major version bump (v5→v6) breaks PGP signature verification API
Upgrading openpgp from 5.11.3 to 6.1.1 is a major version bump with breaking API changes that will break the desktop app's PGP signature verification for updates.
Root Cause and Impact
The codebase uses openpgp v5 API patterns in two critical files:
- apps/desktop/app/bundle.ts:24-30 — uses signedMessage.verify([publicKey]) and result[0].verified
- packages/kit-bg/src/desktopApis/DesktopApiAppUpdate.ts:470-476 — same pattern
In openpgp v6, the API was significantly restructured:
- verify() is no longer a method on the message object; it became a standalone top-level function (openpgp.verify({ message, verificationKeys }))
- The return type and structure of verification results changed
- readCleartextMessage parameter cleartextMessage was renamed to armoredMessage in v6
When yarn install is run after merging (since the yarn.lock wasn't updated), openpgp 6.1.1 will be installed, and calls like signedMessage.verify([publicKey]) at apps/desktop/app/bundle.ts:28 will fail because verify is no longer a method on the CleartextMessage object.
Impact: This breaks the PGP signature verification used to validate desktop app update bundles — a critical security feature. The readMetadataFileSha256 function in bundle.ts and getSha256 in DesktopApiAppUpdate.ts will throw runtime errors, preventing users from verifying and installing desktop updates.
| "openpgp": "6.1.1", | |
| "openpgp": "5.11.3", |
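Review bot: reverting openpgp to 5.11.3 does not undo any of the four advisories this PR claims to fix (none of the listed SNYK IDs concerns openpgp), so accepting this suggestion keeps the v5 verify() call sites in bundle.ts and DesktopApiAppUpdate.ts working. If the v6 upgrade is wanted later, migrate both call sites in the same change as the version bump.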
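An added example for the API difference the comment above describes (not code from the repository under review or from openpgp): a verification helper that adapts to either result shape, v5's `message.verify(keys)` or v6's top-level `openpgp.verify({ message, verificationKeys })`, and fails closed when neither is present. The library object is injected so the helper can run offline against the constructed stand-ins at the bottom; with the real library you would pass `require('openpgp')`.

```javascript
// Added example, not code from the repository under review or from openpgp.
// Verifies a signed message against either openpgp API generation and
// never reports success unless every signature's `verified` promise resolves.
async function verifySignedMessage(openpgp, message, verificationKeys) {
  let signatures;
  if (typeof message.verify === 'function') {
    // v5 shape: resolves to [{ keyID, verified: Promise<true>, signature }]
    signatures = await message.verify(verificationKeys);
  } else if (typeof openpgp.verify === 'function') {
    // v6 shape: resolves to { data, signatures: [...] }
    const result = await openpgp.verify({ message, verificationKeys });
    signatures = result.signatures;
  } else {
    // Fail closed: an unknown API must never be mistaken for a verified update.
    throw new TypeError('openpgp: no verify() available on message or library');
  }
  if (!Array.isArray(signatures) || signatures.length === 0) {
    return { ok: false, reason: 'no signatures present' };
  }
  // `verified` rejects on a bad or untrusted signature; require all to pass.
  for (const sig of signatures) {
    try {
      await sig.verified;
    } catch (err) {
      return { ok: false, reason: `signature failed: ${err.message}` };
    }
  }
  return { ok: true, keyIDs: signatures.map((s) => s.keyID) };
}

// Constructed stand-ins mimicking the two result shapes (no real keys or crypto).
function fakeSignature(valid) {
  return {
    keyID: 'constructed-key-id',
    // Lazy getter so a rejected promise is only created once it is awaited.
    get verified() {
      return valid
        ? Promise.resolve(true)
        : Promise.reject(new Error('Signature verification failed'));
    },
  };
}
const v5Message = (valid) => ({ verify: async () => [fakeSignature(valid)] });
const v6Lib = (valid) => ({
  verify: async () => ({ data: '', signatures: [fakeSignature(valid)] }),
});
const v6Message = { text: 'sha256 metadata' }; // no verify() method on the message
```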
| "react-dom": "19.1.0", | ||
| "react-mobile-cropper": "^0.10.0", | ||
| "react-native": "0.81.5", | ||
| "react-native": "0.84.0", |
🔴 react-native version conflict: dependencies says 0.84.0 but resolutions pins 0.81.5
The dependencies field was updated to react-native: 0.84.0 but the resolutions field at line 329 still pins react-native to 0.81.5. In Yarn, resolutions take precedence over dependencies, so the actual installed version will remain 0.81.5.
Root Cause and Impact
At package.json:175, the dependency is declared as "react-native": "0.84.0", but at package.json:329, the resolution is "react-native": "0.81.5". Yarn resolutions override all version specifications in the dependency tree, meaning:
- The version bump in dependencies is completely ineffective — 0.81.5 will always be installed.
- The package.json is now in an inconsistent/misleading state: it claims to use 0.84.0 but actually uses 0.81.5.
- If someone later removes the resolution thinking the dependency is already at 0.84.0, they'd get a 3-minor-version jump (0.81→0.84) that could introduce breaking changes across the entire React Native stack (metro, native modules, etc.) without proper testing.
- React Native 0.84.0 is a significant jump from 0.81.5 and would require updating many companion packages (@react-native/*, metro, etc.) that are currently pinned to 0.81.x-compatible versions.
Impact: The security fix this PR intends (fixing the minimatch ReDoS via react-native upgrade) will not take effect because the resolution overrides the dependency version.
Prompt for agents
The react-native version in dependencies (0.84.0 at package.json:175) conflicts with the resolutions field (0.81.5 at package.json:329). The resolutions field takes precedence in Yarn, making this upgrade ineffective. Either:
1. Revert the dependency back to 0.81.5 to keep consistency, OR
2. Also update the resolution at package.json:329 to 0.84.0 AND update all companion react-native packages (@react-native/*, metro versions, etc.) to be compatible with 0.84.0.
Option 1 is safer since react-native 0.84.0 is a major upgrade requiring extensive testing across iOS, Android, and web platforms.
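An added check for the situation the comment above describes (not code from the repository under review): it reads a package.json object and flags every Yarn `resolutions` entry that pins a different version than the declared dependency, so a bump like react-native 0.84.0 cannot silently be overridden by a stale 0.81.5 pin. It handles plain names, `**/name` globs and scoped `@scope/name` keys, and reduces `name@range` selectors to `name`; the sample package.json is constructed.

```javascript
// Added example, not code from the repository under review.
// Reduce a Yarn resolutions key to the package name it targets.
function resolutionPackageName(key) {
  let name = key.startsWith('**/') ? key.slice(3) : key;
  // `react-native@^0.81.0` targets a range; treat it as the package name.
  // Searching from index 1 skips the leading '@' of scoped packages.
  const at = name.indexOf('@', 1);
  if (at > 0) name = name.slice(0, at);
  return name;
}

// Return every declared dependency whose resolutions pin disagrees with it.
// Any textual mismatch is reported deliberately: a human decides whether a
// range vs. pin difference is intended.
function findResolutionConflicts(pkg) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const conflicts = [];
  for (const [key, pinned] of Object.entries(pkg.resolutions || {})) {
    const name = resolutionPackageName(key);
    if (name in declared && declared[name] !== pinned) {
      conflicts.push({ name, declared: declared[name], resolution: pinned });
    }
  }
  return conflicts;
}

// Constructed package.json fragment mirroring the state the comment reports:
// dependencies bumped to 0.84.0 while resolutions still pins 0.81.5.
// minimatch is only transitive here, so its resolution is not a conflict.
const samplePkg = {
  dependencies: { 'react-native': '0.84.0', 'react-dom': '19.1.0' },
  resolutions: { 'react-native': '0.81.5', '**/minimatch': '^9.0.0' },
};
```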
Snyk has created this PR to fix 4 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.json

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-MINIMATCH-15309438
SNYK-JS-SYSTEMINFORMATION-15316031
SNYK-JS-SYSTEMINFORMATION-15315971
SNYK-JS-BNJS-15274301
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection