From 6f74489381c29b02075c7aa5c9ece2241b0c32ab Mon Sep 17 00:00:00 2001
From: Nicola Corti
Date: Thu, 4 Jun 2026 06:23:20 -0700
Subject: [PATCH] Fix security vulnerabilities in transitive dependencies (#57066)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Summary:
Pull Request resolved: https://github.com/facebook/react-native/pull/57066
Add yarn resolutions and update lockfiles to fix security vulnerabilities in five transitive dependencies:
- `xmldom/xmldom` 0.8.10 → 0.8.13 (CVE-2026-41672, XML injection)
- `fast-xml-parser` 4.5.4 → 4.5.6 (CVE-2026-33349, CVE-2026-33036, entity expansion bypass)
- `yaml` 2.5.0/2.8.1 → 2.9.0 (CVE-2026-33532, stack overflow via deep nesting)
- `fast-uri` 3.0.6 → 3.1.2 (CVE-2026-6322, host confusion; CVE-2026-6321, path traversal)
- `addressable` 2.8.5/2.8.7 → 2.9.0 (CVE-2026-35611, ReDoS)
All bumps are within semver range of their parent constraints and are patch or minor version updates.
- Fixes https://github.com/facebook/react-native/pull/56364
- Fixes https://github.com/facebook/react-native/pull/56365
- Fixes https://github.com/facebook/react-native/pull/56570
- Fixes https://github.com/facebook/react-native/pull/56393
- Fixes https://github.com/facebook/react-native/pull/56231
- Fixes https://github.com/facebook/react-native/pull/56741
Changelog: [General][Security] - Fix security vulnerabilities in `xmldom/xmldom`, `fast-xml-parser`, `yaml`, `fast-uri`, and `addressable` transitive dependencies
Differential Revision: D107405946
---
 Gemfile.lock | 4 ++--
 package.json | 6 +++++-
 private/helloworld/Gemfile.lock | 4 ++--
 yarn.lock | 37 ++++++++++++++-------------------
 4 files changed, 25 insertions(+), 26 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index e304f8287968..8eb0039d4c08 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,8 +8,8 @@ GEM
 i18n (>= 1.6, < 2)
 minitest (>= 5.1)
 tzinfo (~> 2.0)
- addressable (2.8.5)
- public_suffix (>= 2.0.2, < 6.0)
+ addressable (2.9.0)
+ public_suffix (>= 2.0.2, < 8.0)
 algoliasearch (1.27.5)
 httpclient (~> 2.8, >= 2.8.3)
 json (>= 1.5.1)
diff --git a/package.json b/package.json
index f1ec9c177468..fc1855bc3982 100644
--- a/package.json
+++ b/package.json
@@ -125,6 +125,10 @@
 "compression": "1.8.1",
 "@microsoft/api-extractor/minimatch": "3.1.4",
 "metro-babel-register/babel-plugin-syntax-hermes-parser": "0.36.1",
- "lodash": "4.18.1"
+ "lodash": "4.18.1",
+ "@xmldom/xmldom": "^0.8.13",
+ "fast-xml-parser": "^4.5.6",
+ "yaml": "^2.8.3",
+ "fast-uri": "^3.1.2"
 }
 }
diff --git a/private/helloworld/Gemfile.lock b/private/helloworld/Gemfile.lock
index dc0c892f686b..30ada298ab8a 100644
--- a/private/helloworld/Gemfile.lock
+++ b/private/helloworld/Gemfile.lock
@@ -10,8 +10,8 @@ GEM
 i18n (>= 1.6, < 2)
 minitest (>= 5.1)
 tzinfo (~> 2.0)
- addressable (2.8.7)
- public_suffix (>= 2.0.2, < 7.0)
+ addressable (2.9.0)
+ public_suffix (>= 2.0.2, < 8.0)
 algoliasearch (1.27.5)
 httpclient (~> 2.8, >= 2.8.3)
 json (>= 1.5.1)
diff --git a/yarn.lock b/yarn.lock
index 36a6c026505e..b2ce8ccc5a22 100644
--- a/yarn.lock
+++ b/yarn.lock
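Review bot: In the package.json hunk the `yaml` resolution floor is `^2.8.3`, while the commit message and the yarn.lock hunk put the fixed release at 2.9.0; a resolution only sets a lower bound, so a regenerated lockfile could legitimately land on a release below the one the message names as the fix. If 2.9.0 is the first patched release the line should read `"yaml": "^2.9.0"`; if 2.8.3 already contains the fix, the message and changelog should say so instead. The four new entries also use caret ranges while every neighbouring entry (`"lodash": "4.18.1"`, `"@microsoft/api-extractor/minimatch": "3.1.4"`) is an exact pin, which is the style the block appears to follow. The enclosing object — presumably `resolutions`, its key is above the hunk — starts outside the hunk.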
@@ -2584,10 +2584,10 @@
 resolved "https://registry.yarnpkg.com/@vscode/sudo-prompt/-/sudo-prompt-9.3.1.tgz#c562334bc6647733649fd42afc96c0eea8de3b65"
 integrity sha512-9ORTwwS74VaTn38tNbQhsA5U44zkJfcb0BdTSyyG6frP4e8KMtHuTXYmwefe5dpL8XB1aGSIVTaLjD3BbWb5iA==
 
-"@xmldom/xmldom@^0.8.8":
- version "0.8.10"
- resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.10.tgz#a1337ca426aa61cef9fe15b5b28e340a72f6fa99"
- integrity sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==
+"@xmldom/xmldom@^0.8.13", "@xmldom/xmldom@^0.8.8":
+ version "0.8.13"
+ resolved "https://registry.yarnpkg.com/@xmldom/xmldom/-/xmldom-0.8.13.tgz#00d1dd940b218dff2e49309d410d8bb212159225"
+ integrity sha512-KRYzxepc14G/CEpEGc3Yn+JKaAeT63smlDr+vjB8jRfgTBBI9wRj/nkQEO+ucV8p8I9bfKLWp37uHgFrbntPvw==
 
 abort-controller@^3.0.0:
 version "3.0.0"
@@ -4643,15 +4643,15 @@ fast-levenshtein@^2.0.6:
 resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
 integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
 
-fast-uri@^3.0.1:
- version "3.0.6"
- resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.0.6.tgz#88f130b77cfaea2378d56bf970dea21257a68748"
- integrity sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==
+fast-uri@^3.0.1, fast-uri@^3.1.2:
+ version "3.1.2"
+ resolved "https://registry.yarnpkg.com/fast-uri/-/fast-uri-3.1.2.tgz#8af3d4fc9d3e71b11572cc2673b514a7d1a8c8ec"
+ integrity sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==
 
-fast-xml-parser@^4.4.1:
- version "4.5.4"
- resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.5.4.tgz#64e52ddf1308001893bd225d5b1768840511c797"
- integrity sha512-jE8ugADnYOBsu1uaoayVl1tVKAMNOXyjwvv2U6udEA2ORBhDooJDWoGxTkhd4Qn4yh59JVVt/pKXtjPwx9OguQ==
+fast-xml-parser@^4.4.1, fast-xml-parser@^4.5.6:
+ version "4.5.6"
+ resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-4.5.6.tgz#4ff57d4aca13a2d11aa42ad460495cf00f32b655"
+ integrity sha512-Yd4vkROfJf8AuJrDIVMVmYfULKmIJszVsMv7Vo71aocsKgFxpdlpSHXSaInvyYfgw2PRuObQSW2GFpVMUjxu9A==
 dependencies:
 strnum "^1.0.5"
 
@@ -9661,15 +9661,10 @@ yallist@^4.0.0:
 resolved "https://registry.yarnpkg.com/yallist/-/yallist-4.0.0.tgz#9bb92790d9c0effec63be73519e11a35019a3a72"
 integrity sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==
 
-yaml@^2.2.1:
- version "2.5.0"
- resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.5.0.tgz#c6165a721cf8000e91c36490a41d7be25176cf5d"
- integrity sha512-2wWLbGbYDiSqqIKoPjar3MPgB94ErzCtrNE1FdqGuaO0pi2JGjmE8aW8TDZwzU7vuxcGRdL/4gPQwQ7hD5AMSw==
-
-yaml@^2.6.1:
- version "2.8.1"
- resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.8.1.tgz#1870aa02b631f7e8328b93f8bc574fac5d6c4d79"
- integrity sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==
+yaml@^2.2.1, yaml@^2.6.1, yaml@^2.8.3:
+ version "2.9.0"
+ resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.9.0.tgz#78274afd93598a1dfdd6130df6a566defcbf9aa4"
+ integrity sha512-2AvhNX3mb8zd6Zy7INTtSpl1F15HW6Wnqj0srWlkKLcpYl/gMIMJiyuGq2KeI2YFxUPjdlB+3Lc10seMLtL4cA==
 
 yargs-parser@^18.1.2:
 version "18.1.3"