
fix(deps): resolve remaining Dependabot alerts#233

Merged: kherembourg merged 1 commit into main from fix/dependabot-open-alerts on Apr 16, 2026

Conversation

@kherembourg
Contributor

Summary

  • resolve the 6 remaining Dependabot alerts in a single branch/PR
  • bump the root Yarn resolutions for flatted and picomatch so yarn.lock resolves to patched versions
  • remove the direct activesupport declaration from example/Gemfile so the example no longer advertises the vulnerable dependency directly

Root cause

The repository already fixed the earlier JavaScript advisories in PR #231, but GitHub still reported 6 open alerts:

  • flatted in yarn.lock
  • picomatch in yarn.lock (2 advisories on the same vulnerable resolution)
  • activesupport in example/Gemfile (3 advisories on the direct gem declaration)

Changes

  • package.json
    • raise flatted resolution from >=3.3.4 to >=3.4.2
    • add explicit Yarn resolutions for picomatch@npm:^4.0.2 and picomatch@npm:^4.0.3 to 4.0.4
  • yarn.lock
    • resolve flatted to 3.4.2
    • resolve the vulnerable picomatch entry to 4.0.4
  • example/Gemfile
    • remove the direct activesupport gem declaration
    • keep the explicit cocoapods, xcodeproj, and concurrent-ruby constraints

Validation

  • corepack yarn test --maxWorkers=2
  • corepack yarn typecheck
  • corepack yarn lint
    • completed with existing warnings from the untracked local packages/purchasely/coverage/ directory, not from the changed files

Notes

  • gh auth status succeeds outside the sandbox via the macOS keyring. The earlier failure came from running gh inside the sandboxed environment, not from a broken GitHub login.

@kherembourg kherembourg requested a review from chouaibMo April 16, 2026 10:24
@kherembourg kherembourg marked this pull request as ready for review April 16, 2026 10:24
@kherembourg kherembourg force-pushed the fix/dependabot-open-alerts branch from 60aa43b to 5b75cc2 Compare April 16, 2026 10:24
greptile-apps Bot commented Apr 16, 2026

Greptile Summary

This PR resolves 6 remaining Dependabot security alerts by bumping flatted and picomatch resolutions in package.json/yarn.lock, and by removing the direct activesupport gem declaration from example/Gemfile. The JS dependency changes are clean and correctly applied.

  • The activesupport removal also silently drops a documented != 7.1.0 exclusion that was guarding against an activesupport version known to cause CocoaPods build failures. If Bundler resolves to exactly 7.1.0 as a transitive dep of cocoapods, the iOS build may break.

Confidence Score: 4/5

Safe to merge with one minor caveat: the dropped activesupport 7.1.0 exclusion could break iOS builds if Bundler resolves to that version.

All JS dependency changes are correct and well-targeted. The only concern is the Gemfile change, which, while fixing the Dependabot alerts, removes a previously intentional != 7.1.0 guard without explanation. Since there's no committed Gemfile.lock we can't verify what Bundler would actually resolve to, and the risk is speculative but documented by the original code comment.

example/Gemfile — verify that Bundler no longer resolves activesupport to 7.1.0 after removing the direct gem declaration.

Important Files Changed

| Filename | Overview |
|---|---|
| example/Gemfile | Removes direct activesupport gem declaration (resolving 3 Dependabot alerts), but also silently drops the != 7.1.0 exclusion that was documented as preventing build failures. |
| package.json | Bumps flatted resolution from >=3.3.4 to >=3.4.2 and adds explicit picomatch@npm:^4.0.2/^4.0.3 resolutions to 4.0.4 — correct Yarn Berry syntax, resolves targeted advisories. |
| yarn.lock | Lock file correctly reflects flatted@3.4.2 and picomatch@4.0.4 resolutions; existing picomatch@^2.x entries remain unaffected. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot Alerts] --> B{Alert Type}
    B --> C[JS: flatted in yarn.lock]
    B --> D[JS: picomatch v4 in yarn.lock\n2 advisories]
    B --> E[Ruby: activesupport in Gemfile\n3 advisories]

    C --> F[package.json: raise flatted\nresolution to >=3.4.2]
    D --> G[package.json: add picomatch\nresolutions ^4.0.2 & ^4.0.3 → 4.0.4]
    E --> H[Gemfile: remove direct\nactivesupport declaration]

    F --> I[yarn.lock: flatted@3.4.2 ✓]
    G --> J[yarn.lock: picomatch@4.0.4 ✓]
    H --> K[Bundler resolves activesupport\nas transitive dep of cocoapods]

    K --> L{Risk: activesupport 7.1.0\nexclusion also removed}
    L -->|7.1.0 resolved| M[⚠️ Possible iOS build failure]
    L -->|>7.1.0 resolved| N[✅ Build succeeds]
```


Comment thread on example/Gemfile, lines 7 to 9:
gem 'cocoapods', '>= 1.13', '!= 1.15.0', '!= 1.15.1'
gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0'
gem 'xcodeproj', '< 1.26.0'
gem 'concurrent-ruby', '< 1.3.4'

P2 activesupport 7.1.0 exclusion silently dropped

The previous Gemfile held gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0' with a comment that explicitly called out activesupport 7.1.0 as causing build failures. Removing the entire line also removes the != 7.1.0 guard. If Bundler resolves activesupport to exactly 7.1.0 (still technically possible if the cocoapods gem's own gemspec allows it), iOS CocoaPods-dependent builds could break. Consider adding a scoped re-exclusion if the 7.1.0 bug is still relevant:

Suggested change
gem 'cocoapods', '>= 1.13', '!= 1.15.0', '!= 1.15.1'
gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0'
gem 'xcodeproj', '< 1.26.0'
gem 'concurrent-ruby', '< 1.3.4'
gem 'cocoapods', '>= 1.13', '!= 1.15.0', '!= 1.15.1'
gem 'activesupport', '!= 7.1.0'
gem 'xcodeproj', '< 1.26.0'
gem 'concurrent-ruby', '< 1.3.4'
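Review bot: the suggested `gem 'activesupport', '!= 7.1.0'` keeps the 7.1.0 guard but drops the `>= 6.1.7.5` floor entirely, so it silences the alerts rather than guaranteeing a patched activesupport: with no floor, Bundler may pick any version the cocoapods gemspec allows, including releases older than the ones the three advisories cover, and since no Gemfile.lock is committed (as the summary notes) nothing records what it chose. Prefer keeping a floor and raising it past the advisories' fixed versions, e.g. `gem 'activesupport', '>= <first patched version>', '!= 7.1.0'`, and consider committing example/Gemfile.lock so the resolved version is pinned and reviewable.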

This removes the lower-bound that was triggering Dependabot alerts (by no longer declaring a range that covers vulnerable versions) while still protecting against the known broken release.
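The check the summary and this review comment ask for, as an added example that is not code from the PR or the project: a Ruby script that reads the activesupport version Bundler actually resolved in a Gemfile.lock and classifies it against the constraint the removed Gemfile line enforced (>= 6.1.7.5, != 7.1.0). Because the PR has no committed lock, the lockfile contents below are constructed; `resolved_version` and `check_activesupport` are names chosen here.

```ruby
# Added example (not the project's code): check which activesupport version a
# Gemfile.lock actually resolved against the constraint the removed Gemfile
# line enforced. Gem::Requirement / Gem::Version are Bundler's own matchers.
ACTIVESUPPORT_REQUIREMENT = Gem::Requirement.new('>= 6.1.7.5', '!= 7.1.0')
BROKEN_RELEASE = Gem::Version.new('7.1.0') # documented CocoaPods build breaker

# Constructed Gemfile.lock fragment (the PR has no committed lock), resolved
# to the exact release the old Gemfile excluded.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.1.0)
        base64
      cocoapods (1.15.2)
        activesupport (>= 5.0, < 8)
      concurrent-ruby (1.3.3)

  PLATFORMS
    ruby
LOCK

# Resolved Gem::Version of `gem_name` from the lock's `specs:` blocks, or nil.
# Resolved specs sit at exactly four spaces; dependency lines (six) are skipped.
def resolved_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == 'specs:'
    in_specs = false if line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[2]) if m && m[1] == gem_name
  end
  nil
end

# :missing, :broken_release (7.1.0), :too_old (below the 6.1.7.5 floor) or :ok.
def check_activesupport(lockfile_text)
  version = resolved_version(lockfile_text, 'activesupport')
  return :missing if version.nil?
  return :broken_release if version == BROKEN_RELEASE
  return :too_old unless ACTIVESUPPORT_REQUIREMENT.satisfied_by?(version)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK # pass a real lock path
  puts "activesupport resolution: #{check_activesupport(text)}"
end
```

Run it against the real lock after `bundle lock` in example/ to see whether the 7.1.0 concern materialises; anything other than :ok is worth fixing before merging a Gemfile change like this one.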


@kherembourg kherembourg merged commit 47f06b2 into main Apr 16, 2026
4 checks passed
@kherembourg kherembourg deleted the fix/dependabot-open-alerts branch April 16, 2026 12:07
