From 2464df2c8c441335c7a217eab0a6a259be3f1795 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 28 Apr 2026 16:07:14 +0200
Subject: [PATCH 1/2] fix(deps): resolve Dependabot alerts #657 and #658

Add overrides in expo-purchasely-test to enforce patched floors:
- postcss >=8.5.10 (GHSA-qx2v-qp2m-jg93, XSS via unescaped )
- uuid >=14.0.0 (GHSA-w5hq-g745-h8pq, buffer bounds check)

Lockfile resolves to postcss 8.5.12 and uuid 14.0.0; npm audit reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../expo-purchasely-test/package-lock.json | 20 +++++++++++--------
 .../expo-purchasely-test/package.json | 2 ++
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/test-projects/expo-purchasely-test/package-lock.json b/test-projects/expo-purchasely-test/package-lock.json
index 3172f99..1cb65d8 100644
--- a/test-projects/expo-purchasely-test/package-lock.json
+++ b/test-projects/expo-purchasely-test/package-lock.json
@@ -7113,9 +7113,9 @@
 }
 },
 "node_modules/postcss": {
- "version": "8.4.49",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
- "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
+ "version": "8.5.12",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+ "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
 "funding": [
 {
 "type": "opencollective",
@@ -7132,7 +7132,7 @@
 ],
 "license": "MIT",
 "dependencies": {
- "nanoid": "^3.3.7",
+ "nanoid": "^3.3.11",
 "picocolors": "^1.1.1",
 "source-map-js": "^1.2.1"
 },
@@ -8435,12 +8435,16 @@
 }
 },
 "node_modules/uuid": {
- "version": "7.0.3",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-7.0.3.tgz",
- "integrity": "sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==",
+ "version": "14.0.0",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-14.0.0.tgz",
+ "integrity": "sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==",
+ "funding": [
+ "https://github.com/sponsors/broofa",
+ "https://github.com/sponsors/ctavan"
+ ],
 "license": "MIT",
 "bin": {
- "uuid": "dist/bin/uuid"
+ "uuid": "dist-node/bin/uuid"
 }
 },
 "node_modules/validate-npm-package-name": {
diff --git a/test-projects/expo-purchasely-test/package.json b/test-projects/expo-purchasely-test/package.json
index f17db40..c7dcaa7 100644
--- a/test-projects/expo-purchasely-test/package.json
+++ b/test-projects/expo-purchasely-test/package.json
@@ -31,8 +31,10 @@
 "flatted": ">=3.3.4",
 "minimatch": ">=3.1.3",
 "node-forge": ">=1.4.0",
+ "postcss": ">=8.5.10",
 "tar": ">=7.5.10",
 "undici": ">=6.24.0",
+ "uuid": ">=14.0.0",
 "yaml": ">=2.8.3"
 }
 }
\ No newline at end of file

From 91e32cdf3f512130702ef3e9e1c35e189ed633bb Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 28 Apr 2026 16:21:47 +0200
Subject: [PATCH 2/2] fix(deps): drop uuid override (incompatible with xcode CJS)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Greptile flagged that uuid v10+ dropped CommonJS support and v14 requires Node ≥20, which would break the only consumer in this tree: xcode@3.0.1 declares uuid ^7.0.3 and uses require('uuid') (CJS). GHSA-w5hq-g745-h8pq has no patched version in the v7 range, so we cannot satisfy both xcode and the advisory. Per Greptile's second recommendation, accept the audit finding for this build-time dev dependency that never processes user-supplied buf arguments. Dependabot alert #657 will be dismissed as tolerable_risk.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../expo-purchasely-test/package-lock.json | 22 ++++++++-----------
 .../expo-purchasely-test/package.json | 1 -
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/test-projects/expo-purchasely-test/package-lock.json b/test-projects/expo-purchasely-test/package-lock.json
index 1cb65d8..644f7ab 100644
--- a/test-projects/expo-purchasely-test/package-lock.json
+++ b/test-projects/expo-purchasely-test/package-lock.json
@@ -8434,19 +8434,6 @@
 "node": ">= 0.4.0"
 }
 },
- "node_modules/uuid": {
- "version": "14.0.0",
- "resolved": "https://registry.npmjs.org/uuid/-/uuid-14.0.0.tgz",
- "integrity": "sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==",
- "funding": [
- "https://github.com/sponsors/broofa",
- "https://github.com/sponsors/ctavan"
- ],
- "license": "MIT",
- "bin": {
- "uuid": "dist-node/bin/uuid"
- }
- },
 "node_modules/validate-npm-package-name": {
 "version": "5.0.1",
 "resolved": "https://registry.npmjs.org/validate-npm-package-name/-/validate-npm-package-name-5.0.1.tgz",
@@ -8642,6 +8629,15 @@
 "node": ">=10.0.0"
 }
 },
+ "node_modules/xcode/node_modules/uuid": {
+ "version": "7.0.3",
+ "resolved": "https://registry.npmjs.org/uuid/-/uuid-7.0.3.tgz",
+ "integrity": "sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==",
+ "license": "MIT",
+ "bin": {
+ "uuid": "dist/bin/uuid"
+ }
+ },
 "node_modules/xml2js": {
 "version": "0.6.0",
 "resolved": "https://registry.npmjs.org/xml2js/-/xml2js-0.6.0.tgz",
diff --git a/test-projects/expo-purchasely-test/package.json b/test-projects/expo-purchasely-test/package.json
index c7dcaa7..023e594 100644
--- a/test-projects/expo-purchasely-test/package.json
+++ b/test-projects/expo-purchasely-test/package.json
@@ -34,7 +34,6 @@
 "postcss": ">=8.5.10",
 "tar": ">=7.5.10",
 "undici": ">=6.24.0",
- "uuid": ">=14.0.0",
 "yaml": ">=2.8.3"
 }
 }
\ No newline at end of file