fix(deps): resolve all open Dependabot alerts (#659-#680) #241

Open
kherembourg wants to merge 1 commit into main from fix/dependabot-alerts-batch-may-2026

Conversation

@kherembourg
Contributor

Summary

Resolves all 22 currently open Dependabot alerts (#659 → #680) across the monorepo and both test-projects.

Changes

Root (yarn.lock)

  • Bump turbo to ^2.9.14 in packages/{amazon,google,huawei,android-player}/package.json (closes #669–#676, #679–#680 — login callback CSRF + Yarn Berry detection RCE)
  • Add/bump root resolutions:
    • @babel/plugin-transform-modules-systemjs >=7.29.4 (#667, high)
    • basic-ftp >=5.3.1 (#659, high)
    • fast-xml-builder >=1.1.7 (#660, #662)
    • ip-address >=10.1.1 (#665, medium)

test-projects/expo-purchasely-test (npm overrides)

  • uuid >=11.1.1 (#678, medium)
  • ws >=8.20.1 (#677, medium)
  • fast-uri >=3.1.2 (#664, #666, high)

test-projects/rn-purchasely-test (npm overrides)

  • @babel/plugin-transform-modules-systemjs >=7.29.4 (#668, high)
  • fast-xml-builder >=1.1.7 (#661, #663)

Resolved versions (lockfiles)

Package                                    Version
turbo                                      2.9.14
@babel/plugin-transform-modules-systemjs   7.29.4
basic-ftp                                  6.0.1
fast-xml-builder                           1.2.0
ip-address                                 10.2.0
uuid (expo)                                14.0.0
ws (expo)                                  8.20.1
fast-uri (expo)                            3.1.2

Test plan

  • yarn install regenerates yarn.lock cleanly
  • npm install --package-lock-only regenerates both test-projects lockfiles (0 vulnerabilities)
  • yarn lint (0 errors)
  • yarn typecheck (0 errors)
  • yarn test — 4 suites, 139 tests pass
  • CI: lint, test, build-android, build-ios pass
  • Confirm Dependabot closes alerts #659–#680 after merge

🤖 Generated with Claude Code

Bump direct deps and add yarn resolutions / npm overrides to patch 22
open Dependabot alerts across the monorepo and the two test-projects.

Root (yarn.lock):
- turbo ^2.9.14 in packages/{amazon,google,huawei,android-player}
  (GHSA login callback CSRF #673-#676 + Yarn Berry detection RCE #669-#672 +
   root yarn.lock #679-#680)
- resolutions added/bumped:
  - @babel/plugin-transform-modules-systemjs >=7.29.4 (#667 high)
  - basic-ftp >=5.3.1 (#659 high)
  - fast-xml-builder >=1.1.7 (#660, #662 high+medium)
  - ip-address >=10.1.1 (#665 medium)

test-projects/expo-purchasely-test (npm overrides):
- uuid >=11.1.1 (#678 medium)
- ws >=8.20.1 (#677 medium)
- fast-uri >=3.1.2 (#664, #666 high)

test-projects/rn-purchasely-test (npm overrides):
- @babel/plugin-transform-modules-systemjs >=7.29.4 (#668 high)
- fast-xml-builder >=1.1.7 (#661, #663 high+medium)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
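The test plan above relies on `npm install --package-lock-only` reporting 0 vulnerabilities. As an added example that is not part of this PR or of the repository's tooling, the Node script below checks the same property directly: every npm override floor is honoured by every copy of that package recorded in package-lock.json, including nested node_modules sub-installs (the `ws 6.x` sub-installs that the lockfile regeneration removed are exactly the case a top-level-only check misses). The lockfile contents, the override shape handled (`>=x.y.z` floors only, which is what this PR uses) and the sample versions are constructed for the example.

```javascript
// Added example (not the repository's own tooling): verify that every npm
// "overrides" floor is honoured by every copy of the package recorded in
// package-lock.json, including nested node_modules installs.

// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored.
// Assumption: the floors in this PR are all plain release versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing major, minor and patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Only ">=x.y.z" floors are supported (the shape used in this PR's overrides).
function parseFloor(range) {
  const m = /^>=\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return m[1];
}

// Package name for a lockfile path, e.g.
// "node_modules/engine.io/node_modules/ws" -> "ws",
// "node_modules/@babel/core"               -> "@babel/core".
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Walk the lockfile's "packages" map (npm lockfile v2/v3) and return one
// violation per entry whose resolved version is below the override floor.
function checkOverrides(overrides, lock) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = nameFromLockPath(path);
    if (!name || !(name in overrides) || !entry.version) continue;
    const floor = parseFloor(overrides[name]);
    if (compareVersions(entry.version, floor) < 0) {
      violations.push({ path, name, version: entry.version, floor });
    }
  }
  return violations;
}

// Constructed sample data modelled on the expo test project in this PR.
const SAMPLE_OVERRIDES = { 'fast-uri': '>=3.1.2', uuid: '>=11.1.1', ws: '>=8.20.1' };

// Constructed "before" lockfile: top-level ws is fine, but a nested copy and
// an old fast-uri still violate the floors.
const LOCK_BEFORE = { packages: {
  '': { name: 'expo-purchasely-test', version: '1.0.0' },
  'node_modules/ws': { version: '8.20.1' },
  'node_modules/engine.io/node_modules/ws': { version: '6.2.3' }, // leftover sub-install (constructed)
  'node_modules/uuid': { version: '14.0.0' },
  'node_modules/fast-uri': { version: '3.0.6' },
}};

// Constructed "after" lockfile: every copy satisfies its floor.
const LOCK_AFTER = { packages: {
  '': { name: 'expo-purchasely-test', version: '1.0.0' },
  'node_modules/ws': { version: '8.20.1' },
  'node_modules/uuid': { version: '14.0.0' },
  'node_modules/fast-uri': { version: '3.1.2' },
}};

console.log('before:', checkOverrides(SAMPLE_OVERRIDES, LOCK_BEFORE));
console.log('after:', checkOverrides(SAMPLE_OVERRIDES, LOCK_AFTER));
```

To run it against a real lockfile, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the `overrides` object from package.json. The check reads npm's `packages` map (lockfile v2/v3) only; yarn.lock uses a different format and would need its own parser.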
@greptile-apps

greptile-apps Bot commented May 22, 2026

Greptile Summary

This PR resolves 22 open Dependabot alerts across the monorepo and both test projects by bumping vulnerable transitive dependencies via Yarn resolutions and npm overrides, and upgrading turbo from v1 to v2 in all four sub-packages.

  • Root package.json: Adds/bumps resolutions for @babel/plugin-transform-modules-systemjs, basic-ftp, fast-xml-builder, and ip-address to close high/medium Dependabot alerts.
  • Sub-packages (amazon, android-player, google, huawei): Bumps turbo devDependency from ^1.10.7 to ^2.9.14 — but their turbo.json files still use the v1 pipeline key (renamed to tasks in Turbo v2), which will silently break build:android and build:ios tasks.
  • Test projects: Adds fast-uri, uuid, ws, and fast-xml-builder overrides in both test project package.json files and regenerates their lockfiles cleanly.

Confidence Score: 3/5

Merging will fix all 22 Dependabot alerts, but the Turbo v1→v2 major bump will break the native build tasks in all four sub-packages until their turbo.json files are migrated.

The security fixes and lockfile changes are correct and well-scoped. However, bumping turbo to v2 while leaving all four turbo.json files using the v1 pipeline key (which Turbo v2 no longer recognizes — it expects tasks) means build:android and build:ios won't execute via the pipeline after this lands. The CI build jobs that depend on those tasks could silently do nothing or error.

packages/amazon/turbo.json, packages/android-player/turbo.json, packages/google/turbo.json, packages/huawei/turbo.json — all need pipeline renamed to tasks to be compatible with Turbo v2.

Important Files Changed

Filename / Overview

package.json
  Adds four new Yarn resolutions (@babel/plugin-transform-modules-systemjs, bumps basic-ftp, adds fast-xml-builder, ip-address) to address Dependabot alerts; no logic issues.
packages/amazon/package.json
  Bumps turbo devDependency from ^1.10.7 to ^2.9.14, but the package's turbo.json still uses the v1 pipeline key (removed in Turbo v2), which will break build:android and build:ios tasks.
packages/android-player/package.json
  Same turbo v1→v2 bump as amazon; same turbo.json pipeline compatibility issue applies.
packages/google/package.json
  Same turbo v1→v2 bump; turbo.json pipeline key still present and incompatible with v2.
packages/huawei/package.json
  Same turbo v1→v2 bump; turbo.json pipeline key still present and incompatible with v2.
test-projects/expo-purchasely-test/package.json
  Adds npm overrides for fast-uri >=3.1.2, uuid >=11.1.1, and ws >=8.20.1 to address Dependabot alerts; straightforward security fix.
test-projects/rn-purchasely-test/package.json
  Adds npm overrides for @babel/plugin-transform-modules-systemjs >=7.29.4 and fast-xml-builder >=1.1.7; straightforward security fix.
test-projects/expo-purchasely-test/package-lock.json
  Lockfile regenerated: removes vulnerable ws 6.x sub-installs and old async-limiter, upgrades fast-uri to 3.1.2, adds uuid 14.0.0.
test-projects/rn-purchasely-test/package-lock.json
  Lockfile regenerated: upgrades @babel/plugin-transform-modules-systemjs to 7.29.4, fast-xml-builder to 1.2.0, adds new transitive dep xml-naming.
yarn.lock
  Root lockfile regenerated with Turbo 2.9.14 binaries added and all new resolution overrides resolved correctly.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Root package.json resolutions] -->|basic-ftp, babel, fast-xml-builder, ip-address| B[yarn.lock]
    C[sub-packages amazon/google/huawei/android-player] -->|turbo v2.9.14| B
    D[expo-purchasely-test overrides] -->|fast-uri, uuid, ws| E[expo package-lock.json]
    F[rn-purchasely-test overrides] -->|babel, fast-xml-builder| G[rn package-lock.json]
    C -->|turbo.json still uses pipeline key| H[Build broken in Turbo v2]

"react-native": "0.79.2",
"react-native-builder-bob": "^0.36.0",
"turbo": "^1.10.7",
"turbo": "^2.9.14",
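Review bot: this major-version bump (^1.10.7 to ^2.9.14) lands without the matching turbo.json change; the Greptile review on this PR notes that this package's turbo.json, and those of android-player, google and huawei, still declare their tasks under the v1 `pipeline` key, which Turbo 2.0 replaced with `tasks`. Suggest renaming the key in the same commit as the dependency bump so the two cannot be merged apart, and re-running the build-android / build-ios jobs listed in the test plan against the migrated config, since a green job that no longer dispatches `build:android` / `build:ios` through turbo would not have caught this.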

P1 Turbo v2 pipeline key no longer recognized

All four sub-packages (amazon, android-player, google, huawei) bump turbo from ^1.10.7 to ^2.9.14, but their turbo.json files still use the v1 pipeline key, which was removed in Turbo 2.0 (renamed to tasks). Turbo v2 will silently ignore or error on the stale pipeline config, meaning build:android and build:ios tasks defined in those files won't execute as part of the pipeline. The same issue applies to packages/android-player/turbo.json, packages/google/turbo.json, and packages/huawei/turbo.json. Each of those files needs "pipeline" renamed to "tasks" to work with Turbo v2.

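The review comment above describes the gap between the declared turbo major and the turbo.json format. As an added example, not code from this PR or from Turborepo, the Node snippet below implements the guard a CI step could run for each sub-package: read the turbo major declared in package.json and fail when turbo.json still uses the key belonging to the other major (`pipeline` for v1, `tasks` for v2). It also performs the mechanical key rename the comment asks for. The package.json and turbo.json contents are constructed for the example; only the task names `build:android` and `build:ios` come from the review.

```javascript
// Added example (not the repository's own code): guard that a package's
// turbo.json matches the major version of turbo it declares, so a v1 -> v2
// bump cannot land without the "pipeline" -> "tasks" rename.

// Major version from a caret/tilde/exact range such as "^2.9.14" or "1.10.7".
function declaredMajor(range) {
  const m = /^[\^~>=]*\s*v?(\d+)\./.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return Number(m[1]);
}

// Returns [] when turbo.json matches the declared major, else a list of findings.
function checkTurboConfig(pkg, turboJson) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if (!deps.turbo) return []; // package does not use turbo at all
  const major = declaredMajor(deps.turbo);
  const findings = [];
  if (major >= 2 && 'pipeline' in turboJson) {
    findings.push(`turbo ${deps.turbo} declared but turbo.json still uses "pipeline" (v2 expects "tasks")`);
  }
  if (major < 2 && 'tasks' in turboJson) {
    findings.push(`turbo ${deps.turbo} declared but turbo.json uses "tasks" (v1 expects "pipeline")`);
  }
  return findings;
}

// Mechanical rename of the key only; any other Turbo 2.0 migration steps
// are outside this function and must be handled separately.
function migrateTurboConfig(turboJson) {
  if (!('pipeline' in turboJson)) return { ...turboJson };
  const { pipeline, ...rest } = turboJson;
  return { ...rest, tasks: pipeline };
}

// Constructed samples modelled on packages/amazon after this PR's bump.
// "amazon" is a placeholder package name; the task bodies are constructed.
const PKG_AFTER_BUMP = { name: 'amazon', devDependencies: { turbo: '^2.9.14' } };
const PKG_BEFORE_BUMP = { name: 'amazon', devDependencies: { turbo: '^1.10.7' } };

const TURBO_JSON_V1 = {
  pipeline: {
    'build:android': { outputs: [] },
    'build:ios': { outputs: [] },
  },
};

console.log('v1 config + v1 turbo:', checkTurboConfig(PKG_BEFORE_BUMP, TURBO_JSON_V1));
console.log('v1 config + v2 turbo:', checkTurboConfig(PKG_AFTER_BUMP, TURBO_JSON_V1));
console.log('migrated + v2 turbo: ', checkTurboConfig(PKG_AFTER_BUMP, migrateTurboConfig(TURBO_JSON_V1)));
```

In a real pipeline, loop over `packages/*/package.json` and the sibling `turbo.json`, parse both with `JSON.parse(fs.readFileSync(...))`, and exit non-zero on any finding. Turborepo's own codemod (`npx @turbo/codemod migrate`) performs the rename together with the other 2.0 migration steps; the check here is what catches a bump that landed without it.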
