
npm audit fix: resolve security vulnerabilities in RNMapsSampleApp#167

Merged
coliff merged 2 commits into main from copilot/npm-audit-fix on Apr 10, 2026

Conversation

Copilot AI commented Apr 3, 2026


8 known vulnerabilities (5 high, 3 moderate) in the React Native sample app's dependency tree. Running npm audit fix updates package-lock.json to pull in patched transitive versions.

Fixed

| Package | Severity | Issue |
| --- | --- | --- |
| lodash | High | Code injection / prototype pollution |
| flatted | High | Unbounded recursion DoS / prototype pollution |
| glob | High | CLI command injection |
| picomatch | High | Method injection / ReDoS |
| fast-xml-parser | High → resolved | Numeric entity expansion bypass |
| ajv | Moderate | ReDoS via $data option |
| brace-expansion | Moderate | Zero-step sequence DoS |
| yaml | Moderate | Stack overflow on deeply nested collections |

Remaining (7 moderate)

fast-xml-parser via @react-native-community/cli chain still has one moderate CVE (GHSA-jp2q-39xq-3w4g). The fix requires npm audit fix --force, which bumps @react-native-community/cli to v20 — a breaking change deferred intentionally.

Only package-lock.json changed — no production source modifications.
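As an added example (not code from this PR or from the repository it touches), the triage the description performs by hand, done over `npm audit --json` output: findings that plain `npm audit fix` clears are separated from those whose only fix is a semver-major bump, which is exactly the `--force` case deferred above. The JSON shape is assumed to be the npm 7+ format (`vulnerabilities[name]` with `severity`, `isDirect`, `via`, `fixAvailable`); the embedded report is constructed from the PR description, and the `GHSA-placeholder-lodash` id and the `20.0.0` version are placeholders, not values from the page.

```javascript
// Added example, not code from the PR or the project it modifies: triage an
// `npm audit --json` report into findings `npm audit fix` resolves and
// findings that would need `npm audit fix --force` (a semver-major, i.e.
// breaking, upgrade of the package npm would bump).
// Assumed npm 7+ JSON shape: report.vulnerabilities[name] carries `severity`,
// `isDirect`, `via` (package-name strings or advisory objects with a `url`)
// and `fixAvailable` (true | false | { name, version, isSemVerMajor }).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Pull GHSA identifiers out of the advisory objects in a finding's `via` list.
function advisoryIds(vuln) {
  const ids = [];
  for (const v of vuln.via || []) {
    if (typeof v === "object" && v !== null && typeof v.url === "string") {
      const m = v.url.match(/GHSA-[\w-]+$/);
      ids.push(m ? m[0] : v.url);
    }
  }
  return ids;
}

function byName(a, b) {
  return a.name < b.name ? -1 : a.name > b.name ? 1 : 0;
}

// Split the report into three buckets, each sorted by severity (highest first).
function triageAudit(report) {
  const buckets = { fixable: [], needsForce: [], unfixable: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    const entry = {
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      advisories: advisoryIds(vuln),
      // the package npm would bump to clear this finding, when it names one
      fixVia: fix && typeof fix === "object" ? `${fix.name}@${fix.version}` : null,
    };
    if (!fix) buckets.unfixable.push(entry);
    else if (typeof fix === "object" && fix.isSemVerMajor) buckets.needsForce.push(entry);
    else buckets.fixable.push(entry);
  }
  for (const list of Object.values(buckets)) {
    list.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || byName(a, b));
  }
  return buckets;
}

// Count findings per severity, e.g. { high: 5, moderate: 3 }.
function countBySeverity(entries) {
  const counts = {};
  for (const e of entries) counts[e.severity] = (counts[e.severity] || 0) + 1;
  return counts;
}

// Constructed sample modelled on the PR description; not real audit output.
// GHSA-jp2q-39xq-3w4g is the advisory the PR names; the other id, the titles
// and the cli version are placeholders.
const SAMPLE_REPORT = {
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: false,
      via: [{ title: "placeholder title", url: "https://github.com/advisories/GHSA-placeholder-lodash", severity: "high" }],
      fixAvailable: true,
    },
    "fast-xml-parser": {
      name: "fast-xml-parser", severity: "moderate", isDirect: false,
      via: [{ title: "placeholder title", url: "https://github.com/advisories/GHSA-jp2q-39xq-3w4g", severity: "moderate" }],
      fixAvailable: { name: "@react-native-community/cli", version: "20.0.0", isSemVerMajor: true },
    },
    "@react-native-community/cli": {
      name: "@react-native-community/cli", severity: "moderate", isDirect: true,
      via: ["fast-xml-parser"],
      fixAvailable: { name: "@react-native-community/cli", version: "20.0.0", isSemVerMajor: true },
    },
  },
};

// Usage: npm audit --json > audit.json && node triage-audit.js audit.json
// Without an argument the constructed sample is triaged instead.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const report = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_REPORT;
  const result = triageAudit(report);
  for (const [bucket, list] of Object.entries(result)) {
    console.log(`${bucket}: ${list.length}`, countBySeverity(list));
    for (const e of list) {
      console.log(`  ${e.severity.padEnd(8)} ${e.name}${e.fixVia ? " -> " + e.fixVia : ""} ${e.advisories.join(",")}`);
    }
  }
}
```

Running it against the real lockfile's audit output reproduces the split the description reports: the `needsForce` bucket is the part that only `--force` clears, and its `fixVia` field shows which package the breaking bump lands on, so the decision to defer it can be reviewed rather than taken on the basis of a severity count alone.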

Copilot AI linked an issue Apr 3, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Run npm audit fix for security vulnerabilities" to "npm audit fix: resolve security vulnerabilities in RNMapsSampleApp" Apr 3, 2026
Copilot AI requested a review from coliff April 3, 2026 13:22
coliff marked this pull request as ready for review April 3, 2026 13:23
Copilot AI review requested due to automatic review settings April 3, 2026 13:23

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • react_native/trimblemaps-mobile-sdk-demo-reactnative/react_native/RNMapsSampleApp/package-lock.json: Language not supported


coliff requested a review from jjimenezTrimble April 6, 2026 06:18
coliff merged commit 7a40b00 into main Apr 10, 2026
10 of 11 checks passed
coliff deleted the copilot/npm-audit-fix branch April 10, 2026 13:56


Development

Successfully merging this pull request may close these issues.

npm audit fix

4 participants