[Snyk] Upgrade react-native from 0.11.4 to 0.64.1 #1

snyk-bot · 2021-06-19T05:00:48Z

Snyk has created this PR to upgrade react-native from 0.11.4 to 0.64.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 302 versions ahead of your current version.
The recommended version was released a month ago, on 2021-05-05.

The recommended version fixes:

Issue	PriorityScore (*)	Exploit Maturity
Regular Expression Denial of Service (ReDoS) npm:underscore.string:20170908	375/1000 Why? CVSS 7.5	No Known Exploit
Improper minification of non-boolean comparisons npm:uglify-js:20150824	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Override Protection Bypass npm:qs:20170213	375/1000 Why? CVSS 7.5	No Known Exploit
Denial of Service (DoS) npm:qs:20140806	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:fresh:20170908	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Pollution npm:deep-extend:20180409	375/1000 Why? CVSS 7.5	No Known Exploit
Denial of Service (DoS) npm:ws:20171108	375/1000 Why? CVSS 7.5	Mature
Denial of Service (DoS) npm:ws:20160624	375/1000 Why? CVSS 7.5	No Known Exploit
Denial of Service (DoS) SNYK-JS-TRIMNEWLINES-1298042	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:minimatch:20160620	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-1019388	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Pollution SNYK-JS-MERGE-1042987	375/1000 Why? CVSS 7.5	Proof of Concept
Prototype Pollution SNYK-JS-MERGE-1040469	375/1000 Why? CVSS 7.5	No Known Exploit
Command Injection SNYK-JS-LODASHTEMPLATE-1088054	375/1000 Why? CVSS 7.5	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-73638	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Pollution SNYK-JS-LODASH-608086	375/1000 Why? CVSS 7.5	Proof of Concept
Prototype Pollution SNYK-JS-LODASH-590103	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Pollution SNYK-JS-LODASH-450202	375/1000 Why? CVSS 7.5	Proof of Concept
Command Injection SNYK-JS-LODASH-1040724	375/1000 Why? CVSS 7.5	Proof of Concept
Regular Expression Denial of Service (ReDoS) npm:uglify-js:20151024	375/1000 Why? CVSS 7.5	No Known Exploit
Uninitialized Memory Exposure npm:tunnel-agent:20170305	375/1000 Why? CVSS 7.5	Proof of Concept
Root Path Disclosure npm:send:20151103	375/1000 Why? CVSS 7.5	No Known Exploit
Directory Traversal npm:send:20140912	375/1000 Why? CVSS 7.5	No Known Exploit
Denial of Service (DoS) npm:qs:20140806-1	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:ms:20151024	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Pollution npm:hoek:20180212	375/1000 Why? CVSS 7.5	No Known Exploit
Non-Constant Time String Comparison npm:cookie-signature:20160804	375/1000 Why? CVSS 7.5	No Known Exploit
Insecure Randomness npm:ws:20160920	375/1000 Why? CVSS 7.5	No Known Exploit
Remote Memory Exposure npm:ws:20160104	375/1000 Why? CVSS 7.5	No Known Exploit
Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	375/1000 Why? CVSS 7.5	Proof of Concept
Prototype Pollution SNYK-JS-MINIMIST-559764	375/1000 Why? CVSS 7.5	Proof of Concept
Prototype Pollution npm:lodash:20180130	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	375/1000 Why? CVSS 7.5	No Known Exploit
Prototype Pollution SNYK-JS-LODASH-567746	375/1000 Why? CVSS 7.5	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	375/1000 Why? CVSS 7.5	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	375/1000 Why? CVSS 7.5	No Known Exploit
Arbitrary Code Injection SNYK-JS-EJS-1049328	375/1000 Why? CVSS 7.5	Proof of Concept
Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESSTAR-559095	375/1000 Why? CVSS 7.5	Proof of Concept
Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JS-DECOMPRESS-557358	375/1000 Why? CVSS 7.5	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-1298035	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:mime:20170907	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:debug:20170905	375/1000 Why? CVSS 7.5	No Known Exploit
Regular Expression Denial of Service (ReDoS) npm:braces:20180219	375/1000 Why? CVSS 7.5	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: react-native

0.64.1 - 2021-05-05
This patch release is specifically targetted towards fixing iOS build problems in Xcode 12.5. If it doesn't help, please refer to this issue.

Aside from bumping your version from 0.64.0 to 0.64.1, please check your podfile.lock and make sure that Flipper is on 0.75 or higher, and Flipper-Folly is 2.5.3 or higher; if not, add this line to your podfile (or modify it if you already had it):
```
use_flipper!('Flipper' => '0.75.1', 'Flipper-Folly' => '2.5.3', 'Flipper-RSocket' => '1.3.1')
```
After which, do all the classic necessary cleans (node_modules, caches, pod folders, etc)(react-native-clean-project is your ally) then do yarn install and a pod install --repo-update (if pod install fails on an error about a Flipper package, just remove the relevant lines from the podfile.lock and run the pod install again).

The only other commit picked & released along the Xcode 12.5 fixes is:
- Update validateBaseUrl to use latest regex (commit) which fixes CVE-2020-1920, GHSL-2020-293.
You can participate in the conversation on the status of this release at this issue.

To help you upgrade to this version, you can use the upgrade helper ⚛️

You can find the whole changelog history over at react-native-releases.
0.64.0 - 2021-03-12
0.64 stable is here 🎉

Thanks to everyone who contributed and helped to get this together, everyone worked really hard and we hope you are as excited as we are 🤗

Some of the most important highlights of this version:
- Hermes opt-in on iOS
- Inline Requires enabled by default
- React 17
Among many others - please refer to the blog post for more details.

You can participate in the conversation on the status of this release at this issue.

You can upgrade to this version using the upgrade helper webtool ⚛️
And if you are having trouble, please refer to the new Upgrade Support repository by our awesome community.

You can find the whole changelog history over at react-native-releases.
0.64.0-rc.4 - 2021-03-01
THIS IS A RELEASE CANDIDATE: this means it's not stable yet, so proceed with care.

Please only upgrade or create new apps with 0.64.0-rc.4 if you'd like to help us test this before the stable release - which would be super useful 🤗

To test it, run:
```
npx react-native init RN064 --version 0.64.0-rc.4
```
We're working on the changelog right now and will update this release as soon as the draft is ready. Meanwhile, you may want to look at the most important changes that we have decided to highlight:
- Hermes opt-in iOS
- Inline requires enabled by default
- New profile-hermes CLI command for converting Hermes tracing profile to Chrome format
- Hermes with Proxy support (will now support react-native-firebase, mobx)
- React 17
- Minimum supported Node version changed to 12
- Remove support of Android API levels 16 through 20. The new minSDK version will be 21+ moving forward
- Use of Xcode 12 is recommended to ensure no errors on iOS
You can participate in the conversation on the RC status this issue for updates, where you can post your bug reports and cherry-pick suggestions.

You can find the whole changelog history over at react-native-releases.
0.64.0-rc.3 - 2021-02-05
THIS IS A RELEASE CANDIDATE: this means it's not stable yet, so proceed with care.

Please only upgrade or create new apps with 0.64.0-rc.3 if you'd like to help us test this before the stable release - which would be super useful 🤗

To test it, run:
```
npx react-native init RN064 --version 0.64.0-rc.3
```
We're working on the changelog right now and will update this release as soon as the draft is ready. Meanwhile, you may want to look at the most important changes that we have decided to highlight:
- Hermes opt-in iOS
- Inline requires enabled by default
- New profile-hermes CLI command for converting Hermes tracing profile to Chrome format
- Hermes with Proxy support (will now support react-native-firebase, mobx)
- React 17
- Minimum supported Node version changed to 12
- Remove support of Android API levels 16 through 20. The new minSDK version will be 21+ moving forward
- Use of Xcode 12 is recommended to ensure no errors on iOS
You can participate in the conversation on the RC status this issue for updates, where you can post your bug reports and cherry-pick suggestions.

You can find the whole changelog history over at react-native-releases.
0.64.0-rc.2 - 2020-12-18
0.64.0-rc.1 - 2020-11-25
0.64.0-rc.0 - 2020-11-23
0.63.4 - 2020-11-30
0.63.3 - 2020-09-29
0.63.2 - 2020-07-22
0.63.1 - 2020-07-14
0.63.0 - 2020-07-08
0.63.0-rc.1 - 2020-05-04
0.63.0-rc.0 - 2020-04-16
0.62.3 - 2021-05-05
This patch release is specifically targetted towards Xcode 12.5. The changes done are tailored to unblock developers still relying on v0.62 of RN.

Aside from bumping your version from 0.62.2 to 0.62.3, please make sure to add this line to your podfile (or modify it if you already had it):
```
use_flipper!('Flipper' => '0.75.1', 'Flipper-Folly' => '2.5.3', 'Flipper-RSocket' => '1.3.1')
```
After which, do all the classic necessary cleans (node_modules, caches, pod folders, etc)(react-native-clean-project is your ally) then do yarn install and a pod install --repo-update (if pod install fails on an error about a Flipper package, just remove the relevant lines from the podfile.lock and run the pod install again).

The only other commit picked & released along the Xcode 12.5 fixes is:
- Update validateBaseUrl to use latest regex (commit) which fixes CVE-2020-1920, GHSL-2020-293.
To help you upgrade to this version, you can use the upgrade helper ⚛️

You can find the whole changelog history over at react-native-releases.
0.62.2 - 2020-04-08
0.62.1 - 2020-04-03
0.62.0 - 2020-03-26
0.62.0-rc.5 - 2020-03-07
0.62.0-rc.4 - 2020-03-06
0.62.0-rc.3 - 2020-02-25
0.62.0-rc.2 - 2020-02-13
0.62.0-rc.1 - 2020-01-21
0.62.0-rc.0 - 2019-12-18
0.61.5 - 2019-11-23
0.61.4 - 2019-11-04
0.61.3 - 2019-10-29
0.61.2 - 2019-10-02
0.61.1 - 2019-09-25
0.61.0 - 2019-09-24
0.61.0-rc.3 - 2019-09-10
0.61.0-rc.2 - 2019-09-04
0.61.0-rc.0 - 2019-08-27
0.60.6 - 2019-09-24
0.60.5 - 2019-08-13
0.60.4 - 2019-07-18
0.60.3 - 2019-07-11
0.60.2 - 2019-07-11
0.60.1 - 2019-07-11
0.60.0 - 2019-07-03
0.60.0-rc.3 - 2019-06-28
0.60.0-rc.2 - 2019-06-20
0.60.0-rc.1 - 2019-06-10
0.60.0-rc.0 - 2019-05-30
0.59.10 - 2019-07-02
0.59.9 - 2019-06-05
0.59.8 - 2019-05-08
0.59.7 - 2019-05-08
0.59.6 - 2019-04-18
0.59.5 - 2019-04-17
0.59.4 - 2019-04-08
0.59.3 - 2019-04-01
0.59.2 - 2019-03-25
0.59.1 - 2019-03-14
0.59.0 - 2019-03-12
0.59.0-rc.3 - 2019-02-27
0.59.0-rc.2 - 2019-02-18
0.59.0-rc.1 - 2019-02-15
0.59.0-rc.0 - 2019-02-13
0.58.6 - 2019-02-28
0.58.5 - 2019-02-19
0.58.4 - 2019-02-06
0.58.3 - 2019-01-28
0.58.2 - 2019-01-28
0.58.1 - 2019-01-25
0.58.0 - 2019-01-24
0.58.0-rc.3 - 2019-01-17
0.58.0-rc.2 - 2018-12-18
0.58.0-rc.1 - 2018-12-06
0.58.0-rc.0 - 2018-11-22
0.57.8 - 2018-12-13
0.57.7 - 2018-11-27
0.57.6 - 2018-11-26
0.57.5 - 2018-11-13
0.57.4 - 2018-10-25
0.57.3 - 2018-10-12
0.57.2 - 2018-10-04
0.57.1 - 2018-09-21
0.57.0 - 2018-09-12
0.57.0-rc.4 - 2018-09-06
0.57.0-rc.3 - 2018-08-24
0.57.0-rc.2 - 2018-08-22
0.57.0-rc.1 - 2018-08-22
0.57.0-rc.0 - 2018-08-16
0.56.1 - 2018-09-10
0.56.0 - 2018-07-04
0.56.0-rc.5 - 2018-07-04
0.56.0-rc.4 - 2018-06-27
0.56.0-rc.3 - 2018-06-22
0.56.0-rc.2 - 2018-06-15
0.56.0-rc.1 - 2018-06-13
0.56.0-rc - 2018-06-11
0.55.4 - 2018-05-08
0.55.3 - 2018-04-17
0.55.2 - 2018-04-09
0.55.1 - 2018-04-05
0.55.0 - 2018-04-03
0.55.0-rc.2 - 2018-03-29
0.55.0-rc.1 - 2018-03-21
0.55.0-rc.0 - 2018-03-13
0.54.4 - 2018-03-29
0.54.3 - 2018-03-26
0.54.2 - 2018-03-12
0.54.1 - 2018-03-10
0.54.0 - 2018-03-01
0.54.0-rc.4 - 2018-02-27
0.54.0-rc.3 - 2018-02-13
0.54.0-rc.2 - 2018-02-12
0.54.0-rc.0 - 2018-02-12
0.53.3 - 2018-02-20
0.53.2 - 2018-02-19
0.53.0 - 2018-02-05
0.53.0-rc.0 - 2018-01-10
0.52.3 - 2018-02-19
0.52.2 - 2018-01-26
0.52.1 - 2018-01-22
0.52.0 - 2018-01-08
0.52.0-rc.0 - 2017-12-18
0.51.1 - 2018-02-19
0.51.0 - 2017-12-06
0.51.0-rc.3 - 2017-12-04
0.51.0-rc.2 - 2017-11-22
0.50.4 - 2017-11-24
0.50.3 - 2017-11-08
0.50.2 - 2017-11-07
0.50.1 - 2017-11-04
0.50.0 - 2017-11-03
0.50.0-rc.2 - 2017-10-30
0.50.0-rc.1 - 2017-10-19
0.50.0-rc.0 - 2017-10-11
0.49.5 - 2017-10-27
0.49.3 - 2017-10-09
0.49.2 - 2017-10-07
0.49.1 - 2017-10-04
0.49.0 - 2017-10-03
0.49.0-rc.6 - 2017-09-28
0.49.0-rc.5 - 2017-09-19
0.49.0-rc.4 - 2017-09-14
0.49.0-rc.2 - 2017-09-08
0.48.4 - 2017-09-23
0.48.3 - 2017-09-11
0.48.2 - 2017-09-07
0.48.1 - 2017-09-04
0.48.0 - 2017-09-01
0.48.0-rc.1 - 2017-08-16
0.48.0-rc.0 - 2017-08-01
0.47.2 - 2017-08-22
0.47.1 - 2017-08-02
0.47.0 - 2017-08-01
0.47.0-rc.5 - 2017-07-27
0.47.0-rc.4 - 2017-07-17
0.47.0-rc.3 - 2017-07-13
0.47.0-rc.2 - 2017-07-11
0.47.0-rc.1 - 2017-07-07
0.47.0-rc.0 - 2017-07-05
0.46.4 - 2017-07-17
0.46.3 - 2017-07-14
0.46.2 - 2017-07-13
0.46.1 - 2017-07-07
0.46.0 - 2017-07-05
0.46.0-rc.2 - 2017-06-09
0.46.0-rc.1 - 2017-06-07
0.46.0-rc.0 - 2017-06-07
0.45.1 - 2017-06-09
0.45.0 - 2017-06-07
0.45.0-rc.3 - 2017-06-06
0.45.0-rc.2 - 2017-05-26
0.45.0-rc.1 - 2017-05-26
0.45.0-rc.0 - 2017-05-11
0.44.3 - 2017-06-06
0.44.2 - 2017-05-26
0.44.1 - 2017-05-26
0.44.0 - 2017-05-01
0.44.0-rc.0 - 2017-04-03
0.43.4 - 2017-04-20
0.43.3 - 2017-04-10
0.43.2 - 2017-04-06
0.43.1 - 2017-04-05
0.43.0 - 2017-04-03
0.43.0-rc.4 - 2017-03-20
0.43.0-rc.3 - 2017-03-17
0.43.0-rc.2 - 2017-03-11
0.43.0-rc.1 - 2017-03-06
0.43.0-rc.0 - 2017-03-02
0.42.3 - 2017-03-18
0.42.2 - 2017-03-17
0.42.0 - 2017-03-01
0.42.0-rc.3 - 2017-02-14
0.42.0-rc.2 - 2017-02-08
0.42.0-rc.1 - 2017-02-03
0.42.0-rc.0 - 2017-02-02
0.41.2 - 2017-02-06
0.41.1 - 2017-02-03
0.41.0 - 2017-02-02
0.41.0-rc.1 - 2017-01-30
0.41.0-rc.0 - 2017-01-04
0.40.0 - 2017-01-04
0.40.0-rc.2 - 2016-12-08
0.40.0-rc.1 - 2016-12-05
0.40.0-rc.0 - 2016-12-02
0.39.2 - 2016-12-11
0.39.1 - 2016-12-08
0.39.0 - 2016-12-02
0.39.0-rc.0 - 2016-11-23
0.38.1 - 2016-12-05
0.38.0 - 2016-11-23
0.38.0-rc.1 - 2016-11-21
0.38.0-rc.0 - 2016-11-08
0.37.0 - 2016-11-08
0.37.0-rc.4 - 2016-11-05
0.37.0-rc.3 - 2016-11-03
0.37.0-rc.2 - 2016-11-03
0.37.0-rc.0 - 2016-10-28
0.36.1 - 2016-11-01
0.36.0 - 2016-10-25
0.36.0-rc.1 - 2016-10-13
0.36.0-rc.0 - 2016-10-10
0.35.0 - 2016-10-11
0.35.0-rc.0 - 2016-09-23
0.34.1 - 2016-09-27
0.34.0 - 2016-09-23
0.34.0-rc.0 - 2016-09-09
0.33.1 - 2016-09-23
0.33.0 - 2016-09-09
0.33.0-rc.1 - 2016-09-06
0.33.0-rc.0 - 2016-08-21
0.32.1 - 2016-09-07
0.32.0 - 2016-08-25
0.32.0-rc.0 - 2016-08-05
0.31.0 - 2016-08-05
0.31.0-rc.1 - 2016-08-01
0.31.0-rc.0 - 2016-07-21
0.30.0 - 2016-07-21
0.30.0-rc.0 - 2016-07-05
0.29.2 - 2016-07-17
0.29.1 - 2016-07-13
0.29.0 - 2016-07-06
0.29.0-rc.3 - 2016-07-05
0.29.0-rc.2 - 2016-07-02
0.29.0-rc.1 - 2016-07-02
0.29.0-rc.0 - 2016-06-22
0.28.0 - 2016-06-21
0.28.0-rc.0 - 2016-06-06
0.27.2 - 2016-06-09
0.27.1 - 2016-06-07
0.27.0 - 2016-06-06
0.27.0-rc3 - 2016-06-05
0.27.0-rc2 - 2016-05-27
0.27.0-rc1 - 2016-05-25
0.27.0-rc - 2016-05-20
0.26.3 - 2016-06-01
0.26.2 - 2016-05-24
0.26.1 - 2016-05-21
0.26.0 - 2016-05-18
0.26.0-rc - 2016-05-04
0.25.1 - 2016-05-04
0.25.0-rc - 2016-04-18
0.24.1 - 2016-04-19
0.24.0 - 2016-04-19
0.24.0-rc5 - 2016-04-13
0.24.0-rc4 - 2016-04-11
0.24.0-rc3 - 2016-04-07
0.24.0-rc2 - 2016-04-06
0.24.0-rc1 - 2016-04-05
0.24.0-rc - 2016-04-04
0.23.1 - 2016-04-07
0.23.0 - 2016-04-06
0.23.0-rc4 - 2016-04-01
0.23.0-rc3 - 2016-03-31
0.23.0-rc1 - 2016-03-23
0.22.2 - 2016-03-21
0.22.1 - 2016-03-21
0.22.0 - 2016-03-21
0.22.0-rc5 - 2016-03-21
0.22.0-rc4 - 2016-03-16
0.22.0-rc3 - 2016-03-16
0.22.0-rc - 2016-03-08
0.21.0 - 2016-03-01
0.21.0-rc - 2016-02-21
0.20.0 - 2016-02-16
0.20.0-rc1 - 2016-02-06
0.19.0 - 2016-01-31
0.19.0-rc - 2016-01-22
0.18.1 - 2016-01-20
0.18.0 - 2016-01-18
0.18.0-rc - 2016-01-06
0.17.0 - 2015-12-19
0.17.0-rc - 2015-12-14
0.16.0 - 2015-12-04
0.16.0-rc - 2015-11-24
0.15.0 - 2015-11-24
0.15.0-rc - 2015-11-07
0.14.2 - 2015-11-10
0.14.1 - 2015-11-06
0.14.0 - 2015-11-05
0.14.0-rc - 2015-10-27
0.13.2 - 2015-10-26
0.13.1 - 2015-10-24
0.13.0 - 2015-10-23
0.13.0-rc - 2015-10-13
0.12.0 - 2015-10-08
0.12.0-rc - 2015-09-24
0.11.4 - 2015-09-28

from react-native GitHub release notes

Commit messages

Package name: react-native

787567a [0.64.1] Bump version numbers
cf8a364 [local] change post-install to patch RTC-Folly
1c4ac48 [local] yarn lock update (?)
76f45d3 [local] update RNTester files for 0.64
3912fef Update validateBaseUrl to use latest regex
ace025d [0.64.0] Bump version numbers
728d55a Fixing the git attrs for all the people and all the files and all future 🙌
8a6ac1f chore: Update React.podspec to require cocoapods >= 1.10.1
138fdbc fix: restore refresh control fix
7f3f80f Fix RefreshControl layout when removed from window (#31024)
1aa4f47 [0.64.0-rc.4] Bump version numbers
48a97d7 chore: fix conflict in Podfile.lock
e7e4b00 fix: disable fabric
14db556 fix: React Native CodeGen integration for 0.64-stable (#31027)
4b68734 Generalize node search logic
7159bcb Update flipper in RNTester and template (#31010)
e846740 [0.64.0-rc.3] Bump version numbers
c023a40 chore: bump codegen script
7004cac Invoke `node` directly in generate-specs.sh (#30781)
5ada078 Make codegen more reliable on iOS (#30792)
937ced3 Optionally override codegen script defaults via envvars
e5888de Add use_react_native_codegen!
0636c45 Use Fabric builds in iOS tests (#30639)
224c85a Update iOS Fabric-related files to compile on OSS (#29810)