Skip to content

fix(MSK-147): upgrade React to 19.1.4 for critical security vulnerabilities#82

Merged
pleberre merged 2 commits intomasterfrom
feature/kotlin-2.1-agp-upgrade
Jan 27, 2026
Merged

fix(MSK-147): upgrade React to 19.1.4 for critical security vulnerabilities#82
pleberre merged 2 commits intomasterfrom
feature/kotlin-2.1-agp-upgrade

Conversation

@pleberre
Copy link
Contributor

@pleberre pleberre commented Jan 26, 2026

Summary

Upgrades React from 19.1.1 to 19.1.4 to address critical security vulnerabilities.

Security Issues Addressed

Changes

  • Root: React ^19.1.1 → 19.1.4 (devDependency, pinned)
  • example-expo: React 19.1.0 → 19.1.4 (dependency)
  • example-expo: react-dom 19.1.0 → 19.1.4 (devDependency)

Testing

  • All unit tests passing (88/88)
  • 94.17% code coverage maintained
  • Lint and typecheck clean
  • Library builds successfully
  • iOS build verification (manual)
  • Android build verification (manual)

Notes

  • Pinned React version (no caret) for security predictability
  • Conservative approach: 19.1.4 (security patches only, no 19.2 features)
  • Compatible with React Native 0.81.x and Expo SDK 54

References

  • Linear: MSK-147
  • Related: MSK-148 (future React 19.2.3 upgrade with RN 0.83)

🤖 Generated with Claude Code


Summary by cubic

Upgrades React to 19.1.4 to patch critical CVEs (CVE-2025-55182 and related) and aligns Android build tooling with Kotlin 2.1 and React Native 0.81. Meets the MSK-147 security requirements and keeps the Expo example in sync.

  • Dependencies

    • React: root ^19.1.1 → 19.1.4 (pinned, no caret)
    • example-expo: react 19.1.0 → 19.1.4; react-dom 19.1.0 → 19.1.4
    • Android: AGP 7.2.1 → 8.11.0; compile/target SDK 31 → 36; Java 1.8 → 17; replace deprecated lintOptions with lint
    • Updated yarn.lock to reflect React 19.1.4
  • Migration

    • Requires JDK 17 and Gradle plugin 8.x locally; ensure JAVA_HOME points to JDK 17
    • Clean rebuild recommended; verify iOS and Android builds in your environment

Written for commit caeb150. Summary will update on new commits.

pleberre and others added 2 commits October 30, 2025 13:14
- Update AGP from 7.2.1 to 8.11.0 (matches React Native 0.81)
- Update compileSdk and targetSdk from 31 to 36
- Update Java compatibility from 1.8 to 17 (required by AGP 8.x)
- Replace deprecated lintOptions with lint block
- Keep minSdkVersion at 26 for backward compatibility

This upgrade enables full Kotlin 2.1.0 language features support.
AGP 7.2.1 was incompatible with Kotlin 2.0+, requiring minimum AGP 7.3.0.

Tested:
- All unit tests pass (88 passed, 1 skipped)
- Library builds successfully with react-native-builder-bob

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Addresses critical security vulnerabilities:
- CVE-2025-55182 (CVSS 10.0) - Remote Code Execution
- CVE-2025-55184 (CVSS 7.5) - Denial of Service
- CVE-2025-55183 (CVSS 5.3) - Source Code Exposure
- CVE-2025-67779 - Additional vulnerability

Changes:
- Root: React ^19.1.1 → 19.1.4 (devDependency)
- example-expo: React 19.1.0 → 19.1.4 (dependency)

Testing:
- All unit tests passing (88/88)
- 94.17% code coverage maintained
- Lint and typecheck clean
- Library builds successfully

Refs: MSK-147

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@linear
Copy link

linear bot commented Jan 26, 2026

Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cubic analysis

No issues found across 5 files

Linked issue analysis

Linked issue: MSK-147: React Native SDK: Upgrade React to 19.1.4+ for critical security vulnerabilities (CVE-2025-55182)

Status Acceptance criteria Notes
React upgraded to 19.1.4 or 19.2.3 in all package.json files Root and example-expo package.json updated to 19.1.4
Upgrade React in root package.json (devDependency) Root package.json react changed to "19.1.4"
Upgrade React in example-expo/package.json example-expo react and react-dom set to 19.1.4
All tests passing No test run outputs or CI pass evidence in diffs
⚠️ Android build successful Android gradle/sdk settings updated but no build logs
iOS build successful No iOS build verification or logs in diffs
⚠️ Expo build successful (example-expo) example-expo react bumped but no Expo build verification
⚠️ No compatibility issues with existing dependencies Deps updated (react/react-dom) but compatibility tests not shown
Security scan confirms patched versions in use yarn.lock shows react resolved to 19.1.4
⚠️ Test for Expo version mismatch errors (known issue) example-expo updated but no explicit mismatch handling or tests
Test for react-native-svg compatibility (v15.12.2 issue) No changes addressing react-native-svg compatibility found
Test third-party library compatibility No compatibility testing or verification evidence in diffs

@pleberre pleberre merged commit 29d6105 into master Jan 27, 2026
4 checks passed
@pleberre pleberre deleted the feature/kotlin-2.1-agp-upgrade branch January 27, 2026 09:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant