
fix(deps): upgrade @react-native-community/cli-server-api to fix command injection#602

Open

devin-ai-integration[bot] wants to merge 1 commit into main from devin/1777470460-fix-cli-server-api-cve

Conversation


@devin-ai-integration devin-ai-integration Bot commented Apr 29, 2026

Summary

Upgrades @react-native-community/cli-server-api from ^17.0.0 to ^17.0.1 to fix critical vulnerability SNYK-JS-REACTNATIVECOMMUNITYCLISERVERAPI-13836141 (Command Injection, CVSS 9.8).

This is a patch version bump with minimal risk. The only transitive dependency change is @react-native-community/cli-tools moving from 17.0.0 to 17.0.1.

Changes:

  • package.json: Updated version range from ^17.0.0 to ^17.0.1
  • yarn.lock: Updated resolved versions for cli-server-api (17.0.0 → 17.0.1) and cli-tools (17.0.0 → 17.0.1)

Review & Testing Checklist for Human

  • Verify the yarn.lock integrity hashes match the npm registry for @react-native-community/cli-server-api@17.0.1 and @react-native-community/cli-tools@17.0.1
  • Confirm the React Native dev server starts correctly with the updated package

Notes

  • yarn install cannot be run locally due to a pre-existing 404 on react-native-tcp GitHub tarball (unrelated to this change). The yarn.lock was updated manually with correct registry data from npm.
  • The dependency list for 17.0.1 is identical to 17.0.0 except for the cli-tools version bump.

Link to Devin session: https://app.devin.ai/sessions/335753ae5c74455d892df17e5036782d
Requested by: @abhay-codeium
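The first item of the review checklist above asks a human to confirm that the hand-edited yarn.lock entries carry the hashes the npm registry actually serves. The script below is an added example of that check, not code from this PR or from the react-native-community project: it parses yarn.lock v1 blocks and compares each entry's `integrity` field and `resolved` tarball path against the registry's `dist` metadata. The lockfile excerpt, the registry documents and every hash in it are constructed placeholders rather than the real values for 17.0.1, and one entry is deliberately mismatched to show what a mistyped or tampered hash looks like in the report. `fetch_registry_doc` is an assumed helper that does the live lookup against https://registry.npmjs.org when you run the check against a real lockfile.

```python
"""Check yarn.lock (v1) entries against npm registry dist metadata.

Added example for reviewing a manually edited lockfile. All sample data
below is constructed; the integrity values are placeholders, not the
real sha512 digests published for 17.0.1.
"""
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Constructed yarn.lock v1 excerpt (placeholder integrity hashes).
SAMPLE_YARN_LOCK = '''\
"@react-native-community/cli-server-api@^17.0.1":
  version "17.0.1"
  resolved "https://registry.yarnpkg.com/@react-native-community/cli-server-api/-/cli-server-api-17.0.1.tgz#0123456789abcdef"
  integrity sha512-AAAAexample+server+api+placeholder==
  dependencies:
    "@react-native-community/cli-tools" "17.0.1"

"@react-native-community/cli-tools@17.0.1":
  version "17.0.1"
  resolved "https://registry.yarnpkg.com/@react-native-community/cli-tools/-/cli-tools-17.0.1.tgz#fedcba9876543210"
  integrity sha512-BBBBexample+cli+tools+placeholder==
'''

# Constructed stand-ins for GET https://registry.npmjs.org/<name>/<version>.
# The cli-tools document is deliberately given a different hash so the
# report shows a mismatch; this says nothing about the real package.
SAMPLE_REGISTRY = {
    ("@react-native-community/cli-server-api", "17.0.1"): {
        "version": "17.0.1",
        "dist": {
            "integrity": "sha512-AAAAexample+server+api+placeholder==",
            "tarball": "https://registry.npmjs.org/@react-native-community/cli-server-api/-/cli-server-api-17.0.1.tgz",
        },
    },
    ("@react-native-community/cli-tools", "17.0.1"): {
        "version": "17.0.1",
        "dist": {
            "integrity": "sha512-CCCCdifferent+hash+typo+or+tamper==",
            "tarball": "https://registry.npmjs.org/@react-native-community/cli-tools/-/cli-tools-17.0.1.tgz",
        },
    },
}


def parse_yarn_lock(text):
    """Return {(name, version): fields} for every top-level v1 lockfile block."""
    entries = {}
    # A new block starts at a line with no indentation.
    for block in re.split(r"\n(?=\S)", text.strip()):
        lines = block.splitlines()
        header = lines[0].rstrip(":").strip()
        # Header is one or more comma-separated "name@range" selectors; the
        # package name ends at the last '@' (scoped names start with one).
        first = header.split(",")[0].strip().strip('"')
        name = first[: first.rfind("@")]
        fields = {}
        for line in lines[1:]:
            # Only two-space-indented "key value" lines; nested dependency
            # lines (four spaces) and "dependencies:" are skipped.
            m = re.match(r"\s{2}(\w+) (.+)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip('"')
        entries[(name, fields["version"])] = fields
    return entries


def check_entry(fields, registry_doc):
    """Compare one lockfile entry with the registry document for that version.

    Returns a list of problem strings; an empty list means the entry matches.
    """
    problems = []
    dist = registry_doc["dist"]
    if fields.get("version") != registry_doc.get("version"):
        problems.append("version mismatch: lock=%s registry=%s"
                        % (fields.get("version"), registry_doc.get("version")))
    if fields.get("integrity") != dist["integrity"]:
        problems.append("integrity mismatch: lock=%s registry=%s"
                        % (fields.get("integrity"), dist["integrity"]))
    # Yarn may rewrite the host (registry.yarnpkg.com) and appends '#<sha1>'
    # to the URL, so compare only the tarball path.
    if urlsplit(fields["resolved"]).path != urlsplit(dist["tarball"]).path:
        problems.append("tarball path mismatch: lock=%s registry=%s"
                        % (fields["resolved"], dist["tarball"]))
    return problems


def fetch_registry_doc(name, version, registry="https://registry.npmjs.org"):
    """Live lookup (assumed helper, not used by the offline sample).

    Scoped names keep the leading '@' but the '/' is URL-encoded as %2F.
    """
    url = "%s/%s/%s" % (registry, name.replace("/", "%2F"), version)
    with urllib.request.urlopen(url, timeout=20) as resp:
        return json.load(resp)


def audit(lock_text, lookup):
    """Check every lockfile entry; lookup(name, version) returns the registry doc."""
    report = {}
    for (name, version), fields in parse_yarn_lock(lock_text).items():
        report["%s@%s" % (name, version)] = check_entry(fields, lookup(name, version))
    return report


if __name__ == "__main__":
    offline = lambda n, v: SAMPLE_REGISTRY[(n, v)]
    for pkg, problems in audit(SAMPLE_YARN_LOCK, offline).items():
        print(pkg, "OK" if not problems else problems)
```

To run it against this PR's real lockfile, pass `fetch_registry_doc` as the lookup instead of the offline dictionary; the same digest can be cross-checked by hand with `npm view @react-native-community/cli-server-api@17.0.1 dist.integrity`. A mismatch on a manually edited lockfile is the case worth stopping on, since `yarn install --frozen-lockfile` in CI will trust whatever hash is written there.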



Fixes SNYK-JS-REACTNATIVECOMMUNITYCLISERVERAPI-13836141 (Command Injection, CVSS 9.8).

- Updated @react-native-community/cli-server-api from ^17.0.0 to ^17.0.1
- Updated @react-native-community/cli-tools from 17.0.0 to 17.0.1 (transitive)

Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring


@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.
