[Snyk] Security upgrade react-native from 0.57.3 to 0.60.0

[titanism]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • example/package.json
  • example/yarn.lock

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	461/1000 Why? Recently disclosed, Has a fix available, CVSS 3.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-DEBUG-3227433	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[socket-security]

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
fsevents@1.2.13 (upgraded)	install	example/package.json

😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package	Bin script	Source
react-native@0.57.8 (upgraded)	react-native	example/package.json via haul@1.0.0-rc.8
@cnakazawa/watch@1.0.4 (added)	watch	example/package.json via react-native@0.60.0, @react-native-community/cli@2.10.0, metro@0.54.1, jest-haste-map@24.9.0, sane@4.1.0
watch@0.18.0 (added)	watch	example/package.json via metro-core@0.48.5, jest-haste-map@23.5.0, sane@2.5.2

🦀 Bin script shell injection

This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack

Packages should not export bin scripts which conflict with well known shell commands

Package	Bin script	Source
@cnakazawa/watch@1.0.4 (added)	watch	example/package.json via react-native@0.60.0, @react-native-community/cli@2.10.0, metro@0.54.1, jest-haste-map@24.9.0, sane@4.1.0

Pull request report summary

Issue	Status
Install scripts	⚠️ 1 issue
Native code	✅ 0 issues
Bin script confusion	⚠️ 3 issues
Bin script shell injection	⚠️ 1 issue
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

• @SocketSecurity ignore fsevents@1.2.13
• @SocketSecurity ignore react-native@0.57.8
• @SocketSecurity ignore @cnakazawa/watch@1.0.4
• @SocketSecurity ignore watch@0.18.0

⚠️ Please accept the latest app permissions to ensure bot commands work properly. Accept the new permissions here.

Powered by socket.dev