security(MSDK-3377): resolve OSS vulnerabilities in sample app depend…#208
Review summary by Qodo: Resolve 51 OSS vulnerabilities in sample app dependencies

Description:
- Upgraded ESLint from 8.x (EOL) to 9.39.4 with flat config migration
- Upgraded @react-native-community/cli from 18.0.0 to ^20.1.3 (CISA known exploit)
- Added ESLint 9 compatible dependencies and plugins for TypeScript support
- Resolved 51 OSS vulnerabilities across sample directories via dependency upgrades
- Removed npx prefix from npm scripts for direct CLI invocation

Diagram:

```mermaid
flowchart LR
  A["ESLint 8.x EOL"] -->|upgrade to 9.39.4| B["ESLint 9 flat config"]
  C[".eslintrc.js"] -->|migrate to| D["eslint.config.js"]
  E["CLI 18.0.0 CISA exploit"] -->|upgrade to 20.1.3| F["Secure CLI tooling"]
  G["51 OSS vulnerabilities"] -->|resolved via upgrades| H["0 vulnerabilities"]
```

File changes:
1. sample/.eslintrc.js
Code review by Qodo

PR Summary: Update the sample app to address OSS vulnerabilities: replace the legacy ESLint config with the new flat config and bump/pin several dev and runtime dependencies (adds many ESLint/TypeScript packages and updates the React Native CLI). The changes aim to remove vulnerable packages and align tooling with ESLint v9+. Key changes:
Reviewed up to commit: 8124ab373539861bf3824c5c4717678537f86559

Additional suggestion: sample/package.json, line 11

The postinstall still runs 'patch-package && ./scripts/fix-react-logger.sh'. You changed react-native-screens to a different version (see lines 25-26) while there is an existing patch file named 'sample/patches/react-native-screens+4.24.0.patch'. If the installed package version no longer matches the patch filename, patch-package will not apply the patch and postinstall may warn/fail. Update or remove the patch file to match the dependency version, or restore the dependency version expected by the patch. (Reference: sample/patches/react-native-screens+4.24.0.patch, lines 1-13 of the patch file.)

Given the dependency change, either restore the version to keep the existing patch working, or update both the dependency and the patch together. For example, to keep using the current patch file:

```json
{
  "dependencies": {
    "@react-navigation/native": "^6.1.18",
    "@react-navigation/native-stack": "^6.11.0",
    "react": "19.1.0",
    "react-native": "0.81.4",
    "react-native-safe-area-context": "^5.7.0",
    "react-native-screens": "^4.24.0",
    "react-native-webview": "^13.16.1"
  }
}
```

If you intend to keep the new versions instead, also rename and adjust the patch, for example:

```sh
mv sample/patches/react-native-screens+4.24.0.patch \
   sample/patches/react-native-screens+4.16.0.patch
```

and update its contents to match the
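The mismatch described in the comment above (a `<name>+<version>.patch` file whose version no longer matches what `npm install` put into `node_modules`) is cheap to detect before `postinstall` runs. The following is an added example, not part of the PR or the project's scripts: it decodes patch-package filenames (including the `@scope+name+version` form for scoped packages) and compares them with the installed `version` field. Function names and the one-key-per-line `package.json` assumption are mine.

```shell
#!/bin/sh
# Added example (not the project's code): check that every patch-package file in
# PATCHES_DIR targets the version actually installed under NODE_MODULES_DIR.
# patch-package names patches "<name>+<version>.patch" (scoped packages become
# "@scope+name+version.patch") and compares that version with the installed one.

# installed_version NODE_MODULES_DIR PKG -> prints the "version" field of
# NODE_MODULES_DIR/PKG/package.json. Assumes the usual npm-generated layout where
# the top-level "version" key appears before any other use of that word.
installed_version() {
  pj="$1/$2/package.json"
  [ -f "$pj" ] || return 1
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1
}

# patch_target FILE -> prints "<pkg> <version>" decoded from a patch-package filename.
# Trailing "+NNN+description" segments (patch-package's multi-patch form) are dropped.
patch_target() {
  base=$(basename "$1" .patch)
  case "$base" in
    @*) scope=${base%%+*}; rest=${base#*+}; name=${rest%%+*}; ver=${rest#*+}
        ver=${ver%%+*}
        printf '%s/%s %s\n' "$scope" "$name" "$ver" ;;
    *)  ver=${base#*+}; ver=${ver%%+*}
        printf '%s %s\n' "${base%%+*}" "$ver" ;;
  esac
}

# check_patches PATCHES_DIR NODE_MODULES_DIR -> 0 when every patch matches the
# installed version, 1 when any patch is stale or its package is not installed.
check_patches() {
  pdir="$1"; nm="$2"; status=0
  for f in "$pdir"/*.patch; do
    [ -e "$f" ] || continue            # no patches at all: nothing to check
    set -- $(patch_target "$f")        # $1 = package name, $2 = patched version
    pkg="$1"; want="$2"
    have=$(installed_version "$nm" "$pkg") || have="(not installed)"
    if [ "$have" = "$want" ]; then
      echo "ok       $pkg@$want"
    else
      echo "MISMATCH $(basename "$f"): patch is for $want, installed is $have" >&2
      status=1
    fi
  done
  return $status
}
```

Run as `check_patches sample/patches sample/node_modules` after `npm install` and before `patch-package`; a non-zero exit points at the exact file to rename or regenerate.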
CodeRabbit review (actionable comments posted: 3)

Inline comments:
In `@sample/eslint.config.js`:
- Around line 11-18: Add the eslint-plugin-simple-import-sort dependency to
sample/package.json devDependencies (use version ^10.0.0) and update the ESLint
config block that defines plugins and rules: in the object that currently sets
plugins: { "@typescript-eslint": typescriptEslint } and rules: {
"@typescript-eslint/no-unused-vars": "warn" }, add the simple-import-sort plugin
to plugins and enable "simple-import-sort/imports" and
"simple-import-sort/exports" rules (set to "error" or your desired level) so all
sample **/*.{ts,tsx,js,jsx} files enforce sorted imports.
In `@sample/package.json`:
- Line 25: The dependency "react-native-safe-area-context" is exact-pinned to
"5.6.1"; update its version specifier in package.json to a range (e.g., change
"react-native-safe-area-context": "5.6.1" to "react-native-safe-area-context":
"^5.6.1" or "~5.6.1") so that patch/minor updates are allowed; locate the
dependency entry in package.json and replace the exact version string
accordingly and run your lockfile install to update package-lock/yarn.lock.
- Around line 47-49: The package.json lists `@typescript-eslint/eslint-plugin` and
`@typescript-eslint/parser` at ^7.18.0 which require eslint ^8.x while eslint is
pinned to ^9.39.4 and engines.node is ">=18"; update package.json to use
`@typescript-eslint/eslint-plugin` and `@typescript-eslint/parser` v8 (compatible
with ESLint 9) and adjust the engines.node constraint to a version range
supported by ESLint 9 (e.g., ">=18.12" or the project’s minimum supported Node
that ESLint 9 supports) so peer deps align and npm install/lint won’t fail;
update the dependency entries "@typescript-eslint/eslint-plugin" and
"@typescript-eslint/parser" and the "engines.node" field accordingly.
Sequence diagram (CodeAnt AI): This PR raises the minimum Node.js version for the samples and updates npm scripts to rely on the local React Native CLI instead of npx when building or starting the sample app.

```mermaid
sequenceDiagram
  participant Developer
  participant RequirementsScript
  participant Npm
  participant ReactNativeCLI
  participant SampleApp
  Developer->>RequirementsScript: run check-requirements.sh
  RequirementsScript->>RequirementsScript: verify Node version >= 20.19.4
  RequirementsScript-->>Developer: environment ok
  Developer->>Npm: npm run android or ios or start
  Npm->>ReactNativeCLI: run command via local cli dependency
  ReactNativeCLI->>SampleApp: build and launch sample app
```

Generated by CodeAnt AI
Sequence diagram (CodeAnt AI): This PR raises the minimum Node.js version for running the sample tooling and updates linting and React Native CLI usage. The diagram shows how developers now interact with the requirements script, the React Native CLI scripts, and the new ESLint flat config.

```mermaid
sequenceDiagram
  participant Developer
  participant RequirementsScript
  participant NodeRuntime
  participant ReactNativeCLI
  participant ESLint
  Developer->>RequirementsScript: Run check-requirements.sh
  RequirementsScript->>NodeRuntime: node --version
  NodeRuntime-->>RequirementsScript: Current Node version
  RequirementsScript-->>Developer: Enforce Node >= 20.19.4
  Developer->>ReactNativeCLI: npm run android or ios or start
  ReactNativeCLI-->>Developer: Build and run sample app
  Developer->>ESLint: npm run lint
  ESLint-->>Developer: Lint results using React Native and TypeScript rules
```

Generated by CodeAnt AI
CodeRabbit review (actionable comments posted: 1)

Inline comments:
In `@sample/package.json`:
- Around line 36-38: Update the Node version validation in check-requirements.sh
to require Node >=20.19.4 to match engines.node in sample/package.json; locate
the version check logic in check-requirements.sh (the function or block that
parses `node --version` and compares it to a hardcoded "18.0" threshold) and
replace the threshold with "20.19.4" or use a semver-aware comparison if
available, ensuring the script exits non-zero when the installed Node <20.19.4
so the prereq check matches the `@react-native-community/cli` dependency
requirement.
Sequence diagram (CodeAnt AI): This PR upgrades the sample app's tooling to use the latest React Native community CLI and an ESLint 9 flat config, changing how linting and platform run scripts resolve dependencies while addressing OSS vulnerabilities.

```mermaid
sequenceDiagram
  participant Developer
  participant NpmScripts
  participant ESLint
  participant ReactNativeCLI
  Developer->>NpmScripts: npm run lint
  NpmScripts->>ESLint: Run ESLint with eslint.config.js
  ESLint->>ESLint: Load React Native and TypeScript rules
  ESLint-->>Developer: Report lint results
  Developer->>NpmScripts: npm run android
  NpmScripts->>ReactNativeCLI: Invoke updated CLI to run Android
  ReactNativeCLI-->>Developer: Build and launch debug app
```

Generated by CodeAnt AI
Branch updated from 579ea96 to 3ce2af7.
🧹 Nitpick comments (1)

sample/package.json (1)

Line 50: eslint-config-prettier is installed but not wired into the flat config. In ESLint 9's flat config, installing the package alone has no effect; it must be explicitly imported and added to the config array to actually disable conflicting stylistic rules. Without this, Prettier and ESLint rules can conflict.

♻️ Suggested change to sample/eslint.config.js:

```diff
 const { FlatCompat } = require("@eslint/eslintrc");
 const js = require("@eslint/js");
 const typescriptEslint = require("@typescript-eslint/eslint-plugin");
 const tsParser = require("@typescript-eslint/parser");
+const prettier = require("eslint-config-prettier/flat");
@@
 module.exports = [
   ...compat.extends("@react-native"),
   { files: ["**/*.ts", "**/*.tsx"], ... },
+  prettier,
 ];
```
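Review bot: the `eslint-config-prettier/flat` entry point used in the added `require` line only exists from eslint-config-prettier v10, which the `^10.1.8` devDependency in this PR satisfies, so the suggestion is consistent with the lockfile. The placement matters as much as the import: `prettier` must stay the last element of the exported array, after both the `...compat.extends("@react-native")` spread and the TypeScript block, because a later flat-config entry overrides rule settings from earlier entries and anything appended after it would re-enable the stylistic rules it turns off.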
In `@sample/package.json`:
- Line 50: The project has eslint-config-prettier installed but not imported
into the ESLint flat config, so Prettier conflicts aren't suppressed; update
sample/eslint.config.js to import or require "eslint-config-prettier" and
include it in the exported config array (e.g., add the Prettier config entry
alongside other configs or plugins) so that eslint-config-prettier's rules
override stylistic ESLint rules; ensure the import references
"eslint-config-prettier" and the exported array/order places it last to disable
conflicting rules.
Sequence diagram (CodeAnt AI): This PR updates the sample app to use an ESLint 9 flat config with TypeScript support and a locally installed React Native CLI v20, changing how linting and platform commands are executed.

```mermaid
sequenceDiagram
  participant Developer
  participant NpmScripts
  participant ESLint
  participant TypeScriptLintPlugin
  participant ReactNativeCLI
  participant AndroidProject
  Developer->>NpmScripts: run lint
  NpmScripts->>ESLint: start ESLint with flat config
  ESLint->>TypeScriptLintPlugin: lint TypeScript files with new parser and rules
  TypeScriptLintPlugin-->>ESLint: lint results
  ESLint-->>Developer: lint report
  Developer->>NpmScripts: run android
  NpmScripts->>ReactNativeCLI: invoke local react-native run-android
  ReactNativeCLI->>AndroidProject: build and deploy Android app
  AndroidProject-->>Developer: app running on device
```

Generated by CodeAnt AI
| "@react-native-community/cli": "^20.1.3", | ||
| "@react-native-community/cli-platform-android": "^20.1.3", | ||
| "@react-native-community/cli-platform-ios": "^20.1.3", | ||
| "@react-native/babel-preset": "0.81.4", | ||
| "@react-native/eslint-config": "0.81.4", | ||
| "@react-native/eslint-plugin": "^0.85.2", | ||
| "@react-native/metro-config": "0.81.4", | ||
| "@react-native/typescript-config": "0.81.4", | ||
| "@types/jest": "^29.5.13", | ||
| "@types/react": "^19.0.0", | ||
| "@types/react-test-renderer": "^19.0.0", | ||
| "eslint": "^8.19.0", | ||
| "@typescript-eslint/eslint-plugin": "^8.0.0", | ||
| "@typescript-eslint/parser": "^8.0.0", | ||
| "eslint": "^9.39.4", | ||
| "eslint-config-prettier": "^10.1.8", | ||
| "eslint-plugin-eslint-comments": "^3.2.0", | ||
| "eslint-plugin-ft-flow": "^3.0.11", | ||
| "eslint-plugin-jest": "^29.15.2", | ||
| "eslint-plugin-react": "^7.37.5", | ||
| "eslint-plugin-react-hooks": "^7.1.1", | ||
| "eslint-plugin-react-native": "^5.0.0", | ||
| "jest": "^29.6.3", | ||
| "patch-package": "^8.0.0", | ||
| "prettier": "2.8.8", | ||
| "react-test-renderer": "19.1.0", | ||
| "typescript": "~5.3.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=18" | ||
| "node": ">=20.19.4" |
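Review bot: `@react-native/eslint-plugin` is bumped to `^0.85.2` while every sibling `@react-native/*` package in the same block (`babel-preset`, `eslint-config`, `metro-config`, `typescript-config`) stays pinned at `0.81.4` to match `react-native` `0.81.4`; mixing a 0.85.x plugin with a 0.81.x `@react-native/eslint-config` invites a peer-dependency mismatch at install or lint time, so either keep the plugin on the 0.81.4 line or say in the PR why the newer line is required. The `engines.node` change from `>=18` to `>=20.19.4` also needs the same threshold in `scripts/check-requirements.sh` and the README; as the diff stands, the requirements check still passes on Node 18 for a package that now declares it unsupported.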
🟠 Architect Review — HIGH
The sample app now declares "engines.node": ">=20.19.4" while the root README and environment scripts (scripts/check-requirements.sh and scripts/auto-setup.sh) still validate and install Node.js >=18.0 as sufficient. This creates an inconsistent setup contract where npm run check-requirements can report a passing environment on Node 18 even though the sample project's declared minimum Node version is 20.19.4.
Suggestion: Align the Node.js minimum version across the sample package.json engines field, README requirements, and check-requirements.sh/auto-setup.sh scripts—either raise all to Node 20.19.4+ or keep the sample engines requirement at the documented Node 18 baseline so the checks and documentation reflect the actual supported version.
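Both review comments above (the CodeRabbit one on `check-requirements.sh` and the Architect review on `engines.node`) ask for the same thing: a requirements check that rejects the Node versions `engines.node` rejects, with a proper semver comparison instead of a hardcoded "18.0" string. The following is an added example, not the project's `scripts/check-requirements.sh`; `MIN_NODE` is assumed to mirror `sample/package.json` and the function names are mine.

```shell
#!/bin/sh
# Added example (not the project's scripts/check-requirements.sh): a semver-aware
# Node.js minimum check. MIN_NODE is assumed to mirror "engines.node" in
# sample/package.json, so the script and the manifest agree on the floor.
MIN_NODE="20.19.4"

# version_ge HAVE WANT: returns 0 when dotted version HAVE >= WANT, comparing
# major, minor and patch numerically (so 20.9.0 < 20.19.4 and 20.19 == 20.19.0).
version_ge() {
  want="$2"
  set -- $(printf '%s' "$1" | tr '.' ' ')
  h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
  set -- $(printf '%s' "$want" | tr '.' ' ')
  w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
  for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3"; do
    set -- $pair
    if [ "$1" -gt "$2" ]; then return 0; fi
    if [ "$1" -lt "$2" ]; then return 1; fi
  done
  return 0                              # all three components equal
}

# node_meets_min VERSION_STRING: accepts the raw output of `node --version`
# (e.g. "v20.19.4" or "v21.0.0-nightly...") and compares it against MIN_NODE.
node_meets_min() {
  ver=${1#v}          # strip the leading "v"
  ver=${ver%%-*}      # drop any pre-release suffix before comparing
  version_ge "$ver" "$MIN_NODE"
}

# check_node: the entry point a requirements script would call. Returns non-zero
# when node is missing or older than MIN_NODE, so `npm run check-requirements`
# fails on exactly the versions that "engines.node" declares unsupported.
check_node() {
  installed=$(node --version 2>/dev/null) || { echo "node not found in PATH" >&2; return 1; }
  if node_meets_min "$installed"; then
    echo "Node $installed satisfies >=$MIN_NODE"
  else
    echo "Node $installed is older than the required $MIN_NODE" >&2
    return 1
  fi
}
```

Call `check_node` from the requirements script and let its exit status propagate; the README's stated minimum then has a single source of truth to follow.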
User description

Summary

Resolves 51 Apiiro OSS vulnerability findings across the three sample directories (`legacy-sample`, `example`, `sample`) in the public GitHub repository.

- `package.json` already absent from HEAD; no npm surface for scanners to flag
- `android/` only; no npm packages remain
- `eslint` 8.x (EOL) → 9.39.4 with ESLint 9 flat config migration (`.eslintrc.js` removed, `eslint.config.js` added)
- `@react-native-community/cli` 18.0.0 (CISA known exploit) → `^20.1.3`
- `fast-xml-parser` 4.5.3 → 5.7.1 (resolved transitively via cli upgrade)
- `minimatch`, `tar`, `glob`, `@isaacs/brace-expansion`, `js-yaml` and all remaining Low findings resolved transitively
- `npm audit` post-fix: 0 vulnerabilities in all directories.

Impact

- `sample/` is not included in npm publish
- `dependencies` is empty
- cli 20.1.3) and ESLint 9

Test Plan

- `npm audit` in `sample/`: expect 0 vulnerabilities
- `npm run android` or `npm run ios` in `sample/` to verify the app still builds and runs
- `npm run lint` in `sample/` to verify the ESLint 9 flat config works

CodeAnt-AI Description

Update the sample app to remove vulnerable dependencies and work with newer tooling

What Changed

Impact

- ✅ Fewer security warnings in the sample app
- ✅ Cleaner sample app setup on newer Node versions
- ✅ Reliable linting after dependency upgrades