[Snyk] Security upgrade react-native from 0.57.3 to 0.60.0

[titanism]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • example/package.json
  • example/yarn.lock

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	461/1000 Why? Recently disclosed, Has a fix available, CVSS 3.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-DEBUG-3227433	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[socket-security[bot]]

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
[email protected] (upgraded)	install	example/package.json

😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package	Bin script	Source
[email protected] (upgraded)	react-native	example/package.json via [email protected]
@cnakazawa/[email protected] (added)	watch	example/package.json via [email protected], @react-native-community/[email protected], [email protected], [email protected], [email protected]
[email protected] (added)	watch	example/package.json via [email protected], [email protected], [email protected]

🦀 Bin script shell injection

This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack

Packages should not export bin scripts which conflict with well known shell commands

Package	Bin script	Source
@cnakazawa/[email protected] (added)	watch	example/package.json via [email protected], @react-native-community/[email protected], [email protected], [email protected], [email protected]

Pull request report summary

Issue	Status
Install scripts	⚠️ 1 issue
Native code	✅ 0 issues
Bin script confusion	⚠️ 3 issues
Bin script shell injection	⚠️ 1 issue
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] [email protected]

• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore @cnakazawa/[email protected]
• @SocketSecurity ignore [email protected]

⚠️ Please accept the latest app permissions to ensure bot commands work properly. Accept the new permissions here.

Powered by socket.dev