[Snyk] Upgrade react-native from 0.74.5 to 0.76.5

[yingbull]

Snyk has created this PR to upgrade react-native from 0.74.5 to 0.76.5.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 185 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	479	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	479	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-AXIOS-6671926	479	No Known Exploit
	Improper Input Validation SNYK-JS-NANOID-8492085	479	No Known Exploit

Release notes

Package name: react-native

• 0.76.5 - 2024-12-09
  

  v0.76.5

  Fixed

  • Better support filtering out non linked platforms (fcbcf80d1c by @ cipolleschi)

  Android specific

  • Fix crash on HeadlessJsTaskService on old architecture (4560fc0497 by @ cortinico)

  ---

  Hermes dSYMS:

  • Debug
  • Release

  ---

  You can file issues or pick requests against this release here.

  ---

  To help you upgrade to this version, you can use the Upgrade Helper ⚛️.

  ---

  View the whole changelog in the CHANGELOG.md file.

• 0.76.4 - 2024-12-06
  

  v0.76.4

  Added

  • Sync debugger-frontend to latest 0.76-stable (fix Expo node_modules entry points in Sources panel) (43fe69c315 by @ huntie)
  • Exclude unlinked libs from codegen (3cedb09a65 by @ cipolleschi)

  Android specific

  • Avoid NPE when touch event is triggered before SurfaceManager is initiated (b8095f4692 by @ CHOIMINSEOK)

  ---

  Hermes dSYMS:

  • Debug
  • Release

  ---

  You can file issues or pick requests against this release here.

  ---

  To help you upgrade to this version, you can use the Upgrade Helper ⚛️.

  ---

  View the whole changelog in the CHANGELOG.md file.

• 0.76.3 - 2024-11-21
  

  Fixed

  Android specific

  • Look for sdkmanager.bat (6460d2b3e7 by @ blakef)
  • CMake Windows path normalization (9946838bedd by @ blakef)
  • Fix build failure on windows in android (08b83005481 by @ FouadMagdy01)

  ---

  Hermes dSYMS:

  • Debug
  • Release

  ---

  You can file issues or pick requests against this release here.

  ---

  To help you upgrade to this version, you can use the Upgrade Helper ⚛️.

  ---

  View the whole changelog in the CHANGELOG.md file.

• 0.76.2 - 2024-11-14
  

  Added

  • TypeScript Add CodegenTypes for TS (20b141508b by @ cipolleschi)

  Changed

  • infra Bump CLI to 15.0.1 (51b98c24bd by @ szymonrybczak)

  iOS specific

  • TextInput Include existing attributes in newly typed text (557e3447f5 by @ NickGerleman)

  Fixed

  • Hermes Update Hermes to support Intl (94d4bfd7c8 by @ blakef)
  • infra Skip hermes-parser under Babel for non-Flow JS code (ff1261e7dc by @ huntie)
  • infra fix semver not being found in pnpm setups (0def73d1a6 by @ tido64)
  • Error Handling Fix setUpErrorHandling to show early JS errors (dac6d508af by @ cipolleschi)

  Android specific

  • infra Use absolute path when compiling appmodules.so sources (3956955eaa by @ cortinico)
  • infra Properly handle paths with spaces in autolinking (1f62529dc4 by @ cortinico)
  • Modal Fix Regression - Modal content rendering below system bar on < API 30 when activity is edge-to-edge (2cd48ef351 by @ alanleedev)
  • runtime Fix timers in headless tasks on bridgeless mode (ee7b4e2763 by @ j-piasecki)

  iOS specific

  • Codegen Properly stop generating component registration for components defined in app. (97a4234b6e by @ cipolleschi)
  • infra Give apps access to Yoga headers (e851e73c18 by @ cipolleschi)
  • TextInput Fix missing emitter attributes on iOS TextInput when controlled component value specified using value instead of children (52cdedb40e by @ NickGerleman)
  • TextInput Fix cursor moving in iOS controlled single line TextInput on Autocorrection (New Arch) (36fd5533f6 by @ NickGerleman)

  ---

  Hermes dSYMS:

  • Debug
  • Release

  ---

  You can file issues or pick requests against this release here.

  ---

  To help you upgrade to this version, you can use the Upgrade Helper ⚛️.

  ---

  View the whole changelog in the CHANGELOG.md file.

• 0.76.1 - 2024-10-29
  

  Fixed

  Android specific

  • runtime Made AppRegistry callable from Native code in Bridgeless (fixes headless tasks) (f3fee67c54 by @ robik)
  • runtime Add jsBundleFile to DefaultReactNativeHost.kt (e56bd89ef)

  iOS specific

  • infra Pin Xcodeproj to < 1.26.0 (e8776240b41)
  • runtime Fixes regression of RCTWindowFrameDidChangeNotification not fired (e271b23fad by @ zhongwuzw)
  • runtime Fixed bug where background colors would sometimes animate when changing on Views (1d6ac09530 by @ joevilches)
  • codegen Do not generate the ComponentCls function in the RCTThirdPartyFabricComponentsProvider for components deined in the app. (dc7e9e2d83 by @ cipolleschi)
  • infra Generated NODE_BINARY in .xcode.env.local now supports paths with a space (eeaa3ff458 by @ blakef)

  ---

  Hermes dSYMS:

  • Debug
  • Release

  ---

  You can file issues or pick requests against this release here.

  ---

  To help you upgrade to this version, you can use the Upgrade Helper ⚛️.

  ---

  View the whole changelog in the CHANGELOG.md file.

• 0.76.0 - 2024-10-23
  

  0.76 stable is out!

  This release of React Native enables the New Architecture by default. You can read more about it in this dedicated blog-post: the New Architecture is here.

  This release also includes over 1491 commits from 165 contributors! Thank you to all our contributors new and old!

  You can see all the highlights of the release in our release blog post.

  ---

  Hermes dSYMS:

  • Debug
  • Release

  ---

  You can file pick requests against this release here.

  ---

  To help you upgrade to this version, you can use the Upgrade Helper ⚛️.

  ---

  View the whole changelog in the CHANGELOG.md file

• 0.76.0-rc.6 - 2024-10-17
• 0.76.0-rc.5 - 2024-10-15
• 0.76.0-rc.4 - 2024-10-08
• 0.76.0-rc.3 - 2024-10-01
• 0.76.0-rc.2 - 2024-09-24
• 0.76.0-rc.1 - 2024-09-16
• 0.76.0-rc.0 - 2024-09-10
• 0.76.0-nightly-20240910-84f2d2512 - 2024-09-10
• 0.76.0-nightly-20240909-d424c2443 - 2024-09-09
• 0.76.0-nightly-20240909-143f1ad29 - 2024-09-09
• 0.76.0-nightly-20240908-d687d3898 - 2024-09-08
• 0.76.0-nightly-20240907-79e4ed2b0 - 2024-09-07
• 0.76.0-nightly-20240906-5fe766043 - 2024-09-06
• 0.76.0-nightly-20240905-62ee5c9b8 - 2024-09-05
• 0.76.0-nightly-20240904-0a1ba0227 - 2024-09-04
• 0.76.0-nightly-20240903-4ddb12c5e - 2024-09-03
• 0.76.0-nightly-20240902-305b4357e - 2024-09-02
• 0.76.0-nightly-20240901-305b4357e - 2024-09-01
• 0.76.0-nightly-20240831-f00e8baff - 2024-08-31
• 0.76.0-nightly-20240830-435124765 - 2024-08-30
• 0.76.0-nightly-20240829-20e3f4518 - 2024-08-29
• 0.76.0-nightly-20240828-cf356bd19 - 2024-08-28
• 0.76.0-nightly-20240827-851037d14 - 2024-08-27
• 0.76.0-nightly-20240826-6cfe51ded - 2024-08-26
• 0.76.0-nightly-20240825-6cfe51ded - 2024-08-25
• 0.76.0-nightly-20240824-09e88448c - 2024-08-24
• 0.76.0-nightly-20240823-858ad5e9c - 2024-08-23
• 0.76.0-nightly-20240822-81a41ec97 - 2024-08-22
• 0.76.0-nightly-20240821-387560a9a - 2024-08-21
• 0.76.0-nightly-20240820-1a49892d5 - 2024-08-20
• 0.76.0-nightly-20240819-d4d5ab0bb - 2024-08-19
• 0.76.0-nightly-20240818-25d6a152c - 2024-08-18
• 0.76.0-nightly-20240817-3e6b4fa23 - 2024-08-17
• 0.76.0-nightly-20240816-17017d2b8 - 2024-08-16
• 0.76.0-nightly-20240815-9bc32a010 - 2024-08-15
• 0.76.0-nightly-20240801-TEMP - 2024-08-01
• 0.76.0-nightly-20240731-TEMP - 2024-07-31
• 0.76.0-nightly-20240730-TEMP - 2024-07-30
• 0.76.0-nightly-20240729-TEMP - 2024-07-29
• 0.76.0-nightly-20240728-TEMP - 2024-07-28
• 0.76.0-nightly-20240727-TEMP - 2024-07-27
• 0.76.0-nightly-20240726-TEMP - 2024-07-26
• 0.76.0-nightly-20240723-700b403e0 - 2024-07-23
• 0.76.0-nightly-20240722-9af63956d - 2024-07-22
• 0.76.0-nightly-20240721-9af63956d - 2024-07-21
• 0.76.0-nightly-20240720-3a5eb1973 - 2024-07-20
• 0.76.0-nightly-20240719-6d56cea28 - 2024-07-19
• 0.76.0-nightly-20240715-2eb7bcb8d - 2024-07-15
• 0.76.0-nightly-20240710-9a1ae97c2 - 2024-07-10
• 0.76.0-nightly-20240709-12b64b782 - 2024-07-09
• 0.76.0-nightly-20240706-8c8c77b97 - 2024-07-06
• 0.76.0-nightly-20240705-62cca7acc - 2024-07-05
• 0.76.0-nightly-20240704-af506372b - 2024-07-04
• 0.76.0-nightly-20240702-ad3df8466 - 2024-07-02
• 0.76.0-nightly-20240701-9f6cb21ed - 2024-07-01
• 0.76.0-nightly-20240630-TEMP - 2024-06-30
• 0.76.0-nightly-20240629-TEMP - 2024-06-29
• 0.76.0-nightly-20240628-TEMP - 2024-06-28
• 0.76.0-nightly-20240627-TEMP - 2024-06-27
• 0.75.4 - 2024-10-02
• 0.75.3 - 2024-09-11
• 0.75.2 - 2024-08-20
• 0.75.1 - 2024-08-15
• 0.75.0 - 2024-08-14
• 0.75.0-rc.7 - 2024-08-06
• 0.75.0-rc.6 - 2024-07-29
• 0.75.0-rc.5 - 2024-07-15
• 0.75.0-rc.4 - 2024-07-08
• 0.75.0-rc.3 - 2024-07-01
• 0.75.0-rc.2 - 2024-06-26
• 0.75.0-rc.1 - 2024-06-25
• 0.75.0-rc.0 - 2024-06-19
• 0.75.0-nightly-20240618-5df5ed1a8 - 2024-06-18
• 0.75.0-nightly-20240617-9435097b1 - 2024-06-17
• 0.75.0-nightly-20240616-2f8d4f0c2 - 2024-06-16
• 0.75.0-nightly-20240614-8b53d41a8 - 2024-06-14
• 0.75.0-nightly-20240613-f7aea0c8e - 2024-06-13
• 0.75.0-nightly-20240612-fd618819c - 2024-06-12
• 0.75.0-nightly-20240611-5b3a32142 - 2024-06-11
• 0.75.0-nightly-20240610-ced076210 - 2024-06-10
• 0.75.0-nightly-20240610-6937c7044 - 2024-06-10
• 0.75.0-nightly-20240609-2483c6301 - 2024-06-09
• 0.75.0-nightly-20240608-61de7da03 - 2024-06-08
• 0.75.0-nightly-20240606-cf8b25ead - 2024-06-06
• 0.75.0-nightly-20240606-4324f0874 - 2024-06-06
• 0.75.0-nightly-20240605-a569c82eb - 2024-06-05
• 0.75.0-nightly-20240605-TEMP - 2024-06-05
• 0.75.0-nightly-20240604-744024be7 - 2024-06-04
• 0.75.0-nightly-20240603-a6a7cdf0b - 2024-06-03
• 0.75.0-nightly-20240602-033a55f7f - 2024-06-02
• 0.75.0-nightly-20240601-033a55f7f - 2024-06-01
• 0.75.0-nightly-20240531-c046198cc - 2024-05-31
• 0.75.0-nightly-20240530-0bea4cd0c - 2024-05-30
• 0.75.0-nightly-20240529-5fbebb485 - 2024-05-29
• 0.75.0-nightly-20240528-a93a15aca - 2024-05-28
• 0.75.0-nightly-20240527-c207708c4 - 2024-05-27
• 0.75.0-nightly-20240525-840c31c3a - 2024-05-25
• 0.75.0-nightly-20240524-91d12d9b9 - 2024-05-24
• 0.75.0-nightly-20240523-1343313dc - 2024-05-23
• 0.75.0-nightly-20240522-95de14dc5 - 2024-05-22
• 0.75.0-nightly-20240521-644facd19 - 2024-05-21
• 0.75.0-nightly-20240520-2a96dba07 - 2024-05-20
• 0.75.0-nightly-20240519-93c079b92 - 2024-05-19
• 0.75.0-nightly-20240518-93c079b92 - 2024-05-18
• 0.75.0-nightly-20240517-044aadbaf - 2024-05-17
• 0.75.0-nightly-20240516-1aabefc5b - 2024-05-16
• 0.75.0-nightly-20240515-ad4c39ec9 - 2024-05-15
• 0.75.0-nightly-20240514-734ac42d6 - 2024-05-14
• 0.75.0-nightly-20240512-a37111a4d - 2024-05-12
• 0.75.0-nightly-20240511-3f17c8b5f - 2024-05-11
• 0.75.0-nightly-20240510-1db50a37d - 2024-05-10
• 0.75.0-nightly-20240509-f4996e0b6 - 2024-05-09
• 0.75.0-nightly-20240508-88ab1ceea - 2024-05-08
• 0.75.0-nightly-20240507-be09d1266 - 2024-05-07
• 0.75.0-nightly-20240506-362abb9ff - 2024-05-06
• 0.75.0-nightly-20240503-1d2221ab4 - 2024-05-03
• 0.75.0-nightly-20240502-88de74b2d - 2024-05-02
• 0.75.0-nightly-20240501-90663081d - 2024-05-01
• 0.75.0-nightly-20240430-c96c89337 - 2024-04-30
• 0.75.0-nightly-20240429-b7de91666 - 2024-04-29
• 0.75.0-nightly-20240428-bb2c13af5 - 2024-04-28
• 0.75.0-nightly-20240427-e2ad6696d - 2024-04-27
• 0.75.0-nightly-20240426-9c4ee6df0 - 2024-04-26
• 0.75.0-nightly-20240425-2876fae8d - 2024-04-25
• 0.75.0-nightly-20240424-132563d81 - 2024-04-24
• 0.75.0-nightly-20240423-41f525cca - 2024-04-23
• 0.75.0-nightly-20240422-876914be5 - 2024-04-22
• 0.75.0-nightly-20240420-03a51da72 - 2024-04-20
• 0.75.0-nightly-20240419-73b4d67a7 - 2024-04-19
• 0.75.0-nightly-20240418-4fbc1f2ef - 2024-04-18
• 0.75.0-nightly-20240417-fe9942a19 - 2024-04-17
• 0.75.0-nightly-20240416-8c53ac607 - 2024-04-16
• 0.75.0-nightly-20240415-e7154bdd9 - 2024-04-15
• 0.75.0-nightly-20240414-a5eeea814 - 2024-04-14
• 0.75.0-nightly-20240413-1b152f6ec - 2024-04-13
• 0.75.0-nightly-20240412-b72f5e998 - 2024-04-12
• 0.75.0-nightly-20240411-46b6453eb - 2024-04-11
• 0.75.0-nightly-20240410-f7eaf6388 - 2024-04-10
• 0.75.0-nightly-20240409-881c0bc89 - 2024-04-09
• 0.75.0-nightly-20240408-eae5d9711 - 2024-04-08
• 0.75.0-nightly-20240407-592716582 - 2024-04-07
• 0.75.0-nightly-20240406-a05466c5b - 2024-04-06
• 0.75.0-nightly-20240405-3f05ad6e8 - 2024-04-05
• 0.75.0-nightly-20240404-70c3158b6 - 2024-04-04
• 0.75.0-nightly-20240403-3559a6c58 - 2024-04-03
• 0.75.0-nightly-20240329-3f8882116 - 2024-03-29
• 0.75.0-nightly-20240328-af309127a - 2024-03-28
• 0.75.0-nightly-20240327-2af1da42f - 2024-03-27
• 0.75.0-nightly-20240325-ac714b1c3 - 2024-03-25
• 0.75.0-nightly-20240324-4c8e253d8 - 2024-03-24
• 0.75.0-nightly-20240323-37e362699 - 2024-03-23
• 0.75.0-nightly-20240322-b13e9f8f7 - 2024-03-22
• 0.75.0-nightly-20240321-7d180d712 - 2024-03-21
• 0.75.0-nightly-20240320-0267ca0a4 - 2024-03-20
• 0.75.0-nightly-20240319-d97741af6 - 2024-03-19
• 0.75.0-nightly-20240318-a87fb56ef - 2024-03-18
• 0.75.0-nightly-20240317-06dc448d8 - 2024-03-17
• 0.75.0-nightly-20240316-06dc448d8 - 2024-03-16
• 0.75.0-nightly-20240315-f2f62cdf5 - 2024-03-15
• 0.75.0-nightly-20240315-e180f805e - 2024-03-15
• 0.75.0-nightly-20240312-41b637194 - 2024-03-12
• 0.75.0-nightly-20240311-3706bf077 - 2024-03-11
• 0.75.0-nightly-20240310-e2157f063 - 2024-03-10
• 0.75.0-nightly-20240309-e2157f063 - 2024-03-09
• 0.75.0-nightly-20240308-6c28c87c4 - 2024-03-08
• 0.75.0-nightly-20240308-208be5000 - 2024-03-08
• 0.75.0-nightly-20240307-ff03b149e - 2024-03-07
• 0.75.0-nightly-20240306-c645646a2 - 2024-03-06
• 0.75.0-nightly-20240305-9aeb9f2f9 - 2024-03-05
• 0.75.0-nightly-20240304-ec928d7a6 - 2024-03-04
• 0.75.0-nightly-20240303-7d4778104 - 2024-03-03
• 0.75.0-nightly-20240302-7d4778104 - 2024-03-02
• 0.75.0-nightly-20240229-21171222e - 2024-02-29
• 0.75.0-nightly-20240228-252ef19c8 - 2024-02-28
• 0.75.0-nightly-20240227-8317325fb - 2024-02-27
• 0.75.0-nightly-20240223-c7bacf610 - 2024-02-23
• 0.75.0-nightly-20240222-2dc39c26e - 2024-02-22
• 0.75.0-nightly-20240221-a1171f79f - 2024-02-21
• 0.74.6 - 2024-10-02
• 0.74.5 - 2024-08-05

from react-native GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Upgrade React Native from 0.74.5 to 0.76.5.

New Features:

• Enable the New Architecture by default.
• Add CodegenTypes for TS.

Bug Fixes:

• Fix crash on HeadlessJsTaskService on old architecture.
• Avoid NPE when touch event is triggered before SurfaceManager is initiated.
• Fix build failure on windows in android.
• Made AppRegistry callable from Native code in Bridgeless (fixes headless tasks).
• Add jsBundleFile to DefaultReactNativeHost.kt.
• Pin Xcodeproj to < 1.26.0.
• Fixes regression of RCTWindowFrameDidChangeNotification not fired.
• Fixed bug where background colors would sometimes animate when changing on Views.
• Give apps access to Yoga headers.

Enhancements:

• Better support filtering out non linked platforms.
• Exclude unlinked libs from codegen.
• Sync debugger-frontend to latest 0.76-stable (fix Expo node_modules entry points in Sources panel).
• Bump CLI to 15.0.1.
• Include existing attributes in newly typed text.
• Update Hermes to support Intl.
• Skip hermes-parser under Babel for non-Flow JS code.
• Fix semver not being found in pnpm setups.
• Fix setUpErrorHandling to show early JS errors.
• Use absolute path when compiling appmodules.so sources.
• Properly handle paths with spaces in autolinking.
• Fix Regression - Modal content rendering below system bar on < API 30 when activity is edge-to-edge.
• Fix timers in headless tasks on bridgeless mode.
• Properly stop generating component registration for components defined in app.
• Fix missing emitter attributes on iOS TextInput when controlled component value specified using value instead of children.
• Fix cursor moving in iOS controlled single line TextInput on Autocorrection (New Arch).

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR upgrades react-native from version 0.74.5 to 0.76.5. This addresses several security vulnerabilities, including two high-severity ReDoS vulnerabilities and two medium-severity vulnerabilities related to XSS and improper input validation. The upgrade also brings in numerous bug fixes and improvements from various 0.76.x releases, including better platform filtering, crash fixes on Android, and improved support for Hermes and TypeScript. Notably, React Native 0.76 enables the New Architecture by default.

State diagram for security vulnerability fixes in 0.76.5

stateDiagram-v2
    [*] --> Vulnerable
    Vulnerable --> Fixed: Upgrade to 0.76.5

    state Vulnerable {
        ReDoS1: ReDoS in cross-spawn
        ReDoS2: ReDoS in cross-spawn
        XSS: XSS in axios
        InputVal: Input validation in nanoid
    }

    state Fixed {
        PatchedReDoS: Fixed ReDoS vulnerabilities
        PatchedXSS: Fixed XSS vulnerability
        PatchedInput: Fixed input validation
    }

    Fixed --> [*]

Loading

File-Level Changes

Change	Details	Files
Upgraded react-native to 0.76.5	Changed the react-native dependency version from "0.74.5" to "0.76.5".	package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.