From 4b79b83ce11985dfa9751736ea4ce4e2fb9bde75 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Thu, 26 Feb 2026 14:32:08 +0100
Subject: [PATCH 1/2] chore(deps): bump ajv to fix ReDoS vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Uses scoped yarn resolutions to bump ajv:
- eslint/eslintrc consumers: 6.12.6 → 6.14.0 (fixes alert #423)
- appium, detox, expo-dev-launcher: → 8.18.0 (fixes alert #424)

Parent-scoped resolutions avoid the unscoped override that would force eslint onto incompatible ajv v8.

https://github.com/getsentry/sentry-react-native/security/dependabot/423
https://github.com/getsentry/sentry-react-native/security/dependabot/424

Co-Authored-By: Claude Opus 4.6
---
 package.json | 8 ++++++++
 yarn.lock | 38 +++++++++++++++++++-------------------
 2 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/package.json b/package.json
index bd69d55849..523ef413e8 100644
--- a/package.json
+++ b/package.json
@@ -60,6 +60,14 @@
 ],
 "resolutions": {
 "appium-chromedriver@npm:5.6.73/@xmldom/xmldom": "0.8.10",
+ "appium@npm:2.4.1/ajv": "^8.18.0",
+ "detox@npm:20.46.0/ajv": "^8.18.0",
+ "expo-dev-launcher@npm:6.0.20/ajv": "^8.18.0",
+ "@eslint/eslintrc@npm:2.1.4/ajv": "^6.14.0",
+ "@eslint/eslintrc@npm:3.3.3/ajv": "^6.14.0",
+ "eslint@npm:8.57.0/ajv": "^6.14.0",
+ "eslint@npm:8.57.1/ajv": "^6.14.0",
+ "eslint@npm:9.39.2/ajv": "^6.14.0",
 "fast-xml-parser": "^5.3.6",
 "form-data": "4.0.4",
 "qs": "^6.14.2",
diff --git a/yarn.lock b/yarn.lock
index d9063b15cf..798bb93265 100644
--- a/yarn.lock
+++ b/yarn.lock
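Review bot: The new resolution keys on the `+` lines are scoped to exact parent versions (`appium@npm:2.4.1`, `detox@npm:20.46.0`, `eslint@npm:8.57.0` and the rest), so each override silently stops matching the moment that parent is bumped and ajv falls back to whatever range the parent declares; the `ajv-formats@npm:2.1.1/ajv` entry the second patch adds to the same object shows how easily one path is missed. Since `package.json` cannot hold comments, I would record the purpose of these entries in a CONTRIBUTING or security note and keep `yarn npm audit` in CI so a regression surfaces instead of relying on the pins staying valid. I would also produce `yarn.lock` from a real `yarn install` and run `yarn install --immutable` in CI: the added `ajv@npm:^6.14.0` and `ajv@npm:^8.18.0` entries write dependency ranges in the bare `^3.1.1` form while the `ajv@npm:^6.12.4` entry they replace uses `"npm:^3.1.1"`, which hints the new lines and their checksums may have been written by hand rather than generated. The `resolutions` object starts and ends outside the hunk.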
@@ -13682,31 +13682,19 @@ __metadata:
 languageName: node
 linkType: hard
 
-"ajv@npm:8.12.0":
- version: 8.12.0
- resolution: "ajv@npm:8.12.0"
+"ajv@npm:^6.14.0":
+ version: 6.14.0
+ resolution: "ajv@npm:6.14.0"
 dependencies:
 fast-deep-equal: ^3.1.1
- json-schema-traverse: ^1.0.0
- require-from-string: ^2.0.2
+ fast-json-stable-stringify: ^2.0.0
+ json-schema-traverse: ^0.4.1
 uri-js: ^4.2.2
- checksum: 4dc13714e316e67537c8b31bc063f99a1d9d9a497eb4bbd55191ac0dcd5e4985bbb71570352ad6f1e76684fb6d790928f96ba3b2d4fd6e10024be9612fe3f001
+ checksum: 7bb3ea97bb8af52521589079f427e799b6561acaa94f50e13410cb87588c51df8db1afe1157b3e48f1a829269adaa11116e0c2cafe2b998add1523789809a3c5
 languageName: node
 linkType: hard
 
-"ajv@npm:^6.12.4":
- version: 6.12.6
- resolution: "ajv@npm:6.12.6"
- dependencies:
- fast-deep-equal: "npm:^3.1.1"
- fast-json-stable-stringify: "npm:^2.0.0"
- json-schema-traverse: "npm:^0.4.1"
- uri-js: "npm:^4.2.2"
- checksum: 874972efe5c4202ab0a68379481fbd3d1b5d0a7bd6d3cc21d40d3536ebff3352a2a1fabb632d4fd2cc7fe4cbdcd5ed6782084c9bbf7f32a1536d18f9da5007d4
- languageName: node
- linkType: hard
-
-"ajv@npm:^8.0.0, ajv@npm:^8.11.0, ajv@npm:^8.6.3":
+"ajv@npm:^8.0.0":
 version: 8.17.1
 resolution: "ajv@npm:8.17.1"
 dependencies:
@@ -13718,6 +13706,18 @@ __metadata:
 languageName: node
 linkType: hard
 
+"ajv@npm:^8.18.0":
+ version: 8.18.0
+ resolution: "ajv@npm:8.18.0"
+ dependencies:
+ fast-deep-equal: ^3.1.3
+ fast-uri: ^3.0.1
+ json-schema-traverse: ^1.0.0
+ require-from-string: ^2.0.2
+ checksum: bcdf6c7b040ca488108e2b4e219b31cf9ed478331007d4dd1ed8acc3946dd6b84295817c0f4724207b8dd8589c9966168b2fd4c7f32109d4b8526cdd3743e936
+ languageName: node
+ linkType: hard
+
 "anser@npm:^1.4.9":
 version: 1.4.10
 resolution: "anser@npm:1.4.10"

From f99f8cd266833b4758a6c262d6a493af72f1ef59 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Thu, 26 Feb 2026 14:41:32 +0100
Subject: [PATCH 2/2] fix: add ajv-formats scoped resolution to cover remaining vulnerable ajv 8.17.1

ajv-formats@2.1.1 (via appium) depends on ajv@^8.0.0 which was still resolving to vulnerable 8.17.1. Adding a scoped resolution for ajv-formats ensures it also gets ajv 8.18.0.

Co-Authored-By: Claude Opus 4.6
---
 package.json | 1 +
 yarn.lock | 12 ------------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/package.json b/package.json
index 523ef413e8..2db675531d 100644
--- a/package.json
+++ b/package.json
@@ -60,6 +60,7 @@
 ],
 "resolutions": {
 "appium-chromedriver@npm:5.6.73/@xmldom/xmldom": "0.8.10",
+ "ajv-formats@npm:2.1.1/ajv": "^8.18.0",
 "appium@npm:2.4.1/ajv": "^8.18.0",
 "detox@npm:20.46.0/ajv": "^8.18.0",
 "expo-dev-launcher@npm:6.0.20/ajv": "^8.18.0",
diff --git a/yarn.lock b/yarn.lock
index 798bb93265..beb3d52a28 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13694,18 +13694,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"ajv@npm:^8.0.0":
- version: 8.17.1
- resolution: "ajv@npm:8.17.1"
- dependencies:
- fast-deep-equal: "npm:^3.1.3"
- fast-uri: "npm:^3.0.1"
- json-schema-traverse: "npm:^1.0.0"
- require-from-string: "npm:^2.0.2"
- checksum: 1797bf242cfffbaf3b870d13565bd1716b73f214bb7ada9a497063aada210200da36e3ed40237285f3255acc4feeae91b1fb183625331bad27da95973f7253d9
- languageName: node
- linkType: hard
-
 "ajv@npm:^8.18.0":
 version: 8.18.0
 resolution: "ajv@npm:8.18.0"