🚨 [security] Update @react-native-community/cli 19.1.1 → 20.1.3 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​react-native-community/cli (19.1.1 → 20.1.3) · Repo · Changelog

Security Advisories 🚨

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Release Notes

20.1.1

What's Changed

• fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

• @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

• [fix] Support Android Studio path that JetBrains Toolbox installs to on Windows by @matthargett in #2682
• chore(cli): Update macOS / windows docs links by @Saadnajmi in #2714
• Return to less intrusive way of starting server in a new window on macOS by @swrobel in #2715
• Fix plistPath when using a prebuilt binary (appPath) by @jenskuhrjorgensen in #2705
• Feature: Remove hardcoded index when selecting the correct build target by @jenskuhrjorgensen in #2707
• Fix destination in buildProject by @jenskuhrjorgensen in #2706
• chore: simplify glob patterns by @benmccann in #2711
• Update commands.md by @riteshshukla04 in #2723
• Adds @ to the docs by @riteshshukla04 in #2724
• Build sourceMappingURL constructs with relative paths by @MegaManSec in #2737
• fix: detect bun.lock by @patrickkabwe in #2726
• docs: Update init.md, add missed '@' by @Jongkeun in #2745
• chore: migrate from chalk to picocolors by @Rexogamer in #2631
• fix(init): Fix yarn + skip-install combo causing template copy failure by @azizbecha in #2748
• Remove @szymonrybczak from CODEOWNERS & active contributors by @szymonrybczak in #2751

New Contributors

• @matthargett made their first contribution in #2682
• @Saadnajmi made their first contribution in #2714
• @swrobel made their first contribution in #2715
• @jenskuhrjorgensen made their first contribution in #2705
• @benmccann made their first contribution in #2711
• @riteshshukla04 made their first contribution in #2723
• @MegaManSec made their first contribution in #2737
• @patrickkabwe made their first contribution in #2726
• @Jongkeun made their first contribution in #2745
• @Rexogamer made their first contribution in #2631
• @azizbecha made their first contribution in #2748

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ debug (4.4.1 → 4.4.3) · Repo · Changelog

Security Advisories 🚨

🚨 debug@4.4.2 contains malware after npm account takeover

Impact

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

• https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
• https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
• https://www.ox.security/blog/npm-packages-compromised/

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

• Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social
• debug repository, tracking issue (applies to all packages affected in the breach): #1005

Release Notes

4.4.3

Functionally identical release to 4.4.1.

Version 4.4.2 is compromised. Please see #1005.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 1 commit:

• 4.4.3

↗️ @​react-native-community/cli-platform-android (indirect, 19.1.1 → 20.1.3) · Repo · Changelog

Release Notes

20.1.1

What's Changed

• fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

• @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

• [fix] Support Android Studio path that JetBrains Toolbox installs to on Windows by @matthargett in #2682
• chore(cli): Update macOS / windows docs links by @Saadnajmi in #2714
• Return to less intrusive way of starting server in a new window on macOS by @swrobel in #2715
• Fix plistPath when using a prebuilt binary (appPath) by @jenskuhrjorgensen in #2705
• Feature: Remove hardcoded index when selecting the correct build target by @jenskuhrjorgensen in #2707
• Fix destination in buildProject by @jenskuhrjorgensen in #2706
• chore: simplify glob patterns by @benmccann in #2711
• Update commands.md by @riteshshukla04 in #2723
• Adds @ to the docs by @riteshshukla04 in #2724
• Build sourceMappingURL constructs with relative paths by @MegaManSec in #2737
• fix: detect bun.lock by @patrickkabwe in #2726
• docs: Update init.md, add missed '@' by @Jongkeun in #2745
• chore: migrate from chalk to picocolors by @Rexogamer in #2631
• fix(init): Fix yarn + skip-install combo causing template copy failure by @azizbecha in #2748
• Remove @szymonrybczak from CODEOWNERS & active contributors by @szymonrybczak in #2751

New Contributors

• @matthargett made their first contribution in #2682
• @Saadnajmi made their first contribution in #2714
• @swrobel made their first contribution in #2715
• @jenskuhrjorgensen made their first contribution in #2705
• @benmccann made their first contribution in #2711
• @riteshshukla04 made their first contribution in #2723
• @MegaManSec made their first contribution in #2737
• @patrickkabwe made their first contribution in #2726
• @Jongkeun made their first contribution in #2745
• @Rexogamer made their first contribution in #2631
• @azizbecha made their first contribution in #2748

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​react-native-community/cli-platform-ios (indirect, 19.1.1 → 20.1.3) · Repo · Changelog

Release Notes

20.1.1

What's Changed

• fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

• @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

• [fix] Support Android Studio path that JetBrains Toolbox installs to on Windows by @matthargett in #2682
• chore(cli): Update macOS / windows docs links by @Saadnajmi in #2714
• Return to less intrusive way of starting server in a new window on macOS by @swrobel in #2715
• Fix plistPath when using a prebuilt binary (appPath) by @jenskuhrjorgensen in #2705
• Feature: Remove hardcoded index when selecting the correct build target by @jenskuhrjorgensen in #2707
• Fix destination in buildProject by @jenskuhrjorgensen in #2706
• chore: simplify glob patterns by @benmccann in #2711
• Update commands.md by @riteshshukla04 in #2723
• Adds @ to the docs by @riteshshukla04 in #2724
• Build sourceMappingURL constructs with relative paths by @MegaManSec in #2737
• fix: detect bun.lock by @patrickkabwe in #2726
• docs: Update init.md, add missed '@' by @Jongkeun in #2745
• chore: migrate from chalk to picocolors by @Rexogamer in #2631
• fix(init): Fix yarn + skip-install combo causing template copy failure by @azizbecha in #2748
• Remove @szymonrybczak from CODEOWNERS & active contributors by @szymonrybczak in #2751

New Contributors

• @matthargett made their first contribution in #2682
• @Saadnajmi made their first contribution in #2714
• @swrobel made their first contribution in #2715
• @jenskuhrjorgensen made their first contribution in #2705
• @benmccann made their first contribution in #2711
• @riteshshukla04 made their first contribution in #2723
• @MegaManSec made their first contribution in #2737
• @patrickkabwe made their first contribution in #2726
• @Jongkeun made their first contribution in #2745
• @Rexogamer made their first contribution in #2631
• @azizbecha made their first contribution in #2748

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​react-native-community/cli-server-api (indirect, 19.1.1 → 20.1.3) · Repo · Changelog

Security Advisories 🚨

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

🚨 @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Release Notes

20.1.1

What's Changed

• fix: prevent RCE in openURLMiddleware via URL sanitization by @Copilot and @huntie in #2758

New Contributors

• @Copilot made their first contribution in #2758

Full Changelog: v20.1.0...v20.1.1

20.1.0

What's Changed

• [fix] Support Android Studio path that JetBrains Toolbox installs to on Windows by @matthargett in #2682
• chore(cli): Update macOS / windows docs links by @Saadnajmi in #2714
• Return to less intrusive way of starting server in a new window on macOS by @swrobel in #2715
• Fix plistPath when using a prebuilt binary (appPath) by @jenskuhrjorgensen in #2705
• Feature: Remove hardcoded index when selecting the correct build target by @jenskuhrjorgensen in #2707
• Fix destination in buildProject by @jenskuhrjorgensen in #2706
• chore: simplify glob patterns by @benmccann in #2711
• Update commands.md by @riteshshukla04 in #2723
• Adds @ to the docs by @riteshshukla04 in #2724
• Build sourceMappingURL constructs with relative paths by @MegaManSec in #2737
• fix: detect bun.lock by @patrickkabwe in #2726
• docs: Update init.md, add missed '@' by @Jongkeun in #2745
• chore: migrate from chalk to picocolors by @Rexogamer in #2631
• fix(init): Fix yarn + skip-install combo causing template copy failure by @azizbecha in #2748
• Remove @szymonrybczak from CODEOWNERS & active contributors by @szymonrybczak in #2751

New Contributors

• @matthargett made their first contribution in #2682
• @Saadnajmi made their first contribution in #2714
• @swrobel made their first contribution in #2715
• @jenskuhrjorgensen made their first contribution in #2705
• @benmccann made their first contribution in #2711
• @riteshshukla04 made their first contribution in #2723
• @MegaManSec made their first contribution in #2737
• @patrickkabwe made their first contribution in #2726
• @Jongkeun made their first contribution in #2745
• @Rexogamer made their first contribution in #2631
• @azizbecha made their first contribution in #2748

Full Changelog: v20.0.2...v20.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dayjs (indirect, 1.11.13 → 1.11.20) · Repo · Changelog

Release Notes

1.11.20

1.11.20 (2026-03-12)

Bug Fixes

• Update locale km.js to support meridiem (#3017) (9d2b6a1)
• update updateLocale plugin to merge nested object properties instead of replacing (#3012) (99691c5), closes #1118

1.11.19

1.11.19 (2025-10-31)

Bug Fixes

• added usage warnings for diff + updated unit tests (#2948) (269a7a9)
• dont instantiate regexes within ar locale functions to avoid performance overhead (#2898) (af5e9f0)
• replace italian locale "un' ora fa" with "un'ora fa", add tests for it (#2930) (9e9f76c)
• Updated Belarusian locale with relative time (#2656) (1d8746c)

1.11.18

1.11.18 (2025-08-30)

Bug Fixes

• error semantic-release dependency (8cfb313)

1.11.17

1.11.17 (2025-08-29)

Bug Fixes

• [en-AU] locale use the same ordinal as moment (#2878) (1b95ecd)

1.11.16

1.11.16 (2025-08-29)

Bug Fixes

• test release workflow (no code changes) (c38c428)

1.11.15

1.11.15 (2025-08-28)

Bug Fixes

• Fix misspellings in Irish or Irish Gaelic [ga] (#2861) (9c14a42)

1.11.14

1.11.14 (2025-08-27)

Bug Fixes

• .utcOffset(0, true) result and its clone are different bug (#2505) (fefdcd4)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ errorhandler (indirect, 1.5.1 → 1.5.2) · Repo · Changelog

Release Notes

1.5.2

What's Changed

• chore: add support for OSSF scorecard reporting by @inigomarquinez in #27
• docs: state assumption in readme examples by @dpopp07 in #29
• chore: upgrade scorecard workflow pinned action versions by @carpasse in #30
• ci: apply OSSF Scorecard security best practices by @UlisesGascon in #31
• chore: add funding to package.json by @bjohansebas in #43
• build(deps): bump github/codeql-action from 3.27.9 to 3.29.5 by @dependabot[bot] in #44
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #46
• build(deps): bump github/codeql-action from 3.29.7 to 3.29.11 by @dependabot[bot] in #45
• build(deps): bump github/codeql-action from 3.29.11 to 4.31.2 by @dependabot[bot] in #50
• build(deps): bump actions/upload-artifact from 4.5.0 to 5.0.0 by @dependabot[bot] in #49
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #52
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.5 by @dependabot[bot] in #51
• Migrate CI from Travis to GitHub Actions by @nanotower in #53
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 by @dependabot[bot] in #48
• Update patch version, dev dependencies, and CI workflow by @nanotower in #54
• build(deps-dev): bump mocha from 10.2.0 to 10.8.2 by @dependabot[bot] in #36
• build(deps-dev): bump eslint-plugin-import from 2.275 to 2.32.0 by @dependabot[bot] in #41
• chore: remove HISTORY.md from package files by @nanotower in #55
• chore: remove Travis CI configuration file by @nanotower in #57
• Release: 1.5.2 by @nanotower in #56

New Contributors

• @inigomarquinez made their first contribution in #27
• @dpopp07 made their first contribution in #29
• @carpasse made their first contribution in #30
• @UlisesGascon made their first contribution in #31
• @bjohansebas made their first contribution in #43
• @dependabot[bot] made their first contribution in #44
• @nanotower made their first contribution in #53

Full Changelog: 1.5.1...1.5.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 51 commits:

• Release: 1.5.2 (#56)
• ci: remove Travis CI configuration file (#57)
• chore: remove `HISTORY.md` from package files (#55)
• build(deps-dev): bump eslint-plugin-import from 2.275 to 2.32.0 (#41)
• build(deps-dev): bump mocha from 7.1.0 to 7.2.0 (#36)
• feat: update patch version, dev dependencies, and CI workflow (#54)
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#48)
• ci: migrate CI from Travis to GitHub Actions (#53)
• build(deps): bump github/codeql-action from 4.31.2 to 4.31.5 (#51)
• build(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#52)
• build(deps): bump actions/upload-artifact from 4.5.0 to 5.0.0 (#49)
• build(deps): bump github/codeql-action from 3.29.11 to 4.31.2 (#50)
• build(deps): bump github/codeql-action from 3.29.7 to 3.29.11 (#45)
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#46)
• build(deps): bump github/codeql-action from 3.27.9 to 3.29.5 (#44)
• chore: add funding to package.json (#43)
• ci: apply OSSF Scorecard security best practices (#31)
• chore: upgrade scorecard workflow pinned action versions (#30)
• docs: state assumption in readme examples (#29)
• ci: add support for OSSF scorecard reporting (#27)
• build: Node.js@13.10
• build: Node.js@12.16
• build: Node.js@10.19
• build: mocha@7.1.0
• build: eslint-plugin-markdown@1.0.2
• build: eslint-plugin-import@2.20.1
• build: remove deprecated Travis CI directive
• build: Node.js@13.7
• build: mocha@7.0.1
• build: eslint@6.8.0
• build: Node.js@13.5
• build: Node.js@12.14
• build: Node.js@10.18
• build: Node.js@8.17
• build: eslint-plugin-import@2.19.1
• build: eslint@6.7.2
• build: support Node.js 13.x
• build: eslint-plugin-node@9.2.0
• build: eslint-plugin-markdown@1.0.1
• build: eslint@6.7.1
• build: Node.js@12.12
• build: Node.js@10.17
• build: mocha@6.2.2
• lint: apply standard 14 style
• build: Node.js@12.8
• build: mocha@6.2.0
• lint: apply standard 13 style
• build: eslint-plugin-promise@4.2.1
• build: eslint-plugin-import@2.18.0
• build: Node.js@12.4
• build: Node.js@10.16

🆕 fast-xml-builder (added, 1.1.4)

🆕 path-expression-matcher (added, 1.2.0)

🆕 strict-url-sanitise (added, 0.0.1)

🆕 semver (added, 7.7.4)

🆕 body-parser (added, 2.2.2)

🆕 iconv-lite (added, 0.7.2)

🆕 qs (added, 6.15.0)

🆕 statuses (added, 2.0.2)

🆕 fast-xml-parser (added, 5.5.9)

🆕 http-errors (added, 2.0.1)

🆕 media-typer (added, 1.1.0)

🆕 mime-db (added, 1.54.0)

🆕 mime-types (added, 3.0.2)

🆕 raw-body (added, 3.0.2)

🆕 strnum (added, 2.2.2)

🆕 type-is (added, 2.0.1)

🗑️ @​jest/types (removed)

🗑️ @​types/yargs (removed)

🗑️ pretty-format (removed)

🗑️ react-is (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)