[Snyk] Fix for 40 vulnerabilities

[snyk-bot]

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/mobile/package.json
  • packages/mobile/.snyk

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	Yes	Proof of Concept
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-CSSWHAT-1298035	Yes	No Known Exploit
	479/1000 Why? Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-DATEANDTIME-1054430	No	No Known Exploit
	554/1000 Why? Has a fix available, CVSS 6.8	Cryptographic Issues SNYK-JS-ELLIPTIC-1064899	No	No Known Exploit
	509/1000 Why? Has a fix available, CVSS 5.9	Timing Attack SNYK-JS-ELLIPTIC-511941	No	No Known Exploit
	706/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.7	Cryptographic Issues SNYK-JS-ELLIPTIC-571484	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-I18NEXT-1065979	Yes	No Known Exploit
	459/1000 Why? Has a fix available, CVSS 4.9	Buffer Overflow SNYK-JS-I18NEXT-575536	Yes	No Known Exploit
	561/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.8	Prototype Pollution SNYK-JS-I18NEXT-585930	Yes	Proof of Concept
	429/1000 Why? Has a fix available, CVSS 4.3	Reverse Tabnabbing SNYK-JS-ISTANBULREPORTS-2328088	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-JSONBIGINT-608659	No	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-1018905	No	Proof of Concept
	681/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.2	Command Injection SNYK-JS-LODASH-1040724	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-450202	No	Proof of Concept
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-608086	No	Proof of Concept
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-LODASH-73638	No	Proof of Concept
	541/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 4.4	Regular Expression Denial of Service (ReDoS) SNYK-JS-LODASH-73639	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Prototype Pollution SNYK-JS-MERGE-1040469	No	No Known Exploit
	686/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.3	Prototype Pollution SNYK-JS-MERGE-1042987	No	Proof of Concept
	539/1000 Why? Has a fix available, CVSS 6.5	Information Exposure SNYK-JS-NODEFETCH-2342118	Yes	No Known Exploit
	520/1000 Why? Has a fix available, CVSS 5.9	Denial of Service SNYK-JS-NODEFETCH-674311	Yes	No Known Exploit
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Open Redirect SNYK-JS-NODEFORGE-2330875	No	Proof of Concept
	529/1000 Why? Has a fix available, CVSS 6.3	Prototype Pollution SNYK-JS-NODEFORGE-2331908	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430337	No	No Known Exploit
	579/1000 Why? Has a fix available, CVSS 7.3	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430339	No	No Known Exploit
	494/1000 Why? Has a fix available, CVSS 5.6	Improper Verification of Cryptographic Signature SNYK-JS-NODEFORGE-2430341	No	No Known Exploit
	696/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-NTHCHECK-1586032	Yes	Proof of Concept
	671/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7	Prototype Pollution SNYK-JS-PLIST-2405644	No	Proof of Concept
	589/1000 Why? Has a fix available, CVSS 7.5	Regular Expression Denial of Service (ReDoS) SNYK-JS-REACTNATIVE-1298632	No	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Cross-site Scripting (XSS) SNYK-JS-REACTNATIVEWEBVIEW-1011954	Yes	Proof of Concept
	619/1000 Why? Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	No	No Known Exploit
	596/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.5	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	Yes	Proof of Concept
	586/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.3	Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	No	Proof of Concept
	484/1000 Why? Has a fix available, CVSS 5.4	XML External Entity (XXE) Injection SNYK-JS-XMLDOM-1084960	No	No Known Exploit
	601/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.6	Prototype Pollution SNYK-JS-YARGSPARSER-560381	Yes	Proof of Concept
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Regular Expression Denial of Service (ReDoS) npm:braces:20180219	No	Proof of Concept
	636/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 6.3	Prototype Pollution npm:lodash:20180130	No	Proof of Concept
	469/1000 Why? Has a fix available, CVSS 5.1	Denial of Service (DoS) npm:mem:20180117	Yes	No Known Exploit
	676/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 7.1	Regular Expression Denial of Service (ReDoS) npm:plist:20180219	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: i18next

The new version differs by 250 commits.

• aeab3ca 19.8.5
• f58c423 new version
• 932f5f6 fix potential prototype pollution when backend plugin resolves a malicious language value
• 2dc8267 Merge pull request [iOS/Android] Request payment is not received for user B when user A send the payment request to user B  celo-org/celo-monorepo#1533 from pravi/update-rollup-plugin-babel
• dae2b32 chore: update build dependency (use @ rollup/plugin-babel)
• 4f9ef14 Merge pull request [iOS] Toast message “Backup Key copied” is not shown when taps on “Copy” button from “Your Backup Key” screen  celo-org/celo-monorepo#1532 from pravi/update-node-resolve-plugin
• a90fb69 chore: update rollup and plugins
• ad88092 use fallbackLng as default lng
• ba564b3 19.8.4
• 1816290 prepare new release
• 1ed5a71 Updated FormatFunction signature to match codebase (Status bar changes background color for no clear reason when scrolling in feed celo-org/celo-monorepo#1520)
• 2516e89 Update config.yml
• 94dd384 Update config.yml
• 877e250 commit build result
• fa98508 Merge pull request Enable Celo Lite has some UI problems celo-org/celo-monorepo#1518 from KristjanESPERANTO/patch-1
• 749519e Update URLs
• 03ef4ed 19.8.3
• ed6169f fix prototype pollution with constructor
• 5d808cd updated @ babel/runtime to ^7.12.0, runtime file extensions issue resolved (Remove ContractKit/Protocol building from Transaction Metrics Exporter Docker Image celo-org/celo-monorepo#1513)
• cb780ad 19.8.2
• d736006 allow nesting recursively with context (could theoretically generate infinite loop, prevented in [Wallet] Remove QR debouncing to improve responsiveness celo-org/celo-monorepo#1480)
• 685aa0f 19.8.1
• b44f64c log optimizations for clone instances
• ba2613b 19.8.0

See the full diff

Package name: react-i18next

The new version differs by 8 commits.

• 0bf4437 rebuild
• fd0582c update travis react versions
• 71ecbfc prepare v9
• 58d531c Merge branch 'master' of github.com:i18next/react-i18next
• 0b89efc Merge pull request [Snyk] Fix for 1 vulnerabilities #652 from adrai/master
• b4e4faf Warn if i18next instance is a promise
• eb678f7 Merge pull request [Snyk] Security upgrade react-native from 0.59.10 to 0.64.0 #650 from jleclanche/master
• 478020e Add hooks stub types

See the full diff

Package name: react-native

The new version differs by 250 commits.

• 7473ce1 [0.65.0] Bump version numbers
• 5f0b805 [0.65.0-rc.4] Bump version numbers
• 83d9b9b [LOCAL] yarn lock update
• e775957 Revert "fix: Move react-native-codegen to be a direct dependency of react-native (fix for 0.65-stable)"
• 5f7deb5 [LOCAL] reintroduce generated codegen files
• c0df3e0 [LOCAL] autogenerated files
• 54fbe0d - Bump CLI to ^6.0.0 (#31971)
• 5efad92 Codegen: Always prepare filesystem
• dfd324e Extend codegen script to take library name, output dir arguments
• 1b7f95b Reorganize codegen script for clarity
• 041365e fix: codegen - project paths with spaces (#31141)
• 98e1734 fix: Move react-native-codegen to be a direct dependency of react-native (fix for 0.65-stable)
• e8d725a [0.65.0-rc.3] Bump version numbers
• e40f582 fix(deps): bump metro to 0.66.2 + dedup (#31886)
• e53745e Bump Flipper + Bump hermes (#31872)
• 4476fbc Allow PlatformColor to work with RCTView border colors (#29728)
• 49253dc Fix support for blobs larger than 64 KB on Android (#31789)
• 626d25c Android: upgrading to OkHttp from 4.9.0 to 4.9.1 to fix java.lang.NullPointerException: bio == null crash (#31822)
• db7aa7b [0.65.0-rc.2] Bump version numbers
• 121a6a4 Fix Android build sequencing
• ba4424f Revert "Revert "bump buildToolsVersion to 30.0.2 (#31627)""
• be9a669 Revert "Revert "Gradle 6.9, Android Gradle Plugin 4.2.1 (#31593)""
• 0e08b25 [0.65.0-rc.1] Bump version numbers
• ca5b943 [LOCAL] lock files update for 065 branch

See the full diff

Package name: react-native-qrcode-svg

The new version differs by 48 commits.

• a594e11 Merge branch 'release/6.0.6'
• 0fb5e76 Bump version
• 0ef10e1 Update `Example`
• 00ee76d Add `react-native-svg` to `Example`
• 351d72b Add new version of example
• d197d58 Update pre-commit
• e12097a Update babel and other setup
• 0bcc78c Update `devDependencies`
• 88a03b3 Merge branch 'gbhasha-master'
• 7116e66 Merge branch 'master' of https://github.com/gbhasha/react-native-qrcode-svg into gbhasha-master
• f3123c9 Merge tag '6.0.5' into develop
• 3824a93 Merge branch 'release/6.0.5'
• 94c1d69 Bump version
• 7599f7c Update test cases
• 37f12e4 fix: Updated qrcode package to 1.3.2 to fix security issues
• ebbaa4a Allow user to resolve to version without any vulnerability
• d3170fc Merge tag '6.0.4' into develop
• 2b4aaa7 Merge branch 'release/6.0.4'
• 253a806 Bump version
• fd6e3a7 Merge pull request [Snyk] Security upgrade httplib2 from 0.11.3 to 0.18.0 #89 from Emad-salah/no-stroke
• 4f1d0af Removed stroke from QR Code
• 8b185bb Merge tag '6.0.3' into develop
• 1c2c464 Merge branch 'release/6.0.3'
• adb4794 Bump version

See the full diff

Package name: react-native-svg

The new version differs by 165 commits.

• b2c86c7 feat: add release-it (Deploy new version of Celostats and minnor change from celo-blockchain celo-org/celo-monorepo#1714)
• 69ff5f0 fix#1471: every element is focusable on web (Adjust e2e transfer and governance tests to match new fee distribution and eliminate ProposerFraction celo-org/celo-monorepo#1585)
• 2484baa feat: move Example to TS (Unit test for reading Celo validator history in Blockscout celo-org/celo-monorepo#1712)
• 59a48e7 Fix low-quality masks on iOS (App upgrade screen needs to be styled celo-org/celo-monorepo#1658)
• f277c27 Fixed typo in README.md (Move from let's encrypt v1 API to v2; kube-lego to cert-manager celo-org/celo-monorepo#1448)
• cbc6d58 Fix typo in README (Celotool testnet deploy should default to the latest master commit of celo-blockchain celo-org/celo-monorepo#1427)
• 39c8332 Adding mavenCentral() as jcenter() is shutting (Support governance proposals/hotfixes in contractkit celo-org/celo-monorepo#1570)
• 2826fd9 Updated README.md (Support celotool running on any GCP account celo-org/celo-monorepo#1690)
• bac4986 feat: add macos CI ([Wallet] Users SBAT see Security Fee in exchange confirmation card celo-org/celo-monorepo#1704)
• 5b519c1 feat: add empty CI job so it runs on PR then ([Wallet] Users SBAT review exchange without scrolling celo-org/celo-monorepo#1705)
• b007efe fix: PlatformColor crashes on iOS and Android ([Wallet] Users SBAT choose country corresponding to phone number if it is incorrect celo-org/celo-monorepo#1703)
• d35878b Support PlatformColor (Celotool deploy for notification-service should check if the user is logged in to firebase celo-org/celo-monorepo#1561)
• 8681303 chore: add example with test cases (Developers SBAT read % of C Labs attestation requests completed by a validator celo-org/celo-monorepo#1702)
• 3bc3338 Update to css-select to avoid security warnings (celostats shows correct info under key rotation celo-org/celo-monorepo#1692)
• f6ab25c Merge pull request [Wallet] Users SBAT enter own phone number on Welcome screen without error being thrown celo-org/celo-monorepo#1699 from react-native-svg/@ wolewicki/fix-android-ci
• 14c1124 fix: try add gradle-wrapper
• c42c9eb feat: add Example app build workflows
• bcc9e1d fix: add newlines at the end of files
• 29fbc51 fix: change ios to apple
• 1296a2c Merge branch 'develop' into @ wolewicki/add-example-build-workflows
• 25a6eb5 chore: add Example to repo
• eb5543b feat: add example build workflows
• 522c2e3 chore: add Example to repo
• fa71673 Release v12.2.0

See the full diff

Package name: react-native-webview

The new version differs by 250 commits.

• aaf7881 chore(release): 11.0.0 [skip ci]
• 194c6a2 feat(android): Introduce setSupportMultipleWindows to mitigate CVE-2020-6506 (Point end-to-end tests back to master celo-org/celo-monorepo#1747 by @ mrcoinbase and @ kelset -- THANK YOU!)
• 1b009dd chore(release): 10.10.2 [skip ci]
• c95c0ea fix(android): Unset mWebChromeClient on WebViewManager rather than WebView (New design for redeem invite screen celo-org/celo-monorepo#1720)
• 4ec290d chore(release): 10.10.1 [skip ci]
• 8bd0b41 fix(windows): Resolve Missing Deploy Target (Reset isRedeemingInvite on rehydrate celo-org/celo-monorepo#1716 by @ chiaramooney)
• 74872a1 chore(release): 10.10.0 [skip ci]
• b930e25 feat(windows): JS-WebView messaging bridge & multiple WebViews fixes (Reserve SBAT list addresses that should be included in reserve ratio, voting gold calculations celo-org/celo-monorepo#1617)
• 6398415 chore(release): 10.9.3 [skip ci]
• ef48d35 fix(android): Update SSL error handling (Aaronmgdr/airtable upgrade celo-org/celo-monorepo#1466)
• 1bc38da docs: update injectedJavascript ios docs ([Wallet] Users SBAT see Security Fee in exchange confirmation card celo-org/celo-monorepo#1704 bu @ Crisfole)
• 4d8a76f chore(release): 10.9.2 [skip ci]
• dbf4659 fix(macOS): Don't include iOS pull-to-refresh control (User SBAT decline payment requests celo-org/celo-monorepo#1636)
• f204195 fix(podspec): Lowered deployment target for MacOS to 10.13 ([Suggestion] Reset security PIN option should be shown as if user forgot the created security PIN they won't change it in the app.  celo-org/celo-monorepo#1673)
• 2d24131 chore(release): 10.9.1 [skip ci]
• 08b7099 fix(ios): Xcode 12 compatibility (Fix support for validator key rotation, add end-to-end test celo-org/celo-monorepo#1643)
• a83596e chore(docs): Add other breaking changes to README
• a482a74 chore(release): 10.9.0 [skip ci]
• 22a60fd feat(iOS): Add prop autoManageStatusBarEnabled (Devs SNBAT reference Reserve.burnToken celo-org/celo-monorepo#914)
• 4081410 chore(docs): remove hash url change note (Prettify Solidity files celo-org/celo-monorepo#1622)
• 4c4399c Fix(types): Update Typescript definition file, declaring WebView class as a generic class (Internal audit of parameter validation in contract initialization celo-org/celo-monorepo#1604)
• 4840eeb chore(release): 10.8.3 [skip ci]
• 9dcd108 fix(types): Update Typescript definition file (Stability fee should be zero then kick in automatically after ~18months celo-org/celo-monorepo#1597)
• 4d4b5e2 Synchronously decide if Android WebView should load a URL or not. (Everyone SBAT reference a Governance constitution celo-org/celo-monorepo#1590)

See the full diff

With a Snyk patch:

Severity	Priority Score (*)	Issue	Exploit Maturity
	731/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.2	Prototype Pollution SNYK-JS-LODASH-567746	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Open Redirect
🦉 Prototype Pollution
🦉 More lessons are available in Snyk Learn