Skip to content

build(deps): bump the production-dependencies group with 5 updates#614

Closed
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/production-dependencies-2f380a9ae4
Closed

build(deps): bump the production-dependencies group with 5 updates#614
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/production-dependencies-2f380a9ae4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 5 updates:

Package From To
@react-navigation/bottom-tabs 7.18.3 7.18.4
@react-navigation/native 7.3.4 7.3.5
@react-navigation/native-stack 7.17.6 7.17.7
expo-modules-core 56.0.17 57.0.1
i18next 26.3.3 26.3.4

Updates @react-navigation/bottom-tabs from 7.18.3 to 7.18.4

Changelog

Sourced from @​react-navigation/bottom-tabs's changelog.

7.18.4 (2026-06-30)

Note: Version bump only for package @​react-navigation/bottom-tabs

Commits

Updates @react-navigation/native from 7.3.4 to 7.3.5

Changelog

Sourced from @​react-navigation/native's changelog.

7.3.5 (2026-06-30)

Note: Version bump only for package @​react-navigation/native

Commits

Updates @react-navigation/native-stack from 7.17.6 to 7.17.7

Changelog

Sourced from @​react-navigation/native-stack's changelog.

7.17.7 (2026-06-30)

Note: Version bump only for package @​react-navigation/native-stack

Commits

Updates expo-modules-core from 56.0.17 to 57.0.1

Commits

Updates i18next from 26.3.3 to 26.3.4

Release notes

Sourced from i18next's releases.

v26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). Thanks to zx (Jace) for the responsible disclosure.
Changelog

Sourced from i18next's changelog.

26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the production-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@react-navigation/bottom-tabs](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/bottom-tabs) | `7.18.3` | `7.18.4` |
| [@react-navigation/native](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/native) | `7.3.4` | `7.3.5` |
| [@react-navigation/native-stack](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/native-stack) | `7.17.6` | `7.17.7` |
| [expo-modules-core](https://github.com/expo/expo/tree/HEAD/packages/expo-modules-core) | `56.0.17` | `57.0.1` |
| [i18next](https://github.com/i18next/i18next) | `26.3.3` | `26.3.4` |


Updates `@react-navigation/bottom-tabs` from 7.18.3 to 7.18.4
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/bottom-tabs@7.18.4/packages/bottom-tabs/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/bottom-tabs@7.18.4/packages/bottom-tabs)

Updates `@react-navigation/native` from 7.3.4 to 7.3.5
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/native@7.3.5/packages/native/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/native@7.3.5/packages/native)

Updates `@react-navigation/native-stack` from 7.17.6 to 7.17.7
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/native-stack@7.17.7/packages/native-stack/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/native-stack@7.17.7/packages/native-stack)

Updates `expo-modules-core` from 56.0.17 to 57.0.1
- [Changelog](https://github.com/expo/expo/blob/main/CHANGELOG.md)
- [Commits](https://github.com/expo/expo/commits/HEAD/packages/expo-modules-core)

Updates `i18next` from 26.3.3 to 26.3.4
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.3.3...v26.3.4)

---
updated-dependencies:
- dependency-name: "@react-navigation/bottom-tabs"
  dependency-version: 7.18.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@react-navigation/native"
  dependency-version: 7.3.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@react-navigation/native-stack"
  dependency-version: 7.17.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: expo-modules-core
  dependency-version: 57.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: i18next
  dependency-version: 26.3.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 1, 2026
@github-actions github-actions Bot enabled auto-merge July 1, 2026 08:27
@dependabot @github

dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 1, 2026
auto-merge was automatically disabled July 1, 2026 21:08

Pull request was closed

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/production-dependencies-2f380a9ae4 branch July 1, 2026 21:08
@github-project-automation github-project-automation Bot moved this from Backlog to Done in OpenDTU-App Releases Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

0 participants