Skip to content

build(deps): bump the production-dependencies group across 1 directory with 8 updates#617

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/production-dependencies-c4ff36b144
Open

build(deps): bump the production-dependencies group across 1 directory with 8 updates#617
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/production-dependencies-c4ff36b144

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the production-dependencies group with 8 updates in the / directory:

Package From To
@react-navigation/bottom-tabs 7.18.3 7.18.8
@react-navigation/native 7.3.4 7.3.8
@react-navigation/native-stack 7.17.6 7.17.10
expo-modules-core 56.0.17 57.0.3
i18next 26.3.3 26.3.5
react-native-reanimated 4.5.0 4.5.1
react-native-toast-message 2.3.3 2.4.0
react-native-worklets 0.10.0 0.10.2

Updates @react-navigation/bottom-tabs from 7.18.3 to 7.18.8

Release notes

Sourced from @​react-navigation/bottom-tabs's releases.

@​react-navigation/bottom-tabs@​7.18.8

7.18.8 (2026-07-07)

Bug Fixes

@​react-navigation/bottom-tabs@​7.18.5

7.18.5 (2026-07-01)

Bug Fixes

  • bottom-tabs: pop nested stack to top on blur even when animation is interrupted (#13123) (6baf55b) - by @
Changelog

Sourced from @​react-navigation/bottom-tabs's changelog.

7.18.8 (2026-07-07)

Bug Fixes

7.18.7 (2026-07-03)

Note: Version bump only for package @​react-navigation/bottom-tabs

7.18.6 (2026-07-03)

Note: Version bump only for package @​react-navigation/bottom-tabs

7.18.5 (2026-07-01)

Bug Fixes

  • bottom-tabs: pop nested stack to top on blur even when animation is interrupted (#13123) (6baf55b) - by @

7.18.4 (2026-06-30)

Note: Version bump only for package @​react-navigation/bottom-tabs

Commits
  • 239bf71 chore: publish
  • 9bfc8d0 fix: don't derive screen detach state from animated value
  • 361ea71 fix: set native tab screen background
  • 8a86329 chore: publish
  • 207ce5a chore: publish
  • 7d664cb chore: publish
  • 6baf55b fix(bottom-tabs): pop nested stack to top on blur even when animation is inte...
  • ce68b20 chore: publish
  • See full diff in compare view

Updates @react-navigation/native from 7.3.4 to 7.3.8

Release notes

Sourced from @​react-navigation/native's releases.

@​react-navigation/native@​7.3.8

7.3.8 (2026-07-07)

Bug Fixes

@​react-navigation/native@​7.3.6

7.3.6 (2026-07-03)

Bug Fixes

Changelog

Sourced from @​react-navigation/native's changelog.

7.3.8 (2026-07-07)

Bug Fixes

7.3.7 (2026-07-03)

Note: Version bump only for package @​react-navigation/native

7.3.6 (2026-07-03)

Bug Fixes

7.3.5 (2026-06-30)

Note: Version bump only for package @​react-navigation/native

Commits
  • 239bf71 chore: publish
  • 788d7c5 fix: handle hash in URLs and delayed browser history sync
  • 8a86329 chore: publish
  • 207ce5a chore: publish
  • 7f427b7 fix: track history delta from popstate to detect browser-caused changes
  • 0c9b2d4 fix: handle interrupted rollback when browser back is prevented
  • 172e319 fix: keep syncing history after an error during sync
  • ce68b20 chore: publish
  • 913ed5d test: add tests and typechecks for standard navigator integration
  • See full diff in compare view

Updates @react-navigation/native-stack from 7.17.6 to 7.17.10

Changelog

Sourced from @​react-navigation/native-stack's changelog.

7.17.10 (2026-07-07)

Note: Version bump only for package @​react-navigation/native-stack

7.17.9 (2026-07-03)

Note: Version bump only for package @​react-navigation/native-stack

7.17.8 (2026-07-03)

Note: Version bump only for package @​react-navigation/native-stack

7.17.7 (2026-06-30)

Note: Version bump only for package @​react-navigation/native-stack

Commits

Updates expo-modules-core from 56.0.17 to 57.0.3

Commits

Updates i18next from 26.3.3 to 26.3.5

Release notes

Sourced from i18next's releases.

v26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

v26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). Thanks to zx (Jace) for the responsible disclosure.
Changelog

Sourced from i18next's changelog.

26.3.5

  • fix: $t() nesting options blocks that span multiple lines are now parsed. nest() decided where the nested key ends by testing match[1] with /{.*}/, whose dot does not cross line breaks — so a $t(key, { ... }) options object containing a newline was treated as having no options, mis-split as formatters, and the nested lookup ran without its options (placeholders stayed unresolved). The nesting regexp itself already matches newlines inside $t(...); adding the s (dotAll) flag makes multiline options behave like the single-line form. Thanks @​spokodev (#2440).
  • fix: getUsedParamsDetails (the returnDetails: true path) no longer mutates the passed replace object. It wrote count straight onto options.replace so the returned usedParams would include it — a caller reusing one replace object across t() calls then carried a stale count into later interpolations (e.g. a previous call's count: 5 rendered instead of the current call's value). The details are now built from a copy; usedParams still includes count. Thanks @​spokodev (#2441).
  • fix: with the default skipOnVariables: true + escapeValue: true, a {{placeholder}} carried inside an interpolated value now stays literal even when the value contains escapable characters. The skip logic advanced the regex lastIndex by the raw value length, but the escaped text written into the string is longer, so lastIndex landed inside the inserted value and a trailing {{placeholder}} in it got interpolated — leaking another in-scope variable that should have stayed literal (values without escapable characters were already skipped correctly). The advance now uses the escaped length that is actually written, and the regex-safe $-doubling is applied only at the String.replace call so it can't distort the length arithmetic. Thanks @​spokodev (#2442).

26.3.4

  • fix(security): deepExtend (used by addResourceBundle(..., deep, overwrite)) no longer recurses into inherited properties. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in (e.g. hasOwnProperty, toString) caused recursion into the shared Object.prototype function and, with overwrite: true, could overwrite e.g. Object.prototype.hasOwnProperty.call with a non-callable value — corrupting a shared built-in process-wide (DoS). Existence is now checked with Object.prototype.hasOwnProperty.call, so such keys are copied as plain own data instead. This complements the existing __proto__/constructor guard and is also strictly more correct for an own-property merge. Only affects applications that pass attacker-controlled data with deep: true and overwrite: true; no standard backend/integration does this. Distinct from CVE-2026-48713 / CVE-2026-48714 (different packages, setPath mechanism). See advisory GHSA-6jcc-5g8w-32mx, CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). Thanks to zx (Jace) @​manus-use for the responsible disclosure.
Commits
  • 573ae73 26.3.5
  • cc54b05 docs(changelog): 26.3.5 — multiline $t() options, replace mutation, escaped-l...
  • 3180d67 fix: skip interpolation of placeholders inside escaped values (#2442)
  • d16f5a2 fix: stop mutating the passed replace object when returning details (#2441)
  • bed56c1 fix: parse $t() nesting options block that spans multiple lines (#2440)
  • c19e458 docs(changelog): link GHSA advisory for deepExtend fix
  • 7bb87d0 docs(changelog): reference security advisory for deepExtend fix
  • df9b799 docs(changelog): update security disclosure credit
  • 817ede5 26.3.4
  • 46d0dd8 build
  • Additional commits viewable in compare view

Updates react-native-reanimated from 4.5.0 to 4.5.1

Release notes

Sourced from react-native-reanimated's releases.

Reanimated - 4.5.1

What's Changed

Full Changelog: software-mansion/react-native-reanimated@4.5.0...4.5.1

Commits
  • 04a7c40 release(Reanimated): 4.5.1 (#9834)
  • b8ea72a cherry-pick(4.5-stable): Android crash on empty CSS strokeDasharray from the ...
  • d58c7e2 cherry-pick(4.5-stable): prevent useAnimatedKeyboard crash "Can't change in...
  • b19e4ec cherry-pick(4.5-stable): restore opacity for flaky entering animations under ...
  • dfd49fa cherry-pick(4.5-stable): Pass -fno-pch-timestamp so ccache can reuse the Andr...
  • 726430d cherry-pick(4.5-stable): animate react-native-svg via CSS on web in minified ...
  • 210b203 cherry-pick(4.5-stable): prevent recursive loops when setting values in callb...
  • ee13640 cherry-pick(4.5-stable): Re-register pseudo selectors after a component remou...
  • 429ff56 cherry-pick(4.5-stable): Only reject empty-object style values for supported ...
  • See full diff in compare view

Updates react-native-toast-message from 2.3.3 to 2.4.0

Release notes

Sourced from react-native-toast-message's releases.

v2.4.0

What's Changed

New Contributors

Full Changelog: calintamas/react-native-toast-message@v2.3.3...v2.4.0

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for react-native-toast-message since your current version.


Updates react-native-worklets from 0.10.0 to 0.10.2

Release notes

Sourced from react-native-worklets's releases.

Worklets - 0.10.2

What's Changed

Full Changelog: software-mansion/react-native-reanimated@worklets-0.10.1...worklets-0.10.2

Worklets - 0.10.1

What's Changed

Full Changelog: software-mansion/react-native-reanimated@worklets-0.10.0...worklets-0.10.1

Commits
  • 3c04eb6 release(Worklets): 0.10.2
  • 1d2942f removed warn
  • 10a5625 Changed error to warning in createSerializable unserializable code branch
  • 570e6f7 fix: read from path which starts with '/' in ScriptBufferWrapper.kt (#9503)
  • b4dfd65 release(Worklets): 0.10.1
  • ced2953 fix(Worklets): time-of-check and time-of-use destructor safety (#9790)
  • 7dc7ff6 fix(Worklets): tie RNR remote function lifetime to TurboModule invalidate sta...
  • 967bd2b fix(Worklets): Normalize Windows paths in bundle mode module IDs (#9721)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…y with 8 updates

Bumps the production-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@react-navigation/bottom-tabs](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/bottom-tabs) | `7.18.3` | `7.18.8` |
| [@react-navigation/native](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/native) | `7.3.4` | `7.3.8` |
| [@react-navigation/native-stack](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/native-stack) | `7.17.6` | `7.17.10` |
| [expo-modules-core](https://github.com/expo/expo/tree/HEAD/packages/expo-modules-core) | `56.0.17` | `57.0.3` |
| [i18next](https://github.com/i18next/i18next) | `26.3.3` | `26.3.5` |
| [react-native-reanimated](https://github.com/software-mansion/react-native-reanimated/tree/HEAD/packages/react-native-reanimated) | `4.5.0` | `4.5.1` |
| [react-native-toast-message](https://github.com/calintamas/react-native-toast-message) | `2.3.3` | `2.4.0` |
| [react-native-worklets](https://github.com/software-mansion/react-native-reanimated/tree/HEAD/packages/react-native-worklets) | `0.10.0` | `0.10.2` |



Updates `@react-navigation/bottom-tabs` from 7.18.3 to 7.18.8
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/bottom-tabs@7.18.8/packages/bottom-tabs/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/bottom-tabs@7.18.8/packages/bottom-tabs)

Updates `@react-navigation/native` from 7.3.4 to 7.3.8
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/native@7.3.8/packages/native/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/native@7.3.8/packages/native)

Updates `@react-navigation/native-stack` from 7.17.6 to 7.17.10
- [Release notes](https://github.com/react-navigation/react-navigation/releases)
- [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/native-stack@7.17.10/packages/native-stack/CHANGELOG.md)
- [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/native-stack@7.17.10/packages/native-stack)

Updates `expo-modules-core` from 56.0.17 to 57.0.3
- [Changelog](https://github.com/expo/expo/blob/main/CHANGELOG.md)
- [Commits](https://github.com/expo/expo/commits/HEAD/packages/expo-modules-core)

Updates `i18next` from 26.3.3 to 26.3.5
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](i18next/i18next@v26.3.3...v26.3.5)

Updates `react-native-reanimated` from 4.5.0 to 4.5.1
- [Release notes](https://github.com/software-mansion/react-native-reanimated/releases)
- [Changelog](https://github.com/software-mansion/react-native-reanimated/blob/main/packages/react-native-reanimated/RELEASE.md)
- [Commits](https://github.com/software-mansion/react-native-reanimated/commits/4.5.1/packages/react-native-reanimated)

Updates `react-native-toast-message` from 2.3.3 to 2.4.0
- [Release notes](https://github.com/calintamas/react-native-toast-message/releases)
- [Commits](calintamas/react-native-toast-message@v2.3.3...v2.4.0)

Updates `react-native-worklets` from 0.10.0 to 0.10.2
- [Release notes](https://github.com/software-mansion/react-native-reanimated/releases)
- [Commits](https://github.com/software-mansion/react-native-reanimated/commits/worklets-0.10.2/packages/react-native-worklets)

---
updated-dependencies:
- dependency-name: "@react-navigation/bottom-tabs"
  dependency-version: 7.18.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@react-navigation/native"
  dependency-version: 7.3.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: "@react-navigation/native-stack"
  dependency-version: 7.17.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: expo-modules-core
  dependency-version: 57.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: i18next
  dependency-version: 26.3.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: react-native-reanimated
  dependency-version: 4.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
- dependency-name: react-native-toast-message
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
- dependency-name: react-native-worklets
  dependency-version: 0.10.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 8, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 8, 2026
@github-actions github-actions Bot enabled auto-merge July 8, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

Status: Backlog

Development

Successfully merging this pull request may close these issues.

0 participants