
Conversation

@Jexsie

@Jexsie Jexsie commented Dec 12, 2025

Patch dependencies to the latest following the latest react vulnerability https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

- patch other dependencies to the latest

Signed-off-by: Jessie Ssebuliba <jessiessebuliba@gmail.com>
@najuna-brian
Contributor

najuna-brian commented Dec 12, 2025

Thanks @Jexsie
There is a reported risk to the React Server Components that requires upgrade to the latest.
This is super helpful!!

@najuna-brian
Contributor

Thanks @Jexsie for being proactive about security! 🙏

I've had a look at the React security advisory and our codebase, and it looks like our codebase is not directly affected by CVE-2025-55182. The vulnerability specifically affects:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

These packages are only used with React Server Components (RSC), which we don't use in any of our projects:

  • formulus: React Native app (client-side only)
  • formulus-formplayer: Standard React web app (client-side rendering)
  • docs: Docusaurus static site (doesn't use RSC)
  • synkronus: Go backend (not React)

As stated in the advisory: "If your app's React code does not use a server, your app is not affected by this vulnerability."

What do you think?

@najuna-brian najuna-brian left a comment

About This PR, the changes in this PR are good but may be not directly linked to the security vulnerability?

  • React update (19.0.0 → 19.2.3): The vulnerability isn't in React core, so this doesn't fix it?
  • React Native upgrade (0.79.2 → 0.83.0): This is a major version jump (4 minor versions) that we can hopefully do later following good migration guides
  • Other dependency updates are actually good as well.

Thanks again for being security-conscious! This is really key to keeping our project running securely

@r0ssing
Contributor

r0ssing commented Dec 13, 2025

Thanks a lot for pointing this out. I agree that we're not directly affected. However perhaps this is an opportunity to consider implementing static code analysis and regular dependency checks (like dependabot) into our CI/CD setup?

@najuna-brian
Contributor

Great suggestion! I agree, we could look into setting up Dependabot for automated dependency checks. I see we can enable it directly in GitHub Settings, and then add a config file later for more control over schedules and grouping?
What do you think of this approach @r0ssing

@Jexsie - since you're already thinking about dependency management, would you be interested in writing the Dependabot config file?
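For reference, an added example of what such a Dependabot config could look like for this monorepo; it is not part of the PR, and the package directories (/formulus, /formulus-formplayer, /docs, /synkronus) and the grouping choices are assumptions based on the project names mentioned above:

```yaml
# .github/dependabot.yml (added example; directory paths are assumed)
version: 2
updates:
  # formulus: React Native app. Group routine React Native / CLI bumps into one PR
  # and leave major react-native jumps to a manual, guided migration.
  - package-ecosystem: "npm"
    directory: "/formulus"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      react-native:
        patterns:
          - "react-native*"
          - "@react-native-community/*"
        update-types:
          - "minor"
          - "patch"
      dev-tooling:
        patterns:
          - "eslint*"
          - "jest*"
    ignore:
      - dependency-name: "react-native"
        update-types: ["version-update:semver-major"]

  # formulus-formplayer: standard React web app. Keep react and react-dom in lockstep.
  - package-ecosystem: "npm"
    directory: "/formulus-formplayer"
    schedule:
      interval: "weekly"
    groups:
      react:
        patterns:
          - "react"
          - "react-dom"

  # docs: Docusaurus static site
  - package-ecosystem: "npm"
    directory: "/docs"
    schedule:
      interval: "weekly"

  # synkronus: Go backend
  - package-ecosystem: "gomod"
    directory: "/synkronus"
    schedule:
      interval: "weekly"

  # CI workflows at the repository root
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Security updates are raised by Dependabot regardless of the schedule once it is enabled in the repository settings; this file only shapes the routine version bumps.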

@Jexsie
Author

Jexsie commented Dec 13, 2025

> About This PR, the changes in this PR are good but may be not directly linked to the security vulnerability?
>
>   • React update (19.0.0 → 19.2.3): The vulnerability isn't in React core, so this doesn't fix it?
>   • React Native upgrade (0.79.2 → 0.83.0): This is a major version jump (4 minor versions) that we can hopefully do later following good migration guides
>   • Other dependency updates are actually good as well.
>
> Thanks again for being security-conscious! This is really key to keeping our project running securely

Currently most are minor version bumps; the critical ones to look at might be:

  • react-native
  • @react-native-community/cli and related packages
  • eslint
  • jest

@Jexsie
Author

Jexsie commented Dec 13, 2025

> Great suggestion! I agree, we could look into setting up Dependabot for automated dependency checks. I see we can enable it directly in GitHub Settings, and then add a config file later for more control over schedules and grouping? What do you think of this approach @r0ssing
>
> @Jexsie - since you're already thinking about dependency management, would you be interested in writing the Dependabot config file?

I would suggest we first handle the package upgrade, then add Dependabot in a follow-up issue. And yeah, I'm ready to handle that @najuna-brian, if no one else is willing to take it up

@najuna-brian
Contributor

> I would suggest we first handle the package upgrade, then add Dependabot in a follow-up issue.

That makes sense @Jexsie! I'll ping @r0ssing for their thoughts on that 😊

@r0ssing
Contributor

r0ssing commented Dec 13, 2025

That sounds like a great approach! Thank you so much

@Ndacyayisenga-droid
Contributor

> Thanks a lot for pointing this out. I agree that we're not directly affected. However perhaps this is an opportunity to consider implementing static code analysis and regular dependency checks (like dependabot) into our CI/CD setup?

Thanks @r0ssing for highlighting this (it’s something I’ve also been considering). Given that we’re working in a monorepo setup, I would strongly recommend using Renovate over Dependabot, as Renovate provides more advanced functionality and finer-grained control for managing dependencies in monorepos. https://dev.to/alex_aslam/renovate-vs-dependabot-which-bot-will-rule-your-monorepo-4431
