
Fix React Native audit vulnerabilities#1544

Merged
ChiragAgg5k merged 1 commit into
unity-client-sdk-continuedfrom
fix/react-native-audit-overrides
May 19, 2026

Conversation

@ChiragAgg5k
Member

Summary

  • add React Native npm overrides for patched ws and brace-expansion versions
  • regenerate the React Native package-lock template with the lockfile update script

Tests

  • php example.php react-native client
  • npm ci --prefix examples/react-native
  • npm audit --prefix examples/react-native
  • npm run build --prefix examples/react-native
  • npm pack ./examples/react-native --dry-run

@greptile-apps
Contributor

greptile-apps Bot commented May 19, 2026

Greptile Summary

This PR addresses React Native audit vulnerabilities by adding ws@^8.20.1 and brace-expansion@^5.0.6 to the overrides field in package.json.twig and regenerating the lockfile to pick up those pinned versions alongside routine Expo/Babel/toolchain patch bumps.

  • The ws override correctly replaces react-devtools-core's nested ws@7.5.10 with ws@8.20.1; the v7→v8 API surface is compatible for the usage patterns in that package.
  • The brace-expansion@^5.0.6 override is over-broad: it forces an ESM-only package onto serve-handler's CJS dependency chain, removing the previously-safe nested brace-expansion@1.1.14 and risking ERR_REQUIRE_ESM at runtime.

Confidence Score: 3/5

Needs a targeted fix before merging — the blanket brace-expansion override breaks serve-handler at runtime by substituting an ESM-only package where a CJS one is required.

The ws override and lockfile regeneration are correct. The brace-expansion override is over-broad: serve-handler was already running a patched v1 release and did not need upgrading, yet the override removes its nested CJS installation and forces an ESM-only v5 in its place — a failure the stated build/audit tests do not catch.

templates/react-native/package.json.twig — the brace-expansion override should be scoped to only the packages that require v5 (e.g. glob) rather than applied globally.

Important Files Changed

Filename Overview
templates/react-native/package.json.twig Adds ws@^8.20.1 and brace-expansion@^5.0.6 to npm overrides; the blanket brace-expansion override forces an ESM-only package onto CJS transitive consumers like serve-handler, which was already running a safe v1 version.
templates/react-native/package-lock.json.twig Lockfile regenerated with updated package versions; removes serve-handler nested brace-expansion@1.1.14 and react-devtools-core nested ws@7.5.10 as a consequence of the overrides, and bumps many Expo/Babel/toolchain packages to latest patch releases.

Reviews (1): Last reviewed commit: "Fix React Native audit vulnerabilities"

"postcss": "^8.5.12"
"postcss": "^8.5.12",
"ws": "^8.20.1",
"brace-expansion": "^5.0.6"
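Review bot: the two new override lines `"ws": "^8.20.1"` and `"brace-expansion": "^5.0.6"` apply to every dependent in the tree, and nothing in the listed Tests loads a CommonJS consumer of brace-expansion, so an ESM-only v5 landing under serve-handler would only surface at runtime; consider adding `node -e "require('serve-handler')"` run from examples/react-native to the test list so the installed tree is exercised rather than only built and packed.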

P1 Blanket brace-expansion override breaks CJS packages at runtime

brace-expansion@4+ is ESM-only and does not support require(). The override forces this on serve-handler's transitive dependency chain (minimatch CJS → brace-expansion), which caused npm to remove the previously-installed serve-handler/node_modules/brace-expansion@1.1.14 (CJS) in the lockfile. Any code path that invokes serve-handler at runtime will throw ERR_REQUIRE_ESM. This pattern is confirmed by a known NestJS issue with the same error: require() of ES Module .../brace-expansion/index.js from .../minimatch/dist/commonjs/index.js not supported. The stated tests (npm run build, npm pack) don't exercise serve-handler at runtime, so this failure goes undetected. Notably, serve-handler's pre-existing brace-expansion@1.1.14 was already patched (CVE-2025-5889/GHSA-v6h2-p8h4-qcjw requires ≥1.1.12), so the override wasn't needed for that package anyway. Consider scoping the override to only the packages that actually need it (e.g. glob), or alternatively adding a specific override for serve-handler's chain pointing to a CJS-safe version like ^1.1.15.
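A scoped form of the override, as an added example rather than the PR's own change: npm's nested override syntax (`"<parent>": { "<dep>": "<range>" }`) limits each replacement to one dependent's subtree, so glob receives the patched v5 while serve-handler's CommonJS chain keeps a patched v1 line. The parent package names and ranges follow the review comment above; that glob is the package needing v5, and the ^1.1.15 range, are the reviewer's assumptions, not something the PR establishes.

```json
{
  "overrides": {
    "ws": "^8.20.1",
    "glob": {
      "brace-expansion": "^5.0.6"
    },
    "serve-handler": {
      "brace-expansion": "^1.1.15"
    }
  }
}
```

After regenerating the lockfile, `npm ls brace-expansion --prefix examples/react-native` should show v5 only beneath glob and a v1 release beneath serve-handler.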

@ChiragAgg5k ChiragAgg5k merged commit a7064de into unity-client-sdk-continued May 19, 2026
56 checks passed
@ChiragAgg5k ChiragAgg5k deleted the fix/react-native-audit-overrides branch May 19, 2026 07:51
@ChiragAgg5k ChiragAgg5k restored the fix/react-native-audit-overrides branch May 19, 2026 07:51