@jaredmixpanel (Collaborator) commented Jan 14, 2026

Summary

  • Address customer security assessment findings by updating dev tooling
  • Add "files" field to package.json to whitelist only SDK code (34 files, 35.2 kB)
  • Update uuid from 3.3.2 to ^9.0.1 with new named import pattern
  • Update devDependencies: react-native 0.63→0.76, jest 26→29, babel 7.12→7.26
  • Clean up sample apps: remove outdated samples, modernize remaining ones

Context

A customer security scan flagged vulnerabilities in dev dependencies and sample apps. While these don't affect SDK users (they're not shipped), this PR cleans them up to satisfy security requirements.

Results

| Metric              | Before     | After   |
|---------------------|------------|---------|
| npm vulnerabilities | 14 flagged | 0 found |
| Package files       | ~150+      | 34      |
| Package size        | -          | 35.2 kB |
| Tests passing       | -          | 119/119 |

Changes

Core SDK:

  • package.json: Added files field, updated dependencies
  • javascript/mixpanel-persistent.js: Updated uuid import from default to named export
  • babel.config.js: Added for Jest compatibility with modern RN
  • Test files: Fixed mocks to return promises for async methods

Sample Apps:

  • Removed ContextAPIMixpanel, MixpanelDemo, SimpleMixpanel (outdated RN 0.64)
  • Updated MixpanelExpo to React Native 0.81 with new architecture enabled
  • Added Podfile.lock and xcworkspace for MixpanelExample (reproducible iOS builds)

CI & Docs:

  • Updated CI workflow to use MixpanelExample instead of deleted SimpleMixpanel
  • Updated .github/copilot-instructions.md to reflect current sample apps

Remaining Sample Apps

  • MixpanelExample - Core integration patterns (used in CI)
  • MixpanelExpo - Expo project with full API reference
  • MixpanelStarter - Production-ready architecture with TypeScript

Test plan

  • Run npm test - all 119 tests pass across 7 suites
  • Run npm audit - 0 vulnerabilities
  • Run npm pack --dry-run - verify only 34 SDK files included
  • CI passes with MixpanelExample
  • Verify SDK works in a sample app after installation

Address security assessment findings by updating dev tooling:

- Add "files" field to package.json to whitelist only SDK code (34 files)
- Update uuid from 3.3.2 to ^9.0.1 with new named import pattern
- Update devDependencies: react-native 0.63→0.76, jest 26→29, babel 7.12→7.26
- Remove outdated sample apps (ContextAPIMixpanel, MixpanelDemo) using RN 0.64
- Add babel.config.js for Jest compatibility with modern RN
- Fix test mocks to return promises for async native module methods

npm audit now reports 0 vulnerabilities.
Package size reduced from 150+ files to 34 files (35.2 kB).
All 119 tests pass across 7 test suites.

Copilot AI left a comment

Pull request overview

This PR addresses security vulnerabilities by updating dev dependencies and optimizing the npm package by adding a files whitelist. The core changes include upgrading uuid from 3.3.2 to ^9.0.1 with the appropriate named import pattern, updating dev tooling (React Native 0.63→0.76, Jest 26→29, Babel 7.12→7.26), and removing two outdated sample apps.

Changes:

  • Updated uuid dependency from 3.3.2 to ^9.0.1 with named import pattern (import { v4 as uuidv4 })
  • Added files field to package.json to whitelist only SDK code (34 files, 35.2 kB)
  • Updated devDependencies to modern versions and fixed test mocks for async methods
  • Removed MixpanelDemo and ContextAPIMixpanel sample apps (both using outdated RN 0.64.4)

Reviewed changes

Copilot reviewed 109 out of 137 changed files in this pull request and generated no comments.

Summary per file:

| File | Description |
|------|-------------|
| package.json | Added files whitelist, updated uuid to ^9.0.1, modernized dev dependencies, updated Jest config |
| javascript/mixpanel-persistent.js | Changed uuid import from default to named export pattern |
| babel.config.js | Added Babel config for Jest 29 compatibility |
| tests/persistent.test.js | Simplified UUID mocking tests, updated for uuid v9 |
| tests/main.test.js | Removed unused react-native imports |
| tests/jest_setup.js | Fixed mocks to return promises for async methods |
| Samples/MixpanelDemo/* | Removed entire outdated sample app |
| Samples/ContextAPIMixpanel/* | Removed entire outdated sample app |
Files not reviewed (2)
  • Samples/ContextAPIMixpanel/ios/ContextAPIMixpanel.xcworkspace/contents.xcworkspacedata: Language not supported
  • Samples/MixpanelDemo/ios/MixpanelDemo.xcworkspace/contents.xcworkspacedata: Language not supported

- Add backward compatibility test for loading existing device IDs
- Add README.md, LICENSE.md, CHANGELOG.md to package.json files field
- Remove redundant android/*.gradle pattern from files field
- Fix missing await in initializationCompletePromise (pre-existing bug)
- Document pre-existing error handling issues for follow-up PR
@jaredmixpanel (Collaborator, Author) commented:

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

@scotmatson (Contributor) commented:

A quick note on commons-collections and htmlunit. These are found as a sub-dependency of selendroid under the /acceptance directory. Are we able to delete this? It is no longer maintained and shouldn't be used.

SimpleMixpanel provided minimal value over MixpanelExample and MixpanelStarter. MixpanelExample covers the same basic use case with proper initialization patterns, while MixpanelStarter provides production-ready architecture. This reduces maintenance burden as part of the security cleanup effort.

Matches MixpanelStarter pattern for reproducible iOS builds.

- Upgrade React to 19.1.0 and React Native to 0.81.5
- Enable new architecture (newArchEnabled: true)
- Update react-native-web to 0.20.0
- Fix SDK reference to use file:../.. instead of .yalc
jaredmixpanel added labels "enhancement" (New feature or request) and "dependencies" (Pull requests that update a dependency file) Jan 16, 2026
jaredmixpanel merged commit e01298c into master Jan 16, 2026 (9 checks passed)
jaredmixpanel deleted the security/update-dev-dependencies-and-npm-packaging branch January 16, 2026 22:30