
Bump undici, @react-native-firebase/app and @react-native-firebase/messaging#6051

Open: dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/multi-7b5809e71b

Conversation

dependabot[bot] commented on behalf of github on Jun 23, 2026


Bumps undici to 6.27.0 and updates ancestor dependencies undici, @react-native-firebase/app and @react-native-firebase/messaging. These dependencies need to be updated together.

Updates undici from 6.21.3 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0. v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory             CVE             Severity (CVSS)  Fixed in  Fix commit
GHSA-vxpw-j846-p89q  CVE-2026-12151  High (7.5)       6.27.0    b7f252e7
GHSA-p88m-4jfj-68fv  CVE-2026-9679   Moderate (5.9)   6.27.0    25efa447
GHSA-g8m3-5g58-fq7m  CVE-2026-11525  Low (3.7)        6.27.0    25efa447
GHSA-35p6-xmwp-9g52  CVE-2026-6733   Low (3.7)        6.27.0    f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.


Updates @react-native-firebase/app from 20.5.0 to 25.0.1

Release notes

Sourced from @react-native-firebase/app's releases.

v24.1.1

Bug Fixes

  • ios: revert to firebase-ios-sdk 12.10.0 to avoid startup crash (b97bc26)

v24.1.0

Features

  • analytics: add Expo config plugin for withoutAdIdSupport (#8969) (5af7a6a)
  • analytics: add support for googleAppMeasurementOnDeviceConversion in iOS Expo plugin (#9014) (a7a5125)
  • firestore: add 'source' option to enable local cache firestore listeners (e3ce410)

Bug Fixes

  • analytics: cast item INDEX param to integer (915dc8a)
  • analytics: coerce all number params from js double to native integral (760ddd2)
  • analytics: success param type now boolean - never worked before, now works (7e122b2)
  • android: catch RejectedExecutionException on executor-backed Tasks (375ade9)
  • database, android: remove RTDB listeners before shutting down executors (25ed605)
  • docs: workflow to generate+publish API docs, call same on publish (8222a96)
  • firebase-android-sdk 34.14.0, firebase-ios-sdk 12.11.0, firebase-js-sdk 12.14.0 (65bbe94)
  • firestore, android: catch RejectedExecutionException in sendOnSnapshotEvent (602d7ad)
  • firestore: restore generic root type exports for DocumentSnapshot, Transaction, and WriteBatch (#8997) (9809622)

v24.0.0

⚠ BREAKING CHANGES

  • firestore: migrate to TypeScript and match firebase-js-sdk (#8892)
  • firestore: typescript - firestore types now match modular firebase-js-sdk - see migration guide

Please see https://rnfirebase.io/migrating-to-v24 for a guide on updating your types if you were using the previous firestore typescript types.

In general everything should behave the same as v23 but the typescript types have changed. It is our hope you as a developer can adopt these changes easily and your app works exactly the same.

It is always our goal to be a drop-in replacement for firebase-js-sdk, type for type, API for API. In general all firestore types should now be the same as the firestore modular types from firebase-js-sdk

  • functions: you must enable new architecture to use the functions module All modules will be converted to new architecture soon, old architecture support is deprecated in general for react-native-firebase

Features

  • firestore: Support for Firestore pipelines API (#8931) (54021c4)
  • firestore: implement withConverter (#8744) (13d6bb3)
  • ai: CodeExecutionTool types for allowing model to run code (#8866) (81a0f19)

... (truncated)

Changelog

Sourced from @react-native-firebase/app's changelog.

25.0.1 (2026-06-23)

Bug Fixes

  • auth: export revokeToken in modular API for Sign in with Apple (a05fa66), closes #9070

25.0.0 (2026-06-23)

⚠ BREAKING CHANGES

  • auth: migrate to TypeScript and bring auth closer in alignment with firebase-js-sdk API (#8991)
  • messaging: deprecate permissions APIs, use react-native-permissions or expo-notifications (#9053)
  • installations: installations modular types now match firebase-js-sdk

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

react-native-firebase has a goal to be a drop-in replacement for firebase-js-sdk, with native extensions and performance. It has always worked that way at the javascript level but the typescript types have been divergent.

We are fixing that as we refactor to typescript. Please bear with us as we get closer to our goal of react-native-firebase matching firebase-js-sdk both in functionality where possible, but also in exact typescript typing.

Specifics for Installations:

  • changed modular getInstallations() to return the firebase-js-sdk-style Installations type, which only exposes app; TypeScript consumers should use the modular helpers getId(installations), getToken(installations), and deleteInstallations(installations) instead of calling .getId(), .getToken(), or .delete() on the returned instance.
  • changed modular deleteInstallations(installations) so the installations argument is required in the TypeScript surface, matching firebase-js-sdk. Code that previously relied on the old optional typing should pass getInstallations() explicitly.
  • preserved the namespaced API surface: installations(), firebase.installations(), firebase.app().installations(), and FirebaseInstallationsTypes.Module remain available for compatibility, with deprecation annotations added.
  • added explicit modular public types including Installations, IdChangeCallbackFn, and IdChangeUnsubscribeFn.

  • perf: perf types now match firebase-js-sdk as closely as possible

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

react-native-firebase has a goal to be a drop-in replacement for firebase-js-sdk, with native extensions and performance. It has always worked that way at the javascript level but the typescript types have been divergent.

We are fixing that as we refactor to typescript. Please bear with us as we get closer to our goal of react-native-firebase matching firebase-js-sdk both in functionality where possible, but also in exact typescript typing.

Specifics for Performance:

  • changed modular initializePerformance(app, settings) to return FirebasePerformance synchronously instead of Promise<Performance>, matching firebase-js-sdk; TypeScript consumers that call .then(...) on it will need to use the returned instance directly.
  • aligned the modular FirebasePerformance type with firebase-js-sdk, so it no longer exposes older namespaced instance-style methods such as newTrace, startTrace, newHttpMetric, newScreenTrace, startScreenTrace, or setPerformanceCollectionEnabled in the modular typings; use trace(perf, name), httpMetric(perf, url, method), newScreenTrace(perf, name), startScreenTrace(perf, name), and the dataCollectionEnabled property instead.
  • changed PerformanceSettings to the firebase-js-sdk shape, with optional dataCollectionEnabled and instrumentationEnabled.
  • changed modular trace and metric getAttribute(...) typings from string | null to string | undefined, matching firebase-js-sdk.
  • kept React Native-only modular exports for native functionality: httpMetric, newScreenTrace, startScreenTrace, plus HttpMethod, HttpMetric, and ScreenTrace.
  • kept the deprecated namespaced API under FirebasePerformanceTypes, but split it from the modular public types and marked it as deprecated for compatibility.
  • analytics: as anyone that relied on this param previously is hopefully happy to have it actually work now versus silently fail
  • database: database types now match firebase-js-sdk as closely as possible

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

... (truncated)

Commits
  • 8c1c22f chore(release): release packages
  • a05fa66 fix(auth): export revokeToken in modular API for Sign in with Apple
  • eac5bf5 chore(release): release packages
  • 9d81bb9 docs: use page#fragment anchors, not just bare #fragment anchors
  • f375acf docs(ai): document Live API, grounding, and image config usage
  • 03c4590 test: verify types in full test runs
  • 7eb76f3 feat(ai): implement Firebase JS SDK 12.15.0 portable API parity
  • 5c7a21a build(deps): adopt Firebase SDK 12.15.0 / Android BOM 34.15.0
  • 1e58f0e build(scripts): harden update-firebase-sdk-versions for mdx and age gate
  • ced0325 docs: Remove "Building an analytics funnel"
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @react-native-firebase/app since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @react-native-firebase/messaging from 20.5.0 to 25.0.1

Release notes

Sourced from @react-native-firebase/messaging's releases.

v24.1.1

Bug Fixes

  • ios: revert to firebase-ios-sdk 12.10.0 to avoid startup crash (b97bc26)

v24.1.0

Features

  • analytics: add Expo config plugin for withoutAdIdSupport (#8969) (5af7a6a)
  • analytics: add support for googleAppMeasurementOnDeviceConversion in iOS Expo plugin (#9014) (a7a5125)
  • firestore: add 'source' option to enable local cache firestore listeners (e3ce410)

Bug Fixes

  • analytics: cast item INDEX param to integer (915dc8a)
  • analytics: coerce all number params from js double to native integral (760ddd2)
  • analytics: success param type now boolean - never worked before, now works (7e122b2)
  • android: catch RejectedExecutionException on executor-backed Tasks (375ade9)
  • database, android: remove RTDB listeners before shutting down executors (25ed605)
  • docs: workflow to generate+publish API docs, call same on publish (8222a96)
  • firebase-android-sdk 34.14.0, firebase-ios-sdk 12.11.0, firebase-js-sdk 12.14.0 (65bbe94)
  • firestore, android: catch RejectedExecutionException in sendOnSnapshotEvent (602d7ad)
  • firestore: restore generic root type exports for DocumentSnapshot, Transaction, and WriteBatch (#8997) (9809622)

v24.0.0

⚠ BREAKING CHANGES

  • firestore: migrate to TypeScript and match firebase-js-sdk (#8892)
  • firestore: typescript - firestore types now match modular firebase-js-sdk - see migration guide

Please see https://rnfirebase.io/migrating-to-v24 for a guide on updating your types if you were using the previous firestore typescript types.

In general everything should behave the same as v23 but the typescript types have changed. It is our hope you as a developer can adopt these changes easily and your app works exactly the same.

It is always our goal to be a drop-in replacement for firebase-js-sdk, type for type, API for API. In general all firestore types should now be the same as the firestore modular types from firebase-js-sdk

  • functions: you must enable new architecture to use the functions module All modules will be converted to new architecture soon, old architecture support is deprecated in general for react-native-firebase

Features

  • firestore: Support for Firestore pipelines API (#8931) (54021c4)
  • firestore: implement withConverter (#8744) (13d6bb3)
  • ai: CodeExecutionTool types for allowing model to run code (#8866) (81a0f19)

... (truncated)

Changelog

Sourced from @react-native-firebase/messaging's changelog.

25.0.1 (2026-06-23)

Bug Fixes

  • auth: export revokeToken in modular API for Sign in with Apple (a05fa66), closes #9070

25.0.0 (2026-06-23)

⚠ BREAKING CHANGES

  • auth: migrate to TypeScript and bring auth closer in alignment with firebase-js-sdk API (#8991)
  • messaging: deprecate permissions APIs, use react-native-permissions or expo-notifications (#9053)
  • installations: installations modular types now match firebase-js-sdk

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

react-native-firebase has a goal to be a drop-in replacement for firebase-js-sdk, with native extensions and performance. It has always worked that way at the javascript level but the typescript types have been divergent.

We are fixing that as we refactor to typescript. Please bear with us as we get closer to our goal of react-native-firebase matching firebase-js-sdk both in functionality where possible, but also in exact typescript typing.

Specifics for Installations:

  • changed modular getInstallations() to return the firebase-js-sdk-style Installations type, which only exposes app; TypeScript consumers should use the modular helpers getId(installations), getToken(installations), and deleteInstallations(installations) instead of calling .getId(), .getToken(), or .delete() on the returned instance.
  • changed modular deleteInstallations(installations) so the installations argument is required in the TypeScript surface, matching firebase-js-sdk. Code that previously relied on the old optional typing should pass getInstallations() explicitly.
  • preserved the namespaced API surface: installations(), firebase.installations(), firebase.app().installations(), and FirebaseInstallationsTypes.Module remain available for compatibility, with deprecation annotations added.
  • added explicit modular public types including Installations, IdChangeCallbackFn, and IdChangeUnsubscribeFn.

  • perf: perf types now match firebase-js-sdk as closely as possible

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

react-native-firebase has a goal to be a drop-in replacement for firebase-js-sdk, with native extensions and performance. It has always worked that way at the javascript level but the typescript types have been divergent.

We are fixing that as we refactor to typescript. Please bear with us as we get closer to our goal of react-native-firebase matching firebase-js-sdk both in functionality where possible, but also in exact typescript typing.

Specifics for Performance:

  • changed modular initializePerformance(app, settings) to return FirebasePerformance synchronously instead of Promise<Performance>, matching firebase-js-sdk; TypeScript consumers that call .then(...) on it will need to use the returned instance directly.
  • aligned the modular FirebasePerformance type with firebase-js-sdk, so it no longer exposes older namespaced instance-style methods such as newTrace, startTrace, newHttpMetric, newScreenTrace, startScreenTrace, or setPerformanceCollectionEnabled in the modular typings; use trace(perf, name), httpMetric(perf, url, method), newScreenTrace(perf, name), startScreenTrace(perf, name), and the dataCollectionEnabled property instead.
  • changed PerformanceSettings to the firebase-js-sdk shape, with optional dataCollectionEnabled and instrumentationEnabled.
  • changed modular trace and metric getAttribute(...) typings from string | null to string | undefined, matching firebase-js-sdk.
  • kept React Native-only modular exports for native functionality: httpMetric, newScreenTrace, startScreenTrace, plus HttpMethod, HttpMetric, and ScreenTrace.
  • kept the deprecated namespaced API under FirebasePerformanceTypes, but split it from the modular public types and marked it as deprecated for compatibility.
  • analytics: as anyone that relied on this param previously is hopefully happy to have it actually work now versus silently fail
  • database: database types now match firebase-js-sdk as closely as possible

Please see https://rnfirebase.io/migrating-to-v25 for help migrating if needed.

... (truncated)

Commits
  • 8c1c22f chore(release): release packages
  • a05fa66 fix(auth): export revokeToken in modular API for Sign in with Apple
  • eac5bf5 chore(release): release packages
  • 9d81bb9 docs: use page#fragment anchors, not just bare #fragment anchors
  • f375acf docs(ai): document Live API, grounding, and image config usage
  • 03c4590 test: verify types in full test runs
  • 7eb76f3 feat(ai): implement Firebase JS SDK 12.15.0 portable API parity
  • 5c7a21a build(deps): adopt Firebase SDK 12.15.0 / Android BOM 34.15.0
  • 1e58f0e build(scripts): harden update-firebase-sdk-versions for mdx and age gate
  • ced0325 docs: Remove "Building an analytics funnel"
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @react-native-firebase/messaging since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
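The fragment-count gap described in the undici WebSocket advisory above (a payload-size cap that never counted empty continuation frames), as an added example that is not undici's code or part of this PR: a small reassembler that enforces a fragment cap alongside the payload-size cap. The frame shape `{ fin, opcode, payload }` and the constructed frames are assumptions of this example.

```javascript
// Added example, not undici's code: a WebSocket message reassembler that caps
// both cumulative payload size and fragments per message. Only the first cap
// existed before the fix described above. Frame shape { fin, opcode, payload }
// and the Buffer payloads are assumptions of this example.
const OPCODE_CONTINUATION = 0x0;
const OPCODE_TEXT = 0x1;

// `kind` is 'fragments' or 'payload'; a real endpoint would close with 1009.
class LimitExceededError extends Error {
  constructor(kind, message) {
    super(message);
    this.kind = kind;
  }
}

class MessageAssembler {
  constructor({ maxPayloadSize = 1024 * 1024, maxFragments = 100 } = {}) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments; // the cap that was missing before the fix
    this.reset();
  }

  reset() {
    this.chunks = [];
    this.totalBytes = 0;
    this.fragmentCount = 0;
    this.opcode = null; // opcode of the message being assembled, if any
  }
  fail(kind, message) {
    this.reset(); // drop partial state so nothing outlives the error
    throw new LimitExceededError(kind, message);
  }
  // Feed one data frame. Returns { opcode, payload } when the final fragment
  // arrives, null while a message is still being assembled.
  push(frame) {
    if (frame.opcode === OPCODE_CONTINUATION) {
      if (this.opcode === null) throw new Error('continuation without a start frame');
    } else {
      if (this.opcode !== null) throw new Error('new message started mid-fragmentation');
      this.opcode = frame.opcode; // text or binary
    }
    // Count every fragment, empty ones included: a size cap alone never saw these.
    this.fragmentCount += 1;
    if (this.fragmentCount > this.maxFragments) this.fail('fragments', 'too many fragments');
    this.totalBytes += frame.payload.length;
    if (this.totalBytes > this.maxPayloadSize) this.fail('payload', 'message too big');
    this.chunks.push(frame.payload);
    if (!frame.fin) return null;
    const result = { opcode: this.opcode, payload: Buffer.concat(this.chunks, this.totalBytes) };
    this.reset();
    return result;
  }
}

// Constructed check: a start frame followed by `count` empty continuation
// frames; reports how many frames were accepted before the fragment cap fired.
function acceptEmptyContinuations(assembler, count) {
  let accepted = 0;
  try {
    assembler.push({ fin: false, opcode: OPCODE_TEXT, payload: Buffer.alloc(0) });
    for (accepted = 1; accepted <= count; accepted += 1) {
      assembler.push({ fin: false, opcode: OPCODE_CONTINUATION, payload: Buffer.alloc(0) });
    }
  } catch (err) {
    if (err instanceof LimitExceededError && err.kind === 'fragments') return { accepted, capped: true };
    throw err;
  }
  return { accepted, capped: false };
}
```

With the default limits a well-formed multi-frame message still reassembles normally; only a stream that exceeds either cap is rejected, and the partial buffers are released at that point.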

Note

High Risk
Major react-native-firebase jump (20→25) affects the push/FCM path used by messaging().getToken() and native SDK versions; regressions in notifications or iOS/Android builds are the main concern despite the small diff.

Overview
Dependency-only upgrade for @react-native-firebase/app and @react-native-firebase/messaging from 20.5.0 to 25.0.1 in package.json, with the lockfile pulling firebase 12.15.0 and refreshed @firebase/* packages (including new @firebase/ai and @firebase/data-connect). @react-native-firebase/app no longer depends on superstruct.

The resolved graph also moves undici to 6.27.0 (security release) and bumps related networking pieces (e.g. websocket-driver, http-parser-js). There are no changes to application source in this diff; push behavior still goes through existing JS (NotificationActions, DeepLinkingManager) and native Firebase messaging.

Reviewers should plan for native rebuilds (pod install, Gradle) and be aware of react-native-firebase v25 breaking/type changes (notably deprecated messaging permission APIs—this repo already uses react-native-permissions in places) per the v25 migration guide. Android still pins an older firebase-messaging artifact in android/app/build.gradle with a comment to keep it in sync with react-native-firebase—that may need a follow-up outside this lockfile-only change.

Reviewed by Cursor Bugbot for commit ed3776b. Bugbot is set up for automated code reviews on this repo.

…ssaging

Bumps [undici](https://github.com/nodejs/undici) to 6.27.0 and updates ancestor dependencies [undici](https://github.com/nodejs/undici), [@react-native-firebase/app](https://github.com/invertase/react-native-firebase) and [@react-native-firebase/messaging](https://github.com/invertase/react-native-firebase). These dependencies need to be updated together.


Updates `undici` from 6.21.3 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.21.3...v6.27.0)

Updates `@react-native-firebase/app` from 20.5.0 to 25.0.1
- [Release notes](https://github.com/invertase/react-native-firebase/releases)
- [Changelog](https://github.com/invertase/react-native-firebase/blob/main/CHANGELOG.md)
- [Commits](invertase/react-native-firebase@v20.5.0...v25.0.1)

Updates `@react-native-firebase/messaging` from 20.5.0 to 25.0.1
- [Release notes](https://github.com/invertase/react-native-firebase/releases)
- [Changelog](https://github.com/invertase/react-native-firebase/blob/main/CHANGELOG.md)
- [Commits](invertase/react-native-firebase@v20.5.0...v25.0.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
- dependency-name: "@react-native-firebase/app"
  dependency-version: 25.0.1
  dependency-type: direct:production
- dependency-name: "@react-native-firebase/messaging"
  dependency-version: 25.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Jun 23, 2026
@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                            Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  @react-native-firebase/app@20.5.0 ⏵ 25.0.1         100 +1                 100            89 +1    98 +7        80
Updated  @react-native-firebase/messaging@20.5.0 ⏵ 25.0.1   100                    100            90 +1    98 +8        80
