chore(SEC-11595): security upgrades for react-native-webview

[phantom-autopilot]

Summary

Pins fast-xml-parser to ^4.5.4 via yarn resolutions to address GHSA-m7jm-9gc2-mpf2 (CRITICAL).

The lockfile now resolves to 4.5.6 for all instances of fast-xml-parser (previously 4.3.5), pulled in transitively via @react-native-community/cli-platform-android, @react-native-community/cli-platform-ios, and @react-native-community/cli-platform-apple.

Advisory	Severity	Package	Installed → Resolved
GHSA-m7jm-9gc2-mpf2	CRITICAL	fast-xml-parser	4.3.5 → 4.5.6

Linear: SEC-11595

Test plan

• yarn install succeeds and lockfile updates
• yarn lint (tsc + eslint) passes
• yarn list --pattern fast-xml-parser confirms only 4.5.6 resolved

Summary by CodeRabbit

• Chores
  • Updated package dependencies to ensure consistent versions across installations.

[phantom-autopilot]

PR opened by agent

Execution log

#45

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4c89587e-c12d-40e6-b1d2-fc8c12e89760

📥 Commits

Reviewing files that changed from the base of the PR and between 413d5ea and 8d3a9d1.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json

---

📝 Walkthrough

Walkthrough

This PR adds a Yarn resolutions block to package.json that forces the fast-xml-parser dependency to version ^4.5.4, overriding any other versions specified by transitive dependencies.

Dependency Resolution Override

Layer / File(s)	Summary
fast-xml-parser version pin package.json	A resolutions block pins fast-xml-parser to ^4.5.4, ensuring a consistent version across the dependency tree regardless of what other packages request.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title mentions 'security upgrades for react-native-webview' but the actual change is a dependency resolution override for fast-xml-parser, not a direct security upgrade to react-native-webview itself.	Clarify whether this is upgrading react-native-webview or just addressing a transitive dependency issue. Consider a more specific title like 'chore(SEC-11595): pin fast-xml-parser to ^4.5.4 via Yarn resolutions' to accurately reflect the change.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch autopilot2/sec-11595_critical-upgrade-fast-xml-parser-in-phantom-react-native-web

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[phantom-autopilot]

PR opened by agent

Execution log

Draft PR: #45