Skip to content

Spike/RN-85 #32888

Open
adnxy wants to merge 7 commits into
mainfrom
feat/rn-0.85
Open

Spike/RN-85 #32888
adnxy wants to merge 7 commits into
mainfrom
feat/rn-0.85

Conversation

@adnxy

@adnxy adnxy commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Draft - Spike for RN.0.85 - No need for a review

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

High Risk
Major React Native and Metro/Hermes toolchain jump with Gradle 9 and removed RN yarn patch; runtime/build risk from documented native-module and Expo SDK gaps not addressed in this spike alone.

Overview
Draft spike to move from React Native 0.81.5/0.83.x toward 0.85.0, not a production-ready upgrade. The PR is explicitly marked as no review needed.

Dependency & tooling: react-native goes to 0.85.0 (drops the prior 0.83.6 yarn patch), React / react-test-renderer to 19.2.3, and locks @react-native/* (babel-preset, metro-config, eslint-config, typescript-config) plus new @react-native/jest-preset at 0.85.0. @react-native-community/cli (+ platform packages) bumps to 20.1.0. jest.config.js switches from preset: 'react-native' to @react-native/jest-preset (RN 0.85 requirement).

Native build: Android Gradle wrapper 8.14.3 → 9.3.1, Gradle wrapper script updates (Windows -jar invocation; Cygwin CLASSPATH handling), and a comment tweak for debuggable variants. iOS adds nkf to the Gemfile (Ruby 3.4 / RN template), sets SUPPORTED_PLATFORMS / TARGETED_DEVICE_FAMILY on the main target, and splits iPad vs iPhone orientation keys in Info.plist.

Docs: Adds large RN 0.85 upgrade spike/plan write-ups (breaking changes, native-module audit, phased PR ladder, Expo SDK 56 coupling, patch regeneration, blockers like absoluteFillObject, screens, reanimated, etc.).

Not in this diff: No StyleSheet.absoluteFillObjectabsoluteFill codemod despite docs calling it out; Expo packages in package.json still appear on SDK 55 while docs target SDK 56—full upgrade likely needs additional PRs per the included plans.

Reviewed by Cursor Bugbot for commit fbf4a4f. Bugbot is set up for automated code reviews on this repo. Configure here.

adnxy added 2 commits June 26, 2026 14:03
  - Bump react-native to 0.85.0, react to 19.2.3, react-test-renderer to 19.2.3
  - Update @react-native/* packages to 0.85.0 (babel-preset, eslint-config, metro-config,
  typescript-config)
  - Add @react-native/jest-preset 0.85.0; update jest.config.js preset accordingly
  - Bump @react-native-community/cli and platform packages to 20.1.0
  - Upgrade Gradle wrapper to 9.3.1; remove legacy CLASSPATH-based invocation in
  gradlew/gradlew.bat
  - Add gem 'nkf' to ios/Gemfile for Ruby 3.4 compatibility
  - Add SUPPORTED_PLATFORMS and TARGETED_DEVICE_FAMILY to Xcode Debug/Release configs
  - Split UISupportedInterfaceOrientations into phone/iPad variants in Info.plist
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@adnxy adnxy changed the title Spike/rn ].85 Spike/RN-85 Jul 7, 2026
@mm-token-exchange-service

mm-token-exchange-service Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

PR template — items to address before "Ready for review"

Warnings — informational, address before merging:

  • Related issues section is empty. Add Fixes: #123 / Closes: <URL> / Refs: <Jira key>, or write a short rationale after the colon.
  • Manual testing steps still contain template content (the Gherkin example title or a [...] placeholder). Replace with real steps, or write N/A — <reason>.
  • Screenshots/Recordings section is empty. Add an image/video for user-facing changes, logs/console output for non-user-facing changes, or write N/A if no evidence is applicable.
  • Pre-merge author checklist has unchecked items (e.g. "I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards."). Every box must be consciously checked — see docs/readme/ready-for-review.md.

See docs/readme/ready-for-review.md for the full Definition of Ready for Review.

@adnxy adnxy added the no-changelog no-changelog Indicates no external facing user changes, therefore no changelog documentation needed label Jul 7, 2026
@adnxy adnxy marked this pull request as ready for review July 7, 2026 13:25
@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm @react-native/debugger-frontend is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/react-native@0.85.0npm/@react-native/debugger-frontend@0.85.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.85.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm @react-native/debugger-frontend is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/react-native@0.85.0npm/@react-native/debugger-frontend@0.85.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.85.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm @react-native-community/cli-server-api is 66.0% likely risky

Notes: No direct signs of classic malware (exfiltration, persistence, crypto-mining, hidden payloads) are present in this snippet. However, the middleware exposes a powerful local side effect—invoking @react-native-community/cli-tools’ launchEditor—with file path and line number taken directly from unauthenticated, unvalidated HTTP POST input. This is a significant security risk and should be protected with authentication/authorization and strict input validation/allowlisting (and ideally constrained to safe file/path contexts).

Confidence: 0.66

Severity: 0.78

From: ?npm/@react-native-community/cli@20.1.0npm/@react-native-community/cli-server-api@20.1.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native-community/cli-server-api@20.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm metro-runtime is 70.0% likely risky

Notes: No overt stealthy malware behavior is present in this snippet, but the module implements a high-impact remote code execution mechanism: it executes JavaScript strings delivered via WebSocket updates using eval/globalEvalWithSourceUrl, without any message authentication/integrity checks in this file. If the HMR server or connection can be tampered with, this becomes a straightforward RCE vector; otherwise, risk is primarily tied to deployment/trust configuration rather than hidden malicious logic.

Confidence: 0.70

Severity: 0.74

From: ?npm/@react-native/metro-config@0.85.0npm/react-native@0.85.0npm/metro-runtime@0.84.4

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/metro-runtime@0.84.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm react-native is 66.0% likely risky

Notes: This module performs runtime JavaScript execution by evaluating a provided code string (body) via eval() or a sourceURL-attributed evaluator. Because the snippet shows no validation/integrity checks for body, any attacker influence over body (or over the URL/content feeding it) would enable arbitrary code execution, which is a serious supply-chain/runtime injection risk. No direct malicious exfiltration/persistence behavior is visible in the provided fragment, so malware is not confirmed, but the security risk from the eval-based design is high.

Confidence: 0.66

Severity: 0.78

From: package.jsonnpm/react-native@0.85.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-native@0.85.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @react-native/debugger-frontend is 77.0% likely to have a medium risk anomaly

Notes: The code fragment appears to be a standard Markdown parser/renderer with extension support (similar to Marked). There is no evidence of malware, data exfiltration, or external communications within the fragment itself. The principal security concern is safe handling of generated HTML: ensure the consuming application sanitizes or escapes content appropriately or uses a renderer that enforces safe output. Monitor any extensions for unsafe renderers/tokenizers that could bypass sanitization or introduce insecure output paths.

Confidence: 0.77

Severity: 0.60

From: ?npm/react-native@0.85.0npm/@react-native/debugger-frontend@0.85.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.85.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm react-native is 62.0% likely to have a medium risk anomaly

Notes: This module is an interception/monitoring utility that monkey-patches native WebSocket networking methods and forwards connection/message/error/close data to consumer-provided callbacks. It does not directly exfiltrate data or execute suspicious behaviors within this fragment, but it creates a high-sensitivity capability (WebSocket payload visibility) that could be abused for privacy-invasive surveillance if the callback registration and interception enabling are reachable by malicious or untrusted code. Review who can call enableInterception() and set*Callback(), and ensure callbacks do not forward captured traffic to untrusted destinations.

Confidence: 0.62

Severity: 0.55

From: package.jsonnpm/react-native@0.85.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-native@0.85.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions github-actions Bot added the size-L label Jul 7, 2026
Comment thread package.json
Comment thread package.json
Comment thread package.json
Comment thread package.json
@github-actions github-actions Bot added the risk:high AI analysis: high risk label Jul 7, 2026
@adnxy adnxy added the team-mobile-platform Mobile Platform team label Jul 7, 2026
@github-actions github-actions Bot added risk:critical AI analysis: critical risk and removed risk:high AI analysis: high risk labels Jul 7, 2026
Comment thread yarn.lock
@github-actions github-actions Bot added size-XL risk:high AI analysis: high risk and removed size-L risk:critical AI analysis: critical risk labels Jul 7, 2026
@github-actions github-actions Bot added risk:critical AI analysis: critical risk and removed risk:high AI analysis: high risk labels Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 88%
click to see 🤖 AI reasoning details

E2E Test Selection:
This PR is a "spike/planning" PR for a future React Native 0.85 upgrade. After thorough investigation of all changed files, the actual code changes are:

  1. Documentation only (docs/rn-0.85-upgrade-spike.md, docs/rn-0.85-upgrade-spike.txt, rn-0.85-upgrade-*.txt at root) — Pure planning/spike documents with no functional impact.

  2. Build infrastructure (android/gradle/wrapper/gradle-wrapper.properties: Gradle 8.14.3 → 9.3.1; android/gradlew, android/gradlew.bat) — Android build tooling update only. Does not affect app runtime behavior or E2E test execution.

  3. android/app/build.gradle — Cosmetic comment change only (no functional change).

  4. ios/Gemfile + ios/Gemfile.lock — Added nkf gem (Ruby build dependency for iOS builds, required by RN 0.85 template for Ruby 3.4). No app runtime impact.

  5. ios/MetaMask.xcodeproj/project.pbxproj — Added SUPPORTED_PLATFORMS and TARGETED_DEVICE_FAMILY settings for iPad support. Build configuration only.

  6. ios/MetaMask/Info.plist — Added iPad-specific orientation support (UISupportedInterfaceOrientations~ipad key). This is a native iOS configuration change but only affects iPad orientation behavior, not the core app flows tested by E2E tests.

  7. jest.config.js — Already contains preset: '@react-native/jest-preset' (the RN 0.85 Jest preset change). This affects unit tests only, not Detox E2E tests.

  8. yarn.lock — Lock file changes (minor, likely from nkf gem or other tooling changes).

  9. .vscode/settings.json — IDE settings, no functional impact.

  10. package.json — Marked critical but actual diff was not accessible; current file shows no major version changes to app dependencies.

No app source code (app/) was changed. No E2E test infrastructure (tests/) was changed. No controllers, Engine, or core modules were changed. The changes are entirely build infrastructure, iOS/Android project configuration, and documentation. None of these changes affect user-facing flows, navigation, confirmations, accounts, networks, or any other feature area covered by E2E tests. Therefore, no E2E test tags should be selected.

Performance Test Selection:
No app source code was changed in this PR. All changes are build infrastructure (Gradle wrapper bump, iOS Xcode project settings, Gemfile gem addition), documentation (RN 0.85 upgrade spike docs), and IDE settings. None of these changes affect app launch time, asset loading, account list rendering, onboarding flows, login, swaps, or any other performance-sensitive user flow. No performance tests are warranted.

View GitHub Actions results

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

no-changelog no-changelog Indicates no external facing user changes, therefore no changelog documentation needed risk:critical AI analysis: critical risk size-XL team-mobile-platform Mobile Platform team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant