Conversation

@Dargon789 (Owner)

Snyk has created this PR to fix 1 vulnerability in the rubygems dependencies of this project.

Snyk changed the following file(s):

  • apps/mobile/Gemfile
  • apps/mobile/Gemfile.lock

Vulnerabilities that will be fixed with an upgrade:

Issue: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Severity: medium
Snyk ID: SNYK-RUBY-REXML-12878608
Score: 49

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about this vulnerability in an interactive lesson of Snyk Learn.
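The vulnerability class named above, recursive entity expansion declared in a DTD, and the two limits REXML exposes to contain it, as an added example. This is not code from the PR, from Snyk or from the rexml project, and it makes no claim about which input path the SNYK-RUBY-REXML-12878608 fix changes. Both XML documents are constructed for the example and `expand_under_limits` is an illustrative helper; `REXML::Security.entity_expansion_limit` and `REXML::Security.entity_expansion_text_limit` are REXML's own settings.

```ruby
# Added example (not part of the Snyk PR or the rexml gem): a "billion laughs"
# style DTD next to a benign document, and REXML's two expansion limits.
# Requires the rexml gem, which ships with Ruby as a bundled gem.
require "rexml/document"

# Constructed entity bomb: five nesting levels, ten references each, so the
# single &lol4; reference in the body expands to 10^4 copies of "lol"
# (30,000 bytes) from a document of under 400 bytes.
ENTITY_BOMB = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  ]>
  <lolz>&lol4;</lolz>
XML

# Constructed benign document: two references to a short entity.
BENIGN = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE note [ <!ENTITY vendor "Example Corp"> ]>
  <note>Report for &vendor; by &vendor;</note>
XML

# Parse +xml+ and force expansion of the root element's text under the given
# limits. REXML counts every entity expansion per document and separately caps
# the number of bytes one expanded text may grow to; exceeding either raises.
# The defaults below are REXML's own defaults (10_000 expansions, 10_240 bytes).
# Returns [:ok, expanded_byte_size] or [:rejected, error_message].
def expand_under_limits(xml, expansion_limit: 10_000, text_limit: 10_240)
  REXML::Security.entity_expansion_limit = expansion_limit
  REXML::Security.entity_expansion_text_limit = text_limit
  doc = REXML::Document.new(xml)
  text = doc.root.text # entity references are resolved here, not at parse time
  [:ok, text.bytesize]
rescue StandardError => e
  [:rejected, e.message]
end

if __FILE__ == $0
  p expand_under_limits(BENIGN)                      # => [:ok, 39]
  p expand_under_limits(ENTITY_BOMB)                 # rejected under the defaults
  p expand_under_limits(BENIGN, expansion_limit: 0)  # rejected: no expansion allowed
end
```

Both settings are global to the process, so in an application set them once at startup; the helper reassigns them on every call only so the three outcomes are directly comparable. Lowering the limits to what the application's XML actually needs (zero expansions, if it never relies on DTD entities) is complementary to the gem upgrade this PR performs, not a substitute for it.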

@snyk-io bot commented Sep 23, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@gemini-code-assist bot

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to resolve a medium-severity security vulnerability by updating RubyGems dependencies. It specifically targets an XML Entity Expansion issue in the rexml gem and includes updates to core development tools like fastlane, cocoapods, and xcodeproj, along with numerous other transitive dependency version bumps reflected in the Gemfile.lock. The overall purpose is to enhance the project's security posture and maintain up-to-date dependencies.

Highlights

  • Security Vulnerability Fix: This pull request addresses a medium-severity vulnerability (SNYK-RUBY-REXML-12878608) related to 'Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)' in the rexml gem.
  • Dependency Upgrades: The Gemfile has been updated to upgrade fastlane from 2.215.0 to 2.215.1, cocoapods from 1.14.3 to 1.15.0, and xcodeproj from 1.25.1 to 1.26.0.
  • Transitive Dependency Updates: The Gemfile.lock reflects numerous transitive dependency updates across various gems, including aws-sdk components, google-apis components, bigdecimal, connection_pool, drb, ffi, json, minitest, multi_json, nanaimo, signet, and typhoeus.
  • Bundler Version Change: The BUNDLED WITH version in Gemfile.lock has been updated from 2.4.10 to 2.3.26.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@codesandbox bot commented Sep 23, 2025

Review or Edit in CodeSandbox

Open the branch in: Web Editor | VS Code | Insiders

Open Preview

@cloudflare-workers-and-pages bot

Deploying uniswap with Cloudflare Pages

Latest commit: 4908042
Status: ✅  Deploy successful!
Preview URL: https://7d117d41.uniswap-omj.pages.dev
Branch Preview URL: https://snyk-fix-5c866ca698c31a526e9.uniswap-omj.pages.dev

View logs

@gemini-code-assist bot left a comment

Code Review

This pull request, automatically generated by Snyk, updates several Ruby gem dependencies to resolve a security vulnerability (SNYK-RUBY-REXML-12878608). The core change is upgrading fastlane, cocoapods, and xcodeproj in the Gemfile, which transitively updates rexml and patches the vulnerability. While the dependency updates are generally minor and seem safe, I've identified a couple of issues related to dependency management consistency. The Podfile.lock has not been updated to reflect the new cocoapods version, and the Bundler version used to generate Gemfile.lock has been downgraded. Both issues should be addressed to ensure consistent builds and reduce repository churn.
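The lockfile drift the review above points out can be gated in CI rather than caught by a reviewer. This is an added example, not code from the PR or from any of the review bots: it reads the cocoapods pin from `Gemfile.lock`, the generator version CocoaPods records at the end of `Podfile.lock`, and the `BUNDLED WITH` line, and reports any disagreement. The two lockfile fragments are constructed to mirror the versions discussed in this PR, and the function names are the example's own.

```ruby
# Added example (not from the PR or the bots): detect a Gemfile.lock that moves
# cocoapods or Bundler while Podfile.lock still records the old generator.

# Constructed Gemfile.lock fragment in the layout Bundler writes: top-level
# specs are indented four spaces, their dependencies six.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cocoapods (1.15.0)
        cocoapods-core (= 1.15.0)
        xcodeproj (>= 1.23.0, < 2.0)
      cocoapods-core (1.15.0)
      xcodeproj (1.26.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    cocoapods (= 1.15.0)
    xcodeproj (= 1.26.0)

  BUNDLED WITH
     2.3.26
LOCK

# Constructed Podfile.lock tail; CocoaPods records its own version last.
PODFILE_LOCK = <<~LOCK
  SPEC CHECKSUMS:
    (omitted for the example)

  COCOAPODS: 1.14.3
LOCK

# Version of +gem_name+ resolved in the specs section of a Gemfile.lock.
# Only lines indented exactly four spaces are top-level specs; a deeper
# indent is a dependency constraint of another gem and must not match.
def locked_gem_version(gemfile_lock, gem_name)
  gemfile_lock.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Bundler version recorded under BUNDLED WITH, or nil if absent.
def bundled_with(gemfile_lock)
  m = gemfile_lock.match(/^BUNDLED WITH\n\s*(\S+)/)
  m && m[1]
end

# CocoaPods version that generated a Podfile.lock, or nil if absent.
def podfile_lock_cocoapods(podfile_lock)
  m = podfile_lock.match(/^COCOAPODS: (\S+)/)
  m && m[1]
end

# Returns human-readable findings; an empty list means the lockfiles agree.
# +min_bundler+ (optional) flags a BUNDLED WITH older than the repo expects.
def lockfile_findings(gemfile_lock, podfile_lock, min_bundler: nil)
  findings = []
  gem_v = locked_gem_version(gemfile_lock, "cocoapods")
  pod_v = podfile_lock_cocoapods(podfile_lock)
  if gem_v.nil?
    findings << "cocoapods is not locked in Gemfile.lock"
  elsif pod_v != gem_v
    findings << "Podfile.lock was generated by CocoaPods #{pod_v.inspect} but " \
                "Gemfile.lock pins #{gem_v}; run `bundle exec pod install` and commit Podfile.lock"
  end
  if min_bundler
    actual = bundled_with(gemfile_lock)
    if actual.nil? || Gem::Version.new(actual) < Gem::Version.new(min_bundler)
      findings << "BUNDLED WITH #{actual.inspect} is older than the expected #{min_bundler}"
    end
  end
  findings
end

if __FILE__ == $0
  # Against the constructed files this reports both problems the review raised.
  lockfile_findings(GEMFILE_LOCK, PODFILE_LOCK, min_bundler: "2.4.10").each { |f| puts f }
end
```

In a real checkout the two constants would be `File.read("apps/mobile/Gemfile.lock")` and `File.read("apps/mobile/Podfile.lock")`, and a non-empty findings list fails the job; a bot-authored dependency PR is exactly the case where nobody runs `pod install` by hand.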

@socket-security bot

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                          Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added    npm/wallet@0.0.1                 66                     100            65       77           100
Updated  gem/fastlane@2.215.0 ⏵ 2.215.1   67 (+1)                100            100      100          100
Added    npm/utilities@1.0.6              91                     85             74       82           100
Updated  gem/cocoapods@1.14.3 ⏵ 1.15.0    84 (-1)                100            100      100          100
Added    npm/react@18.3.1                 100                    100            85       97           100
Added    npm/typescript@5.3.3             100                    100            90       100          100
Updated  gem/xcodeproj@1.25.1 ⏵ 1.26.0    92                     100            100      100          100

View full report

@socket-security bot

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn High
gem/ffi@1.17.2 has a License Policy Violation.

License: GPL-2.0+ (ext/ffi_c/libffi/LICENSE-BUILDTOOLS)

License: GPL-2.0-only (ext/ffi_c/libffi/libtool-ldflags)

License: GPL-2.0-only (ext/ffi_c/libffi/compile)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/powerpc-eabisim.exp)

License: GPL-3.0-only (ext/ffi_c/libffi/testsuite/libffi.bhaible/test-call.c)

License: GPL-3.0-only (ext/ffi_c/libffi/m4/ax_gcc_x86_cpuid.m4)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/libffi.bhaible/alignof.h)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/ar-lib)

License: GPL-3.0-only (ext/ffi_c/libffi/testsuite/libffi.bhaible/test-callback.c)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/lib/target-libpath.exp)

License: GPL-3.0-only (ext/ffi_c/libffi/m4/ax_compiler_vendor.m4)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/moxie-sim.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/libffi.closures/closure.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/missing)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/compile)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/lib/wrapper.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/libffi.bhaible/bhaible.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/lib/libffi.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/ltmain.sh)

License: GPL-3.0-only (ext/ffi_c/libffi/m4/ax_cc_maxopt.m4)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/libffi.call/call.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/bfin-sim.exp)

License: GPL-3.0-only (ext/ffi_c/libffi/testsuite/libffi.bhaible/testcases.c)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/wine-sim.exp)

License: FSFAP (ext/ffi_c/libffi/Makefile.in)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/m32r-sim.exp)

License: FSFAP (ext/ffi_c/libffi/doc/Makefile.in)

License: FSFAP (ext/ffi_c/libffi/include/Makefile.in)

License: GPL-3.0-only (ext/ffi_c/libffi/config.guess)

License: GPL-3.0-only (ext/ffi_c/libffi/config.sub)

License: GPL-2.0-only (ext/ffi_c/libffi/.ci/or1k-sim.exp)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/libffi.complex/complex.exp)

License: FSFAP (ext/ffi_c/libffi/man/Makefile.in)

License: FSFAP (ext/ffi_c/libffi/testsuite/Makefile.in)

License: GPL-2.0-only (ext/ffi_c/libffi/testsuite/libffi.go/go.exp)

From: apps/mobile/Gemfile.lock → gem/cocoapods@1.15.0 → gem/ffi@1.17.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/ffi@1.17.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/safer-buffer@2.1.2 has Obfuscated code.

Confidence: 0.94

Location: Package overview

From: ? → npm/safer-buffer@2.1.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/typescript@3.9.10 has a License Policy Violation.

License: MIT-Khronos-old (package/ThirdPartyNoticeText.txt)

License: CC-BY-4.0 (package/ThirdPartyNoticeText.txt)

From: ? → npm/typescript@3.9.10

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@3.9.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/typescript@4.9.5 has a License Policy Violation.

License: MIT-Khronos-old (package/ThirdPartyNoticeText.txt)

License: CC-BY-4.0 (package/ThirdPartyNoticeText.txt)

From: ? → npm/typescript@4.9.5

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@4.9.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/typescript@5.3.3 has a License Policy Violation.

License: MIT-Khronos-old (package/ThirdPartyNoticeText.txt)

License: CC-BY-4.0 (package/ThirdPartyNoticeText.txt)

From: apps/mobile/package.json → npm/typescript@5.3.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/utilities@1.0.6 has a High CVE.

CVE: GHSA-wxfj-84xf-7gxv mde utilities contains Prototype Pollution (HIGH)

Affected versions: <= 1.0.6

Patched version: No patched versions

From: apps/mobile/package.json → npm/utilities@1.0.6

ℹ Read more on: This package | This alert | What is a CVE?

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/utilities@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
gem/google-logging-utils@0.2.0 is an Unpopular package.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/fastlane@2.215.1 → gem/google-logging-utils@0.2.0

ℹ Read more on: This package | This alert | What are unpopular packages?

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/google-logging-utils@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
npm/utilities@1.0.6 is Deprecated.

Reason: This package is no longer maintained and vulnerability exists.

From: apps/mobile/package.json → npm/utilities@1.0.6

ℹ Read more on: This package | This alert | What is a deprecated package?

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/utilities@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
npm/wallet@0.0.1 is an Unpopular package.

Location: Package overview

From: apps/mobile/package.json → npm/wallet@0.0.1

ℹ Read more on: This package | This alert | What are unpopular packages?

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/wallet@0.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@Dargon789 Dargon789 merged commit 10c7127 into main Sep 26, 2025
15 of 17 checks passed
@Dargon789 Dargon789 deleted the snyk-fix-5c866ca698c31a526e944f4a0a9d6cbe branch September 26, 2025 13:41

3 participants