From 73128a1876adc56b143ec47bd15d107d5b4b1fbb Mon Sep 17 00:00:00 2001
From: Christoph Purrer
Date: Sun, 28 Jun 2026 10:48:29 -0700
Subject: [PATCH] Fix Dependabot security update for concurrent-ruby in react-native (#57355)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Summary:
The Dependabot GitHub Action on `react/react-native` `main` has been failing repeatedly because of `concurrent-ruby`. A security advisory marks `concurrent-ruby < 1.3.7` as affected (patched in `1.3.7`), but all three RN Gemfiles pin `gem 'concurrent-ruby', '<= 1.3.4'`. Dependabot cannot satisfy the advisory under that pin, so it opens a security PR to bump to `1.3.7` and then, on every subsequent run, reports `pull_request_exists_for_latest_version` as a hard error — failing the check and regenerating the internal CI task.

The `<= 1.3.4` upper bound was originally added because `concurrent-ruby 1.3.5` dropped its `logger` dependency, which broke older `activesupport`/CocoaPods setups. That cause is already mitigated: every Gemfile now explicitly lists `gem 'logger'`. The upper-bound pin is therefore obsolete.

This change relaxes the constraint from `<= 1.3.4` to `>= 1.3.7` in all three Gemfiles (root, `private/helloworld`, `packages/rn-tester`) and updates the two corresponding `Gemfile.lock` files to resolve `concurrent-ruby 1.3.7`. `1.3.7` introduces no new transitive dependencies over `1.3.4`, so no other lockfile entries change.

With the advisory satisfied on `main`, Dependabot stops recreating the security PR and the recurring check failure stops.

Differential Revision: D109967250
---
 Gemfile                         | 2 +-
 Gemfile.lock                    | 4 ++--
 packages/rn-tester/Gemfile      | 2 +-
 private/helloworld/Gemfile      | 2 +-
 private/helloworld/Gemfile.lock | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/Gemfile b/Gemfile
index e9b4cc2be6d7..3c490b9cd997 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,7 +6,7 @@ ruby ">= 2.6.10" gem 'cocoapods', '~> 1.13', '!= 1.15.0', '!= 1.15.1' gem 'activesupport', '>= 6.1.7.5', '< 7.1.0' gem 'xcodeproj', '< 1.26.0' -gem 'concurrent-ruby', '<= 1.3.4' +gem 'concurrent-ruby', '>= 1.3.7' # Ruby 3.4.0 has removed some libraries from the standard library. gem 'bigdecimal' diff --git a/Gemfile.lock b/Gemfile.lock index 8eb0039d4c08..cc3096498876 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -55,7 +55,7 @@ GEM netrc (~> 0.11) cocoapods-try (1.2.0) colored2 (3.1.2) - concurrent-ruby (1.2.2) + concurrent-ruby (1.3.7) escape (0.0.4) ethon (0.16.0) ffi (>= 1.15.0) @@ -97,7 +97,7 @@ DEPENDENCIES benchmark bigdecimal cocoapods (~> 1.13, != 1.15.1, != 1.15.0) - concurrent-ruby (<= 1.3.4) + concurrent-ruby (>= 1.3.7) logger mutex_m xcodeproj (< 1.26.0) diff --git a/packages/rn-tester/Gemfile b/packages/rn-tester/Gemfile index c8b1aad6c2f3..47b77ec24c4a 100644 --- a/packages/rn-tester/Gemfile +++ b/packages/rn-tester/Gemfile @@ -9,7 +9,7 @@ gem 'cocoapods', '~> 1.13', '!= 1.15.0', '!= 1.15.1' gem 'rexml' gem 'activesupport', '>= 6.1.7.5', '< 7.1.0' gem 'xcodeproj', '< 1.26.0' -gem 'concurrent-ruby', '<= 1.3.4' +gem 'concurrent-ruby', '>= 1.3.7' # Ruby 3.4.0 has removed some libraries from the standard library. gem 'bigdecimal' diff --git a/private/helloworld/Gemfile b/private/helloworld/Gemfile index 4fbe0d436d40..0e4955415fbc 100644 --- a/private/helloworld/Gemfile +++ b/private/helloworld/Gemfile @@ -5,7 +5,7 @@ ruby ">= 2.6.10" gem 'cocoapods', '~> 1.13', '!= 1.15.0', '!= 1.15.1' gem 'activesupport', '>= 6.1.7.5', '< 7.1.0' gem 'xcodeproj', '< 1.26.0' -gem 'concurrent-ruby', '<= 1.3.4' +gem 'concurrent-ruby', '>= 1.3.7' # Ruby 3.4.0 has removed some libraries from the standard library. gem 'bigdecimal' diff --git a/private/helloworld/Gemfile.lock b/private/helloworld/Gemfile.lock index 30ada298ab8a..18811995a299 100644 --- a/private/helloworld/Gemfile.lock +++ b/private/helloworld/Gemfile.lock 
@@ -58,7 +58,7 @@ GEM netrc (~> 0.11) cocoapods-try (1.2.0) colored2 (3.1.2) - concurrent-ruby (1.3.4) + concurrent-ruby (1.3.7) escape (0.0.4) ethon (0.16.0) ffi (>= 1.15.0) @@ -101,7 +101,7 @@ DEPENDENCIES benchmark bigdecimal cocoapods (~> 1.13, != 1.15.1, != 1.15.0) - concurrent-ruby (<= 1.3.4) + concurrent-ruby (>= 1.3.7) ffi (>= 1.17.2) logger mutex_m
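Review bot: In the `Gemfile` hunk (`@@ -6,7 +6,7 @@`), replacing `'<= 1.3.4'` with `'>= 1.3.7'` removes every upper bound, so a future `concurrent-ruby 2.x` with breaking changes would be accepted by the next `bundle update` while still satisfying the advisory. A pessimistic constraint keeps the advisory fixed and a ceiling at the same time, e.g. `gem 'concurrent-ruby', '~> 1.3', '>= 1.3.7'`. The same applies to the identical hunks in `packages/rn-tester/Gemfile` and `private/helloworld/Gemfile`.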
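Review bot: The root `Gemfile.lock` hunk at `@@ -55,7 +55,7 @@` moves `concurrent-ruby (1.2.2)` to `(1.3.7)`, not from `1.3.4` as the summary implies, so the statement "`1.3.7` introduces no new transitive dependencies over `1.3.4`" does not describe this lockfile's actual jump. Please confirm the 1.2.2 to 1.3.7 step, which crosses the 1.3.5 `logger` removal, needs no other `GEM` entries; the explicit `logger` line in the `DEPENDENCIES` hunk below it suggests it is covered, but the summary should state the real baseline.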
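Review bot: The `packages/rn-tester/Gemfile` hunk (`@@ -9,7 +9,7 @@`) has no matching `Gemfile.lock` change in this patch, while both other Gemfiles do. If `packages/rn-tester` has a checked-in lockfile it is now out of step with its Gemfile and `bundle install --frozen` there will fail; if it intentionally has none, a sentence in the summary saying so would save the next reader the check.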