[Snyk] Security upgrade react-native from 0.72.6 to 0.74.0 #26
revan-zhang wants to merge 1 commit into main
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-15677840
✅ Snyk checks have passed. No issues have been found so far.
| "dependencies": { | ||
| "react": "18.2.0", | ||
| "react-native": "0.72.6" | ||
| "react-native": "0.74.0" |
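Review bot: The only changed line in this hunk is the react-native pin (0.72.6 to 0.74.0), a jump of two minor releases made to pick up a fix for SNYK-JS-FASTXMLPARSER-15677840, whose ID points at fast-xml-parser rather than react-native itself, and nothing in the hunk shows which version of that package ends up installed. Before merging, regenerate and commit the example app's lockfile and confirm the resolved version with `npm ls fast-xml-parser`; if the transitive fix is the only goal, an npm `overrides` (or Yarn `resolutions`) entry for that package would be a smaller change than moving the React Native minor.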
🟡 Incomplete version upgrade: @react-native/metro-config left at 0.72.x after react-native bumped to 0.74.0
The PR bumps react-native from 0.72.6 to 0.74.0 but leaves @react-native/metro-config at ^0.72.11 (line 20). These packages are versioned in lockstep with React Native (note both were previously aligned at 0.72.x). Using the 0.72.x metro-config with react-native@0.74.0 is a version mismatch that can cause build or bundling failures in the example app. The metro-react-native-babel-preset at 0.76.8 (line 22) also likely needs updating for RN 0.74 compatibility.
Prompt for agents
In example/package.json, update the devDependencies to match react-native 0.74.0. Specifically:
1. At line 20, change @react-native/metro-config from ^0.72.11 to ^0.74.0
2. At line 22, update or replace metro-react-native-babel-preset 0.76.8 with the appropriate version for RN 0.74 (likely @react-native/babel-preset ^0.74.0)
These packages are versioned in lockstep with React Native and should be kept aligned.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "dependencies": { | ||
| "react": "18.2.0", | ||
| "react-native": "0.72.6" | ||
| "react-native": "0.74.0" |
Incompatible @react-native/metro-config version after upgrade
High Severity
Upgrading react-native to 0.74.0 without updating @react-native/metro-config from ^0.72.11 breaks the build. The ^0.72.11 semver range only resolves to >=0.72.11 <0.73.0, which is incompatible with react-native 0.74.0. The metro-config package is versioned in lockstep with react-native and needs to be ^0.74.0. Similarly, metro-react-native-babel-preset at 0.76.8 may need updating to match the metro version bundled with react-native 0.74.
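
The caret-range behaviour described in the review comment above, as an added example that is not part of the PR or of either bot's output: it computes the bounds of a caret range and flags a lockstep package whose range cannot reach the react-native release line. The `LOCKSTEP` list, the function names and the sample manifest are constructed for illustration.

```javascript
// Added example: check that packages versioned in lockstep with react-native
// can resolve to the same major.minor line as the react-native dependency.

// Assumption: only the package named in the review comments is treated as lockstep.
const LOCKSTEP = ['@react-native/metro-config'];

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Bounds [lo, hi) for an exact version or a caret range.
// A caret keeps the left-most non-zero component fixed, so ^0.72.11 means
// >=0.72.11 <0.73.0, not <1.0.0.
function bounds(range) {
  const caret = range.startsWith('^');
  const lo = parse(caret ? range.slice(1) : range);
  let hi;
  if (!caret) hi = [lo[0], lo[1], lo[2] + 1];
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return { lo, hi };
}

// Returns the lockstep packages whose range cannot resolve to any version on
// the react-native major.minor line declared in the manifest.
function findLockstepMismatches(manifest) {
  const all = { ...manifest.dependencies, ...manifest.devDependencies };
  const rn = bounds(all['react-native']).lo;
  const lineLo = [rn[0], rn[1], 0];
  const lineHi = [rn[0], rn[1] + 1, 0];
  return LOCKSTEP.filter((name) => name in all).filter((name) => {
    const { lo, hi } = bounds(all[name]);
    // Mismatch when [lo, hi) does not intersect [lineLo, lineHi).
    return !(cmp(lo, lineHi) < 0 && cmp(hi, lineLo) > 0);
  });
}

// Constructed manifest mirroring the versions quoted in this PR.
const sample = {
  dependencies: { react: '18.2.0', 'react-native': '0.74.0' },
  devDependencies: { '@react-native/metro-config': '^0.72.11' },
};
console.log(findLockstepMismatches(sample));
```

Only exact versions and caret ranges are handled; other range syntaxes (tilde, comparators, `x` wildcards) would need a full semver parser.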


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):
- example/package.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-FASTXMLPARSER-15677840
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Medium Risk
Upgrades the core React Native dependency, which may introduce native build/runtime regressions or require aligned tooling changes despite being a simple manifest edit.
Overview
Updates the example app’s package.json to upgrade react-native from 0.72.6 to 0.74.0 (Snyk-driven) to address a reported dependency vulnerability.
Written by Cursor Bugbot for commit f4db8b1.