Update dependency @react-native-community/cli to v17 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@react-native-community/cli (source)	11.3.7 -> 17.0.1

GitHub Vulnerability Alerts

CVE-2025-11953

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

---

Release Notes

react-native-community/cli (@​react-native-community/cli)

v17.0.1

Compare Source

v17.0.0

Compare Source

What's Changed

• ci: disable running tests on Windows by @​szymonrybczak in #​2577
• chore: replace sudo-prompt with @vscode/sudo-prompt by @​szymonrybczak in #​2578
• fix: adjust log in install Cocoapods prompt by @​szymonrybczak in #​2580
• feat: Refresh cli-server-api index page by @​huntie in #​2582
• breaking: Remove secondary exports of cli-server-api by @​huntie in #​2584
• test: fix e2e test snapshot by @​thymikee in #​2586
• docs: update compatibility table by @​thymikee in #​2585
• breaking: Remove cli-debugger-ui package by @​huntie in #​2583
• breaking: Replace launchEditor implementation by @​huntie in #​2587
• breaking: Drop browser helpers from cli-tools, simplify middleware by @​huntie in #​2588
• fix: Remove hardcoded npm registry url by @​jasonjiicloud in #​2520
• refactor: replace strip-ansi with native module by @​stianjensen in #​2521
• fix(macCatalyst): construct correct path for executable by @​mikehardy in #​2510
• fix: run-android device not found on change from deviceId to device by @​High5Apps in #​2595
• chore: Link to test setup in PR template by @​huntie in #​2597
• Update maintainers to reflect current state of things by @​szymonrybczak in #​2598
• Improve and clarify error for missing scheme file by @​friederbluemle in #​2599
• fix(apple): include check if Podfile and Podfile.lock changed when deciding to install Cocoapods by @​szymonrybczak in #​2443
• feat: add RCT_IGNORE_PODS_DEPRECATION env variable to pod install by @​szymonrybczak in #​2601
• feat: Export createDevServerMiddleware from cli by @​robhogan in #​2605
• feat: install Cocoapods by default in all projects by @​szymonrybczak in #​2602
• fix: Use 'fallback simulator' for tvOS by @​cgoldsby in #​2608
• docs: add link-assets cli setup guides by @​Nova41 in #​2572
• docs: fix numbered lists and spelling in CONTRIBUTING.md by @​D-Gaspa in #​2613
• feat: replace ios-deploy with devicectl by @​cgoldsby in #​2614

New Contributors

• @​jasonjiicloud made their first contribution in #​2520
• @​High5Apps made their first contribution in #​2595
• @​cgoldsby made their first contribution in #​2608
• @​Nova41 made their first contribution in #​2572
• @​D-Gaspa made their first contribution in #​2613

Full Changelog: react-native-community/cli@v16.0.2...v17.0.0

v16.0.3

Compare Source

v16.0.2

Compare Source

What's Changed

• refactor: extract cli-config-android for linking by @​thymikee in #​2546
• chore: remove unused native_modules files by @​thymikee in #​2547
• fix: loadConfig() failing with "missing loader for extension" by @​tido64 in #​2549
• fix(config): fix loadConfig() failing with "missing loader for extension" by @​tido64 in #​2550
• chore: remove deprecated react legacy components from config by @​szymonrybczak in #​2554
• fix: be able to read more complex buildToolsVersion definitions by @​dloic in #​2531
• docs: update compat table by @​thymikee in #​2560
• fix: support linking of BaseReactPackage subclasses by @​vonovak in #​2563
• fix: config with --platform flag to work with platforms defined in multiple packages by @​thymikee in #​2562

New Contributors

• @​dloic made their first contribution in #​2531

Full Changelog: react-native-community/cli@v15.1.0...v16.0.2

v16.0.1

Compare Source

v16.0.0

Compare Source

v15.1.3

Compare Source

v15.1.2

Compare Source

v15.1.1

Compare Source

v15.1.0

Compare Source

Changes

• fix: Use 'fallback simulator' for tvOS @​cgoldsby (#​2608)
• Improve and clarify error for missing scheme file @​friederbluemle (#​2599)
• fix: run-android device not found on change from deviceId to device @​High5Apps (#​2595)
• fix(macCatalyst): construct correct path for executable @​mikehardy (#​2510)
• refactor: replace strip-ansi with native module @​stianjensen (#​2521)
• breaking: Drop browser helpers from cli-tools, simplify middleware @​huntie (#​2588)
• breaking: Replace launchEditor implementation @​huntie (#​2587)
• breaking: Remove secondary exports of cli-server-api @​huntie (#​2584)
• ci: disable running tests on Windows @​szymonrybczak (#​2577)
• fix: be able to read more complex buildToolsVersion definitions @​dloic (#​2531)
• fix(config): fix loadConfig() failing with "missing loader for extension" @​tido64 (#​2550)
• fix: loadConfig() failing with "missing loader for extension" @​tido64 (#​2549)

🚀 Features

• feat: install Cocoapods by default in all projects @​szymonrybczak (#​2602)
• feat: Export createDevServerMiddleware from cli @​robhogan (#​2605)
• feat: add RCT_IGNORE_PODS_DEPRECATION env variable to pod install @​szymonrybczak (#​2601)
• feat: Refresh cli-server-api index page @​huntie (#​2582)
• feat: support ESM in react-native.config @​szymonrybczak (#​2453)

🐛 Bug Fixes

• fix(apple): include check if Podfile and Podfile.lock changed when deciding to install Cocoapods @​szymonrybczak (#​2443)
• fix: Remove hardcoded npm registry url @​jasonjiicloud (#​2520)
• test: fix e2e test snapshot @​thymikee (#​2586)
• fix: adjust log in install Cocoapods prompt @​szymonrybczak (#​2580)
• fix: config with --platform flag to work with platforms defined in multiple packages @​thymikee (#​2562)
• fix: support linking of BaseReactPackage subclasses @​vonovak (#​2563)
• fix: handle libraries using build.gradle.kts files @​bang9 (#​2543)

🧰 Maintenance

12 changes

• docs: fix numbered lists and spelling in CONTRIBUTING.md @​D-Gaspa (#​2613)
• docs: add link-assets cli setup guides @​Nova41 (#​2572)
• feat: install Cocoapods by default in all projects @​szymonrybczak (#​2602)
• Update maintainers to reflect current state of things @​szymonrybczak (#​2598)
• chore: Link to test setup in PR template @​huntie (#​2597)
• breaking: Remove cli-debugger-ui package @​huntie (#​2583)
• docs: update compatibility table @​thymikee (#​2585)
• chore: replace sudo-prompt with @vscode/sudo-prompt @​szymonrybczak (#​2578)
• docs: update compat table @​thymikee (#​2560)
• chore: remove deprecated react legacy components from config @​szymonrybczak (#​2554)
• chore: remove unused native_modules files @​thymikee (#​2547)
• refactor: extract cli-config-android for linking @​thymikee (#​2546)

Full Changelog: react-native-community/cli@v15.0.1...v15.1.0

v15.0.1

Compare Source

What's Changed

• docs: update table of versions react native to new version 0.76 by @​imatheus-lucas in #​2534
• refactor: extract cli-config-apple for linking by @​thymikee in #​2536
• test: fix e2e test for 0.76 by @​thymikee in #​2537
• fix(init): install Cocoapods with New Architecture enabled by default by @​szymonrybczak in #​2540

New Contributors

• @​imatheus-lucas made their first contribution in #​2534

Full Changelog: react-native-community/cli@v15.0.0...v15.0.1

v15.0.0

Compare Source

What's Changed

• fix: Correctly display errors in react-native init by @​islandryu in #​2394
• ci: disable react-native-macos test by @​szymonrybczak in #​2500
• build(deps): bump serve-static from 1.14.1 to 1.16.0 by @​dependabot in #​2501
• chore: remove deprecated --npm flag by @​TMisiukiewicz in #​2504
• chore: set npm as default package manager to init by @​TMisiukiewicz in #​2503
• fix(cli-config): include peer dependencies when finding dependencies by @​tido64 in #​2423
• fix: use preferred device in default mode by @​szymonrybczak in #​2363
• chore: use fast-glob for link-assets and scripts by @​thymikee in #​2513
• fix(cli-tools): declare dependency on prompts by @​tido64 in #​2518
• fix: xcworkspaces parsing should handle many xcprojects by @​blakef in #​2522

New Contributors

• @​islandryu made their first contribution in #​2394

Full Changelog: react-native-community/cli@v14.1.0...v15.0.0

v14.1.2

Compare Source

v14.1.1

Compare Source

v14.1.0

Compare Source

What's Changed

• Put an upper bound on "**/Podfile" search depth by @​ephemer in #​2480
• test(e2e): update snapshots by @​szymonrybczak in #​2476
• fix: readConfigFromDisk should ignore package.json entries by @​vonovak in #​2472
• chore: bump fast-xml-parser from 4.2.4 and 4.3.2 to 4.4.1 by @​Romick2005 in #​2466
• build(deps): bump axios from 1.6.1 to 1.7.4 by @​dependabot in #​2478
• fix: add missing --device option to build-ios command by @​szymonrybczak in #​2482
• fix: typos in readme by @​szymonrybczak in #​2483
• build(deps-dev): bump micromatch from 4.0.4 to 4.0.8 by @​dependabot in #​2485
• perf: skip getting package class name inside expo module by @​szymonrybczak in #​2487
• feat: determine react-native → template from npm registry data by @​blakef in #​2475

New Contributors

• @​ephemer made their first contribution in #​2480
• @​Romick2005 made their first contribution in #​2466

Full Changelog: react-native-community/cli@v14.0.1...v14.1.0

v14.0.1

Compare Source

v14.0.0

Compare Source

v13.6.9

Compare Source

v13.6.8

Compare Source

v13.6.7

Compare Source

v13.6.6

Compare Source

v13.6.5

Compare Source

Fixes

• fix: downgrade ws package (#​2355) by @​szymonrybczak

Full Changelog: react-native-community/cli@v13.6.4...v13.6.5

v13.6.4

Compare Source

v13.6.3

Compare Source

v13.6.2

Compare Source

v13.6.1

Compare Source

This is the collective changelog for v13 of the CLI that's intended for use with React Native 0.74.

Features

• feat: update compatibility table by @​szymonrybczak in #​2192
• feat: add gradlew doctor check permissions by @​jeferson-sb in #​2191
• feat: add manual Cocoapods installation info by @​okwasniewski in #​2204
• feat(ios): show simulator version in prompt by @​szymonrybczak in #​2214
• feat(ios): cache last used device by @​szymonrybczak in #​2162
• feat: add platform-cli-apple with reusable utilities for OOT platforms by @​okwasniewski in #​2208
• feat: merge buildOptions to runOptions by @​okwasniewski in #​2222
• feat: add strict typing for supported platforms by @​okwasniewski in #​2218
• feat: convert command options and dependencyConfig into getters by @​okwasniewski in #​2226
• feat: warn about multiple podfiles only if provided platform is unsupported by @​okwasniewski in #​2223
• feat: fallback to OOT scheme by @​szymonrybczak in #​2233
• feat: use Yarn v3 with nodeLinker: node-modules for new projects by @​szymonrybczak in #​2134
• feat: adapt buildRun to properly open macOS apps by @​szymonrybczak in #​2232
• feat: log files in selected directory and add option to replace them by @​szymonrybczak in #​2100
• feat: allow overriding commands from react-native.config.js by @​szymonrybczak in #​2229
• feat: Deprecate unstable_reactLegacyComponentNames by @​cortinico in #​2264
• feat(init): add --yarn-config-options option by @​szymonrybczak in #​2273
• feat: Add support for C++ TurboModules Autolinking by @​cortinico in #​2296
• refactor: adapt getSimulators() for OOT platforms by @​okwasniewski in #​2239

Fixes

• fix(android): launching app on simulator with different appId than pa… by @​thymikee in #​2195
• fix: packager starting when using run-ios and run-android by @​janicduplessis in #​2198
• fix: launchEditor not working for JetBrains IDEs by @​tarunrajput in #​2197
• fix: remove automatic config file generation by @​okwasniewski in #​2203
• fix: add more guard conditions for retrieving buildConfig from XcScheme by @​AnnatarHe in #​2196
• fix(init): use yarn as package manager when calling init with npx by @​szymonrybczak in #​2216
• fix: only run app on booted and available devices by @​szymonrybczak in #​2225
• Fix for run-android on windows. by @​aajahid in #​2236
• fix: regression where run was executing multiple times by @​okwasniewski in #​2242
• fix(ios): properly pass port to env in xcodebuild by @​szymonrybczak in #​2245
• fix: do not block run-ios/android when failed to start packager by @​szymonrybczak in #​2252
• fix: replacing package name in Kotlin template by @​szymonrybczak in #​2209
• fix(cli-platform-apple): properly receive simulators by @​szymonrybczak in #​2251
• fix: allow users to specify --device without value by @​szymonrybczak in #​2263
• Fix: cleaning metro cache by @​TMisiukiewicz in #​2258
• fix: launching activity defined with fully qualified name by @​thymikee in #​2269
• fix: replace ip package with default value and --host flag by @​szymonrybczak in #​2299
• fix: execa phantom dependency in cli-tools by @​jbroma in #​2292
• fix: Do not have empty AUTOLINKED_LIBRARIES by @​cortinico in #​2306

Chore & Maintenance

• perf: replace glob with fast-glob by @​abejfehr in #​2280
• test: update snapshot for e2e config test by @​thymikee in #​2200
• chore(init): remove error when Git initialisation failed by @​szymonrybczak in #​2215
• refactor: extract duplicated code to getXcodeProjectAndDir by @​okwasniewski in #​2220
• chore: move devices prompt to prompts.ts by @​szymonrybczak in #​2224
• chore: disable flaky tests by @​szymonrybczak in #​2230
• Update getLatestRelease.ts to use currentVersion in diffUrl by @​kraenhansen in #​2231
• chore: disable editTemplate test on Node v20 by @​szymonrybczak in #​2235
• refactor(cli-platform-apple): move installing and launching app logic to separate function by @​szymonrybczak in #​2234
• Improve Quotation and Path Handling in CLI Tools by @​snowleopard17 in #​2238
• docs: projects.md to include type information by @​atomicpages in #​2250
• build(deps): bump follow-redirects from 1.15.2 to 1.15.4 by @​dependabot in #​2257
• build: support Gradle configuration cache by @​ahruss in #​2201
• ci: run tests on every branch by @​szymonrybczak in #​2256
• chore: remove cli-plugin-metro package remnants by @​szymonrybczak in #​2272
• chore: remove unused update-metro.js script by @​szymonrybczak in #​2281
• docs: update iOS auto-linking docs after adding support for PNPM and workspace setups by @​felipebrahm in #​2300
• docs: update --tasks option description by @​szymonrybczak in #​2290
• refactor: improved type safety of platformConfig in createRun function by @​hoonjoo-park in #​2286

New Contributors

• @​AnnatarHe made their first contribution in #​2196
• @​aajahid made their first contribution in #​2236
• @​snowleopard17 made their first contribution in #​2238
• @​atomicpages made their first contribution in #​2250
• @​ahruss made their first contribution in #​2201
• @​abejfehr made their first contribution in #​2280
• @​felipebrahm made their first contribution in #​2300
• @​jbroma made their first contribution in #​2292
• @​hoonjoo-park made their first contribution in #​2286

Full Changelog: react-native-community/cli@v12.3.6...v13.6.1

v13.6.0

Compare Source

v13.5.2

Compare Source

v13.5.1

Compare Source

v13.5.0

Compare Source

v13.4.0

Compare Source

v13.3.0

Compare Source

v13.2.0

Compare Source

v13.1.0: v12.3.0

Compare Source

What's Changed

• fix: remove automatic config file generation by @​okwasniewski in #​2203
• feat: add manual Cocoapods installation info by @​okwasniewski in #​2204

Full Changelog: react-native-community/cli@v13.0.1...v13.1.0

v13.0.1

Compare Source

v13.0.0

Compare Source

What's Changed

• fix: warning in README.md by @​szymonrybczak in #​2190
• ci: properly cache gradle by @​szymonrybczak in #​2150

Full Changelog: react-native-community/cli@v12.2.0...v13.0.0

v12.3.7

Compare Source

v12.3.6

Compare Source

What's Changed

• fix(12.x): replace ip package with default value and --host flag by @​szymonrybczak in #​2301

Full Changelog: react-native-community/cli@v12.3.5...v12.3.6

v12.3.5

Compare Source

What's changed

• fix(ios): types when passing port to env in xcodebuild (#​2245) @​szymonrybczak

Full Changelog: react-native-community/cli@v12.3.4...v12.3.5

v12.3.4

Compare Source

What's Changed

• fix: launching activity defined with fully qualified name (#​2269) by @​tido64 in #​2283

Full Changelog: react-native-community/cli@v12.3.3...v12.3.4

v12.3.3

Compare Source

What's Changed

• fix(12.x): allow users to specificy --device without value by @​szymonrybczak in #​2265

Full Changelog: react-native-community/cli@v12.3.2...v12.3.3

v12.3.2

Compare Source

What's Changed

• cherry pick "fix: replacing package name in Kotlin template (#​2209)" by @​thymikee in #​2255

Full Changelog: react-native-community/cli@v12.3.1...v12.3.2

v12.3.1

Compare Source

Fixes

• Fix for run-android on windows. (#​2236) @​aajahid
• fix(init): use yarn as package manager when calling init with npx (#​2216) @​szymonrybczak

Full Changelog: react-native-community/cli@v12.3.0...v12.3.1

v12.3.0

Compare Source

What's Changed

• fix: remove automatic config file generation by @​okwasniewski in #​2203
• feat: add manual Cocoapods installation info by @​okwasniewski in #​2204

Full Changelog: react-native-community/cli@v12.2.1...v12.3.0

v12.2.1

Compare Source

v12.2.0

Compare Source

Changes

🚀 Features

• feat: mention doctor command in issue template @​szymonrybczak (#​2186)
• feat: add --skip-git-init to opt out git init @​szymonrybczak (#​2177)

🐛 Bug Fixes

• fix: warning in README.md @​szymonrybczak (#​2190)
• fix: remove error when main activity not found in AndroidManifest.xml @​szymonrybczak (#​2187)
• fix(ios): run-ios command @​TMisiukiewicz (#​2173)
• fix(types): IOSScriptPhase accepts "always_out_of_date" @​mikehardy (#​2182)
• fix: check for main manifest if multiple are present @​WoLewicki (#​2174)

🧰 Maintenance

5 changes

• Add Android/iOS Sections to CODEOWNERS @​cortinico (#​2175)
• docs: mention running CLI from source @​szymonrybczak (#​2176)
• docs: sync init docs with current state @​szymonrybczak (#​2178)
• chore(android): remove root argument @​szymonrybczak (#​2164)
• chore(ios): remove deprecated param in use_native_modules @​szymonrybczak (#​2185)
• feat: mention doctor command in issue template @​szymonrybczak (#​2186)
• feat(docs): mention running CLI from source @​szymonrybczak (#​2176)
• feat(docs): sync init docs with current state @​szymonrybczak (#​2178)
• Fix native_modules.rb tests @​thymikee (#​2188)

Full Changelog: react-native-community/cli@v12.1.1...v12.2.0

v12.1.1

Compare Source

What's Changed

• fix: platform-name option causing regressions for other commands by @​okwasniewski in #​2171
• fix: make sure command is passed by @​szymonrybczak in #​2172

Full Changelog: react-native-community/cli@v12.1.0...v12.1.1

v12.1.0

Compare Source

🚀 Features

• feat(ios): sort simulators to get iOS first @​szymonrybczak (#​2153)
• feat: add --platform-name option to init for out of tree platforms init @​okwasniewski (#​2170)

🐛 Bug Fixes

• fix: remove hardcoded android path @​szymonrybczak (#​2158)

🧰 Maintenance

• fix(ci): setup global git user @​szymonrybczak (#​2157)
• fix: delete unused runUntil function @​szymonrybczak (#​2147)
• fix(e2e): correctly link packages @​szymonrybczak (#​2148)
• chore: replace fs.rmdir with fs.rm @​szymonrybczak (#​2160)
• Revert "chore(e2e): check for undefined code before printing fail" @​szymonrybczak (#​2152)
• chore: Changing node version missed during metro dependencies upgrade @​arushikesarwani94 (#​2015)
• ci: bump java to 17 @​szymonrybczak (#​2149)

Full Changelog: react-native-community/cli@v12.0.0...v12.1.0

v12.0.0

Compare Source

This version of React Native CLI targets React Native 0.73 and includes numerous bug fixes, features and performance improvements.

Breaking changes

• change default taskPrefix in build-android command from assemble to bundle by @​szymonrybczak in #​1913
• update Node minimum version to 18 by @​Shubham1429 in #​1986
• Fix ability to override commands via config by @​huntie in #​1999
• Remove fallback flow for Metro config defaults (0.73) by @​huntie in [#​1972](https://redirect.github.com/react-native-community/cli/pull/

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.