…1692)

Bumps
[fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser)
from 4.5.4 to 4.5.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/releases">fast-xml-parser's
releases</a>.</em></p>
<blockquote>
<h2>Summary update on all the previous releases from v4.2.4</h2>
<ul>
<li>Multiple minor fixes provided in the validator and parser</li>
<li>v6 is added for experimental use.</li>
<li>ignoreAttributes support function, and array of string or regex</li>
<li>Add support for parsing HTML numeric entities</li>
<li>v5 of the application is ESM module now. However, JS is also
supported</li>
</ul>
<p><strong>Note</strong>: Release section in not updated frequently.
Please check <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">CHANGELOG</a>
or <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/tags">Tags</a>
for latest release information.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md">fast-xml-parser's
changelog</a>.</em></p>
<blockquote>
<p><!-- raw HTML omitted -->Note: If you find missing information about
particular minor version, that version must have been changed without
any functional change in this library.<!-- raw HTML omitted --></p>
<p>Note: Due to some last quick changes on v4, detail of v4.5.3 &amp;
v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github
repository. I'm extremely sorry for the confusion</p>
<p><strong>4.5.5 / 2026-03-22</strong></p>
<p>apply fixes from v5 (legacy maintenance branch v4-maintenance)</p>
<ul>
<li>support maxEntityCount</li>
<li>support onDangerousProperty</li>
<li>support maxNestedTags</li>
<li>handle prototype pollution</li>
<li>fix incorrect entity name replacement</li>
<li>fix incorrect condition for entity expansion</li>
</ul>
<p><strong>5.5.8 / 2026-03-20</strong></p>
<ul>
<li>pass read only matcher in callback</li>
</ul>
<p><strong>5.5.7 / 2026-03-19</strong></p>
<ul>
<li>fix: entity expansion limits</li>
<li>update strnum package to 2.2.0</li>
</ul>
<p><strong>5.5.6 / 2026-03-16</strong></p>
<ul>
<li>update builder dependency</li>
<li>fix incorrect regex to replace . in entity name</li>
<li>fix check for entitiy expansion for lastEntities and html entities
too</li>
</ul>
<p><strong>5.5.5 / 2026-03-13</strong></p>
<ul>
<li>sanitize dangerous tag or attribute name</li>
<li>error on critical property name</li>
<li>support onDangerousProperty option</li>
</ul>
<p><strong>5.5.4 / 2026-03-13</strong></p>
<ul>
<li>declare Matcher &amp; Expression as unknown so user is not forced to
install path-expression-matcher</li>
</ul>
<p><strong>5.5.3 / 2026-03-11</strong></p>
<ul>
<li>upgrade builder</li>
</ul>
<p><strong>5.5.2 / 2026-03-11</strong></p>
<ul>
<li>update dependency to fix typings</li>
</ul>
<p><strong>5.5.1 / 2026-03-10</strong></p>
<ul>
<li>fix dependency</li>
</ul>
<p><strong>5.5.0 / 2026-03-10</strong></p>
<ul>
<li>support path-expression-matcher</li>
<li>fix: stopNode should not be parsed</li>
<li>performance improvement for stopNode checking</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/88d0936a23dabe51bfbf42255e2ce912dfee2221"><code>88d0936</code></a>
apply all fixes from v5</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/d4eb6b4713a8d11e6730943392419040898ecbc0"><code>d4eb6b4</code></a>
update release version</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/b1b9f633ff30cb4708337355c2789f08bc0558d2"><code>b1b9f63</code></a>
update release info</li>
<li><a
href="https://github.com/NaturalIntelligence/fast-xml-parser/commit/faccca126e1db96b90084adda6fbe2ea2ed434e7"><code>faccca1</code></a>
sync with v5.3.9</li>
<li>See full diff in <a
href="https://github.com/NaturalIntelligence/fast-xml-parser/compare/v4.5.4...v4.5.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=fast-xml-parser&package-manager=npm_and_yarn&previous-version=4.5.4&new-version=4.5.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️ 

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to
2.3.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/picomatch/releases">picomatch's
releases</a>.</em></p>
<blockquote>
<h2>2.3.2</h2>
<p>This is a security release fixing several security relevant
issues.</p>
<h2>What's Changed</h2>
<ul>
<li>fix: exception when glob pattern contains constructor by <a
href="https://github.com/Jason3S"><code>@​Jason3S</code></a> in <a
href="https://redirect.github.com/micromatch/picomatch/pull/144">micromatch/picomatch#144</a></li>
<li>Fix for <a
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a></li>
<li>Fix for <a
href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2">https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md">picomatch's
changelog</a>.</em></p>
<blockquote>
<h1>Release history</h1>
<p><strong>All notable changes to this project will be documented in
this file.</strong></p>
<p>The format is based on <a
href="http://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>
and this project adheres to <a
href="http://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.</p>
<!-- raw HTML omitted -->
<ul>
<li>Changelogs are for humans, not machines.</li>
<li>There should be an entry for every single version.</li>
<li>The same types of changes should be grouped.</li>
<li>Versions and sections should be linkable.</li>
<li>The latest version comes first.</li>
<li>The release date of each versions is displayed.</li>
<li>Mention whether you follow Semantic Versioning.</li>
</ul>
<!-- raw HTML omitted -->
<!-- raw HTML omitted -->
<p>Changelog entries are classified using the following labels <em>(from
<a href="http://keepachangelog.com/">keep-a-changelog</a></em>):</p>
<ul>
<li><code>Added</code> for new features.</li>
<li><code>Changed</code> for changes in existing functionality.</li>
<li><code>Deprecated</code> for soon-to-be removed features.</li>
<li><code>Removed</code> for now removed features.</li>
<li><code>Fixed</code> for any bug fixes.</li>
<li><code>Security</code> in case of vulnerabilities.</li>
</ul>
<!-- raw HTML omitted -->
<h2>4.0.0 (2024-02-07)</h2>
<h3>Fixes</h3>
<ul>
<li>Fix bad text values in parse <a
href="https://redirect.github.com/micromatch/picomatch/issues/126">#126</a>,
thanks to <a
href="https://github.com/connor4312"><code>@​connor4312</code></a></li>
</ul>
<h3>Changed</h3>
<ul>
<li>Remove process global to work outside of node <a
href="https://redirect.github.com/micromatch/picomatch/issues/129">#129</a>,
thanks to <a
href="https://github.com/styfle"><code>@​styfle</code></a></li>
<li>Add sideEffects to package.json <a
href="https://redirect.github.com/micromatch/picomatch/issues/128">#128</a>,
thanks to <a
href="https://github.com/frandiox"><code>@​frandiox</code></a></li>
<li>Removed <code>os</code>, make compatible browser environment. See <a
href="https://redirect.github.com/micromatch/picomatch/issues/124">#124</a>,
thanks to <a
href="https://github.com/gwsbhqt"><code>@​gwsbhqt</code></a></li>
</ul>
<h2>3.0.1</h2>
<h3>Fixes</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/micromatch/picomatch/commit/81cba8d4b767cab3cb29d26eb4f691eed75b73b2"><code>81cba8d</code></a>
Publish 2.3.2</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/fc1f6b69006e9435caf8fb40d8aff378bc0b7bce"><code>fc1f6b6</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/eec17aee5428a7249e9ca5adbb8a0d28fa29619b"><code>eec17ae</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/78f8ca4362d9e66cadea97b93e292f10096452ed"><code>78f8ca4</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/picomatch/issues/156">#156</a>
from micromatch/backport-144</li>
<li><a
href="https://github.com/micromatch/picomatch/commit/3f4f10eaa65bf3a52e8f2999674cd27e11fa3c9b"><code>3f4f10e</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/picomatch/issues/144">#144</a>
from Jason3S/jdent-object-properties</li>
<li>See full diff in <a
href="https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=picomatch&package-manager=npm_and_yarn&previous-version=2.3.1&new-version=2.3.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Toni Rico <[email protected]>

Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/eemeli/yaml/releases">yaml's
releases</a>.</em></p>
<blockquote>
<h2>v2.8.3</h2>
<ul>
<li>Add <code>trailingComma</code> ToString option for multiline flow
formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li>Catch stack overflow during node composition (1e84ebb)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eemeli/yaml/commit/ce14587484822bffb0f7d31aefedcaf2dc0d0387"><code>ce14587</code></a>
2.8.3</li>
<li><a
href="https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b"><code>1e84ebb</code></a>
fix: Catch stack overflow during node composition</li>
<li><a
href="https://github.com/eemeli/yaml/commit/6b24090280eaaab5040112bba41ccef57f39c2d5"><code>6b24090</code></a>
ci: Include Prettier check in lint action</li>
<li><a
href="https://github.com/eemeli/yaml/commit/9424dee38c85163fad53ac27533c7c4bdaf7495d"><code>9424dee</code></a>
chore: Refresh lockfile</li>
<li><a
href="https://github.com/eemeli/yaml/commit/d1aca82bc15a4c261bdc58561d32189a5d3a45ef"><code>d1aca82</code></a>
Add trailingComma ToString option for multiline flow formatting (<a
href="https://redirect.github.com/eemeli/yaml/issues/670">#670</a>)</li>
<li><a
href="https://github.com/eemeli/yaml/commit/43215099f7fcdac422d778c15e70d83c691b0e41"><code>4321509</code></a>
ci: Drop the branch filter from GitHub PR actions</li>
<li><a
href="https://github.com/eemeli/yaml/commit/47207d0fc7d4f863cd5fbdcff1378637bd93e847"><code>47207d0</code></a>
chore: Update docs-slate</li>
<li><a
href="https://github.com/eemeli/yaml/commit/5212faeed5936d1fa291d2f28672e4a96e2c2c5d"><code>5212fae</code></a>
chore: Update docs-slate</li>
<li>See full diff in <a
href="https://github.com/eemeli/yaml/compare/v2.8.2...v2.8.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=yaml&package-manager=npm_and_yarn&previous-version=2.8.2&new-version=2.8.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

[//]: # (dependabot-start)
⚠️  **Dependabot is rebasing this PR** ⚠️ 

Rebasing might not happen immediately, so don't worry if this takes some
time.

Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.

---

[//]: # (dependabot-end)

Bumps [yaml](https://github.com/eemeli/yaml) from 1.10.2 to 1.10.3.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eemeli/yaml/commit/cfe8f0437054ff5fbfe6499894f55b3316a54959"><code>cfe8f04</code></a>
1.10.3</li>
<li><a
href="https://github.com/eemeli/yaml/commit/7abcf45dd63f0bc626890ad9a8cdeb397f92be73"><code>7abcf45</code></a>
fix: Catch stack overflow during CST composition</li>
<li><a
href="https://github.com/eemeli/yaml/commit/a0252f8b056f49875d1b79edb8709cff7d7d0dc6"><code>a0252f8</code></a>
chore: Add rules avoiding processing of tests/json-test-suite</li>
<li><a
href="https://github.com/eemeli/yaml/commit/a5e83b05f7124c31b4784b613f0c669959a5ed48"><code>a5e83b0</code></a>
style: Apply updates Prettier rules</li>
<li><a
href="https://github.com/eemeli/yaml/commit/b8ddca0a5d4794a3c60f252d3513e6ff7068fdf0"><code>b8ddca0</code></a>
chore: Refresh lockfile</li>
<li><a
href="https://github.com/eemeli/yaml/commit/395f892ec9a26b9038c8db388b675c3281ab8cd3"><code>395f892</code></a>
ci: Use a different (working) submodule checkout</li>
<li><a
href="https://github.com/eemeli/yaml/commit/6fd272052751775e48196024d4bed639cc1e0350"><code>6fd2720</code></a>
test-events: Add {} and [] indicators to flow maps &amp; sequences</li>
<li>See full diff in <a
href="https://github.com/eemeli/yaml/compare/v1.10.2...v1.10.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=yaml&package-manager=npm_and_yarn&previous-version=1.10.2&new-version=1.10.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…1699)

Bumps
[fastlane-plugin-revenuecat_internal](https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal)
from `9a6911b` to `f11fe40`.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/commit/f11fe4027ace451efa36c1bf6f4fc1742f5025d6"><code>f11fe40</code></a>
Add merge queue support to merge_pr action (<a
href="https://redirect.github.com/RevenueCat/fastlane-plugin-revenuecat_internal/issues/120">#120</a>)</li>
<li>See full diff in <a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/compare/9a6911be3659cd14fe62ada4cbae3a2f8792691c...f11fe4027ace451efa36c1bf6f4fc1742f5025d6">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [node-forge](https://github.com/digitalbazaar/forge) from 1.3.3 to
1.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/digitalbazaar/forge/blob/main/CHANGELOG.md">node-forge's
changelog</a>.</em></p>
<blockquote>
<h2>1.4.0 - 2026-03-24</h2>
<h3>Security</h3>
<ul>
<li><strong>HIGH</strong>: Denial of Service in
<code>BigInteger.modInverse()</code>
<ul>
<li>A Denial of Service (DoS) vulnerability exists due to an infinite
loop in
the <code>BigInteger.modInverse()</code> function (inherited from the
bundled jsbn
library). When <code>modInverse()</code> is called with a zero value as
input, the
internal Extended Euclidean Algorithm enters an unreachable exit
condition,
causing the process to hang indefinitely and consume 100% CPU.</li>
<li>Reported by Kr0emer.</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33891">CVE-2026-33891</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx">GHSA-5gfm-wpxj-wjgq</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Signature forgery in RSA-PKCS due to ASN.1
extra field.
<ul>
<li>RSASSA PKCS#1 v1.5 signature verification accepts forged signatures
for low
public exponent keys (e=3). Attackers can forge signatures by stuffing
&quot;garbage&quot; bytes within the ASN.1 structure in order to
construct a
signature that passes verification, enabling Bleichenbacher style
forgery.
This issue is similar to CVE-2022-24771, but adds bytes in an addition
field within the ASN.1 structure, rather than outside of it.</li>
<li>Additionally, forge does not validate that signatures include a
minimum of
8 bytes of padding as defined by the specification, providing attackers
additional space to construct Bleichenbacher forgeries.</li>
<li>Reported as part of a U.C. Berkeley security research project by:
<ul>
<li>Austin Chu, Sohee Kim, and Corban Villa.</li>
</ul>
</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33894">CVE-2026-33894</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp">GHSA-ppp5-5v6c-4jwp</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: Signature forgery in Ed25519 due to missing S
&lt; L check.
<ul>
<li>Ed25519 signature verification accepts forged non-canonical
signatures
where the scalar S is not reduced modulo the group order (S &gt;= L). A
valid
signature and its S + L variant both verify in forge, while Node.js
crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by
the
specification. This class of signature malleability has been exploited
in
practice to bypass authentication and authorization logic (see
CVE-2026-25793, CVE-2022-35961). Applications relying on signature
uniqueness (i.e., dedup by signature bytes, replay tracking,
signed-object
canonicalization checks) may be bypassed.</li>
<li>Reported as part of a U.C. Berkeley security research project by:
<ul>
<li>Austin Chu, Sohee Kim, and Corban Villa.</li>
</ul>
</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33895">CVE-2026-33895</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-q67f-28xg-22rw">GHSA-q67f-28xg-22rw</a></li>
</ul>
</li>
<li><strong>HIGH</strong>: <code>basicConstraints</code> bypass in
certificate chain verification.
<ul>
<li><code>pki.verifyCertificateChain()</code> does not enforce RFC 5280
<code>basicConstraints</code>
requirements when an intermediate certificate lacks both the
<code>basicConstraints</code> and <code>keyUsage</code> extensions. This
allows any leaf
certificate (without these extensions) to act as a CA and sign other
certificates, which node-forge will accept as valid.</li>
<li>Reported by Doruk Tan Ozturk (<a
href="https://github.com/peaktwilight"><code>@​peaktwilight</code></a>)
- doruk.ch</li>
<li>CVE ID: <a
href="https://www.cve.org/CVERecord?id=CVE-2026-33896">CVE-2026-33896</a></li>
<li>GHSA ID: <a
href="https://github.com/digitalbazaar/forge/security/advisories/GHSA-2328-f5f3-gj25">GHSA-2328-f5f3-gj25</a></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/digitalbazaar/forge/commit/fa385f92440879601240020f158bed68e444e83a"><code>fa385f9</code></a>
Release 1.4.0.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/07d4e162762ed4fdab5caca9ebf78237fcf85339"><code>07d4e16</code></a>
Update changelog.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/cb90fd92091ee34e4abab3ad0c835eeea3d06c3e"><code>cb90fd9</code></a>
Update changelog.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/963e7c5c7b0f03de1b28a1e5a42a6bafda4cf711"><code>963e7c5</code></a>
Add unit test for &quot;pseudonym&quot;</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/f0b6f5b7c5d1c918240e975e0cade4f47d005446"><code>f0b6f5b</code></a>
Add pseudonym OID</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/3df48a311d4b53dc6493b7a47a8d07f3669957d9"><code>3df48a3</code></a>
Fix missing CVE ID.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/2e492832fb25227e6b647cbe1ac981c123171e90"><code>2e49283</code></a>
Add x509 <code>basicConstraints</code> check.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85"><code>bdecf11</code></a>
Add canonical signature scaler check for S &lt; L.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/af094e69c60ac5f7b29f2b1957c53ae5e12fd4a0"><code>af094e6</code></a>
Add RSA padding and DigestInfo length checks.</li>
<li><a
href="https://github.com/digitalbazaar/forge/commit/796eeb1673f6ec636fda02dfc295047d9f7aefe0"><code>796eeb1</code></a>
Improve jsbn fix.</li>
<li>Additional commits viewable in <a
href="https://github.com/digitalbazaar/forge/compare/v1.3.3...v1.4.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=node-forge&package-manager=npm_and_yarn&previous-version=1.3.3&new-version=1.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ases-hybrid-common to 17.53.0 (#1684)

**This is an automatic bump.**

Updates purchases-hybrid-common to 17.53.0

## Changes

- Bumps purchases-hybrid-common to 17.53.0
- Implements `onPromotionalOfferSucceeded` callback for
`CustomerCenterView` on Android
- Fires when a promotional offer purchase completes successfully in the
Customer Center
- Available on both the view-based path (`CustomerCenterViewManager`)
and the modal path (`RNCustomerCenterModule`)
  - Callback receives `customerInfo`, `transaction`, and `offerId`

---------

Co-authored-by: RevenueCat CI <[email protected]>
Co-authored-by: Facundo Menzella <[email protected]>
Co-authored-by: Claude Sonnet 4.6 <[email protected]>
Co-authored-by: Facundo Menzella <[email protected]>

**This is an automatic release.**

## RevenueCat SDK
### ✨ New Features
* CustomerCenter: Adds onPromotionalOfferSucceeded callback, bump
purchases-hybrid-common to 17.53.0 (#1684) via RevenueCat Git Bot
(@RCGitBot)
* [Android
9.27.0](https://github.com/RevenueCat/purchases-android/releases/tag/9.27.0)
* [iOS
5.66.0](https://github.com/RevenueCat/purchases-ios/releases/tag/5.66.0)
### 📦 Dependency Updates
* [RENOVATE] Update dependency gradle to v9.4.1 (#1688) via RevenueCat
Git Bot (@RCGitBot)

### 🔄 Other Changes
* Bump node-forge from 1.3.3 to 1.4.0 (#1700) via dependabot[bot]
(@dependabot[bot])
* Bump fastlane-plugin-revenuecat_internal from `9a6911b` to `f11fe40`
(#1699) via dependabot[bot] (@dependabot[bot])
* Bump yaml from 1.10.2 to 1.10.3 (#1695) via dependabot[bot]
(@dependabot[bot])
* Bump yaml from 2.8.2 to 2.8.3 in /examples/MagicWeather (#1698) via
dependabot[bot] (@dependabot[bot])
* Bump picomatch from 2.3.1 to 2.3.2 (#1697) via dependabot[bot]
(@dependabot[bot])
* Bump picomatch from 2.3.1 to 2.3.2 in /examples/MagicWeather (#1696)
via dependabot[bot] (@dependabot[bot])
* Bump activesupport from 7.2.2.1 to 7.2.3.1 in
/examples/purchaseTesterTypescript (#1693) via dependabot[bot]
(@dependabot[bot])
* Bump fast-xml-parser from 4.5.4 to 4.5.5 in /examples/MagicWeather
(#1692) via dependabot[bot] (@dependabot[bot])
* security: pin GitHub Actions to SHA hashes (#1691) via Alfonso
Embid-Desmet (@alfondotnet)
* Bump activesupport from 7.2.2.2 to 7.2.3.1 (#1690) via dependabot[bot]
(@dependabot[bot])
* Bump activesupport from 7.2.2.1 to 7.2.3.1 in /examples/MagicWeather
(#1689) via dependabot[bot] (@dependabot[bot])
* Merge release PR after deploy (#1686) via Antonio Pallares
(@ajpallares)
* Require PR approval before release tagging (#1685) via Antonio
Pallares (@ajpallares)
* Bump flatted from 3.3.3 to 3.4.2 in /examples/MagicWeather (#1687) via
dependabot[bot] (@dependabot[bot])
* Bump json from 2.18.1 to 2.19.2 (#1683) via dependabot[bot]
(@dependabot[bot])

---------

Co-authored-by: RevenueCat CI <[email protected]>

…1702)

Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion)
from 1.1.12 to 1.1.13.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/juliangruber/brace-expansion/commit/6c353caf23beb9644f858eb3fe38d43a68b82898"><code>6c353ca</code></a>
1.1.13</li>
<li><a
href="https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2"><code>7fd684f</code></a>
Backport fix for GHSA-f886-m6hf-6m8v (<a
href="https://redirect.github.com/juliangruber/brace-expansion/issues/95">#95</a>)</li>
<li>See full diff in <a
href="https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.13">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=brace-expansion&package-manager=npm_and_yarn&previous-version=1.1.12&new-version=1.1.13)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…rm_purchase utility

Update purchase_through_paywall.yaml to assert Paywall V2, tap Yearly/Continue
(matching purchases-ios), and add utils/confirm_purchase.yaml with conditional
flows for iOS (app_store) and Android (test_store) purchase confirmation.

Made-with: Cursor

Made-with: Cursor

Made-with: Cursor

… alert text

Made-with: Cursor

Made-with: Cursor

## Summary
- Bumps `react-native` devDependency from 0.73.5 to 0.78.0 in root and
`react-native-purchases-ui`
- Removes `@types/react-native` resolution (not needed for RN 0.78+)
- Adds explicit `@react-native-community/cli` devDependencies to
purchaseTesterTypescript (RN 0.78+ no longer bundles CLI packages)

## Test plan
- [x] `yarn install` produces stable lockfile (no diff on second run)
- [x] `yarn test` — all 200 tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <[email protected]>

## Summary
- Add `AGENTS.md` with guidelines for AI coding agents working on this
SDK
- Add `.claude/` to `.gitignore`

The file includes:
- Project overview and architecture (including web support)
- Development setup commands
- Public API stability rules
- Code structure and architecture layers
- Constraints and support policy
- Testing and development workflow
- Pull request label conventions
- Guardrails for safe development

Based on [Callstack's
agent-skills](https://github.com/nickhudkins/agent-skills)
recommendations.

---------

Co-authored-by: Claude Opus 4.5 <[email protected]>
Co-authored-by: Cesar de la Vega <[email protected]>

**This is an automatic bump.**

Updates purchases-hybrid-common to 17.54.0

---------

Co-authored-by: RevenueCat CI <[email protected]>
Co-authored-by: Toni Rico <[email protected]>
Co-authored-by: Toni Rico <[email protected]>

…1707)

Bumps
[fastlane-plugin-revenuecat_internal](https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal)
from `f11fe40` to `b5a7159`.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/commit/b5a7159c662d288727df9e8d5d00bdc5df396b2c"><code>b5a7159</code></a>
Only append native release links to the latest phc_dependencies PR (<a
href="https://redirect.github.com/RevenueCat/fastlane-plugin-revenuecat_internal/issues/122">#122</a>)</li>
<li>See full diff in <a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/compare/f11fe4027ace451efa36c1bf6f4fc1742f5025d6...b5a7159c662d288727df9e8d5d00bdc5df396b2c">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

**This is an automatic release.**

## RevenueCat SDK
### 📦 Dependency Updates
* [AUTOMATIC BUMP] Updates purchases-hybrid-common to 17.54.0 (#1706)
via RevenueCat Git Bot (@RCGitBot)
* [Android
9.28.1](https://github.com/RevenueCat/purchases-android/releases/tag/9.28.1)
* [Android
9.28.0](https://github.com/RevenueCat/purchases-android/releases/tag/9.28.0)
* [iOS
5.67.0](https://github.com/RevenueCat/purchases-ios/releases/tag/5.67.0)

### 🔄 Other Changes
* Bump fastlane-plugin-revenuecat_internal from `f11fe40` to `b5a7159`
(#1707) via dependabot[bot] (@dependabot[bot])
* Add AGENTS.md for AI coding assistants (#1616) via Facundo Menzella
(@facumenzella)
* chore: bump react-native devDependency from 0.73.5 to 0.78.0 (#1704)
via Cesar de la Vega (@vegaro)
* Fix known security vulnerabilities in dependencies (#1703) via Cesar
de la Vega (@vegaro)
* Bump brace-expansion from 1.1.12 to 1.1.13 in /examples/MagicWeather
(#1702) via dependabot[bot] (@dependabot[bot])

---------

Co-authored-by: RevenueCat CI <[email protected]>

…1713)

Bumps
[fastlane-plugin-revenuecat_internal](https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal)
from `b5a7159` to `5d6e93f`.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/commit/5d6e93f4b0684ddc1ee65c993f747bc2adc82307"><code>5d6e93f</code></a>
Add filter_labels and exclude_labels to auto_generate_changelog (<a
href="https://redirect.github.com/RevenueCat/fastlane-plugin-revenuecat_internal/issues/121">#121</a>)</li>
<li>See full diff in <a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/compare/b5a7159c662d288727df9e8d5d00bdc5df396b2c...5d6e93f4b0684ddc1ee65c993f747bc2adc82307">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lodash/lodash/releases">lodash's
releases</a>.</em></p>
<blockquote>
<h2>4.18.1</h2>
<h2>Bugs</h2>
<p>Fixes a <code>ReferenceError</code> issue in <code>lodash</code>
<code>lodash-es</code> <code>lodash-amd</code> and
<code>lodash.template</code> when using the <code>template</code> and
<code>fromPairs</code> functions from the modular builds. See <a
href="https://redirect.github.com/lodash/lodash/issues/6167#issuecomment-4165269769">lodash/lodash#6167</a></p>
<p>These defects were related to how lodash distributions are built from
the main branch using <a
href="https://github.com/lodash-archive/lodash-cli">https://github.com/lodash-archive/lodash-cli</a>.
When internal dependencies change inside lodash functions, equivalent
updates need to be made to a mapping in the lodash-cli. (hey, it was
ahead of its time once upon a time!). We know this, but we missed it in
the last release. It's the kind of thing that passes in CI, but fails bc
the build is not the same thing you tested.</p>
<p>There is no diff on main for this, but you can see the diffs for each
of the npm packages on their respective branches:</p>
<ul>
<li><code>lodash</code>: <a
href="https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm">https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm</a></li>
<li><code>lodash-es</code>: <a
href="https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es">https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es</a></li>
<li><code>lodash-amd</code>: <a
href="https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd">https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd</a></li>
<li><code>lodash.template</code><a
href="https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages">https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages</a></li>
</ul>
<h2>4.18.0</h2>
<h2>v4.18.0</h2>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/lodash/lodash/compare/4.17.23...4.18.0">https://github.com/lodash/lodash/compare/4.17.23...4.18.0</a></p>
<h3>Security</h3>
<p><strong><code>_.unset</code> / <code>_.omit</code></strong>: Fixed
prototype pollution via <code>constructor</code>/<code>prototype</code>
path traversal (<a
href="https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh">GHSA-f23m-r3pf-42rh</a>,
<a
href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b">fe8d32e</a>).
Previously, array-wrapped path segments and primitive roots could bypass
the existing guards, allowing deletion of properties from built-in
prototypes. Now <code>constructor</code> and <code>prototype</code> are
blocked unconditionally as non-terminal path keys, matching
<code>baseSet</code>. Calls that previously returned <code>true</code>
and deleted the property now return <code>false</code> and leave the
target untouched.</p>
<p><strong><code>_.template</code></strong>: Fixed code injection via
<code>imports</code> keys (<a
href="https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc">GHSA-r5fr-rjxr-66jc</a>,
CVE-2026-4800, <a
href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6">879aaa9</a>).
Fixes an incomplete patch for CVE-2021-23337. The <code>variable</code>
option was validated against <code>reForbiddenIdentifierChars</code> but
<code>importsKeys</code> was left unguarded, allowing code injection via
the same <code>Function()</code> constructor sink. <code>imports</code>
keys containing forbidden identifier characters now throw
<code>&quot;Invalid imports option passed into
_.template&quot;</code>.</p>
<h3>Docs</h3>
<ul>
<li>Add security notice for <code>_.template</code> in threat model and
API docs (<a
href="https://redirect.github.com/lodash/lodash/pull/6099">#6099</a>)</li>
<li>Document <code>lower &gt; upper</code> behavior in
<code>_.random</code> (<a
href="https://redirect.github.com/lodash/lodash/pull/6115">#6115</a>)</li>
<li>Fix quotes in <code>_.compact</code> jsdoc (<a
href="https://redirect.github.com/lodash/lodash/pull/6090">#6090</a>)</li>
</ul>
<h3><code>lodash.*</code> modular packages</h3>
<p><a
href="https://redirect.github.com/lodash/lodash/pull/6157">Diff</a></p>
<p>We have also regenerated and published a select number of the
<code>lodash.*</code> modular packages.</p>
<p>These modular packages had fallen out of sync significantly from the
minor/patch updates to lodash. Specifically, we have brought the
following packages up to parity w/ the latest lodash release because
they have had CVEs on them in the past:</p>
<ul>
<li><a
href="https://www.npmjs.com/package/lodash.orderby">lodash.orderby</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.tonumber">lodash.tonumber</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.trim">lodash.trim</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.trimend">lodash.trimend</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.sortedindexby">lodash.sortedindexby</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.zipobjectdeep">lodash.zipobjectdeep</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.unset">lodash.unset</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.omit">lodash.omit</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.template">lodash.template</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lodash/lodash/commit/cb0b9b9212521c08e3eafe7c8cb0af1b42b6649e"><code>cb0b9b9</code></a>
release(patch): bump main to 4.18.1 (<a
href="https://redirect.github.com/lodash/lodash/issues/6177">#6177</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/75535f57883b7225adb96de1cfc1cd4169cfcb51"><code>75535f5</code></a>
chore: prune stale advisory refs (<a
href="https://redirect.github.com/lodash/lodash/issues/6170">#6170</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/62e91bc6a39c98d85b9ada8c44d40593deaf82a4"><code>62e91bc</code></a>
docs: remove n_ Node.js &lt; 6 REPL note from README (<a
href="https://redirect.github.com/lodash/lodash/issues/6165">#6165</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/59be2de61f8aa9461c7856533b51d31b7d8babc4"><code>59be2de</code></a>
release(minor): bump to 4.18.0 (<a
href="https://redirect.github.com/lodash/lodash/issues/6161">#6161</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/af634573030f979194871da7c68f79420992f53d"><code>af63457</code></a>
fix: broken tests for _.template 879aaa9</li>
<li><a
href="https://github.com/lodash/lodash/commit/1073a7693e1727e0cf3641e5f71f75ddcf8de7c0"><code>1073a76</code></a>
fix: linting issues</li>
<li><a
href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6"><code>879aaa9</code></a>
fix: validate imports keys in _.template</li>
<li><a
href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b"><code>fe8d32e</code></a>
fix: block prototype pollution in baseUnset via constructor/prototype
traversal</li>
<li><a
href="https://github.com/lodash/lodash/commit/18ba0a32f42fd02117f096b032f89c984173462d"><code>18ba0a3</code></a>
refactor(fromPairs): use baseAssignValue for consistent assignment (<a
href="https://redirect.github.com/lodash/lodash/issues/6153">#6153</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/b8190803d48d60b8c80ad45d39125f32fa618cb2"><code>b819080</code></a>
ci: add dist sync validation workflow (<a
href="https://redirect.github.com/lodash/lodash/issues/6137">#6137</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lodash/lodash/compare/4.17.23...4.18.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=lodash&package-manager=npm_and_yarn&previous-version=4.17.23&new-version=4.18.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/RevenueCat/react-native-purchases/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…1715)

Bumps
[fastlane-plugin-revenuecat_internal](https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal)
from `5d6e93f` to `6289be1`.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/commit/6289be1dcdf7efc57682b284be9bdb1db3efbe69"><code>6289be1</code></a>
Add optional commitish parameter to create_github_release (<a
href="https://redirect.github.com/RevenueCat/fastlane-plugin-revenuecat_internal/issues/123">#123</a>)</li>
<li>See full diff in <a
href="https://github.com/RevenueCat/fastlane-plugin-revenuecat_internal/compare/5d6e93f4b0684ddc1ee65c993f747bc2adc82307...6289be1dcdf7efc57682b284be9bdb1db3efbe69">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Resolve yarn.lock conflict by regenerating.

Made-with: Cursor