Upgrade semver and json5 for remove security vulnerabilities (expo#23113

)

# Why
Integrate Expo SDK in a bare flow project, creates new security
vulnerabilities.

![Screenshot 2023-06-26 at 9 52 16
AM](https://github.com/expo/expo/assets/10479750/590f3bae-e1e0-4452-9669-3aebb3641e0a)

This PR upgrade the Libs to remove those vulnerabilities


[CVE-2022-46175](https://www.mend.io/vulnerability-database/CVE-2022-46175)

[CVE-2023-0842](https://www.mend.io/vulnerability-database/CVE-2023-0842)
- It's already up to date

[CVE-2022-25883](https://www.mend.io/vulnerability-database/CVE-2022-25883)

[CVE-2022-25883](https://www.mend.io/vulnerability-database/CVE-2022-25883)

<!--
Please describe the motivation for this PR, and link to relevant GitHub
issues, forums posts, or feature requests.
-->

# How
It's a simple non-break changes lib upgrades
<!--
How did you build this feature or fix this bug and why?
-->

# Test Plan
CI should pass
<!--
Please describe how you tested this change and how a reviewer could
reproduce your test, especially if this PR does not include automated
tests! If possible, please also provide terminal output and/or
screenshots demonstrating your test/reproduction.
-->

# Checklist

<!--
Please check the appropriate items below if they apply to your diff.
This is required for changes to Expo modules.
-->

- [x] Documentation is up to date to reflect these changes (eg:
https://docs.expo.dev and README.md).
- [x] Conforms with the [Documentation Writing Style
Guide](https://github.com/expo/expo/blob/main/guides/Expo%20Documentation%20Writing%20Style%20Guide.md)
- [x] This diff will work correctly for `npx expo prebuild` & EAS Build
(eg: updated a module plugin).

---------

Co-authored-by: Brent Vatne <[email protected]>

home/package.json

@@ -70,7 +70,7 @@
     "react-string-replace": "^0.4.4",
     "redux": "^4.0.5",
     "redux-thunk": "^2.3.0",
-    "semver": "^7.3.5",
+    "semver": "^7.5.3",
     "sha1": "^1.1.1",
     "url": "^0.11.0"
   },
@@ -84,7 +84,7 @@
     "@types/lodash": "^4.14.161",
     "@types/react": "~18.0.14",
     "@types/react-redux": "^7.1.16",
-    "@types/semver": "^7.3.6",
+    "@types/semver": "^7.5.0",
     "@types/sha1": "^1.1.2",
     "expo-module-scripts": "^3.0.0",
     "jest-expo": "~49.0.0-alpha.1",

packages/@expo/cli/CHANGELOG.md

@@ -12,6 +12,8 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 0.10.2 — 2023-06-24
 
 _This version does not introduce any user-facing changes._

packages/@expo/cli/package.json

@@ -89,7 +89,7 @@
     "require-from-string": "^2.0.2",
     "requireg": "^0.2.2",
     "resolve-from": "^5.0.0",
-    "semver": "^6.3.0",
+    "semver": "^7.5.3",
     "send": "^0.18.0",
     "slugify": "^1.3.4",
     "structured-headers": "^0.4.1",

packages/@expo/config-plugins/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 7.2.1 — 2023-06-24
 
 ### 🐛 Bug fixes

packages/@expo/config-plugins/package.json

@@ -43,7 +43,7 @@
     "getenv": "^1.0.0",
     "glob": "7.1.6",
     "resolve-from": "^5.0.0",
-    "semver": "^7.3.5",
+    "semver": "^7.5.3",
     "slash": "^3.0.0",
     "xcode": "^3.0.1",
     "xml2js": "0.6.0"

packages/@expo/config/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 8.1.0 — 2023-06-21
 
 _This version does not introduce any user-facing changes._

packages/@expo/config/package.json

@@ -40,7 +40,7 @@
     "glob": "7.1.6",
     "require-from-string": "^2.0.2",
     "resolve-from": "^5.0.0",
-    "semver": "7.3.2",
+    "semver": "7.5.3",
     "slugify": "^1.3.4",
     "sucrase": "^3.20.0"
   },

packages/@expo/dev-server/package.json

@@ -43,7 +43,7 @@
     "node-fetch": "^2.6.0",
     "open": "^8.3.0",
     "resolve-from": "^5.0.0",
-    "semver": "7.3.2",
+    "semver": "7.5.3",
     "serialize-error": "6.0.0",
     "temp-dir": "^2.0.0"
   },

packages/@expo/prebuild-config/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 6.2.3 — 2023-06-24
 
 ### 🐛 Bug fixes

packages/@expo/prebuild-config/package.json

@@ -43,7 +43,7 @@
     "debug": "^4.3.1",
     "fs-extra": "^9.0.0",
     "resolve-from": "^5.0.0",
-    "semver": "7.3.2",
+    "semver": "7.5.3",
     "xml2js": "0.6.0"
   },
   "peerDependencies": {

packages/expo-build-properties/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 0.8.1 — 2023-06-23
 
 _This version does not introduce any user-facing changes._

packages/expo-build-properties/package.json

@@ -32,7 +32,7 @@
   "homepage": "https://docs.expo.dev/versions/latest/sdk/build-properties",
   "dependencies": {
     "ajv": "^8.11.0",
-    "semver": "^7.3.5"
+    "semver": "^7.5.3"
   },
   "devDependencies": {
     "expo-module-scripts": "^3.0.0"

packages/expo-dev-launcher/CHANGELOG.md

@@ -12,6 +12,8 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 2.4.2 — 2023-06-23
 
 ### 🐛 Bug fixes

packages/expo-dev-launcher/package.json

@@ -32,7 +32,7 @@
   "dependencies": {
     "expo-dev-menu": "3.1.2",
     "resolve-from": "^5.0.0",
-    "semver": "^7.3.5"
+    "semver": "^7.5.3"
   },
   "devDependencies": {
     "@babel/plugin-proposal-export-namespace-from": "^7.18.6",

packages/expo-dev-menu/CHANGELOG.md

@@ -10,6 +10,7 @@
 
 ### 💡 Others
 
+- Upgrade `semver` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
 - Remove unused fonts. ([#23107](https://github.com/expo/expo/pull/23107) by [@gabrieldonadel](https://github.com/gabrieldonadel))
 
 ## 3.1.2 — 2023-06-23

packages/expo-dev-menu/package.json

@@ -49,7 +49,7 @@
   },
   "dependencies": {
     "expo-dev-menu-interface": "1.3.0",
-    "semver": "^7.3.5"
+    "semver": "^7.5.3"
   },
   "devDependencies": {
     "@apollo/client": "^3.4.10",

packages/jest-expo/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### 💡 Others
 
+- upgrade `json5` lib. ([#23113](https://github.com/expo/expo/pull/23113) by [@felipemillhouse](https://github.com/felipemillhouse))
+
 ## 49.0.0-alpha.4 — 2023-06-24
 
 ### 🎉 New features

packages/jest-expo/package.json

@@ -38,7 +38,7 @@
     "jest-watch-select-projects": "^2.0.0",
     "jest-watch-typeahead": "2.2.1",
     "jest-environment-jsdom": "^29.2.1",
-    "json5": "^2.1.0",
+    "json5": "^2.2.3",
     "lodash": "^4.17.19",
     "react-test-renderer": "18.2.0"
   },

tools/package.json

@@ -68,7 +68,7 @@
     "pretty-bytes": "^5.6.0",
     "qrcode-terminal": "^0.12.0",
     "recursive-omit-by": "^2.0.0",
-    "semver": "^7.5.2",
+    "semver": "^7.5.3",
     "sharp": "^0.30.5",
     "strip-ansi": "^6.0.0",
     "terminal-link": "^2.1.1",
@@ -90,7 +90,7 @@
     "@types/klaw-sync": "^6.0.1",
     "@types/node": "^16.18.11",
     "@types/node-fetch": "^2.6.2",
-    "@types/semver": "^7.3.12",
+    "@types/semver": "^7.5.0",
     "eslint": "^8.29.0",
     "eslint-config-universe": "^11.1.1",
     "eslint-plugin-lodash": "^7.4.0",

tools/yarn.lock

@@ -2310,6 +2310,11 @@
   resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.3.12.tgz#920447fdd78d76b19de0438b7f60df3c4a80bf1c"
   integrity sha512-WwA1MW0++RfXmCr12xeYOOC5baSC9mSb0ZqCquFzKhcoF4TvHu5MKOuXsncgZcpVFhB1pXd5hZmM0ryAoCp12A==
 
+"@types/semver@^7.5.0":
+  version "7.5.0"
+  resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.5.0.tgz#591c1ce3a702c45ee15f47a42ade72c2fd78978a"
+  integrity sha512-G8hZ6XJiHnuhQKR7ZmysCeJWE08o8T0AXtk5darsCaTVsYZhhgUrq53jizaR2FvsoeCwJhlmwTjkXBY5Pn/ZHw==
+
 "@types/source-list-map@*":
   version "0.1.2"
   resolved "https://registry.yarnpkg.com/@types/source-list-map/-/source-list-map-0.1.2.tgz#0078836063ffaf17412349bba364087e0ac02ec9"
@@ -11184,13 +11189,20 @@ semver@^6.0.0, semver@^6.1.0, semver@^6.1.1, semver@^6.2.0, semver@^6.3.0:
   resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#ee0a64c8af5e8ceea67687b133761e1becbd1d3d"
   integrity sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==
 
-semver@^7.0.0, semver@^7.1.1, semver@^7.3.5, semver@^7.3.7, semver@^7.5.2:
+semver@^7.0.0, semver@^7.1.1, semver@^7.3.5, semver@^7.3.7:
   version "7.5.2"
   resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.2.tgz#5b851e66d1be07c1cdaf37dfc856f543325a2beb"
   integrity sha512-SoftuTROv/cRjCze/scjGyiDtcUyxw1rgYQSZY7XTmtR5hX+dm76iDbTH8TkLPHCQmlbQVSSbNZCPM2hb0knnQ==
   dependencies:
     lru-cache "^6.0.0"
 
+semver@^7.5.3:
+  version "7.5.3"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.3.tgz#161ce8c2c6b4b3bdca6caadc9fa3317a4c4fe88e"
+  integrity sha512-QBlUtyVk/5EeHbi7X0fw6liDZc7BBmEaSYn01fMU1OUYbf6GPsbTtd8WmnqbI20SeycoHSeiybkE/q1Q+qlThQ==
+  dependencies:
+    lru-cache "^6.0.0"
+
 semver@~7.3.2:
   version "7.3.7"
   resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.7.tgz#12c5b649afdbf9049707796e22a4028814ce523f"

yarn.lock

@@ -4371,10 +4371,10 @@
   resolved "https://registry.yarnpkg.com/@types/scheduler/-/scheduler-0.16.2.tgz#1a62f89525723dde24ba1b01b092bf5df8ad4d39"
   integrity sha512-hppQEBDmlwhFAXKJX2KnWLYu5yMfi91yazPb2l+lbJiwW+wdo1gNeRA+3RgNSO39WYX2euey41KEwnqesU2Jew==
 
-"@types/semver@^7.3.12", "@types/semver@^7.3.6":
-  version "7.3.13"
-  resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.3.13.tgz#da4bfd73f49bd541d28920ab0e2bf0ee80f71c91"
-  integrity sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==
+"@types/semver@^7.3.12", "@types/semver@^7.5.0":
+  version "7.5.0"
+  resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.5.0.tgz#591c1ce3a702c45ee15f47a42ade72c2fd78978a"
+  integrity sha512-G8hZ6XJiHnuhQKR7ZmysCeJWE08o8T0AXtk5darsCaTVsYZhhgUrq53jizaR2FvsoeCwJhlmwTjkXBY5Pn/ZHw==
 
 "@types/send@^0.17.1":
   version "0.17.1"
@@ -12453,7 +12453,7 @@ json5@^1.0.1:
   dependencies:
     minimist "^1.2.0"
 
-json5@^2.1.0, json5@^2.1.1, json5@^2.1.2, json5@^2.2.2, json5@^2.2.3:
+json5@^2.1.1, json5@^2.1.2, json5@^2.2.2, json5@^2.2.3:
   version "2.2.3"
   resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
   integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==
@@ -16820,10 +16820,10 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.2.tgz#604962b052b81ed0786aae84389ffba70ffd3938"
   integrity sha512-OrOb32TeeambH6UrhtShmF7CRDqhL6/5XpPNp2DuRH6+9QLw/orhp72j87v8Qa1ScDkvrrBNpZcDejAirJmfXQ==
 
-[email protected], semver@^7.0.0, semver@^7.3.5, semver@^7.3.7, semver@~7.3.2:
-  version "7.3.7"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.7.tgz#12c5b649afdbf9049707796e22a4028814ce523f"
-  integrity sha512-QlYTucUYOews+WeEujDoEGziz4K6c47V/Bd+LjSSYcA94p+DmINdf7ncaUinThfvZyu13lN9OY1XDxt8C0Tw0g==
+semver@7.5.3, semver@7.x, semver@^7.0.0, semver@^7.3.5, semver@^7.3.7, semver@^7.5.3:
+  version "7.5.3"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.3.tgz#161ce8c2c6b4b3bdca6caadc9fa3317a4c4fe88e"
+  integrity sha512-QBlUtyVk/5EeHbi7X0fw6liDZc7BBmEaSYn01fMU1OUYbf6GPsbTtd8WmnqbI20SeycoHSeiybkE/q1Q+qlThQ==
   dependencies:
     lru-cache "^6.0.0"
 
@@ -16837,6 +16837,13 @@ semver@^6.0.0, semver@^6.1.0, semver@^6.1.1, semver@^6.1.2, semver@^6.3.0:
   resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#ee0a64c8af5e8ceea67687b133761e1becbd1d3d"
   integrity sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==
 
+semver@~7.3.2:
+  version "7.3.7"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.7.tgz#12c5b649afdbf9049707796e22a4028814ce523f"
+  integrity sha512-QlYTucUYOews+WeEujDoEGziz4K6c47V/Bd+LjSSYcA94p+DmINdf7ncaUinThfvZyu13lN9OY1XDxt8C0Tw0g==
+  dependencies:
+    lru-cache "^6.0.0"
+
 [email protected], send@^0.18.0:
   version "0.18.0"
   resolved "https://registry.yarnpkg.com/send/-/send-0.18.0.tgz#670167cc654b05f5aa4a767f9113bb371bc706be"