security(MSDK-3377): resolve OSS vulnerabilities in sample app depend…

[asadraza-usercentrics]

User description

Summary

Resolves 51 Apiiro OSS vulnerability findings across the three sample directories (legacy-sample, example, sample) in the public GitHub repository.

• legacy-sample (13 findings) — package.json already absent from HEAD; no npm surface for scanners to flag
• example (19 findings) — directory cleaned to android/ only; no npm packages remain
• sample (19 findings) — all findings resolved via dependency upgrades:
  • eslint 8.x (EOL) → 9.39.4 with ESLint 9 flat config migration (.eslintrc.js removed, eslint.config.js added)
  • @react-native-community/cli 18.0.0 (CISA known exploit) → ^20.1.3
  • fast-xml-parser 4.5.3 → 5.7.1 (resolved transitively via cli upgrade)
  • minimatch, tar, glob, @isaacs/brace-expansion, js-yaml and all remaining Low findings resolved transitively

npm audit post-fix: 0 vulnerabilities in all directories.

Impact

• No impact on published SDK package — sample/ is not included in npm publish
• No impact on existing or new customers — SDK runtime dependencies is empty
• No SDK version bump required
• Developers running the sample app get upgraded CLI tooling (cli 20.1.3) and ESLint 9

Test Plan

• Run npm audit in sample/ — expect 0 vulnerabilities
• Run npm run android or npm run ios in sample/ to verify app still builds and runs
• Run npm run lint in sample/ to verify ESLint 9 flat config works
• Verify Apiiro findings are resolved in the Apiiro dashboard after merge

---

CodeAnt-AI Description

Update the sample app setup to use newer tooling and remove stale vulnerability-prone dependencies

What Changed

• The sample app now runs React Native commands directly instead of through npx
• The sample app’s lint setup was updated for the newer ESLint format, so checks keep working after the version upgrade
• Dependencies were refreshed to newer React Native CLI and linting packages, which removes known vulnerability findings in the sample app
• The sample app now requires a newer Node version to match the updated tooling

Impact

✅ Fewer dependency security warnings in the sample app
✅ Cleaner local app startup commands
✅ Fewer setup failures on outdated Node versions

🔄 Retrigger CodeAnt AI Review

Details

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[qodo-code-review]

ⓘ You are approaching your monthly quota for Qodo. Upgrade your plan

Review Summary by Qodo

Resolve 51 OSS vulnerabilities in sample app dependencies

🐞 Bug fix ✨ Enhancement

Walkthroughs

Description

• Upgraded ESLint from 8.x (EOL) to 9.39.4 with flat config migration
• Upgraded @react-native-community/cli from 18.0.0 to ^20.1.3 (CISA known exploit)
• Added ESLint 9 compatible dependencies and plugins for TypeScript support
• Resolved 51 OSS vulnerabilities across sample directories via dependency upgrades
• Removed npx prefix from npm scripts for direct CLI invocation

Diagram

flowchart LR
  A["ESLint 8.x EOL"] -->|upgrade to 9.39.4| B["ESLint 9 flat config"]
  C[".eslintrc.js"] -->|migrate to| D["eslint.config.js"]
  E["CLI 18.0.0 CISA exploit"] -->|upgrade to 20.1.3| F["Secure CLI tooling"]
  G["51 OSS vulnerabilities"] -->|resolved via upgrades| H["0 vulnerabilities"]

Loading

File Changes

1. sample/.eslintrc.js ⚙️ Configuration changes +0/-4

Remove legacy ESLint configuration file

• Removed legacy ESLint configuration file
• Replaced with new flat config format for ESLint 9 compatibility

sample/.eslintrc.js

---

2. sample/eslint.config.js ⚙️ Configuration changes +19/-0

Add ESLint 9 flat config with TypeScript support

• Created new ESLint 9 flat config file using FlatCompat
• Configured @react-native shared config with TypeScript plugin
• Added @typescript-eslint/no-unused-vars rule with warn severity

sample/eslint.config.js

---

3. sample/package.json Dependencies +26/-13

Upgrade dependencies and resolve OSS vulnerabilities

• Upgraded ESLint from ^8.19.0 to ^9.39.4 with new flat config dependencies
• Upgraded @react-native-community/cli from 18.0.0 to ^20.1.3 (CISA known exploit fix)
• Added TypeScript ESLint plugins and ESLint 9 compatibility packages
• Added multiple ESLint plugins for React, Jest, and code quality
• Removed npx prefix from android, ios, and start scripts
• Updated react-native-safe-area-context, react-native-screens, and react-native-webview versions
• Added @babel/eslint-parser and updated Babel dependencies

sample/package.json

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Node requirement too low ☑ 🐞 Bug ☼ Reliability

Description

The PR upgrades the sample app to @react-native-community/cli@^20.1.3 and eslint@^9.39.4, but the
sample still declares Node ">=18" (and the repo check script enforces only >=18.0). These upgraded
tools require newer Node (RN CLI/react-native require >=20.19.4; ESLint 9 requires >=18.18.0), so
installs or scripts like react-native start / eslint . can fail on Node 18.x.

Code

sample/package.json[R36-50]

+    "@react-native-community/cli": "^20.1.3",
+    "@react-native-community/cli-platform-android": "^20.1.3",
+    "@react-native-community/cli-platform-ios": "^20.1.3",
  "@react-native/babel-preset": "0.81.4",
  "@react-native/eslint-config": "0.81.4",
+    "@react-native/eslint-plugin": "^0.85.2",
  "@react-native/metro-config": "0.81.4",
  "@react-native/typescript-config": "0.81.4",
  "@types/jest": "^29.5.13",
  "@types/react": "^19.0.0",
  "@types/react-test-renderer": "^19.0.0",
-    "eslint": "^8.19.0",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
+    "@typescript-eslint/parser": "^7.18.0",
+    "eslint": "^9.39.4",
+    "eslint-config-prettier": "^10.1.8",

Evidence

The sample declares Node >=18, but the installed versions (from the checked-out PR branch)
explicitly require higher Node versions via their engines fields, and the repo’s environment check
script still permits Node 18.0. This mismatch can block dependency installation (with engine-strict)
or cause runtime failures when invoking the CLI/linter.

sample/package.json[63-65]
scripts/check-requirements.sh[80-86]
sample/package-lock.json[2806-2834]
sample/package-lock.json[10802-10848]
sample/package-lock.json[5925-5972]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`sample/package.json` (and repo tooling) currently allows Node >=18, but the upgraded React Native CLI and ESLint versions in this PR require newer Node versions (notably >=20.19.4 for `react-native` / `@react-native-community/cli`, and >=18.18.0 for ESLint 9). This mismatch can break installs and common dev scripts.
### Issue Context
- `@react-native-community/cli@20.1.3` and `react-native@0.81.4` require Node >=20.19.4 (per their `engines` fields in the lockfile).
- `eslint@9.39.4` requires Node >=18.18.0.
- The sample app currently declares `"node": ">=18"`, and the repo check script validates only Node >=18.0.
### Fix Focus Areas
- sample/package.json[63-65]
- scripts/check-requirements.sh[80-86]
- README.md[99-122]
### Expected fix
- Bump the declared Node engine requirement (recommend: `>=20.19.4` to match React Native/CLI).
- Update `scripts/check-requirements.sh` to enforce the same minimum.
- Update README instructions (optional but recommended) to match the new minimum Node requirement.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[pantoaibot]

PR Summary:

Update sample app to address OSS vulnerabilities: replace legacy ESLint config with new flat config and bump/pin several dev & runtime dependencies (adds many ESLint/TypeScript packages and updates React Native CLI). Changes aim to remove vulnerable packages and align tooling with ESLint v9+.

Key changes:

• Structural
  • Removed sample/.eslintrc.js and added sample/eslint.config.js (ESLint flat config using @eslint/eslintrc, @eslint/js and @typescript-eslint plugin).
• Scripts
  • Removed npx from android/ios/start scripts (now "react-native run-android/run-ios/start" referencing local bin).
• Dependencies (runtime)
  • react-native-safe-area-context: ^5.7.0 -> 5.6.1 (pin/downgrade)
  • react-native-screens: ^4.24.0 -> ^4.16.0 (downgrade)
  • react-native-webview: ^13.16.1 -> ^13.16.0 (patch)
• DevDependencies (major additions/updates)
  • Added: @eslint/eslintrc, @eslint/js, @babel/eslint-parser, @typescript-eslint/{parser,plugin}, eslint-config-prettier, eslint-plugin-* (react, react-hooks, react-native, jest, eslint-comments, ft-flow), @react-native/eslint-plugin
  • Bumped: eslint -> ^9.39.4, @react-native-community/cli and platform packages -> ^20.1.3
  • Small version adjustments for @babel/* and other RN tooling to align with new linting stack
• Linting/behavior changes
  • ESLint now uses flat config and TypeScript ESLint; rule added: "@typescript-eslint/no-unused-vars": "warn".
  • Requires ESLint v9+ and the newly added ESLint plugins; CI/local devs should reinstall node_modules.
• Notes / potential impacts
  • Switching to flat ESLint config and newer ESLint/plugins may change lint results and require devs to update editors/IDE integrations.
  • Downgrading some native libs (safe-area, screens) may impact runtime behavior if sample relied on newer bugfixes—verify sample app runs on target platforms.
  • Removing npx is fine if the react-native CLI is available in node_modules/.bin (postinstall/install step should ensure this).
• Recommended actions for reviewers
  • npm/yarn install and run lint + start + android/ios build to validate toolchain and sample app behavior.

Reviewed by Panto AI

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces legacy ESLint config (sample/.eslintrc.js) with a Flat Config (sample/eslint.config.js) using FlatCompat and TypeScript rules, and updates sample/package.json scripts, devDependencies (ESLint v9, TypeScript ESLint, Prettier, Babel ESLint parser, CLI upgrades) and Node engine to >=20.19.4.

Changes

Cohort / File(s)	Summary
ESLint config files sample/.eslintrc.js, sample/eslint.config.js	Removed legacy module.exports config (sample/.eslintrc.js); added sample/eslint.config.js exporting a Flat Config array using FlatCompat to extend @react-native, and a TypeScript-targeted config (parser @typescript-eslint/parser, plugin @typescript-eslint, rule @typescript-eslint/no-unused-vars: warn).
Project manifest / scripts / deps sample/package.json	Updated npm scripts to call local react-native binary; upgraded React Native CLI packages to ^20.1.3; modernized linting deps to ESLint v9, Prettier integration, @typescript-eslint/*, @babel/eslint-parser, and related plugins; bumped engines.node to >=20.19.4.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• fix(MSDK-3374): resolve npm dependency vulnerabilities  #202 — Also upgrades @react-native-community/cli* packages to ^20.1.3 and adjusts related devDependencies.

Suggested reviewers

• uc-brunosilva

Poem

🐇 I hopped through configs, tidy and quick,
Swapped old exports for a flatter trick.
Scripts now sprint, linters hum in tune,
TypeScript whispers under the moon.
A rabbit’s nibble — changes bloom.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective: resolving OSS vulnerabilities in the sample app dependencies through upgrades and configuration changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bugfix/MSDK-3377-resolve-sample-oss-vulnerabilities

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pantoaibot]

Reviewed up to commit:8124ab373539861bf3824c5c4717678537f86559

Additional Suggestion

sample/package.json, line:11

The postinstall still runs 'patch-package && ./scripts/fix-react-logger.sh'. You changed react-native-screens to a different version (see lines 25-26) while there is an existing patch file named 'sample/patches/react-native-screens+4.24.0.patch'. If the installed package version no longer matches the patch filename, patch-package will not apply the patch and postinstall may warn/fail. Update or remove the patch file to match the dependency version or restore the dependency version expected by the patch. (Reference: sample/patches/react-native-screens+4.24.0.patch, lines 1-13 of the patch file.)

Given the dependency change, either restore the version to keep the existing patch working, or update both the dependency and the patch together. For example, to keep using the current patch file:

{
  "dependencies": {
    "@react-navigation/native": "^6.1.18",
    "@react-navigation/native-stack": "^6.11.0",
    "react": "19.1.0",
    "react-native": "0.81.4",
    "react-native-safe-area-context": "^5.7.0",
    "react-native-screens": "^4.24.0",
    "react-native-webview": "^13.16.1"
  }
}

If you intend to keep the new versions instead, also rename and adjust the patch, for example:

mv sample/patches/react-native-screens+4.24.0.patch \
   sample/patches/react-native-screens+4.16.0.patch

and update its contents to match the android/build.gradle of react-native-screens@4.16.0.

Reviewed by Panto AI

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@sample/eslint.config.js`:
- Around line 11-18: Add the eslint-plugin-simple-import-sort dependency to
sample/package.json devDependencies (use version ^10.0.0) and update the ESLint
config block that defines plugins and rules: in the object that currently sets
plugins: { "@typescript-eslint": typescriptEslint } and rules: {
"@typescript-eslint/no-unused-vars": "warn" }, add the simple-import-sort plugin
to plugins and enable "simple-import-sort/imports" and
"simple-import-sort/exports" rules (set to "error" or your desired level) so all
sample **/*.{ts,tsx,js,jsx} files enforce sorted imports.

In `@sample/package.json`:
- Line 25: The dependency "react-native-safe-area-context" is exact-pinned to
"5.6.1"; update its version specifier in package.json to a range (e.g., change
"react-native-safe-area-context": "5.6.1" to "react-native-safe-area-context":
"^5.6.1" or "~5.6.1") so that patch/minor updates are allowed; locate the
dependency entry in package.json and replace the exact version string
accordingly and run your lockfile install to update package-lock/yarn.lock.
- Around line 47-49: The package.json lists `@typescript-eslint/eslint-plugin` and
`@typescript-eslint/parser` at ^7.18.0 which require eslint ^8.x while eslint is
pinned to ^9.39.4 and engines.node is ">=18"; update package.json to use
`@typescript-eslint/eslint-plugin` and `@typescript-eslint/parser` v8 (compatible
with ESLint 9) and adjust the engines.node constraint to a version range
supported by ESLint 9 (e.g., ">=18.12" or the project’s minimum supported Node
that ESLint 9 supports) so peer deps align and npm install/lint won’t fail;
update the dependency entries "@typescript-eslint/eslint-plugin" and
"@typescript-eslint/parser" and the "engines.node" field accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0ad24e4d-80c0-4ab7-93ac-6c2596678204

📥 Commits

Reviewing files that changed from the base of the PR and between f8ddd2e and 8124ab3.

⛔ Files ignored due to path filters (1)

• sample/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• sample/.eslintrc.js
• sample/eslint.config.js
• sample/package.json

💤 Files with no reviewable changes (1)

• sample/.eslintrc.js

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

A review was recently triggered for this PR. Please wait 47s before retriggering.

[codeant-ai]

Sequence Diagram

This PR raises the minimum Node.js version for the samples and updates npm scripts to rely on the local React Native CLI instead of npx when building or starting the sample app.

sequenceDiagram
    participant Developer
    participant RequirementsScript
    participant Npm
    participant ReactNativeCLI
    participant SampleApp

    Developer->>RequirementsScript: run check-requirements.sh
    RequirementsScript->>RequirementsScript: verify Node version >= 20.19.4
    RequirementsScript-->>Developer: environment ok
    Developer->>Npm: npm run android or ios or start
    Npm->>ReactNativeCLI: run command via local cli dependency
    ReactNativeCLI->>SampleApp: build and launch sample app

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR raises the minimum Node.js version for running the sample tooling and updates linting and React Native CLI usage. The diagram shows how developers now interact with the requirements script, React Native CLI scripts, and the new ESLint flat config.

sequenceDiagram
    participant Developer
    participant RequirementsScript
    participant NodeRuntime
    participant ReactNativeCLI
    participant ESLint

    Developer->>RequirementsScript: Run check-requirements.sh
    RequirementsScript->>NodeRuntime: node --version
    NodeRuntime-->>RequirementsScript: Current Node version
    RequirementsScript-->>Developer: Enforce Node >= 20.19.4

    Developer->>ReactNativeCLI: npm run android or ios or start
    ReactNativeCLI-->>Developer: Build and run sample app

    Developer->>ESLint: npm run lint
    ESLint-->>Developer: Lint results using React Native and TypeScript rules

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

🟠 Architect Review — HIGH

The sample app's package.json declares "engines": { "node": ">=20.19.4" } while the repository's README and setup scripts (check-requirements.sh and auto-setup.sh) explicitly require and install only Node.js >=18.0, creating a conflicting Node version contract for normal onboarding flows.

Suggestion: Align the Node.js version requirement across sample/package.json, scripts/check-requirements.sh, scripts/auto-setup.sh, and the README: either keep the sample compatible with Node 18.x or update docs and scripts to require and provision Node >=20.19.4 consistently.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** sample/package.json
**Line:** 63:64
**Comment:**
	*HIGH: The sample app's package.json declares "engines": { "node": ">=20.19.4" } while the repository's README and setup scripts (check-requirements.sh and auto-setup.sh) explicitly require and install only Node.js >=18.0, creating a conflicting Node version contract for normal onboarding flows.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR upgrades the sample app's React Native CLI and ESLint to secure, current versions, switches scripts from npx to direct CLI usage, and introduces an ESLint flat config with React Native and TypeScript support. The diagram shows how developer commands now flow through the updated npm scripts into the new linting setup and React Native tooling.

sequenceDiagram
    participant Developer
    participant NpmScripts
    participant ReactNativeCLI
    participant ESLint
    participant ReactNativeConfig
    participant TypeScriptPlugin

    Developer->>NpmScripts: run lint
    NpmScripts->>ESLint: invoke ESLint with flat config
    ESLint->>ReactNativeConfig: apply React Native lint rules
    ESLint->>TypeScriptPlugin: use TS parser and rules for ts and tsx files
    ESLint-->>Developer: lint results

    Developer->>NpmScripts: run android or ios
    NpmScripts->>ReactNativeCLI: run platform command with updated CLI
    ReactNativeCLI-->>Developer: build app and start React Native packager

Loading

---

Generated by CodeAnt AI

[codeant-ai]

Suggestion: The TypeScript-specific unused-variable rule is enabled, but the base JavaScript no-unused-vars rule is not turned off for the same files. When both run on .ts/.tsx, ESLint can report duplicate or incorrect unused-variable findings (and may fail lint if the base rule is configured as an error in the extended config). Disable the base rule in this TypeScript override when enabling the TypeScript version. [logic error]

Severity Level: Major ⚠️

- ⚠️ TypeScript linting reports duplicate unused-variable errors on symbols.
- ⚠️ CI lint step may fail on duplicated TS unused-vars.

Steps of Reproduction ✅

1. From `sample/package.json:5-8`, note the lint script `"lint": "eslint ."` which runs
ESLint over the entire `sample` project.

2. Open `sample/src/App.tsx:9-34` and temporarily add an unused variable inside the `App`
component (e.g., on a new line after 10: `const unused = 1;`).

3. In the `sample` directory, run `npm install` to install devDependencies (including
`eslint`, `@react-native/eslint-config`, `@typescript-eslint/*`) and then run `npm run
lint` to execute ESLint with the flat config in `sample/eslint.config.js:1-28`.

4. ESLint loads the base `@react-native` config via `...compat.extends("@react-native")`
at `sample/eslint.config.js:12-13`, which includes the core `no-unused-vars` rule, and
then applies the TypeScript override at lines 15-27 where
`@typescript-eslint/no-unused-vars` is enabled at line 25 without disabling the core
`no-unused-vars` rule; the unused variable in `App.tsx` is reported twice (once by
`no-unused-vars` from the base config and once by `@typescript-eslint/no-unused-vars` from
this override), and if the base rule is configured as an error upstream, the lint command
will fail even though the TypeScript-specific rule is only a warning.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is a comment left during a code review.

**Path:** sample/eslint.config.js
**Line:** 25:25
**Comment:**
	*Logic Error: The TypeScript-specific unused-variable rule is enabled, but the base JavaScript `no-unused-vars` rule is not turned off for the same files. When both run on `.ts/.tsx`, ESLint can report duplicate or incorrect unused-variable findings (and may fail lint if the base rule is configured as an error in the extended config). Disable the base rule in this TypeScript override when enabling the TypeScript version.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

👍 | 👎

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR updates the sample app's developer workflow so linting uses ESLint 9 flat config with React Native and TypeScript plugins, and run scripts call the upgraded React Native CLI directly under a Node 20+ engine.

sequenceDiagram
    participant Developer
    participant NpmScripts as npm scripts
    participant ESLint as ESLint 9
    participant RNCLI as React Native CLI

    Developer->>NpmScripts: run lint
    NpmScripts->>ESLint: invoke with flat config
    ESLint->>ESLint: Apply React Native and TypeScript rules
    ESLint-->>Developer: Lint warnings and errors

    Developer->>NpmScripts: run android or ios or start
    NpmScripts->>RNCLI: invoke react-native command
    RNCLI->>RNCLI: Use updated project config and Node 20 engine
    RNCLI-->>Developer: Build or start sample app

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR upgrades the sample app to ESLint 9 with flat config and TypeScript support; the diagram shows how a lint run now loads React Native rules via FlatCompat and applies TypeScript-aware linting.

sequenceDiagram
    participant Developer
    participant ESLint
    participant FlatCompat
    participant TSPlugin

    Developer->>ESLint: Run npm run lint
    ESLint->>FlatCompat: Load React Native legacy config as flat config
    FlatCompat-->>ESLint: React Native lint rules merged
    ESLint->>TSPlugin: Parse and analyze TS and TSX files
    TSPlugin-->>ESLint: TS-aware lint diagnostics
    ESLint-->>Developer: Report React Native and TS lint results

Loading

---

Generated by CodeAnt AI

[codeant-ai]

🟠 Architect Review — HIGH

sample/package.json declares "engines.node" as ">=20.19.4" while the README ("Development Environment") and the scripts auto-setup.sh and check-requirements.sh all treat Node.js >=18.0 as sufficient, so the documented/automated environment checks will green-light Node 18 even though the sample's declared minimum is 20.19.4.

Suggestion: Align all Node.js minimum versions across sample/package.json, README.md, scripts/auto-setup.sh, and scripts/check-requirements.sh to a single baseline (likely Node 20.x) so that environment checks and documentation match the sample's engines constraint and fail early for unsupported Node versions.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** sample/package.json
**Line:** 63:64
**Comment:**
	*HIGH: sample/package.json declares "engines.node" as ">=20.19.4" while the README ("Development Environment") and the scripts auto-setup.sh and check-requirements.sh all treat Node.js >=18.0 as sufficient, so the documented/automated environment checks will green-light Node 18 even though the sample's declared minimum is 20.19.4.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR upgrades the sample app to ESLint 9 with a new flat config and TypeScript-aware linting, while also updating React Native CLI tooling. The diagram shows how the lint script now runs through the flat config and TypeScript ESLint plugin to analyze project files.

sequenceDiagram
    participant Developer
    participant NpmScripts
    participant ESLint
    participant TypeScriptEslint

    Developer->>NpmScripts: run lint
    NpmScripts->>ESLint: execute eslint with flat config
    ESLint->>ESLint: load react native config via FlatCompat
    ESLint->>TypeScriptEslint: parse and lint TypeScript files
    TypeScriptEslint-->>ESLint: lint diagnostics
    ESLint-->>Developer: report lint results

Loading

---

Generated by CodeAnt AI

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

CodeAnt AI is running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[codeant-ai]

Sequence Diagram

This PR updates the sample app's tooling by migrating to an ESLint 9 flat config with TypeScript support and upgrading the React Native CLI, while also raising the Node engine requirement and switching npm scripts to use the local React Native CLI instead of npx.

sequenceDiagram
    participant Developer
    participant NPM Scripts
    participant ESLint
    participant ESLintConfig
    participant NodeRuntime
    participant ReactNativeCLI

    Developer->>NPM Scripts: npm run lint
    NPM Scripts->>ESLint: Run ESLint on sample project
    ESLint->>ESLintConfig: Load RN base rules and TS rules (flat config)
    ESLint-->>Developer: Lint report for JS and TS files

    Developer->>NPM Scripts: npm run android
    NPM Scripts->>NodeRuntime: Start local react-native CLI (Node >= 20.19.4)
    NodeRuntime->>ReactNativeCLI: Run android build and deploy
    ReactNativeCLI-->>Developer: Sample app built and launched on device

Loading

---

Generated by CodeAnt AI

[codeant-ai]

🟠 Architect Review — HIGH

Node.js version requirements are inconsistent: sample/package.json declares "engines.node" as ">=20.19.4", while README.md and scripts/check-requirements.sh both state and enforce Node.js >=18.0, so developers following the documented setup can pass environment checks yet still run the sample below its declared minimum Node version.

Suggestion: Align the Node.js version requirement across sample/package.json, README.md, and scripts/check-requirements.sh by either keeping the sample compatible with Node 18 and lowering the engines field, or updating the documented and scripted requirement to Node 20.19.4+ so all entry points agree.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** sample/package.json
**Line:** 36:64
**Comment:**
	*HIGH: Node.js version requirements are inconsistent: sample/package.json declares "engines.node" as ">=20.19.4", while README.md and scripts/check-requirements.sh both state and enforce Node.js >=18.0, so developers following the documented setup can pass environment checks yet still run the sample below its declared minimum Node version.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[codeant-ai]

CodeAnt AI finished running the review.

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn