[Flight] Add more DoS mitigations to Flight Reply, and harden Flight #35632

Merged: unstubbable merged 2 commits into react:main from unstubbable:flight-dos-mitigations on Jan 26, 2026

@unstubbable (Collaborator)

This fixes security vulnerabilities in Server Functions.

Co-authored-by: Josh Story <josh.c.story@gmail.com>
Co-authored-by: Janka Uryga <lolzatu2@gmail.com>
Co-authored-by: Hendrik Liebau <mail@hendrik-liebau.de>
@unstubbable unstubbable requested a review from eps1lon January 26, 2026 19:09
@meta-cla meta-cla Bot added the CLA Signed label Jan 26, 2026
@github-actions github-actions Bot added the React Core Team Opened by a member of the React Core Team label Jan 26, 2026

react-sizebot commented Jan 26, 2026

The size diff is too large to display in a single comment. The GitHub action for this pull request contains an artifact called 'sizebot-message.md' with the full message.

Generated by 🚫 dangerJS against d5324f4

@unstubbable unstubbable merged commit 1068027 into react:main Jan 26, 2026
233 of 234 checks passed
@unstubbable unstubbable deleted the flight-dos-mitigations branch January 26, 2026 19:25
github-actions Bot pushed a commit that referenced this pull request Jan 26, 2026
…35632)

This fixes security vulnerabilities in Server Functions.

---------

Co-authored-by: Sebastian Markbåge <sebastian@calyptus.eu>
Co-authored-by: Josh Story <josh.c.story@gmail.com>
Co-authored-by: Janka Uryga <lolzatu2@gmail.com>
Co-authored-by: Sebastian Sebbie Silbermann <sebastian.silbermann@vercel.com>

DiffTrain build for [1068027](1068027)

vytick added a commit to trezor/trezor-suite that referenced this pull request Jun 17, 2026
The previous commit bumped react-native 0.83.2 -> 0.85.3 (required by
Expo SDK 56) but left the react resolution at 19.2.4. React Native
bundles its own copy of the React reconciler and asserts at runtime that
the installed `react` version exactly equals that bundled renderer:

  Error: Incompatible React versions: The "react" and
  "react-native-renderer" packages must have the exact same version.
    - react:                 19.2.4
    - react-native-renderer: 19.2.3

RN 0.85.3 syncs React 19.2.3 (confirmed in the bundled
ReactFabric-prod.js), so react must be 19.2.3, not 19.2.4. React 19.2.4
is pinned by Expo SDK 56's RN version; there is no 0.85.x release built
against 19.2.4.

19.2.4's only change over 19.2.3 is server-side hardening of React
Server Components / Flight Reply against DoS (react/react#35632).
Trezor Suite is client-only (Electron, web SPA, React Native) with no
React server runtime, so nothing functional is lost by the downgrade.

Aligns the resolution and all workspace declarations to 19.2.3
(react, react-dom, react-test-renderer).

Also bumps react-native-svg 15.15.3 -> 15.15.5: 15.15.4+ adds the
RN-version-guarded ImageResponseObserverCoordinator call (shared_ptr
instead of dereferenced ref) required for the iOS build on RN 0.85.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>