From 7515a14fe4808a44f67481384c38a1fa47cc6b0b Mon Sep 17 00:00:00 2001
From: Tommy Nguyen <4123478+tido64@users.noreply.github.com>
Date: Wed, 17 Jun 2026 09:50:29 +0200
Subject: [PATCH] chore(security): address security vulnerabilities

- CVE-2026-49982
- CVE-2026-48779
- CVE-2026-12143
---
 package.json                       |  3 +++
 packages/app/scripts/configure.mjs |  2 +-
 yarn.lock                          | 36 +++++++++++++++---------------
 3 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/package.json b/package.json
index 966a39c9a..d8a4129d1 100644
--- a/package.json
+++ b/package.json
@@ -87,7 +87,10 @@
     "compression/bytes": "^3.1.2",
     "node-gyp": "ignore:",
     "node-gyp-build": "ignore:",
+    "nx/form-data": "~4.0.5",
+    "nx/hasown": "~2.0.2",
     "nx/minimatch": "^10.2.5",
+    "nx/tmp": "^0.2.6",
     "react-native-windows/@react-native-community/cli": "^20.0.0",
     "react-native-windows/@react-native-community/cli-platform-android": "^20.0.0",
     "react-native-windows/@react-native-community/cli-platform-ios": "^20.0.0",
diff --git a/packages/app/scripts/configure.mjs b/packages/app/scripts/configure.mjs
index 58073badd..52229aaa4 100755
--- a/packages/app/scripts/configure.mjs
+++ b/packages/app/scripts/configure.mjs
@@ -352,13 +352,13 @@ export function gatherConfig(params, disableCache = false) {
   const config = (() => {
     return platforms.reduce(
       (config, platform) => {
-        const platformConfig = getConfig(params, platform, disableCache);
         const dependencies = getPlatformPackage(platform, targetVersion);
         if (!dependencies) {
           /* node:coverage ignore next */
           return config;
         }
 
+        const platformConfig = getConfig(params, platform, disableCache);
         return mergeConfig(config, {
           ...platformConfig,
           files: Object.fromEntries(
diff --git a/yarn.lock b/yarn.lock
index 0a6c1831e..90f70246f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8724,16 +8724,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"form-data@npm:4.0.5, form-data@npm:^4.0.5, form-data@npm:~4.0.5":
-  version: 4.0.5
-  resolution: "form-data@npm:4.0.5"
+"form-data@npm:^4.0.5, form-data@npm:~4.0.5":
+  version: 4.0.6
+  resolution: "form-data@npm:4.0.6"
   dependencies:
     asynckit: "npm:^0.4.0"
     combined-stream: "npm:^1.0.8"
     es-set-tostringtag: "npm:^2.1.0"
-    hasown: "npm:^2.0.2"
-    mime-types: "npm:^2.1.12"
-  checksum: 10c0/dd6b767ee0bbd6d84039db12a0fa5a2028160ffbfaba1800695713b46ae974a5f6e08b3356c3195137f8530dcd9dfcb5d5ae1eeff53d0db1e5aad863b619ce3b
+    hasown: "npm:^2.0.4"
+    mime-types: "npm:^2.1.35"
+  checksum: 10c0/43947a77bf0ff45c6ceed789778982d47a3f3e720a74b71721174ebf3310a5f1a8be1d6b38a3ee3688e8a18a2c4273073ec0844cd37efda3eaf46d41c9c318ff
   languageName: node
   linkType: hard
 
@@ -9234,12 +9234,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"hasown@npm:2.0.2, hasown@npm:^2.0.2":
-  version: 2.0.2
-  resolution: "hasown@npm:2.0.2"
+"hasown@npm:^2.0.2, hasown@npm:^2.0.4, hasown@npm:~2.0.2":
+  version: 2.0.4
+  resolution: "hasown@npm:2.0.4"
   dependencies:
     function-bind: "npm:^1.1.2"
-  checksum: 10c0/3769d434703b8ac66b209a4cca0737519925bbdb61dd887f93a16372b14694c63ff4e797686d87c90f08168e81082248b9b028bad60d4da9e0d1148766f56eb9
+  checksum: 10c0/2d8de939e270b70618f8cebb69746620db10617dbb495bc66ddad326955ea24d3ca4af133aff3eb7c1853e0218f867bc2b050ec26fe02e3aea58f880ffc5e506
   languageName: node
   linkType: hard
 
@@ -11229,7 +11229,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"mime-types@npm:2.1.35, mime-types@npm:^2.1.12, mime-types@npm:~2.1.34":
+"mime-types@npm:2.1.35, mime-types@npm:^2.1.35, mime-types@npm:~2.1.34":
   version: 2.1.35
   resolution: "mime-types@npm:2.1.35"
   dependencies:
@@ -14791,10 +14791,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tmp@npm:0.2.6":
-  version: 0.2.6
-  resolution: "tmp@npm:0.2.6"
-  checksum: 10c0/fa5b9bfbe60f70904aba5c96b4970e9158d99867891302d10320fe35eee1e45f42946fded4cf5c8514baa087bebee44419029b7deb227da05a68b5205a12d8ab
+"tmp@npm:^0.2.6":
+  version: 0.2.7
+  resolution: "tmp@npm:0.2.7"
+  checksum: 10c0/59eb55584f2f07210d3231b6a1f6b5c2b9794d8a7b509c8ee867ed2acad6d2245ee2448b7937b676ffbff3155a70077edde8a69f9d7cf0f90c86a62e8910c357
   languageName: node
   linkType: hard
 
@@ -15641,8 +15641,8 @@ __metadata:
   linkType: hard
 
 "ws@npm:^7, ws@npm:^7.5.10":
-  version: 7.5.10
-  resolution: "ws@npm:7.5.10"
+  version: 7.5.11
+  resolution: "ws@npm:7.5.11"
   peerDependencies:
     bufferutil: ^4.0.1
     utf-8-validate: ^5.0.2
@@ -15651,7 +15651,7 @@ __metadata:
       optional: true
     utf-8-validate:
       optional: true
-  checksum: 10c0/bd7d5f4aaf04fae7960c23dcb6c6375d525e00f795dd20b9385902bd008c40a94d3db3ce97d878acc7573df852056ca546328b27b39f47609f80fb22a0a9b61d
+  checksum: 10c0/7972670b676fb1ccba73b0899ca3c2e04e8c2075629c2614cced7f556536f96a672bbf4619fc5a06c8b8720bb839a47ca88c69c95dc14c9c61a99fbecba1c866
   languageName: node
   linkType: hard