Open
Conversation
Cherry-picked from upstream master (1b71233) to ensure RN 0.85 compatibility. Changes hasActiveCatalystInstance to hasActiveReactInstance and adds fallback to getReactHost().getCurrentReactContext() for RN 0.76+.
Re-applied the following Exodus patches on clean upstream 5.1.0 base: - fix: hasActiveReactInstance — use hasActiveReactInstance() directly instead of try/catch with deprecated hasActiveCatalystInstance() (ReactAppLifecycleFacade) - fix: get initial notification returning null — use intent.getExtras() directly (RNNotificationsPackage) - chore: update default channel to 'exodus' (PushNotification) - fix: local notification press reloading the app — use PendingIntent.getActivity instead of trampoline branching (NotificationIntentAdapter) - feat: verify if notification was tapped to set initial value — add notificationTapped BOOL to RNNotificationsStore, set on response, check in getInitialNotification (iOS) - feat: add pinpoint UI sending compatibility layer (PushNotification) - fix: ios background notification — move notificationTapped gate from setBridge: to getInitialNotification: (RNCommandsHandler) Skipped patches: - All version bumps (will be set separately) - All cleanup/removal commits (upstream already reorganized) - @Exodus scoping (will be set separately)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rebase of Exodus patches onto upstream react-native-notifications 5.1.0 (from ~4.x-based fork).
Part of the RN 0.85 upgrade: ExodusMovement/exodus-mobile#38221.
Exodus Patches
7636a35ea23ba1ad940d1f641268Upstream Changelog (~4.x → 5.1.0)
The upstream delta from the old Exodus fork base (
4.4.0-exodus, itself based on4.3.5) to5.1.0is minimal — only 3 substantive upstream commits landed in the 5.x series:748e219android-get-initial-notification —RNNotificationsPackage: switch fromintent.getExtras()toNotificationIntentAdapter.extractPendingNotificationDataFromIntent(intent)and erase the notification intent after consumption (activity.setIntent(new Intent())) to prevent replay when the app resumes from background.NotificationIntentAdapter:extractPendingNotificationDataFromIntentnow falls back to raw extras when the typed bundle key is absent.c29bce6upgrade-android-33 — bumpsandroidSdkVersionfrom 31 → 33 andDEFAULT_COMPILE_SDK_VERSIONfrom 30 → 33 to target Android 13.980ce21Fix android build for RN 0.72 — changes deprecatedhtml.enabled truetohtml.required.set truein test report options; Gradle API compatibility fix only.Also added: a Docusaurus v2 documentation website (
website/) with no runtime impact, and a minorscripts/test-unit.jsCI refactor.Security Audit of Upstream Changes
Prototype Pollution Vectors
No JavaScript object mutation via user-supplied keys. The JS layer (
lib/src/) was not modified in this upstream delta. NoObject.assign,__proto__, or bracket-keyed property writes were introduced.Command Injection
scripts/test-unit.jsintroduces atestTarget(scheme, device, OS)helper that interpolates its parameters into axcodebuildshell command via template literals. However, all three call sites are hardcoded in source — no values derive from environment variables, CLI args, or external input. This file is a developer CI script, not shipped code. No risk to production.Network Requests
No new network calls introduced in native (Java/ObjC/Swift) or JS runtime code. The only URLs added are static documentation links in
website/docusaurus.config.jsandwebsite/package.json. These are build-time documentation assets with zero runtime impact.Binary Blobs / Non-reproducible Artifacts
No new binary artifacts were introduced. The pre-existing
lib/ios/libOCMock.a(test mock library) and Gradle wrapper JARs are unchanged.ReDoS Patterns
No regular expressions were added or modified in any of the diffed files.
Unsafe Dynamic Code Execution
No
eval(),new Function(),require()with dynamic string concatenation, orvm.runInContext()patterns introduced.New Dependencies
Runtime (
dependencies/peerDependencies): No changes —peerDependenciesremainreact: "*"andreact-native: "*"with no new runtime deps added.Dev dependencies: Identical between
4.4.0-exodusand5.1.0in the rootpackage.json.New
website/package.json(dev-only, not shipped): adds@docusaurus/core@2.0.0-alpha.64,@docusaurus/preset-classic@2.0.0-alpha.64,classnames@^2.2.6,react@^16.10.2,react-dom@^16.10.2. These are documentation build tools only, never bundled into the app.Findings Summary
testTarget()args are all hardcoded; CI script onlyTest Plan
src/package.jsonin exodus-mobile-upgrade worktreeyarn ios:basebuildsyarn android:basebuilds