Bug Fixes
- pin lodash to 4.17.23 (4.18.0 breaks kitchen-sink webpack build) (#4039) (Nate Wienert)
- patch brace-expansion 5.x CJS to be callable (react-native codegen does require('brace-expansion')() — fixes iOS pod install 'expand is not a function') (natew)
- patch detox to force-terminate ws clients before server close (ws 8 close() hangs on lingering app connection, causing iOS detox teardown to time out) (natew)
- detox: improve flake classifier to catch simulator/teardown failures (natew)
- web: guard updateConfig keys. Fixes #4029 (natew)
- web: avoid color opacity token union blowup (natew)
Continuous Integration
- harden workflows (fork-secret gate, least-priv permissions, sha-pin third-party actions, frozen lockfile, dependabot) (natew)
- grant pull-requests:read to reusable-workflow callers (fixes startup_failure) (natew)
Chores
- remove broken local MCP server configs (natew)
- add security policy, gitleaks secret scanning, and audit record (natew)
- remove gitleaks scanning in favor of github native secret scanning + push protection (natew)
- remove dependabot, fix critical security advisories, add bun audit gate (#4037) (Nate Wienert)
- up one for memory usage fixes (natew)
- pin patched versions for tmp/hono/protobufjs/brace-expansion/cross-spawn/launch-editor/babel (bun audit) (natew)
- remove unused legacy devDeps from create-tamagui (got/tar/cpy/cross-spawn/etc, clears bun audit advisories) (natew)
- migrate remix-starter from Remix v2 (EOL) to React Router 7 (clears EOL transitive advisories: tar/turbo-stream/estree-util-value-to-estree/vite/undici/js-yaml) (natew)
- clear remaining bun audit advisories to zero (natew)
- format remix vite.config + ignore generated .react-router types in oxfmt (natew)
- bump webpack-cli to ^6 (required by webpack-dev-server 5 serve integration) (natew)