Skip to content

Upgrade to React Native 0.85.3 / Expo SDK 56 (new architecture)#6064

Draft
peachbits wants to merge 5 commits into
developfrom
phase2-rn-upgrade
Draft

Upgrade to React Native 0.85.3 / Expo SDK 56 (new architecture)#6064
peachbits wants to merge 5 commits into
developfrom
phase2-rn-upgrade

Conversation

@peachbits

@peachbits peachbits commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

Upgrades edge-react-gui from React Native 0.79.2 → 0.85.3 (Expo SDK 53 → 56), moving both platforms to the new architecture and removing the reanimated v3/v4 platform split.

Android was previously pinned to reanimated 3 on the old architecture via a local scripts/r3-hack crutch (iOS already ran reanimated 4 on the new arch). This drops the crutch so the whole app runs reanimated v4 on the new architecture, and brings RN, Expo, and the RN-ecosystem dependencies up to current.

Commits (each passes precommit independently)

  1. Remove reanimated v3/v4 split; enable new architecture on Android — the isolated crutch removal (babel/metro/rn-config, scripts/r3-hack deletion, newArchEnabled=true). Gated on the RN 0.79 dependency set: 521/521 tests.
  2. Upgrade to React Native 0.85.3 and Expo SDK 56 — dependency bumps, jest preset + worklets resolver, snapshot updates. Includes 16 mechanical lint fixes (explicit return types, catch typing, explicit empty-string checks) in files this diff touches — the TypeScript 5.0→5.8 bump surfaces them, and lint-staged holds commits touching those files responsible. All semantics-preserving.
  3. Android: build under React Native 0.85 with the new architecture — compile/target SDK 36, Expo SDK 56 autolinking, MainApplication unwrap.
  4. iOS: build and run under React Native 0.85 / Expo SDK 56 / Xcode 26 — Expo autolinking + new-arch Podfile (iOS 16.4), ExpoReactNativeFactory AppDelegate, RCTNewArchEnabled.
  5. Restore ShadowTree commit-exhaustion protection — RN 0.85.3 upstreamed the equivalent of our old react-native+0.79.2.patch (retry cap + recursive-lock fallback in ShadowTree.cpp) but behind preventShadowTreeCommitExhaustion, which defaults to false. A 1-line patch flips the default so the upgrade doesn't silently drop the crash fix. Delete when upstream flips it.

Every commit passed: localize + update-eslint-warnings (tree stays clean), eslint on its changed files, tsc, and the full jest suite (521/521 on commit 1's RN 0.79 base; 517/517 on 0.85).

Performance — Android, Flashlight, physical device

During scroll Baseline (rea3 / old arch / 0.79) After (rea4 / new arch / 0.85)
Jank (frames <30 fps) 7.3% 2.5%
Worst-case FPS (p10) 33.3 48.1
Peak scroll CPU 326% 201%
RAM mean / peak 456 / 704 MB 662 / 827 MB

Net: jank floor 33 → 48 fps (+44%), jank −66%, peak CPU −38%, total CPU −42% — at a RAM cost (the new-arch tradeoff).

Testing

  • Per-commit gates as above; iOS builds under Xcode 26 and runs on the iOS 26 simulator (boots, new-arch runtime, app navigable)
  • Android release build benchmarked on a physical device (table above)

Notes

🤖 Generated with Claude Code

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedjest@​30.0.0 ⏵ 29.7.01001006892100
Updated@​react-native/​metro-config@​0.79.2 ⏵ 0.85.3100 +110073 +197 +1100
Updated@​react-native/​typescript-config@​0.79.2 ⏵ 0.85.310010073 +1097 +1100
Updated@​react-native-community/​cli@​18.0.0 ⏵ 20.1.098 +1100 +7575 +194100
Added@​react-native/​jest-preset@​0.85.3761008297100
Updatedexpo@​53.0.20 ⏵ 56.0.1277100100 +23100100
Updatedreact-native-safe-area-context@​5.6.1 ⏵ 5.7.0991007887100
Updated@​types/​react@​19.1.9 ⏵ 19.2.171001007995100
Updated@​babel/​core@​7.28.0 ⏵ 7.29.797100 +180 +196100
Updatedreact-native-gesture-handler@​2.28.0 ⏵ 2.31.28010094 +198100
Updatedreact-test-renderer@​19.0.0 ⏵ 19.2.380 +110086 +198100
Updated@​react-native-firebase/​app@​20.5.0 ⏵ 25.1.010010089 +19880
Updated@​react-native-firebase/​messaging@​20.5.0 ⏵ 25.1.010010091 +19880
Updated@​react-native/​babel-preset@​0.79.5 ⏵ 0.85.398 +110082 +197100
Updated@​react-native-picker/​picker@​2.11.2 ⏵ 2.11.410010010082100
Updatedreact@​19.0.0 ⏵ 19.2.31001008497100
Updatedreact-native-worklets@​0.6.1 ⏵ 0.8.399 +110085 +298100
Updated@​react-native-community/​netinfo@​11.4.1 ⏵ 12.0.19910010086100
Updatedreact-native-keyboard-controller@​1.19.0 ⏵ 1.21.69910087 +196 +2100
Updated@​react-native-async-storage/​async-storage@​1.19.4 ⏵ 2.2.010010088 +1690 -1100
Updatedreact-native-svg@​15.14.0 ⏵ 15.15.499 +110010088100
Updatedreact-native-bootsplash@​6.3.8 ⏵ 6.3.1288 -1010010090100
Updatedreact-native-reanimated@​3.19.5 ⏵ 4.3.199 +110090 +198100
Updatedtypescript@​5.0.4 ⏵ 5.8.3100 +110090 +19690
Updated@​react-native-community/​datetimepicker@​8.4.2 ⏵ 9.1.09910010090 -4100
Updatedreact-native-vision-camera@​4.7.2 ⏵ 4.7.310010010093 +2100
Updatedreact-native-webview@​13.15.0 ⏵ 13.16.110010096 +195 +1100
Updated@​react-native-community/​cli-platform-android@​18.0.0 ⏵ 20.1.09910010096100
Updated@​react-native-community/​cli-platform-ios@​18.0.0 ⏵ 20.1.010010010096100
Updated@​sentry/​react-native@​7.12.0 ⏵ 7.11.099 +110010096 +1100
Updatedreact-native@​0.79.2 ⏵ 0.85.398 +1210099100100
Updatedreact-native-screens@​4.16.0 ⏵ 4.25.299 +110010098100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @expo/cli is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/expo@56.0.12npm/@expo/cli@56.1.16

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/cli@56.1.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @react-native/debugger-frontend is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/react-native@0.85.3npm/expo@56.0.12npm/@react-native/debugger-frontend@0.85.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.85.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @react-native/debugger-frontend is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/react-native@0.85.3npm/expo@56.0.12npm/@react-native/debugger-frontend@0.85.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.85.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @sentry-internal/feedback is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@sentry/react-native@7.11.0npm/@sentry-internal/feedback@10.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry-internal/feedback@10.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @sentry/browser is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@sentry/react-native@7.11.0npm/@sentry/browser@10.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/browser@10.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @sentry/core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@sentry/react-native@7.11.0npm/@sentry/core@10.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@10.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm node-forge is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/expo@56.0.12npm/@walletconnect/web3wallet@1.10.1npm/node-forge@1.4.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm react-native-bootsplash is 75.0% likely obfuscated

Confidence: 0.75

Location: Package overview

From: package-lock.jsonnpm/react-native-bootsplash@6.3.12

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-native-bootsplash@6.3.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm fetch-nodeshim

Location: Package overview

From: package-lock.jsonnpm/expo@56.0.12npm/fetch-nodeshim@0.4.10

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fetch-nodeshim@0.4.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Android ran reanimated 3 via the local `r3-hack` package on the old
architecture while iOS ran reanimated 4 on Fabric. Reanimated 4 requires the
new architecture, so route both platforms through reanimated 4 / worklets and
enable the new architecture on Android:

- babel.config.js: always use react-native-worklets/plugin; add api.cache(true)
  now that the config is static (no platform branch configuring the cache).
- metro.config.js: drop the r3-hack Android resolver.
- react-native.config.js: drop the reanimated sourceDir override and the
  worklets Android disable.
- package.json: remove the r3-hack dependency; delete scripts/r3-hack.
- android/gradle.properties: newArchEnabled=true.
- useCarouselGesture: unify the withSpring config to the reanimated-4 algorithm
  on both platforms (Android previously used the reanimated-3 damping).

Also dedupe yaob to ^0.4.0, fixing the nativeIo collision that crashed
ZEC/Pirate wallet creation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@peachbits peachbits force-pushed the phase2-rn-upgrade branch from f3dd774 to 0a46981 Compare July 3, 2026 18:16
peachbits and others added 4 commits July 3, 2026 12:27
Move the app to React Native 0.85.3 / Expo SDK 56, with both platforms on reanimated v4 and the new architecture. Bumps the RN-ecosystem dependencies together and updates the jest preset, worklets resolver, and test snapshots.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Enable newArchEnabled, bump compile/target SDK 35->36, and rewrite settings.gradle for Expo SDK 56 autolinking. Unwrap MainApplication from the ReactNativeHostWrapper removed in SDK 56.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Expo autolinking + new-architecture Podfile (deployment target 16.4), the ExpoReactNativeFactory AppDelegate, and RCTNewArchEnabled in Info.plist. Includes the build fixes needed under Xcode 26.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
React Native 0.85.3 upstreamed the equivalent of our old react-native+0.79.2.patch — ShadowTree::commit() now caps optimistic retries at MAX_COMMIT_ATTEMPTS_BEFORE_LOCKING and falls back to an exclusive recursive lock (ReactCommon/react/renderer/mounting/ShadowTree.cpp) — but only behind the preventShadowTreeCommitExhaustion feature flag, which defaults to false. Enable the flag with a 1-line patch so the RN upgrade doesn't silently drop the crash protection. Delete this patch when upstream flips the default.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@peachbits

Copy link
Copy Markdown
Contributor Author

History cleanup after a review question: commit 2 ("Upgrade to React Native 0.85.3") previously contained a spurious newArchEnabled true→false flip that commit 3 flipped back — an artifact of how the upgrade commit was reconstructed during the re-split, not a real setting change. Fixed: the flag now changes exactly once, in commit 1 (false→true), and commits 2–5 don't touch it. The Android commit keeps its legitimate jvmargs bump.

Audited the whole series for more of the same (blob-level revert detection across all commits + exact-line added-then-removed scan, lockfile excluded): this was the only instance. Final tree is bit-identical to the previously validated one, and all 5 commits re-passed the per-commit precommit gate (521/521 tests on commit 1's RN 0.79 base; 517/517 on 0.85).

@peachbits peachbits force-pushed the phase2-rn-upgrade branch from 0a46981 to 30638ca Compare July 3, 2026 19:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant