Conversation
…nerabilities
Update activesupport version constraint in examples/react-native/Gemfile from '>= 6.1.7.5', '< 7.1.0' to '>= 7.2.3.1', '< 8.0' to resolve:
- GHSA-2j26-frm8-cmj9 (CVE-2026-33176): DoS in number helpers
- GHSA-89vf-4333-qx8v (CVE-2026-33170): XSS in SafeBuffer#%
- GHSA-cg4j-q9v8-6v38 (CVE-2026-33169): ReDoS in number_to_delimited
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ement
activesupport >= 7.2.3.1 requires Ruby >= 3.1. Update the Gemfile ruby constraint from '>= 2.6.10' to '>= 3.1' to reflect the actual minimum.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Review: fix(deps): update activesupport (medium)
Scope: single-file change to examples/react-native/Gemfile — no TypeScript, no src/gen/, no public API surface affected.
Correctness of the security fix ✓
The version constraint change from '>= 6.1.7.5', '< 7.1.0' to '>= 7.2.3.1', '< 8.0' correctly targets the patched release for the three reported advisories (GHSA-2j26-frm8-cmj9, GHSA-89vf-4333-qx8v, GHSA-cg4j-q9v8-6v38). The upper bound of < 8.0 is a safe future-proofing limit.
Issue fixed in follow-up commit
examples/react-native/Gemfile line 4 — Ruby version constraint was stale
activesupport >= 7.2.x requires Ruby >= 3.1.0. The original PR left the Gemfile declaring ruby ">= 2.6.10", which would produce a confusing Gem::MissingSpecError for any developer running Ruby < 3.1 — the error message points at activesupport, not the ruby version mismatch. I've pushed a follow-up commit updating the constraint to ruby ">= 3.1".
Other observations
- No Gemfile.lock checked in. This is a pre-existing condition for this example project. Not introduced by this PR; not blocking.
- Version gap (7.1.x entirely excluded). The new lower bound skips the entire activesupport 7.1 series. This is acceptable if the CVEs have no backport to 7.1.x, which the PR description implies.
Verdict
The security fix itself is correct. The ruby version inconsistency has been corrected in a follow-up commit on this branch. No further changes needed.
Code Review
This is a minimal, correct security-fix PR. Only examples/react-native/Gemfile is modified. No TypeScript, no src/gen/, no public API changes. No CI workflows exercise this Gemfile, so there is no CI risk.
What was changed
- activesupport: >= 6.1.7.5, < 7.1.0 → >= 7.2.3.1, < 8.0
- ruby: >= 2.6.10 → >= 3.1
Assessment
Ruby version bump is correct. activesupport 7.2.x requires Ruby ≥ 3.1. Leaving the old >= 2.6.10 would produce a confusing install-time error, so updating the constraint is the right call.
activesupport version range is plausible. The jump skips all of 7.1.x. According to the PR description the three advisories (GHSA-2j26-frm8-cmj9, GHSA-89vf-4333-qx8v, GHSA-cg4j-q9v8-6v38) were fixed in 7.2.3.1 and not backported to 7.1.x, which would explain why 7.1.x is excluded. The upper bound < 8.0 is appropriate to guard against future major-version breakage.
cocoapods compatibility is unaffected. cocoapods 1.13–1.14 (the pinned range) declare activesupport >= 5.0, < 8 as a dependency, so 7.2.3.1 is within their allowed range.
No Gemfile.lock is committed — this is pre-existing and not introduced by this PR. It is a mild concern for reproducibility of the example, but out of scope here.
No changes requested — no blocking issues found.
A human must approve before merging.
Summary
Update activesupport version constraint in examples/react-native/Gemfile to resolve 3 medium-severity security advisories. The previous constraint (>= 6.1.7.5, < 7.1.0) excluded the patched version 7.2.3.1, so the version range was updated to >= 7.2.3.1, < 8.0.
Advisories Resolved
Lockfiles Modified
examples/react-native/Gemfile
Unresolved Alerts
None — all 3 alerts are resolved by this change.
Resolves #872
🤖 Generated with Claude Code
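An added check, not code from the PR or the project, that exercises the two constraints discussed in this thread with RubyGems' own Gem::Requirement so the reviewers' claims can be verified offline: the old range cannot resolve to 7.2.3.1, the new range admits nothing older than it, and the ruby directive now rejects interpreters below 3.1. The candidate version list is constructed for the demonstration and makes no claim about which activesupport releases exist or are affected; 7.2.3.1 is taken from the PR as the patched release. It also shows one caveat the reviews do not mention: because RubyGems orders prereleases before the release they precede, "< 8.0" still admits an 8.0.0 prerelease.

```ruby
# Added example (not part of the PR or the project): evaluate Gemfile-style
# version constraints against candidate versions with Gem::Requirement.
require "rubygems"

# Constraints exactly as they appear in the PR diff.
OLD_ACTIVESUPPORT = [">= 6.1.7.5", "< 7.1.0"].freeze
NEW_ACTIVESUPPORT = [">= 7.2.3.1", "< 8.0"].freeze
OLD_RUBY          = [">= 2.6.10"].freeze
NEW_RUBY          = [">= 3.1"].freeze

# The one release the PR names as patched. Anything a constraint admits that
# is older than this is treated as unpatched for the purpose of this check.
PATCHED = Gem::Version.new("7.2.3.1")

# Constructed candidate list for the demonstration only; it is not a claim
# about which activesupport releases exist.
CANDIDATES = %w[6.1.7.5 7.0.8 7.1.5 7.2.3 7.2.3.1 7.2.4 8.0.0 8.0.0.beta1].freeze

# True when `version` satisfies every clause of `constraint`, using the same
# comparison Bundler uses when it resolves a Gemfile.
def allowed?(constraint, version)
  Gem::Requirement.new(*constraint).satisfied_by?(Gem::Version.new(version))
end

# Versions the constraint would let the resolver pick that are older than
# PATCHED. An empty result is what a correct security bump looks like.
def unpatched_admitted(constraint, candidates = CANDIDATES)
  candidates.select do |v|
    allowed?(constraint, v) && Gem::Version.new(v) < PATCHED
  end
end

# Prerelease versions the constraint admits. "< 8.0" does not exclude
# 8.0.0.beta1, because Gem::Version sorts a prerelease before its release.
# Bundler only resolves to prereleases when something asks for them, but
# "< 8.0.0.a" as the upper bound closes the gap at the constraint level.
def prereleases_admitted(constraint, candidates = CANDIDATES)
  candidates.select do |v|
    allowed?(constraint, v) && Gem::Version.new(v).prerelease?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "old range admits unpatched:   #{unpatched_admitted(OLD_ACTIVESUPPORT).inspect}"
  puts "new range admits unpatched:   #{unpatched_admitted(NEW_ACTIVESUPPORT).inspect}"
  puts "new range admits prerelease:  #{prereleases_admitted(NEW_ACTIVESUPPORT).inspect}"
  puts "ruby 3.0.6 meets new ruby constraint? #{allowed?(NEW_RUBY, '3.0.6')}"
end
```

Running the script prints the two unpatched lists (non-empty for the old range, empty for the new one), the single admitted prerelease, and `false` for Ruby 3.0.6. The same `allowed?` helper can be pointed at any other Gemfile range and candidate list to audit a dependency bump before it is merged.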