chore(deps): update dependency eas-cli to v18 #22697

Open: renovate[bot] wants to merge 1 commit into main from renovate/eas-cli-18.x

@renovate renovate Bot commented Feb 28, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| eas-cli (source) | ^16.32.0 -> ^18.13.1 | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

expo/eas-cli (eas-cli)

v18.13.1

Compare Source

🎉 New features
🐛 Bug fixes
  • [eas-cli] Prevent npx invocations that can be unreliable and fail when retrieving entitlements or project configs (#​3282 by @​kitten)

v18.13.0

Compare Source

🎉 New features
🧹 Chores

v18.12.3

Compare Source

v18.12.2

Compare Source

🐛 Bug fixes
  • [eas-cli] Fix eas go to use server-side project setup and support multiple Expo Go SDK versions. (#​3657 by @​gwdp)
🧹 Chores
  • [ci] Audit GitHub Actions workflows: harden pull_request_target usage, pin all external actions to commit SHAs, and add Dependabot to refresh them. (#​3718 by @​brentvatne)

v18.12.1

Compare Source

v18.12.0

Compare Source

🎉 New features
  • [eas-cli] Automatically save the Convex deployment URL as an EAS environment variable when connecting a Convex project. (#​3685 by @​fiberjw)
🐛 Bug fixes
  • [build-tools] Update the minimum Expo version required for iOS precompiled modules. (#​3677 by @​sjchmiela)
  • [eas-cli] recommend that users read the docs after connecting Convex (#​3683 by @​fiberjw)

v18.11.0

Compare Source

🎉 New features
  • [eas-cli] Add --simulator to eas build:dev and eas build:run to select which iOS simulator to install and run builds on. (#​3637 by @​mmichels-brex)
🐛 Bug fixes
  • [eas-cli] Fix Convex team invite output after skipped or unnecessary invitations. (#​3672 by @​fiberjw)
  • Make directories marked as read-only writable when creating a tar, to prevent the cross-filesystem issues when extracting the tar. (#​3489 by @​sswrk)

v18.10.0

Compare Source

🎉 New features
  • [eas-cli] Add eas integrations:convex commands to manage Convex integrations for EAS projects. (#​3575 by @​fiberjw)
  • [eas-cli] New command observe:logs for custom events. (#​3638 by @​douglowder)
🐛 Bug fixes
  • [eas-cli] Create portable project archives on all platforms to normalize cross-platform tar metadata and permissions. (#​3234 by @​sjchmiela)
  • [eas-cli] Remove hardcoded builderEnvironment.image override in eas build:resign. (#​3661 by @​hSATAC)
  • [eas-cli] Fix eas update --json intermittently failing with JSON parse errors during "Computing project fingerprints" by passing silent: true to @expo/fingerprint to suppress subprocess stdout pollution. (#​3659 by @​Mookiies)

v18.9.1

Compare Source

v18.9.0

Compare Source

🎉 New features
  • [eas-cli] Add eas integrations:asc commands to manage App Store Connect integrations for EAS projects. (#​3558 by @​sswrk)
  • [eas-cli] Allow eas build:download to accept a build ID. (#​3655 by @​douglowder)
  • [eas-cli] Add --id alias for --build-id flag in eas build:download. (#​3656 by @​brentvatne)
🐛 Bug fixes
  • [steps] Fix workflow job context interpolation when a string contains multiple ${{ }} expressions on the same line (for example a changelog built from two context values). (#​3644 by @​gwdp)

v18.8.1

Compare Source

v18.8.0

Compare Source

🎉 New features
  • [eas-cli] Support custom params in observe:events results. (#​3620 by @​douglowder)
  • [build-tools] Add eas/deploy function for EAS Hosting web deployments. (#​3598 by @​gwdp)
  • [build-tools] Add eas/export function for Expo web exports. (#​3598 by @​gwdp)
  • [eas-cli] Add eas update:insights <groupId> command to display launch, crash, unique-user, and payload-size metrics for an update group. (#​3614 by @​kadikraman)
  • [eas-cli] Add --insights flag to eas update:view <groupId> to append the same metrics below the existing output. (#​3614 by @​kadikraman)
  • [eas-cli] Add eas channel:insights --channel <name> --runtime-version <version> command to display adoption and crash metrics for a channel + runtime version. (#​3614 by @​kadikraman)
🐛 Bug fixes
  • [eas-cli] Fix metadata:push not deleting video previews from App Store Connect when removed from config. (#​3603 by @​EvanBacon)
  • [eas-cli] Warn and skip unknown preview types in metadata:push with a helpful suggestion when the APP_ screenshot prefix is mistakenly used. (#​3603 by @​EvanBacon)
  • [eas-cli] Delete all existing previews in a preview set before uploading to avoid Apple's "Too many app previews" error. (#​3603 by @​EvanBacon)
  • [eas-cli] Fixes for observe commands, including an issue for apps with many update IDs. (#​3609 by @​douglowder)
  • [eas-cli] Add existing capability identifiers. (#​3615 by @​jakex7)

v18.7.0

Compare Source

🎉 New features
  • [build-tools] Add eas/read_package_json and eas/read_app_config functions (#​3585 by @​gwdp)
  • [eas-cli] Add --skip-bundler to eas build:dev to install and run a development build without starting the local Expo/Metro server. (#​3604 by @​mmichels-brex)

v18.6.0

Compare Source

🎉 New features
  • [eas-cli] Add missing Apple metadata attributes for age ratings and content descriptions. (#​3584 by @​EvanBacon)
  • [eas-cli] Add App Clip metadata support to metadata:push and metadata:pull (default experience action, per-locale subtitle and header image, App Store review invocation URLs). (#​3590 by @​EvanBacon)
  • [build-tools] Add working_directory input to eas/build function group for custom builds. (#​3582 by @​szdziedzic)
🐛 Bug fixes
  • [steps] Coerce numeric env values to strings in workflow step configuration. (#​3583 by @​szdziedzic)
  • [build-tools][eas-cli] Detect iOS Development provisioning profiles and set correct code signing identity instead of treating them as Ad Hoc. (#​3496 by @​qwertey6)
  • [build-tools] Prevent detecting Yarn Modern as Classic based on lockfile (#​3572 by @​kitten)
  • [build-tools] Early stop eas/start_android_emulator when Android emulator host setup is invalid. (#​3580 by @​gwdp)
  • [eas-cli] Bump @expo/apple-utils to 2.1.18 to fix metadata:push failing on ageRatingDeclarations due to the removed gamblingAndContests attribute. (#​3588 by @​EvanBacon)
  • [eas-cli] Bump @expo/apple-utils to 2.1.19 to fix image and video uploads via metadata:push getting stuck in AWAITING_UPLOAD state. The asset client was inheriting Bearer token injection from the App Store Connect API client, which caused S3 presigned URL uploads to be silently mishandled by Apple's CDN. Fixes screenshots, previews, and App Clip header image uploads. (#​3590 by @​EvanBacon)
  • [eas-cli] metadata:pull now preserves screenshot, video preview, and App Clip header image entries with placeholder paths when the asset is in an unrendered state, so users can recover broken records by replacing the file or removing the entry instead of having entries silently dropped from store.config.json. (#​3590 by @​EvanBacon)
  • [eas-cli] Surface hosting deployment's asset upload errors sooner (#​3600 by @​kitten)

v18.5.0

Compare Source

🎉 New features
  • [eas-cli] Add screenshots and previews support to metadata:push and metadata:pull. (#​3301 by @​EvanBacon)
  • [eas-cli] Add --non-interactive flag to metadata:push and metadata:pull commands with ASC API Key auth support. (#​3548 by @​EvanBacon)
  • [eas-cli] Add observe:metrics, observe:events, and observe:versions commands. (#​3401 by @​ubax), @​douglowder
🐛 Bug fixes
  • [eas-cli] Fix workflow:logs for builds using built-in EAS build steps. (#​3523 by @​douglowder)
  • [build-tools][worker] Read Expo app config with expo config CLI invocation before falling back to @expo/config (#​3536 by @​kitten)
  • Fix hasIgnoredIosProjectAsync() always returning false for ignored iOS projects. (#​3562 by @​sjchmiela)
🧹 Chores

v18.4.0

Compare Source

🎉 New features

v18.3.0

Compare Source

🎉 New features

v18.2.0

Compare Source

🎉 New features
🐛 Bug fixes
  • Check all certificates in provisioning profile during verification instead of only the first one. (#​3484 by @​qwertey6)
  • Provide an override for the new --environment flag requirement in the update command. (#​3442 by @​douglowder)
  • Add missing --include=dev for npm install commands (#​3459 by @​kitten)
  • Add missing --production false for yarn install commands for Yarn Classic (#​3459 by @​kitten)
🧹 Chores

v18.1.0

Compare Source

🎉 New features
🐛 Bug fixes

v18.0.6

Compare Source

v18.0.5

Compare Source

🛠 Breaking changes

v18.0.4

Compare Source

🐛 Bug fixes

v18.0.3

Compare Source

🎉 New features

v18.0.1

Compare Source

🛠 Breaking changes
🎉 New features
🐛 Bug fixes
🧹 Chores

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from batazor as a code owner February 28, 2026 19:12
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 5 times, most recently from bf5c479 to d4157e4 Compare February 28, 2026 20:21
tar@6.2.1:
resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==}
engines: {node: '>=10'}
tar@7.5.7:

Check failure

Code scanning / Semgrep PRO

Semgrep Finding: ssc-57bed0d1-ff99-ee22-f61c-8b06726885f0 Error

Affected versions of tar are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Node tar's tar.extract() can be abused by a malicious tar archive to escape the extraction directory via a symlink + hardlink trick: the archive creates symlinks inside the extract root and then a hardlink whose resolved target points outside the root. Because hardlink target validation is string-based and does not resolve on-disk symlinks, tar will create a file inside the extraction directory that is actually a hardlink to an external file, enabling arbitrary file read/write as the extracting user when processing attacker-controlled archives with default options.
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch from d4157e4 to 6bca057 Compare March 14, 2026 19:17
tar@6.2.1:
resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==}
engines: {node: '>=10'}
tar@7.5.7:

Check failure

Code scanning / Semgrep PRO

Semgrep Finding: ssc-7756a4fb-c6e4-1e33-48ed-f809b32adb6d Error

Affected versions of tar are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). tar's extractor can be bypassed to create a symlink that escapes the intended extraction root by using a drive-relative Windows-style link target like C:../../../target.txt. When such an attacker-controlled tarball is extracted via normal tar.x({ cwd, file }), the escape check is performed against the pre-stripped linkpath but the symlink is created with the stripped ../../../target.txt value, allowing subsequent writes through the extracted symlink to overwrite arbitrary files outside cwd with the permissions of the extracting process.
tar@6.2.1:
resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==}
engines: {node: '>=10'}
tar@7.5.7:

Check failure

Code scanning / Semgrep PRO

Semgrep Finding: ssc-d4117188-df1d-8856-27d7-223751823516 Error

Affected versions of tar are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') / Improper Link Resolution Before File Access ('Link Following'). node-tar can be abused during normal tar.x() extraction to write files outside the intended cwd by crafting a hardlink entry whose linkpath uses a drive-relative target like C:../target.txt. Because the unpack logic checks for .. path traversal segments before stripping the absolute root (C:), the link target is rewritten to ../target.txt after validation, allowing the extracted hardlink to resolve outside the extraction directory and enabling arbitrary file overwrite with the extractor's privileges.
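
The check-ordering flaw described in the finding above (validating for `..` segments before the drive root is stripped), as an added example that is not part of this PR or node-tar's code. All function names are hypothetical and the sample linkpaths are constructed; it contrasts the flawed order with validating the exact string that will be used.

```javascript
// Added example. Function names are hypothetical; this is not node-tar's code.

// Remove leading drive prefixes ("C:") and root slashes until none remain,
// e.g. "C:../x" -> "../x", "/etc/x" -> "etc/x".
function stripRoot(p) {
  let prev;
  do {
    prev = p;
    p = p.replace(/^[A-Za-z]:/, '').replace(/^[\\/]+/, '');
  } while (p !== prev);
  return p;
}

// True when any path segment is exactly "..".
function hasDotDot(p) {
  return p.split(/[\\/]/).includes('..');
}

// Flawed order from the finding: validate the raw linkpath, then strip the
// root and use the stripped value, which was never validated.
function checkThenStrip(linkpath) {
  if (hasDotDot(linkpath)) return { ok: false, used: null };
  return { ok: true, used: stripRoot(linkpath) };
}

// Corrected order: strip first, then validate the exact string that is used.
function stripThenCheck(linkpath) {
  const used = stripRoot(linkpath);
  if (hasDotDot(used)) return { ok: false, used: null };
  return { ok: true, used };
}

// Constructed sample linkpaths; "C:../target.txt" is the form the finding names.
const SAMPLES = ['lib/index.js', 'C:../target.txt', '../target.txt', 'C:\\dir\\file.txt'];

function audit(samples) {
  return samples.map((linkpath) => ({
    linkpath,
    flawed: checkThenStrip(linkpath),
    hardened: stripThenCheck(linkpath),
  }));
}

for (const row of audit(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

A string check like this does not cover the symlink + hardlink case in the first finding, which depends on resolving the link target against symlinks already on disk.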
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 2 times, most recently from 8869fc5 to 3f2c074 Compare March 16, 2026 21:31
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 3 times, most recently from c658d66 to 1a8a186 Compare April 2, 2026 13:18
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 5 times, most recently from 02cddc2 to 1f84684 Compare April 8, 2026 21:46
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 5 times, most recently from 2529849 to 2d88a47 Compare April 14, 2026 21:42
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 6 times, most recently from c6cf8e8 to ab8efff Compare April 23, 2026 17:13
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 4 times, most recently from 9513f4f to 18551ad Compare May 4, 2026 10:21
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch from 18551ad to 026a5ec Compare May 8, 2026 02:43
sonarqubecloud Bot commented May 8, 2026

@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch 6 times, most recently from e4188e5 to 7069676 Compare May 18, 2026 18:39
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot force-pushed the renovate/eas-cli-18.x branch from 7069676 to 82bd8d4 Compare May 19, 2026 00:41