This repository contains sample React Native applications demonstrating WalletConnect and Reown integrations.
/
├── dapps/ # Sample dApps (decentralized applications)
└── wallets/ # Sample wallet implementations
| App | Description | AGENTS.md |
|---|---|---|
| appkit-expo-wagmi | Expo + Wagmi integration | - |
| poc-pos-app | Point of Sale proof of concept | View |
| pos-app | Point of Sale application | View |
| W3MEthers | AppKit with Ethers.js | - |
| W3MEthers5 | AppKit with Ethers.js v5 | - |
| W3MWagmi | AppKit with Wagmi | View |
| App | Description | AGENTS.md |
|---|---|---|
| expo-wallet | Expo-based sample wallet | View |
| rn_cli_wallet | React Native CLI wallet | View |
All dependency versions in package.json must be pinned to exact versions. Do not use ^ or ~ prefixes. For example, use "react-native": "0.76.9" instead of "react-native": "^0.76.9". This applies to dependencies, devDependencies, overrides, and resolutions.
WARNING: Do not delete or regenerate lock files (yarn.lock / package-lock.json). Regenerating a lock file causes massive version churn across the entire dependency tree and will break builds. Only make targeted, minimal changes to lock files. If you need to update a dependency, modify package.json and run the package manager — it will update only the affected entries in the lock file.
When Dependabot flags security vulnerabilities in transitive dependencies, fix them by adding overrides/resolutions to package.json only. Do not regenerate lock files.
Add to overrides in package.json:
{
"overrides": {
"vulnerable-package": "fixed-version"
}
}Add to resolutions in package.json:
{
"resolutions": {
"vulnerable-package": "fixed-version"
}
}After adding overrides/resolutions, run npm install or yarn install in the specific project directory. Verify the lock file diff is small and targeted — if it shows thousands of changed lines, something went wrong. Do not commit large lock file diffs.
To update only the changed lockfile entries (this is NOT a full lockfile regeneration — see the warning above; it re-resolves just the dependencies your override touched and leaves the rest of the lock alone) while iterating on overrides:
- npm:
npm install --package-lock-only --ignore-scripts— writespackage-lock.jsononly, does not create/modifynode_modules. - yarn berry (3.x):
yarn install --mode=update-lockfile— writesyarn.lockonly, skips the fetch/link steps. - yarn classic (1.x): has no lockfile-only mode.
yarn install --ignore-scriptsstill fetches and linksnode_modules(only the lifecycle/postinstall scripts are skipped); theyarn.lockdiff stays small because only the re-resolved entries change. Always sanity-check the diff before committing.
- uuid majors.
uuid@14requires Node ≥20 and a globalcrypto(RN needs thereact-native-get-random-valuespolyfill; web/Vercel must exposecrypto). The POS apps depend onuuid@14directly and work because that polyfill is installed — do not assume a fresh app will. For transitive uuid, pinning touuid@11.1.1is safe (every consumer here is ≥7.0.3, past the v7 removal of the default export anduuid/v4deep paths), but do not force transitive uuid to 14. When an app directly depends onuuid(e.g.14), npm rejects a top-leveluuidoverride to a different version — scope it instead:"overrides": { "xcode": { "uuid": "11.1.1" } }(the old uuid usually comes only fromxcode, a host-side prebuild tool, never bundled). - Pinned overrides drift into being the source of alerts. Versions like
tar,js-yaml,undici,hono,tmpare pinned for build stability; over time the pinned version itself gets a CVE. Fix by bumping the pin to the new patched version — never by deleting the override (dropping it lets the resolver pick a version that breaks the build, especially the Vercel web build inpos-app). - Vercel
@vercel/nodeundici.pos-apppins@vercel/node's nestedundici(vercel-only serverless tooling forapi/*). undici has no patched 5.x line, so the fix requires the 6.x line — bumping it is correct but must be verified on the Vercel preview deploy, not just the localweb:build(which doesn't build the serverless functions). Keep the pin scoped under@vercel/node. - Do NOT bump
wspast8.18.1in the React Native apps.ws@8.19+'slib/permessage-deflate.jshas a top-levelrequire('zlib'), and once that path is bundled Metro fails the release bundle withUnable to resolve module zlib(:app:createBundleInternalJsAndAssets FAILED/react-native bundle).ws@8.18.1is the highest bundle-safe version and is pinned deliberately in the W3M apps for that reason — leave the npm apps'wstransitive (do not add an override).wsis a Node-only transitive dep (RN uses the native WebSocket), so its DoS advisories are not exploitable in the RN runtime; thewsDependabot alerts are dismissed rather than fixed. Reproduce locally withnpx react-native bundle --entry-file index.js --platform android --dev false --bundle-output /tmp/b.jsbefore touchingws. tmp@0.2.6is itself vulnerable (GHSA-7c78); usetmp@0.2.7.- Keep
@babel/coreand@babel/helpersin sync. W3MEthers/W3MEthers5 pin@babel/helpers/@babel/runtimeinresolutions; if@babel/coreresolves to 7.29.x (it does, transitively) while@babel/helpersis pinned below7.29.2, Metro crashes at bundle time withhelpers(...).isInternal is not a function(@babel/core7.27+ callshelpers.isInternal). Bump both to a matching 7.29.x — note the packages don't share an exact version (e.g.@babel/core@7.29.6pairs with@babel/helpers@7.29.7; there is no@babel/helpers@7.29.6). The other apps don't pin helpers, so they self-resolve and are unaffected. concurrent-ruby < 1.3.4was pinned in someGemfiles to dodge the broken 1.3.4loggerregression. Withgem 'logger'present (it is),1.3.7is safe — pin to1.3.7rather than capping below the security fix.faradayis capped at~> 1.0by fastlane; its CVE fix (2.14.3) is a major that fastlane won't allow. Don't force it — dismiss the alert (CI release tooling only) or upgrade fastlane deliberately.