feat(bundle-update): add resetToBuiltInBundle API and bump to 1.1.37

[huhuanming]

Summary

• Add resetToBuiltInBundle() API to react-native-bundle-update that clears the currentBundleVersion preference, allowing the app to revert to the built-in JS bundle on next restart
• Implemented on both Android (SharedPreferences) and iOS (UserDefaults) with nitrogen bindings
• Bump all packages version from 1.1.36 to 1.1.37

Test plan

• Verify resetToBuiltInBundle() clears the bundle preference on Android
• Verify resetToBuiltInBundle() clears the bundle preference on iOS
• Verify app loads built-in bundle after calling resetToBuiltInBundle() and restarting

🤖 Generated with Claude Code

---

[devin-ai-integration]

Devin Review found 1 potential issue.

View 3 additional findings in Devin Review.

[devin-ai-integration]

🔴 iOS resetToBuiltInBundle() erroneously removes unrelated UserDefaults entry keyed by bundle version string

In the iOS resetToBuiltInBundle() implementation, line 1037 calls ud.removeObject(forKey: cbv) where cbv is the value of currentBundleVersion (e.g., "1.0.0-100"). This removes an unrelated UserDefaults entry that was used for legacy signature storage. This line was copy-pasted from clearAllJSBundleData() (ReactNativeBundleUpdate.swift:1058) where it makes sense because that function clears ALL data. However, resetToBuiltInBundle() should only clear the currentBundleVersion preference. The Android implementation at ReactNativeBundleUpdate.kt:1076 confirms this — it only removes "currentBundleVersion" and does not touch any other keys. This extra removal could delete legacy signature data that should be preserved, since the user may want to switch back to that bundle version later via setCurrentUpdateBundleData.

Suggested change

	ud.removeObject(forKey: cbv)
	ud.removeObject(forKey: "currentBundleVersion")

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​onekeyfe/​react-native-scroll-guard@​0.0.0-use.local

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL) Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4 Patched version: 4.5.4 From: ? → npm/@react-native-community/cli-platform-android@20.0.0 → npm/@react-native-community/cli-platform-ios@20.0.0 → npm/@react-native-community/cli@20.0.0 → npm/fast-xml-parser@4.5.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: ? → npm/react-native@0.83.0 → npm/@react-native/debugger-frontend@0.83.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.83.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report