chore(deps): upgrade safe patch/minor dependencies #66

Merged
arstiefel merged 1 commit into main from deps-bulk-upgrade on Apr 24, 2026

Conversation

@arstiefel
Collaborator

Description

Bulk upgrade of 28 npm packages to the latest non-breaking versions across the SDK root and the example app. Covers React Native 0.85.0 → 0.85.2 (and every @react-native/* sibling), all seven @opentelemetry/* packages in the monorepo (0.213.x → 0.215.x and 2.6.x → 2.7.x, kept in sync), jest 30.2 → 30.3, turbo 2.8 → 2.9, react-native-builder-bob 0.40 → 0.41, release-it 19 → 20 (with @release-it/conventional-changelog 10 → 11, required for release-it 20), and assorted patch bumps on eslint, commitlint, prettier, lefthook, and react-native-webview. src/telemetry/sdkVersion.ts and example/ios/Podfile.lock come along because yarn prepare / pod resolution regenerated them for the new RN version.

Deliberately held back: react / react-test-renderer stay at 19.2.3 (RN 0.85.2's bundled react-native-renderer is 19.2.3, and any drift trips the runtime "Incompatible React versions" error); eslint / @eslint/js stay at ^9 (@react-native/eslint-config@0.85.2 pins ^8 || ^9); typescript stays at ^5.9.3 (TS 6 introduces TS2882 on the react-native-get-random-values side-effect import).

Testing

Verified locally with the full CI-equivalent pipeline:

  • yarn install — resolves cleanly, only pre-existing peer warnings (@testing-library/react-hooks is archived and over-constrains React).
  • tsc --noEmit — clean.
  • eslint "**/*.{js,ts,tsx}" — clean.
  • jest — 158/158 tests passing across all 16 suites (ApplePay, ApplePayWebView, GoogleWallet, bridge, tokenizer client, telemetry, etc.).
  • bob build — produces lib/module and lib/typescript identically to the previous build.
  • release-it --dry-run --ci — dry-run works end-to-end under release-it 20 + conventional-changelog 11.

Runtime smoke-test on Android emulator is still advised after Metro restart (yarn start --reset-cache) since RN bundles regenerate; no user-facing code paths were touched.

Security Review

Important

A security review is required for every PR in this repository to comply with PCI requirements.

  • I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

No source code was modified. The only non-package.json edits are (a) src/telemetry/sdkVersion.ts, auto-generated to 0.9.0 by scripts/update-sdk-version.js during yarn prepare, and (b) example/ios/Podfile.lock, regenerated by CocoaPods for the RN 0.85.2 patch bump. No changes to tokenizer flows, Apple Pay / Google Pay handlers, bridge message routing, PCI-scoped credit-card entry, or any auth/authorization path. All upgrades are patch or minor SemVer bumps within the same major; release notes for RN 0.85.2 and OTel 0.215/2.7 contain no security-relevant deprecations that affect our usage. The tighter @react-native-community/cli 20.1.3 patch additionally rolls in upstream security fixes for the dev server (not shipped to production). yarn.lock has been regenerated from the registry and checked in.

Bumps 28 packages across root and example to the latest non-breaking
versions. Covers:

- @react-native/* and react-native 0.85.0 -> 0.85.2 (patch)
- OpenTelemetry packages 0.213.x -> 0.215.x and 2.6.x -> 2.7.x
- jest 30.2 -> 30.3, turbo 2.8 -> 2.9, bob 0.40 -> 0.41
- release-it 19 -> 20 (with @release-it/conventional-changelog 10 -> 11)
- Assorted eslint/commitlint/prettier/lefthook patch bumps

Verified with tsc, eslint, jest (158/158), bob build, and
release-it --dry-run. react/react-test-renderer held at 19.2.3 to match
the react-native-renderer that RN 0.85.2 bundles. eslint 10 blocked by
@react-native/eslint-config peer cap; typescript 6 blocked by a new
TS2882 error on the react-native-get-random-values side-effect import.
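The two pinning rules the description relies on (react / react-test-renderer must equal the React version that react-native's bundled renderer expects, and every @opentelemetry/* package within one major line must carry the same version) can be enforced as a pre-merge check over package.json. The script below is an added example, not code from this PR or the project; the dependency map and OTel patch digits are constructed for the demo, and the renderer's React version is assumed to be passed in rather than discovered.

```javascript
// Added example (not from the PR or the project): consistency checks for the
// dependency pins described above, run over a package.json dependency map.

// Strip range operators so "^19.2.3" compares as "19.2.3".
function pinnedVersion(range) {
  return String(range).trim().replace(/^[\^~<>=\s]+/, '');
}

// Rule 1: react and react-test-renderer must match the React version the
// react-native renderer was built against; drift surfaces only at runtime
// as the "Incompatible React versions" error, so catch it before merge.
function checkReactAlignment(deps, rendererReactVersion) {
  const problems = [];
  for (const name of ['react', 'react-test-renderer']) {
    if (!(name in deps)) { problems.push(`${name}: not declared`); continue; }
    const v = pinnedVersion(deps[name]);
    if (v !== rendererReactVersion) {
      problems.push(`${name}: ${v} does not match bundled renderer ${rendererReactVersion}`);
    }
  }
  return problems;
}

// Rule 2: @opentelemetry/* packages ship in two lines (0.2xx.x and 2.x);
// all packages within one major must share a version so the line moves as a unit.
function checkOtelInSync(deps) {
  const byMajor = new Map(); // major -> Set of distinct pinned versions
  for (const [name, range] of Object.entries(deps)) {
    if (!name.startsWith('@opentelemetry/')) continue;
    const v = pinnedVersion(range);
    const major = v.split('.')[0];
    if (!byMajor.has(major)) byMajor.set(major, new Set());
    byMajor.get(major).add(v);
  }
  return [...byMajor]
    .filter(([, versions]) => versions.size > 1)
    .map(([major, versions]) =>
      `@opentelemetry/* ${major}.x line has mixed versions: ${[...versions].sort().join(', ')}`);
}

function runChecks(deps, rendererReactVersion) {
  return [...checkReactAlignment(deps, rendererReactVersion), ...checkOtelInSync(deps)];
}

// Constructed sample mirroring the post-upgrade state (patch digits on the
// OTel entries are made up; the package list is illustrative).
const sampleDeps = {
  'react-native': '0.85.2', 'react': '19.2.3', 'react-test-renderer': '19.2.3',
  '@opentelemetry/core': '^2.7.0', '@opentelemetry/resources': '^2.7.0',
  '@opentelemetry/sdk-trace-base': '^2.7.0',
  '@opentelemetry/exporter-trace-otlp-http': '^0.215.0',
  '@opentelemetry/instrumentation': '^0.215.0',
};
const sampleProblems = runChecks(sampleDeps, '19.2.3');
console.log(sampleProblems.length ? sampleProblems.join('\n') : 'dependency pins consistent');
```

In a real repository, merge `dependencies` and `devDependencies` from package.json into the map before calling runChecks.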
@arstiefel arstiefel requested review from a team as code owners April 24, 2026 15:05
@snyk-io
Contributor

snyk-io Bot commented Apr 24, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical  High  Medium  Low  Total (0)
         Open Source Security   0         0     0       0    0 issues
         Licenses               0         0     0       0    0 issues
         Code Security          0         0     0       0    0 issues


@arstiefel arstiefel merged commit ee43cc3 into main Apr 24, 2026
7 checks passed
@arstiefel arstiefel deleted the deps-bulk-upgrade branch April 24, 2026 15:54