unable to resolve module @shopify/flash-list [Crash]

[rodrigodiasf1984]

"react-native": "0.74.2",
"react-native-actions-sheet": "^0.9.6",
"react-native-gesture-handler": "^2.17.1",

Hi guys, just got this error , any idea how to solve it?

[goguda]

Got this too, just install @shopify/flash-list manually with npm install @shopify/flash-list or yarn add @shopify/flash-list

[cleardu-bony]

upgrade below dependencies :
"@react-navigation/drawer": "6.7.0",
"@react-navigation/native": "6.1.17",
"@react-navigation/native-stack": "6.10.0",

degrade your react-native-action-sheet version to "0.9.3" , if that doesn't work, upgrade your version to latest version and then degrade to "0.9.3" again... this worked for me. 👍

[rodrigodiasf1984]

I've fixed it by installing @shopify/flash-list like @goguda has mentioned it, thanks

[goguda]

@rodrigodiasf1984 Are you able to reopen this issue? We should probably leave this open since I think this technically is a bug. @shopify/flash-list shouldn’t need to be installed separately, it should be downloaded as a dependency of the package.

Thank you!

[divineniiquaye]

I don't understand why versions are shipped to npm which the code for it on repo doesn't exist. Last commit was even 3 months ago. Guys kindly install new versions with caution or better, stick to version 0.9.3

[goguda]

I don't understand why versions are shipped to npm which the code for it on repo doesn't exist. Last commit was even 3 months ago. Guys kindly install new versions with caution or better, stick to version 0.9.3

Hm, you do have a point, I did find this a little strange as well.

[goguda]

I don't understand why versions are shipped to npm which the code for it on repo doesn't exist. Last commit was even 3 months ago. Guys kindly install new versions with caution or better, stick to version 0.9.3

So, just for peace of mind, I had a look at the code in version 0.9.6 shipped by npm and I don't see anything too out of the ordinary. I also used npm diff between versions 0.9.3, 0.9.4, 0.9.5 and 0.9.6 and didn't find anything overly strange. I checked for both fetch calls as well as any weird react native calls that might modify something on the device, but I didn't see anything.

0.9.4 looks like it may have been a mistake, pretty much everything in the dist folder gets deleted. 0.9.5 fixes the mistake by restoring what's in dist and 0.9.6 looks like it completes the migration from FlatList to shopify's FlashList (which is what introduced this error).

So anyone who's already upgraded should be safe, for now.

However, that having been said, thank you for drawing attention to this. I do still find this behaviour a bit alarming considering we're talking 3 revisions now where the code has not been updated on GitHub. There's nothing stopping the author from releasing a 0.9.7 version the same way with something malicious in it.

The way everything gets deleted in 0.9.4 is also a bit strange. Not the most alarming thing, but could be testing the waters for something bigger perhaps?

We're probably going to lock our package version and ween our app off of this package just to be safe. Everyone else should probably also take these measures, unless the author of the package @ammarahm-ed can shed some light on what's going on here.

[arelstone]

I don't understand why versions are shipped to npm which the code for it on repo doesn't exist. Last commit was even 3 months ago. Guys kindly install new versions with caution or better, stick to version 0.9.3

So, just for peace of mind, I had a look at the code in version 0.9.6 shipped by npm and I don't see anything too out of the ordinary. I also used npm diff between versions 0.9.3, 0.9.4, 0.9.5 and 0.9.6 and didn't find anything overly strange. I checked for both fetch calls as well as any weird react native calls that might modify something on the device, but I didn't see anything.

0.9.4 looks like it may have been a mistake, pretty much everything in the dist folder gets deleted. 0.9.5 fixes the mistake by restoring what's in dist and 0.9.6 looks like it completes the migration from FlatList to shopify's FlashList (which is what introduced this error).

So anyone who's already upgraded should be safe, for now.

However, that having been said, thank you for drawing attention to this. I do still find this behaviour a bit alarming considering we're talking 3 revisions now where the code has not been updated on GitHub. There's nothing stopping the author from releasing a 0.9.7 version the same way with something malicious in it.

The way everything gets deleted in 0.9.4 is also a bit strange. Not the most alarming thing, but could be testing the waters for something bigger perhaps?

We're probably going to lock our package version and ween our app off of this package just to be safe. Everyone else should probably also take these measures, unless the author of the package @ammarahm-ed can shed some light on what's going on here.

Thanks @goguda for spending time investigating this. 👏
Do you have suggestions of other packages with similar features?

I'd be up for making a fork, but I am not at a place where I can be the only maintainer

[ammarahm-ed]

This has been fixed in v0.9.7 release.

v0.9.4 was an accident. I had added src folder to .gitignore not realising that it would also exclude dist/src folder too. It was fixed in the next release.