chore: bump @react-native-firebase/* 20.1.0 → 23.8.8

[janicduplessis]

Fixes APP-3606, APP-3614

What changed (plus any additional context for devs)

Bumps the React Native Firebase suite from 20.1.0 to 23.8.8 — a major version jump that upgrades the underlying Firebase iOS SDK from v10 to v12 and the Android Firebase BoM accordingly.

• @react-native-firebase/app, @react-native-firebase/messaging, and @react-native-firebase/remote-config pinned to 23.8.8.
• @lavamoat/allow-scripts entries for two new transitive dependencies the upgrade brings in (protobufjs, @firebase/util).
• Android gradle plugins updated to the versions react-native-firebase v23.8.8 recommends: google-services 4.4.4 and firebase-crashlytics-gradle 3.0.6. The crashlytics plugin was a major version behind, which can cause deobfuscation issues in crash reports.
• globalThis.RNFB_SILENCE_MODULAR_DEPRECATION_WARNINGS is set in index.js. v23 deprecated the namespaced API (messaging().getToken(), remoteConfig().fetchAndActivate(), etc.) and emits a console.warn on every call; Sentry captures console.warn as breadcrumbs, so without the flag ~7+ warnings fire on every cold start and blow through the breadcrumb budget before any useful crash diagnostics land. Migration to the modular API is tracked in FEPLAT-80.

Heads-up for app store review / binary audits: Firebase iOS SDK v12 restructured analytics packaging and now transitively pulls in GoogleAdsOnDeviceConversion 3.3.0 via GoogleAppMeasurement/Default. We don't use it, but it's compiled into the binary.

Requires companion rainbow-scripts PR: https://github.com/rainbow-me/rainbow-scripts/pull/217 (updates native module whitelist paths from lib/ to dist/module/ for v23).

Screen recordings / screenshots

N/A

What to test

• Push notifications: receive in foreground, background, and killed state; tap to open
• Remote config: verify feature flags load correctly on app launch
• Cold start: no Firebase initialization crashes or warnings in logs

Validation done

• Android: FCM token obtained successfully, registered with echo server (response: SUCCESS), remote config loaded (103 keys)
• iOS (simulator): FCM token correctly unavailable (simulator limitation), remote config loaded successfully (102 keys, fetchAndActivate: true)
• Both platforms: app starts without Firebase crashes, dapp_browser and other remote config flags resolve correctly

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​react-native-firebase/​app@​20.1.0 ⏵ 23.8.8			+2	+2
	npm/​@​react-native-firebase/​messaging@​20.1.0 ⏵ 23.8.8	+1		+1	+2
	npm/​@​react-native-firebase/​remote-config@​20.1.0 ⏵ 23.8.8	-1		+1	+2

View full report

[linear]

APP-3606 Bump @react-native-firebase/* 20.1.0 → 23.8.8

APP-3614 Upgrade outdated Firebase module due to deprecation warning

[github-actions]

Launch in simulator or device for e5a40cc

[janicduplessis]

Important

Companion PR: https://github.com/rainbow-me/rainbow-scripts/pull/217 (updates firebase native module whitelist path from nativeModule.js to nativeModuleAndroidIos.js)

Note

TODO: Migrate firebase consumers from namespaced API to modular API — FEPLAT-80

[olerass]

Couple things from reviewing the diff + tracing the consumer files:

Deprecation warnings flooding sentry breadcrumbs
v23 deprecated the namespaced API (messaging().getToken(), remoteConfig().fetchAndActivate(), etc) and emits a console.warn on every call. All our consumer files use this style, so wed get ~7+ warnings on every cold start alone. Since sentry captures console.warn as breadcrumbs and we have maxBreadcrumbs at 10, these basically fill up the entire breadcrumb budget within seconds of launch, pushing out actually useful crash diagnostics.

One-liner fixcould add this early in app init (e.g. index.js before firebase imports):

globalThis.RNFB_SILENCE_MODULAR_DEPRECATION_WARNINGS = true

(eventual migration to the modular API is a separate task, namespaced works fine until the next major afaics)

Android gradle plugin versions
The firebase BoM jumped from 33.1.0 to 34.10.0 but android/build.gradle still has google-services:4.3.15 and firebase-crashlytics-gradle:2.9.2 (recommended: 4.4.4 and 3.0.6 from https://github.com/invertase/react-native-firebase/blob/v23.8.8/packages/app/package.json#L110-L122). The crashlytics one is a major version behind which could cause deobfuscation issues in crash reports. Not blocking but probably worth bumping while we're in here.

GoogleAdsOnDeviceConversion pod
Just flagging since firebase iOS SDK v12 restructured analytics packaging and now pulls in GoogleAdsOnDeviceConversion 3.3.0 transitively via GoogleAppMeasurement/Default. Our app doesn't use it ofc, but it's compiled into the binary. Might be worth noting in the PR description for visibility since it could come up in app store review or binary audits. Otherwize not actionable in this PR afaiu, just good to be aware of.

[github-actions]

Launch in simulator or device for 708dfd3

[github-actions]

🧪 Flashlight Performance Report (AWS Device Farm)

🔀 Commit: 94a76f5

📎 View Artifacts

Metric	Current	Δ vs Baseline
Time to Interactive (TTI)	2666 ms	🔴 +177.5 ms (+7.1%)
Average FPS	59.71	⚪ +0.0 (+0.1%)
Average RAM	464.1 MB	⚪ -3.4 MB (-0.7%)

[github-actions]

Launch in simulator or device for ddf3b47

[github-actions]

Launch in simulator or device for 3d6fb1a