diff --git a/common/index.ts b/common/index.ts
index 909170e2c..39f3387d6 100644
--- a/common/index.ts
+++ b/common/index.ts
@@ -18,11 +18,9 @@ export type {
   UserIdType,
 } from './src/utils/index.js';
 
-
 // Constants exports
 export type { Country3LetterCode } from './src/constants/index.js';
 
-
 // Additional type exports
 export type { Environment } from './src/utils/types.js';
 
diff --git a/common/src/utils/aadhaar/mockData.ts b/common/src/utils/aadhaar/mockData.ts
index ae74877f5..4cb80b69d 100644
--- a/common/src/utils/aadhaar/mockData.ts
+++ b/common/src/utils/aadhaar/mockData.ts
@@ -49,7 +49,6 @@ function computeUppercasePaddedName(name: string): number[] {
     .map((char) => char.charCodeAt(0));
 }
 
-
 // Helper function to compute final commitment
 export function computeCommitment(
   secret: bigint,
@@ -61,8 +60,6 @@ export function computeCommitment(
   return poseidon5([secret, qrHash, nullifier, packedCommitment, photoHash]);
 }
 
-
-
 // Helper function to compute packed commitment
 export function computePackedCommitment(
   extractedFields: ReturnType<typeof extractQRDataFields>
@@ -77,7 +74,6 @@ export function computePackedCommitment(
   return BigInt(packBytesAndPoseidon(packedCommitmentArgs));
 }
 
-
 export function convertByteArrayToBigInt(byteArray: Uint8Array | number[]): bigint {
   let result = 0n;
   for (let i = 0; i < byteArray.length; i++) {
diff --git a/packages/mobile-sdk-demo/metro.config.cjs b/packages/mobile-sdk-demo/metro.config.cjs
index 41fce5001..8c96308c2 100644
--- a/packages/mobile-sdk-demo/metro.config.cjs
+++ b/packages/mobile-sdk-demo/metro.config.cjs
@@ -128,9 +128,18 @@ const config = {
             candidatePaths.push(path.join(packageRoot, 'lib', `${subpath}.js`));
           }
 
-          // Find the first existing file
+          // Guard against path traversal: normalize and ensure within packageRoot
           const fs = require('fs');
-          for (const candidatePath of candidatePaths) {
+          const normalizedCandidates = candidatePaths
+            .map(p => path.resolve(p))
+            .filter(p => {
+              const relative = path.relative(packageRoot, p);
+              // keep only files strictly inside packageRoot
+              return relative !== '' && !relative.startsWith('..') && !path.isAbsolute(relative);
+            });
+
+          // Find the first existing file among safe candidates
+          for (const candidatePath of normalizedCandidates) {
             if (fs.existsSync(candidatePath)) {
               return {
                 type: 'sourceFile',