Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

devDeps: [email protected]>~0.72.14 #29

Draft
wants to merge 43 commits into
base: main
Choose a base branch
from
Draft

devDeps: [email protected]>~0.72.14 #29

wants to merge 43 commits into from
+1,656 −1,998

Conversation

legobeat
Copy link

@legobeat legobeat commented May 23, 2024
edited
Loading

@legobeat legobeat requested review from leotm and a team May 23, 2024 21:01
@socket-security Socket Security
Copy link

socket-security bot commented May 24, 2024
edited
Loading

Report too large to display inline

View full report↗︎

@socket-security Socket Security
Copy link

socket-security bot commented May 24, 2024
edited
Loading

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSourceCI
Deprecated npm/@babel/[email protected]
  • Reason: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-numeric-separator instead.
 ⚠︎
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
Network access npm/@azure/[email protected] 🚫
New author npm/[email protected] 🚫
Shell access npm/@react-native-community/[email protected] 🚫
AI warning npm/@react-native-community/[email protected]
  • Notes: The code is generally intended for shortcut creation but poses a security risk due to its method of executing a VBScript file that could be manipulated or misused. External command execution increases the risk. No immediate signs of malicious intent, but the approach has inherent risks and could potentially be leveraged for harmful purposes if input is not properly sanitized or secured.
  • Confidence: 1.00
  • Severity: 0.60
 ⚠︎
Shell access npm/@react-native-community/[email protected] 🚫
Shell access npm/@opentelemetry/[email protected] 🚫
Shell access npm/@opentelemetry/[email protected] 🚫
Network access npm/[email protected] 🚫

Ignoring: npm/@react-native/[email protected]

View full report↗︎

Next steps

What is a deprecated package?

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is an AI-detected potential code anomaly?

AI has identified unusual behaviors that may pose a security risk.

An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@legobeat legobeat marked this pull request as ready for review May 28, 2024 18:42
@legobeat legobeat mentioned this pull request May 28, 2024
Merged
@legobeat
Copy link
Author 

@SocketSecurity ignore npm/[email protected]

shell access, install scripts ok

@legobeat
Copy link
Author 

@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/@appium/[email protected]

network access ok

@legobeat
Copy link
Author 

@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]

shell access ok

@legobeat
Copy link
Author 

@SocketSecurity ignore npm/@react-native/[email protected]
@SocketSecurity ignore npm/[email protected]

new authors ok

@legobeat legobeat mentioned this pull request May 28, 2024
Closed
2 tasks
@legobeat legobeat requested review from sethkfman, cortisiko and a team and removed request for a team, sethkfman and cortisiko May 28, 2024 20:13
@legobeat legobeat force-pushed the devdeps-react-native-0.72 branch 2 times, most recently from a3b7413 to 5fc06a4 Compare May 29, 2024 06:03
@leotm
Copy link
Member

leotm commented May 29, 2024

noting example app changes to check: https://react-native-community.github.io/upgrade-helper/?from=0.71.12&to=0.72.14&package=WebviewExample&name=com.reactnativecommunity.webview

leotm
leotm reviewed May 29, 2024
View reviewed changes
.github/workflows/android-ci.yml
Comment on lines +25 to 26
distribution: zulu
java-version: 11
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

best we stick to zulu@11 for RN 0.72
then introduce JDK 17 in RN 0.73
like upstream

legobeat and others added 27 commits September 11, 2024 02:05
@legobeat
Revert "remove kotlin-stdlib setting"
9674ef4 
This reverts commit 986d06f.
@legobeat
fix(example): specify kotlin version
2defbc0
@legobeat
kotlin 1.9.20
b70c67b
@legobeat
ci(macos): example app scheme
1e5ec88
@legobeat
revertme
70e0cfc
@legobeat
Revert "revertme"
e221b29 
This reverts commit fcf380e.
@legobeat
ci(macos): example app scheme
3c9335a 
    $ /Applications/Xcode_15.0.1.app/Contents/Developer/usr/bin/xcodebuild -workspace WebviewExample.xcworkspace -list

    User defaults from command line:
        IDEPackageSupportUseBuiltinSCM = YES
    There are no schemes in workspace "WebviewExample".
@legobeat
fix(example): use_test_app
5f6c537
@legobeat
Revert "ci(macos): example app scheme"
5f97753 
This reverts commit 5aeb2db.
@legobeat
chore: update example Podfiles
cac5bd1
@legobeat
Revert "ci(macos): example app scheme"
4591cad 
This reverts commit 17c445b.
@legobeat
fix: add missing devDependency @react-native-community/cli-platform-ios
87f464c
@legobeat
chore: update example Podfiles
272f3a4
@leotm @legobeat
fix: downgrade kotlin from 1.9.20 to 1.7.1
83e9c49 
CI expects 1.7.1
@leotm @legobeat
Revert "fix: downgrade kotlin from 1.9.20 to 1.7.1"
f81b2ac 
This reverts commit c1752fd.
@leotm @legobeat
fix: stick to JDK 11 for RN 0.72
192b269
@leotm @legobeat
fix: switch from temurin to zulu distro for RN 0.72
d101647
@leotm @legobeat
fix: downgrade kotlin from 1.9.20 to 1.7.1 (full)
c55c822
@leotm @legobeat
Revert "fix: downgrade kotlin from 1.9.20 to 1.7.1 (full)"
4fb769b 
This reverts commit b9b1d3e.
@leotm @legobeat
fix: downgrade kotlin from 1.9.20 to 1.7.10
f51d5b1
@leotm @legobeat
Revert "fix: downgrade kotlin from 1.9.20 to 1.7.10"
99ce6be 
This reverts commit a124291.
@leotm @legobeat
fix: downgrade gradle from 8.3.0 to 7.0.4
d544fab
@leotm @legobeat
Revert "fix: downgrade gradle from 8.3.0 to 7.0.4"
2ebb89e 
This reverts commit 095e560.
@leotm @legobeat
fix: downgrade Gradle and AGP
de0dfd8
@leotm @legobeat
fix: downgrade kotlin from 1.9.20 to 1.6.0
b04e7b2
@leotm @legobeat
fix: android example app build
35b216e 
Could not find method implementation()...
@leotm @legobeat
fix: android example app build
cce2133 
Class 'kotlin.Unit' was compiled with an incompatible version of Kotlin. The binary version of its metadata is 1.8.0, expected version is 1.6.0.
@legobeat legobeat mentioned this pull request Sep 11, 2024
Merged
7 tasks
@legobeat legobeat marked this pull request as draft September 11, 2024 02:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leotm leotm leotm left review comments

@jpcloureiro jpcloureiro Awaiting requested review from jpcloureiro

@tommasini tommasini Awaiting requested review from tommasini

@sethkfman sethkfman Awaiting requested review from sethkfman

@cortisiko cortisiko Awaiting requested review from cortisiko

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@legobeat @leotm @sethkfman