Skip to content

Fixes CVE-2021-44228 WIZ scan violation #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Fixes CVE-2021-44228 WIZ scan violation #65

wants to merge 4 commits into from

Conversation

SomethingNew71
Copy link

Fix for issue #64

@SomethingNew71
Fixes CVE-2021-44228 WIZ scan violation breaking corporate applicatio…
ae5e9cc 
…ns using this as a dependency

Signed-off-by: Cole Gentry <[email protected]>
@SomethingNew71
Updates version number
88eb3aa 
Signed-off-by: Cole Gentry <[email protected]>
glc-ineddar
glc-ineddar reviewed May 15, 2025
View reviewed changes
android/build.gradle
@@ -7,7 +7,7 @@ buildscript {
mavenCentral()
google()
}
def buildGradleVersion = ext.has('buildGradlePluginVersion') ? ext.get('buildGradlePluginVersion') : '4.2.2'
def buildGradleVersion = ext.has('buildGradlePluginVersion') ? ext.get('buildGradlePluginVersion') : '7.3.3'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure that upgrading the gradle version will not make some dependency not working
think we should relainch the project

Copy link
Author

@SomethingNew71 SomethingNew71 May 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really sure to be honest. I am not a android dev I was just following the suggestion by WIZ to resolve it. Was hoping someone more experienced with gradle and android development to review and help out.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i will try to check it later
but am sure if the maintainer is still maintaining the project
@LinusU are you still up to validate PRs, thanks

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glc-ineddar @LinusU I just pushed a second update based on some AI suggestions I got from Windsurf. According to this, that's the only thing required to ensure its working properly

@SomethingNew71 SomethingNew71 mentioned this pull request May 16, 2025
Open
@SomethingNew71
Copy link
Author

@glc-ineddar @LinusU any chance of merging this in? It would fix about 50 repos in our org that we can't deploy at this time.

LinusU
LinusU reviewed May 20, 2025
View reviewed changes
@LinusU
Copy link
Owner

LinusU commented May 20, 2025

Hmm, I'm a bit hesitant to merge this since it bumps major versions of dependencies 🤔

Are we sure that this won't cause problems with peoples existing setups?

I cannot imagine that the CVE affects this project, since we are not logging anything at all. Although I can of course see the benefit of not even installing the package. But since this package has a million weekly downloads I want to be very careful not to break anything for the end users...

@SomethingNew71
Reverts package.json
0e855a0 
Signed-off-by: Cole Gentry <[email protected]>
@SomethingNew71
Copy link
Author

Hmm, I'm a bit hesitant to merge this since it bumps major versions of dependencies 🤔

Are we sure that this won't cause problems with peoples existing setups?

I cannot imagine that the CVE affects this project, since we are not logging anything at all. Although I can of course see the benefit of not even installing the package. But since this package has a million weekly downloads I want to be very careful not to break anything for the end users...

@LinusU In truth no I am not sure it wont break existing repos. I am not a native app developer and really was focusing on resolving the flagged vulnerability. For the CVE any references to vulnerable versions are going to cause a flag failure. Whether they are used in the compiled code or not. I also agree that in practicality the CVE likely doesn't truly impact this project but perhaps making a major version update of react-native-get-random-values at the same time to indicate that this could be a breaking change would be a way to address the concerns?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LinusU LinusU LinusU left review comments

@glc-ineddar glc-ineddar glc-ineddar left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@SomethingNew71 @LinusU @glc-ineddar