Skip to content

Fixes CVE-2021-44228 WIZ scan violation #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

SomethingNew71
Copy link

Fix for issue #64

…ns using this as a dependency

Signed-off-by: Cole Gentry <[email protected]>
Signed-off-by: Cole Gentry <[email protected]>
@@ -7,7 +7,7 @@ buildscript {
mavenCentral()
google()
}
def buildGradleVersion = ext.has('buildGradlePluginVersion') ? ext.get('buildGradlePluginVersion') : '4.2.2'
def buildGradleVersion = ext.has('buildGradlePluginVersion') ? ext.get('buildGradlePluginVersion') : '7.3.3'

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure that upgrading the gradle version will not make some dependency not working
think we should relainch the project

Copy link
Author

@SomethingNew71 SomethingNew71 May 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really sure to be honest. I am not a android dev I was just following the suggestion by WIZ to resolve it. Was hoping someone more experienced with gradle and android development to review and help out.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i will try to check it later
but am sure if the maintainer is still maintaining the project
@LinusU are you still up to validate PRs, thanks

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glc-ineddar @LinusU I just pushed a second update based on some AI suggestions I got from Windsurf. According to this, that's the only thing required to ensure its working properly

@SomethingNew71
Copy link
Author

@glc-ineddar @LinusU any chance of merging this in? It would fix about 50 repos in our org that we can't deploy at this time.

@LinusU
Copy link
Owner

LinusU commented May 20, 2025

Hmm, I'm a bit hesitant to merge this since it bumps major versions of dependencies 🤔

Are we sure that this won't cause problems with peoples existing setups?

I cannot imagine that the CVE affects this project, since we are not logging anything at all. Although I can of course see the benefit of not even installing the package. But since this package has a million weekly downloads I want to be very careful not to break anything for the end users...

Signed-off-by: Cole Gentry <[email protected]>
@SomethingNew71
Copy link
Author

Hmm, I'm a bit hesitant to merge this since it bumps major versions of dependencies 🤔

Are we sure that this won't cause problems with peoples existing setups?

I cannot imagine that the CVE affects this project, since we are not logging anything at all. Although I can of course see the benefit of not even installing the package. But since this package has a million weekly downloads I want to be very careful not to break anything for the end users...

@LinusU In truth no I am not sure it wont break existing repos. I am not a native app developer and really was focusing on resolving the flagged vulnerability. For the CVE any references to vulnerable versions are going to cause a flag failure. Whether they are used in the compiled code or not. I also agree that in practicality the CVE likely doesn't truly impact this project but perhaps making a major version update of react-native-get-random-values at the same time to indicate that this could be a breaking change would be a way to address the concerns?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants