-
Notifications
You must be signed in to change notification settings - Fork 57
Fixes CVE-2021-44228 WIZ scan violation #65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Conversation
…ns using this as a dependency Signed-off-by: Cole Gentry <[email protected]>
Signed-off-by: Cole Gentry <[email protected]>
@@ -7,7 +7,7 @@ buildscript { | |||
mavenCentral() | |||
google() | |||
} | |||
def buildGradleVersion = ext.has('buildGradlePluginVersion') ? ext.get('buildGradlePluginVersion') : '4.2.2' | |||
def buildGradleVersion = ext.has('buildGradlePluginVersion') ? ext.get('buildGradlePluginVersion') : '7.3.3' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are you sure that upgrading the gradle version will not make some dependency not working
think we should relainch the project
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really sure to be honest. I am not a android dev I was just following the suggestion by WIZ to resolve it. Was hoping someone more experienced with gradle and android development to review and help out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i will try to check it later
but am sure if the maintainer is still maintaining the project
@LinusU are you still up to validate PRs, thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@glc-ineddar @LinusU I just pushed a second update based on some AI suggestions I got from Windsurf. According to this, that's the only thing required to ensure its working properly
Signed-off-by: Cole Gentry <[email protected]>
@glc-ineddar @LinusU any chance of merging this in? It would fix about 50 repos in our org that we can't deploy at this time. |
Hmm, I'm a bit hesitant to merge this since it bumps major versions of dependencies 🤔 Are we sure that this won't cause problems with peoples existing setups? I cannot imagine that the CVE affects this project, since we are not logging anything at all. Although I can of course see the benefit of not even installing the package. But since this package has a million weekly downloads I want to be very careful not to break anything for the end users... |
Signed-off-by: Cole Gentry <[email protected]>
@LinusU In truth no I am not sure it wont break existing repos. I am not a native app developer and really was focusing on resolving the flagged vulnerability. For the CVE any references to vulnerable versions are going to cause a flag failure. Whether they are used in the compiled code or not. I also agree that in practicality the CVE likely doesn't truly impact this project but perhaps making a major version update of |
Fix for issue #64