Closed mikhail-panzo closed 1 year ago
According to the audit posted, it has actually revealed another issue: the libraries downloaded from several node packages run versions with specific security issues. These issues are described here: json5 and xml2js.
As advised by this StackOverflow post, the solution is to, essentially, override the packages with the patched versions as indicated in their respective security issue pages.
See commit 9b407bb which attempts to rectify this. Note that this may not directly be related to the real issue here as per the original post.
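As an added example that is not part of this issue thread or the project's code: the package.json `overrides` block the fix relies on (npm 8.3+), plus a small Node script that checks a package-lock.json (lockfileVersion 2/3) for copies of json5 and xml2js still below the patched versions named in the audit. The lockfile contents here are constructed, and only the `>=x.y.z` override form is handled.

```javascript
// Added example, not code from the issue or its repository.
// The fix forces every transitive copy of json5 and xml2js onto a patched
// release via npm "overrides"; this script verifies from package-lock.json that
// no unpatched copy survived the install (nested copies included).

// The override block the fix adds to package.json (">=x.y.z" form only).
const packageJsonOverrides = {
  overrides: { json5: ">=1.0.2", xml2js: ">=0.5.0" },
};

function parseVersion(v) {
  // Numeric core only; a prerelease tag such as "-alpha.0" is dropped.
  return v.split("-")[0].split(".").map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function minimumsFromOverrides(overrides) {
  return Object.fromEntries(
    Object.entries(overrides).map(([name, range]) => [name, range.replace(/^>=/, "")]));
}

// Walks the lockfile "packages" map. Nested paths such as
// node_modules/find-babel-config/node_modules/json5 are exactly what overrides must catch.
function findUnpatchedCopies(lock, minimums) {
  const marker = "node_modules/";
  const unpatched = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.includes(marker)) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps @scope/name
    const min = minimums[name];
    if (min && compareVersions(meta.version, min) < 0) {
      unpatched.push({ path, version: meta.version, required: min });
    }
  }
  return unpatched;
}

// Constructed sample lockfile: one nested json5 and the top-level xml2js are still unpatched.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/json5": { version: "2.2.3" },
    "node_modules/find-babel-config/node_modules/json5": { version: "0.5.1" },
    "node_modules/xml2js": { version: "0.4.23" },
  },
};

function checkLockfile(lock = sampleLock) {
  return findUnpatchedCopies(lock, minimumsFromOverrides(packageJsonOverrides.overrides));
}
```

Pointing `checkLockfile` at the real lockfile (via `JSON.parse(fs.readFileSync("package-lock.json"))`) after `npm install` gives a CI check that the overrides actually took effect, independent of the advisory database `npm audit` queries.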
That commit solves it; no known security issues during dependency install.
Web build on the mobile app still works though. When downloading the dependencies, the following audit was generated:
# npm audit report

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install expo@46.0.21, which is a breaking change
node_modules/find-babel-config/node_modules/json5
  find-babel-config  <=1.2.0
  Depends on vulnerable versions of json5
  node_modules/find-babel-config
    babel-plugin-module-resolver  2.3.0 - 4.1.0
    Depends on vulnerable versions of find-babel-config
    node_modules/babel-plugin-module-resolver
      babel-preset-expo  *
      Depends on vulnerable versions of babel-plugin-module-resolver
      node_modules/babel-preset-expo
        expo  >=14.0.0
        Depends on vulnerable versions of @expo/cli
        Depends on vulnerable versions of @expo/config
        Depends on vulnerable versions of @expo/config-plugins
        Depends on vulnerable versions of babel-preset-expo
        Depends on vulnerable versions of expo-asset
        Depends on vulnerable versions of expo-constants
        node_modules/expo
          expo-router  >=1.2.0
          Depends on vulnerable versions of expo
          node_modules/expo-router

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install expo@46.0.21, which is a breaking change
node_modules/xml2js
  @expo/config-plugins
  Depends on vulnerable versions of xml2js
  node_modules/@expo/config-plugins
    @expo/cli  >=0.1.0
    Depends on vulnerable versions of @expo/config
    Depends on vulnerable versions of @expo/config-plugins
    Depends on vulnerable versions of @expo/dev-server
    Depends on vulnerable versions of @expo/metro-config
    Depends on vulnerable versions of @expo/prebuild-config
    node_modules/@expo/cli
    @expo/config  >=3.3.23-alpha.0
    Depends on vulnerable versions of @expo/config-plugins
    node_modules/@expo/config
      @expo/metro-config  >=0.1.49-alpha.0
      Depends on vulnerable versions of @expo/config
      node_modules/@expo/metro-config
        @expo/dev-server  >=0.1.49-alpha.0
        Depends on vulnerable versions of @expo/metro-config
      expo-constants  >=10.1.2
      Depends on vulnerable versions of @expo/config
      node_modules/expo-constants
        expo-asset  >=8.6.1
        Depends on vulnerable versions of expo-constants
        node_modules/expo-asset
        expo-linking  >=2.2.2
        Depends on vulnerable versions of expo-constants
        node_modules/expo-linking
    @expo/prebuild-config
    Depends on vulnerable versions of @expo/config
    Depends on vulnerable versions of @expo/config-plugins
    Depends on vulnerable versions of xml2js
    node_modules/@expo/prebuild-config
      expo-splash-screen  >=0.14.1
      Depends on vulnerable versions of @expo/prebuild-config
      node_modules/expo-splash-screen

17 vulnerabilities (12 moderate, 5 high)