Open JustMyGithub opened 1 year ago
Update: If I understand build.gradle correctly, jcifs-1.3.17 is used, which according to https://www.jcifs.org/ was released sometime between 2011 and 2014. 1.3.19 was released in 2017.
jcifs-ng seems to be used in 4 versions in parallel, the latest being jcifs-ng-2.1.4-20200413-02. When SMBSyncv2 Version 2.54 was released, the current version was 2.1.6, which was released about one month earlier. Edit: The version can be chosen by the user; however, the selection is 2.14 instead of 2.1.4.
The release notes of jcifs-1.3.19 list a moderate security issue (as there are no release notes for jcifs-ng, I have no idea whether anything related to security was changed).
Maybe there are good reasons for those selections (breaking changes?), I just want to raise awareness for dependency management, as this does cause security issues quite often.
Neither within the app nor in the release notes of this fine app is there any reference to which version of the dependencies is actually in use for a specific apk. It would be nice to have this information, especially considering possible future security updates of those dependencies.