brendan-duncan / archive

Dart library to encode and decode various archive and compression formats, such as Zip, Tar, GZip, ZLib, and BZip2.
MIT License
399 stars, 139 forks

Package flagged as vulnerable #276

Closed dditim closed 11 months ago

dditim commented 1 year ago

Hello,

we use Lottie in our app, while Lottie is using archive as a transitive dependency. However, since today, our Pipeline fails its vulnerability check due to the archive package. https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9v85-q87q-g4vg/GHSA-9v85-q87q-g4vg.json

Is this a known issue and will be fixed in the near future?

Thank you!

aekt commented 1 year ago

Actually, there're two at the moment https://osv.dev/list?ecosystem=Pub&q=archive:

brendan-duncan commented 1 year ago

I'll take a look. No rest for the open source developer.

NicolaVerbeeck commented 1 year ago

If you need a hand, let me know

brendan-duncan commented 1 year ago

Thanks. I think both those shouldn't be too hard to fix, I'll squeeze it in while waiting for my work code to compile :-)

NicolaVerbeeck commented 1 year ago

brendan-duncan commented 1 year ago

Chipping away at it. I added the symlink check. I'll get to that other vulnerability next.

brendan-duncan commented 1 year ago

Every time I work on this library I just want to rewrite it. I wrote it almost 10 years ago, for a personal project; lots I would do differently if I knew then what I know now. Maybe one day.

JaredEzz commented 1 year ago

I got a dependabot notification about this vulnerability too. Happy to wait for/help with the fix

JaredEzz commented 1 year ago

brendan-duncan commented 1 year ago

I should have the second vulnerability patched tomorrow, and then I'll get a release out to keep the vulnerability bots from yelling at me.

brendan-duncan commented 1 year ago

I believe both vulnerabilities should be fixed. These only reaffirm my belief that ZIP is an awful format. Not as bad as RAR, but still awful. Sure is convenient though.

brendan-duncan commented 1 year ago

I'll get a version pushed as soon as I can.

dditim commented 1 year ago

Thanks for the fast effort put into this! It's highly appreciated

3asm commented 1 year ago

Awesome work @brendan-duncan, much appreciated.

jtaylor-dohle commented 1 year ago

Sorry if this is a noob question, but if the vulnerability is fixed in 3.3.8 then when does that show up under 'Patched version'?

kj415j45 commented 1 year ago

@jtaylor-dohle GHSA has been updated just now. GitHub takes some time to review advisory updates.