cozy / cozy-flagship-app

GNU Affero General Public License v3.0

fix(deps): update dependency @sentry/react-native to v5.19.1 [security] #1235

Open renovate[bot] opened 2 months ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| @sentry/react-native | 5.16.0 -> 5.19.1 |

GitHub Vulnerability Alerts

GHSA-68c2-4mpx-qh95

Impact

SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parameter, for debugging purposes. Doing so would result in the auth token being built into the application bundle, and therefore the auth token could be potentially exposed in case the application bundle is subsequently published.

You may ignore this notification if you are not using the authToken configuration parameter in your React Native SDK configuration or did not publish apps using this way of configuring the authToken.

If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.

Patches

The behavior that allowed setting an authToken parameter was fixed in SDK version 5.19.1: if this parameter is set, you will see a warning and the authToken will be removed before the application is bundled.

Workarounds

  1. Remove authToken from the plugin configuration.
  2. If you had set the authToken in the plugin config previously, and built and published an app with that config, you should rotate your token.

References


Release Notes

getsentry/sentry-react-native (@sentry/react-native)

### [`v5.19.1`](https://togithub.com/getsentry/sentry-react-native/blob/HEAD/CHANGELOG.md#5191)

[Compare Source](https://togithub.com/getsentry/sentry-react-native/compare/5.19.0...5.19.1)

##### Fixes

- Don't add Expo Plugin option `authToken` to application bundle ([#3630](https://togithub.com/getsentry/sentry-react-native/pull/3630))
  - Expo plugin configurations are generally stored in plain text, and are also automatically added to built app bundles, and are therefore considered insecure.
  - You should not set the auth token in the plugin config except for local testing. Instead, use the `SENTRY_AUTH_TOKEN` env variable, as pointed out in our [docs](https://docs.sentry.io/platforms/react-native/manual-setup/expo/).
  - In addition to showing a warning, we are now actively removing an `authToken` from the plugin config if it was set.
  - If you had set the auth token in the plugin config previously, **and** built and published an app with that config, you should [rotate your token](https://docs.sentry.io/product/accounts/auth-tokens/).
- Reduce warning messages spam when a property in Expo plugin configuration is missing ([#3631](https://togithub.com/getsentry/sentry-react-native/pull/3631))
- Add concrete error messages for RN bundle build phase patch ([#3626](https://togithub.com/getsentry/sentry-react-native/pull/3626))

### [`v5.19.0`](https://togithub.com/getsentry/sentry-react-native/blob/HEAD/CHANGELOG.md#5190)

[Compare Source](https://togithub.com/getsentry/sentry-react-native/compare/5.18.0...5.19.0)

This release contains an upgrade of the `sentry-android` dependency to major version 7. There are no breaking changes in the JS API. If you are using the Android API please check [the migration guide](https://docs.sentry.io/platforms/android/migration/#migrating-from-iosentrysentry-android-6x-to-iosentrysentry-android-700).

##### Features

- Add Android profiles to React Native Profiling ([#3397](https://togithub.com/getsentry/sentry-react-native/pull/3397))
- Add `Sentry.metrics` ([#3590](https://togithub.com/getsentry/sentry-react-native/pull/3590))

  To learn more, see the [Set Up Metrics](https://docs.sentry.io/platforms/react-native/metrics/) guide.

```javascript
import * as Sentry from '@sentry/react-native';

Sentry.init({
  dsn: '___DSN___',
  integrations: [
    Sentry.metrics.metricsAggregatorIntegration(),
  ],
});

Sentry.metrics.increment("button_click", 1, {
  tags: { system: "iOS", app_version: "1.0.0" },
});
```

##### Fixes

- Upload Debug Symbols Build Phase continues when `node` not found in `WITH_ENVIRONMENT` ([#3573](https://togithub.com/getsentry/sentry-react-native/pull/3573))
- Fix `proguardUuid` loading on Android ([#3591](https://togithub.com/getsentry/sentry-react-native/pull/3591))

##### Dependencies

- Bump Android SDK from v6.34.0 to v7.3.0 ([#3434](https://togithub.com/getsentry/sentry-react-native/pull/3434))
  - [changelog](https://togithub.com/getsentry/sentry-java/blob/main/CHANGELOG.md#730)
  - [diff](https://togithub.com/getsentry/sentry-java/compare/6.34.0...7.3.0)
- Bump JavaScript SDK from v7.81.1 to v7.100.1 ([#3426](https://togithub.com/getsentry/sentry-react-native/pull/3426), [#3589](https://togithub.com/getsentry/sentry-react-native/pull/3589))
  - [changelog](https://togithub.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md#7990)
  - [diff](https://togithub.com/getsentry/sentry-javascript/compare/7.81.1...7.100.1)

### [`v5.18.0`](https://togithub.com/getsentry/sentry-react-native/blob/HEAD/CHANGELOG.md#5180)

[Compare Source](https://togithub.com/getsentry/sentry-react-native/compare/5.17.0...5.18.0)

##### Features

- Add [`@spotlightjs/spotlight`](https://spotlightjs.com/) support ([#3550](https://togithub.com/getsentry/sentry-react-native/pull/3550))

  Download the `Spotlight` desktop application and add the integration to your `Sentry.init`.

```javascript
import * as Sentry from '@sentry/react-native';

Sentry.init({
  dsn: '___DSN___',
  enableSpotlight: __DEV__,
});
```

- Only upload Expo artifact if source map exists ([#3568](https://togithub.com/getsentry/sentry-react-native/pull/3568))
- Read `.env` file in `sentry-expo-upload-sourcemaps` ([#3571](https://togithub.com/getsentry/sentry-react-native/pull/3571))

##### Fixes

- Prevent pod install crash when visionos is not present ([#3548](https://togithub.com/getsentry/sentry-react-native/pull/3548))
- Fetch Organization slug from `@sentry/react-native/expo` config when uploading artifacts ([#3557](https://togithub.com/getsentry/sentry-react-native/pull/3557))
- Remove 404 Http Client Errors reports for Metro Dev Server Requests ([#3553](https://togithub.com/getsentry/sentry-react-native/pull/3553))
- Stop tracing Spotlight Sidecar network request in JS ([#3559](https://togithub.com/getsentry/sentry-react-native/pull/3559))

### [`v5.17.0`](https://togithub.com/getsentry/sentry-react-native/blob/HEAD/CHANGELOG.md#5170)

[Compare Source](https://togithub.com/getsentry/sentry-react-native/compare/5.16.0...5.17.0)

##### Features

- New Sentry Metro configuration function `withSentryConfig` ([#3478](https://togithub.com/getsentry/sentry-react-native/pull/3478))
  - Ensures all Sentry configuration is added to your Metro config
  - Includes `createSentryMetroSerializer`
  - Collapses Sentry internal frames from the stack trace view in LogBox

```javascript
const { getDefaultConfig } = require('@react-native/metro-config');
const { withSentryConfig } = require('@sentry/react-native/metro');

const config = getDefaultConfig(__dirname);

module.exports = withSentryConfig(config);
```

- Add experimental visionOS support ([#3467](https://togithub.com/getsentry/sentry-react-native/pull/3467))
  - To set up [`react-native-visionos`](https://togithub.com/callstack/react-native-visionos) with the Sentry React Native SDK follow [the standard `iOS` guides](https://docs.sentry.io/platforms/react-native/manual-setup/manual-setup/#ios).
  - Xcode project is located in `visionos` folder instead of `ios`.

##### Fixes

- Fix `WITH_ENVIRONMENT` overwrite in `sentry-xcode-debug-files.sh` ([#3525](https://togithub.com/getsentry/sentry-react-native/pull/3525))
- Sentry CLI 2.25.1 fixes background debug files uploads during Xcode builds ([#3486](https://togithub.com/getsentry/sentry-react-native/pull/3486))
- Performance Tracing should be disabled by default ([#3533](https://togithub.com/getsentry/sentry-react-native/pull/3533))
- Use `$NODE_BINARY` to execute Sentry CLI in Xcode scripts ([#3493](https://togithub.com/getsentry/sentry-react-native/pull/3493))
- Return auto Release and Dist to source maps auto upload ([#3540](https://togithub.com/getsentry/sentry-react-native/pull/3540))
- Linked errors processed before other integrations ([#3535](https://togithub.com/getsentry/sentry-react-native/pull/3535))
  - This ensures their frames are correctly symbolicated

##### Dependencies

- Bump CLI from v2.23.0 to v2.25.2 ([#3486](https://togithub.com/getsentry/sentry-react-native/pull/3486))
  - [changelog](https://togithub.com/getsentry/sentry-cli/blob/master/CHANGELOG.md#2252)
  - [diff](https://togithub.com/getsentry/sentry-cli/compare/2.23.0...2.25.2)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
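The sanitization step that the advisory's Patches section and the 5.19.1 changelog entry describe (warn about, then strip, an `authToken` left in the Expo plugin options so it never reaches the app bundle), as an added example that is not code from sentry-react-native or from this PR. The plugin-name constant, the `stripSentryAuthToken` helper and the sample config are assumptions made for the demo.

```javascript
// Added example, not code from sentry-react-native or this PR: mimic the 5.19.1
// behaviour from GHSA-68c2-4mpx-qh95 on an Expo config object, i.e. warn about
// and strip an `authToken` set in the '@sentry/react-native/expo' plugin options
// before it can be built into the bundle. The plugin-name constant and the
// sample config below are assumptions made for this demo.

const SENTRY_EXPO_PLUGIN = '@sentry/react-native/expo';

// Expo `plugins` entries are a bare name or a [name, options] tuple; only the
// tuple form can carry an authToken.
function sentryPluginOptions(entry) {
  return Array.isArray(entry) && entry[0] === SENTRY_EXPO_PLUGIN ? entry[1] : undefined;
}

// Returns a copy of the config with any Sentry authToken removed, plus the
// warnings raised. The input object is not mutated.
function stripSentryAuthToken(expoConfig, env = process.env) {
  const warnings = [];
  const plugins = (expoConfig.plugins || []).map((entry) => {
    const options = sentryPluginOptions(entry);
    if (!options || !Object.prototype.hasOwnProperty.call(options, 'authToken')) {
      return entry;
    }
    const { authToken: _removed, ...safeOptions } = options;
    warnings.push(
      `${SENTRY_EXPO_PLUGIN}: 'authToken' found in plugin config and removed so ` +
        'it is not built into the app bundle; use the SENTRY_AUTH_TOKEN env ' +
        'variable instead, and rotate the token if a bundle was already published.'
    );
    return [entry[0], safeOptions];
  });
  // The token is still needed at build time for source map upload, so flag it
  // when the recommended env-variable replacement is not in place either.
  if (warnings.length > 0 && !env.SENTRY_AUTH_TOKEN) {
    warnings.push('SENTRY_AUTH_TOKEN is not set; source map upload has no token.');
  }
  return { config: { ...expoConfig, plugins }, warnings };
}

// Constructed sample app.config.js-style object carrying the insecure setting
// (the token value is a placeholder, not a real Sentry token).
const SAMPLE_CONFIG = {
  name: 'demo-app',
  plugins: [
    'expo-font',
    [SENTRY_EXPO_PLUGIN, { organization: 'example-org', project: 'demo', authToken: 'sntrys_PLACEHOLDER' }],
  ],
};

console.log(JSON.stringify(stripSentryAuthToken(SAMPLE_CONFIG, {}), null, 2));
```

Running the same check in CI against the resolved Expo config catches the insecure setting before a build with an older SDK version bundles the token.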