microsoft / react-native-code-push

React Native module for CodePush
http://appcenter.ms

Vulnerability issue ZipArchive - iOS - Codepush 7.1.0 #2445

Closed ribamarsantos closed 1 year ago

ribamarsantos commented 1 year ago

Steps to Reproduce

  1. Setup React-native-codepush on latest version 7.1.0
  2. Veracode / Snyk identified a vulnerability in one of the CocoaPods dependencies. See link: https://github.com/microsoft/react-native-code-push/blob/master/CodePush.podspec#L24 More details in the lib issues: https://github.com/ZipArchive/ZipArchive/issues/665

Expected Behavior

What you expected to happen? Vulnerability tool passes.

Actual Behavior

What actually happens?

Vulnerability tool finds possible issues.

https://sca.analysiscenter.veracode.com/vulnerability-database/security/arbitrary-file-write/objective-c/sid-38804

Environment

(The more info, the faster we will be able to address it!)

ribamarsantos commented 1 year ago

I believe there is no action item from the Codepush team besides subscribing or contributing to the dependency lib (https://github.com/ZipArchive/ZipArchive/issues/665). Once it is fixed, point to the latest version.

Hope this is helpful.

microsoft-github-policy-service[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

microsoft-github-policy-service[bot] commented 1 year ago

This issue will now be closed because it hasn't had any activity for 15 days after stale. Please feel free to open a new issue if you still have a question/issue or suggestion.

TheSolly commented 1 year ago

This issue was solved according to this post; could we please bump the version to 2.5.4?
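A CI-style check for the two follow-ups in this thread (point at the fixed dependency release, and verify the bump actually landed), as an added example that is not the project's own code: it reads a Podfile.lock and reports whether the resolved ZipArchive pod is at or above the fixed release. It assumes the pod is published under the CocoaPods name `SSZipArchive` (not stated on this page) and that 2.5.4, the version requested above, is the first fixed release; the lockfile text below is constructed for the example.

```python
import re
import sys
from typing import Optional, Tuple

# Constructed sample of a CocoaPods lockfile (not taken from the project).
# CodePush declares a version range; the top-level entry is the resolved version.
SAMPLE_PODFILE_LOCK = """PODS:
  - CodePush (7.1.0):
    - React-Core
    - SSZipArchive (~> 2.5.2)
  - SSZipArchive (2.5.3)

DEPENDENCIES:
  - CodePush (from `../node_modules/react-native-code-push`)
"""

# Matches only top-level PODS entries ("  - Name (x.y.z)"), not the deeper-indented
# sub-dependency lines, whose version is a range rather than a resolved release.
POD_LINE = re.compile(r"^  - (?P<name>[A-Za-z0-9_.+/-]+) \((?P<version>\d+(?:\.\d+)*)\)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.4' into (2, 5, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def resolved_pod_version(lock_text: str, pod_name: str) -> Optional[Tuple[int, ...]]:
    """Return the resolved version of pod_name from the PODS: section, or None if absent."""
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, SPEC CHECKSUMS:, ...)
        match = POD_LINE.match(line)
        if in_pods and match and match.group("name") == pod_name:
            return parse_version(match.group("version"))
    return None


def audit(lock_text: str, pod_name: str, fixed_version: str) -> Tuple[str, Optional[str]]:
    """Classify the lockfile as 'ok', 'vulnerable' or 'missing' for the given pod."""
    version = resolved_pod_version(lock_text, pod_name)
    if version is None:
        return ("missing", None)
    status = "ok" if version >= parse_version(fixed_version) else "vulnerable"
    return (status, ".".join(str(p) for p in version))


if __name__ == "__main__":
    # Usage: python audit_pods.py [path/to/Podfile.lock]; falls back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PODFILE_LOCK
    status, found = audit(text, "SSZipArchive", "2.5.4")
    print(f"SSZipArchive: {status} (resolved {found}, fixed in 2.5.4)")
    sys.exit(0 if status == "ok" else 1)
```

Run it against the app's Podfile.lock in CI; a non-zero exit means the resolved pod is still older than the fixed release (or not present at all), which catches a podspec bump that was never followed by a `pod install`.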