Open jonthysell opened 2 years ago
One potential solution for RNW apps would be to generate the appropriate cgmanifest.json file on their behalf, but that limits the detection to RNW apps that run whatever code we create. Regular RN apps will escape detection.
This might not be an issue if, since hermes is bundled within RN, any vulnerabilities are ascribed to the affected RN release, rather than to hermes (which no longer has releases).
Moving this to the backlog as I don't think it's strictly an RNW problem, and if it comes down to us having to fix for it, we can reassign to a release milestone at that time.
Problem Description
RNW does not actually depend on the published hermes NPM package (as of #10210), because technically neither does RN.
However, RN does release with hermes binaries within their NPM package, which Component Governance won't be able to detect.
So all RN (and therefore RNW) apps built by MSFT running internal compliance tools will be missing this dependency, which, as a JS engine, is ripe for future security vulnerabilities.
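One way to close the gap described above is the cgmanifest.json generation floated in the comments: scan the installed react-native package for its bundled hermes artefacts and register them explicitly. This is an added example, not code from react-native-windows or react-native; it assumes the hermes artefacts sit in `sdks/hermesc` and `sdks/hermes-engine`, that RN records the bundled hermes tag in `sdks/.hermesversion`, and the generic `other` component shape of cgmanifest.json (Name/Version/DownloadUrl).

```python
"""Emit a cgmanifest.json registration for the hermes binaries that ship inside
the react-native npm package, so Component Governance can see them."""
import json
from pathlib import Path

# Assumption: hermes artefacts live in these subdirectories of react-native/sdks.
HERMES_MARKERS = ("hermesc", "hermes-engine")


def build_registration(rn_version, sdks_entries, hermes_version=None):
    """Return one cgmanifest registration, or None if sdks/ holds no hermes."""
    hermes_dirs = sorted(e for e in sdks_entries if e in HERMES_MARKERS)
    if not hermes_dirs:
        return None
    return {
        "Component": {
            # Assumption: the generic "other" component shape (Name/Version/DownloadUrl).
            "Type": "other",
            "other": {
                "Name": "hermes",
                # hermes has no releases of its own, so without a pinned tag the
                # record is tied to the RN release that bundled it.
                "Version": hermes_version or f"bundled-with-react-native-{rn_version}",
                "DownloadUrl": f"https://registry.npmjs.org/react-native/-/react-native-{rn_version}.tgz",
            },
        },
        "DevelopmentDependency": False,
    }


def build_manifest(rn_version, sdks_entries, hermes_version=None):
    """Wrap the registration (if any) in a complete cgmanifest document."""
    reg = build_registration(rn_version, sdks_entries, hermes_version)
    return {"Version": 1, "Registrations": [reg] if reg else []}


def manifest_for_project(project_dir):
    """Inspect node_modules/react-native on disk and build the manifest."""
    rn_dir = Path(project_dir) / "node_modules" / "react-native"
    rn_version = json.loads((rn_dir / "package.json").read_text())["version"]
    sdks = rn_dir / "sdks"
    entries = [p.name for p in sdks.iterdir()] if sdks.is_dir() else []
    # Assumption: RN records the bundled hermes tag in sdks/.hermesversion.
    tag_file = sdks / ".hermesversion"
    tag = tag_file.read_text().strip() if tag_file.is_file() else None
    return build_manifest(rn_version, entries, tag)


if __name__ == "__main__":
    # Constructed sample of what a fresh `npx react-native init testapp` leaves in sdks/.
    sample = build_manifest("0.71.0", ["hermesc", "hermes-engine", ".hermesversion"],
                            "hermes-tag-placeholder")
    print(json.dumps(sample, indent=2))
```

Run `manifest_for_project(".")` from an app root and write the result to cgmanifest.json next to package.json so the scanner picks it up.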
Steps To Reproduce
1. Run `npx react-native init testapp`
2. Look in `node_modules/react-native/sdks`; you'll see versions of hermes.