Closed by prog-nick 7 months ago
Thanks for reporting this.
How is this determined? Is this output from a security scan?
I've updated Rectangle's dependency on Sparkle for a security patch from yesterday. You can download it from this pre-release: https://github.com/rxhanson/Rectangle/releases/tag/v0.78.
If you can scan it or get your security team to scan it and verify the output passes, please let me know.
I will roll it out as soon as a Sparkle issue for generating the update xml gets a fix or workaround: https://github.com/sparkle-project/Sparkle/issues/2554
Looks good
Just to follow up. I think this Issue was mistakenly created. The xz vulnerability was from a scan of another machine. Apologies!! Again, thanks for the awesome software.
There is a transitive dependency on xz version 5.6.1, which is known to be exploitable and/or vulnerable to security issues. Rectangle currently installs xz version 5.6.1, which is known to be vulnerable.
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
Please update this dependency so I can install on my work computer! Thank you so much for the great software.
macOS version: 14.4.1
Rectangle version: 0.77
Logs if applicable (In Rectangle menu, hold option, "View Logging..."):
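The report above says Rectangle installs xz 5.6.1, and the maintainer asks for the pre-release to be scanned to confirm or refute that. The script below is an added example for this thread, not code from Rectangle, Sparkle or the reporter's scanner: it walks a downloaded .app bundle (or any directory), picks out files named like the XZ Utils binaries (xz, lzma, liblzma.*.dylib, liblzma.so.*), and reports any NUL-delimited "5.x.y" version string they embed, flagging the two releases named in CVE-2024-3094. Both the file-name pattern and the version-string match are heuristics chosen for the example, and the bundle it scans by default is a constructed sample, not a real Rectangle.app.

```python
"""Heuristic scan of a macOS .app bundle (or any directory) for bundled
xz/liblzma binaries and the XZ Utils version string compiled into them.

Added example for the issue thread above; not Rectangle's or Sparkle's code.
Nothing found is loaded or executed, the files are only read as bytes.
"""
from __future__ import annotations

import os
import re
import sys
import tempfile
from pathlib import Path

# Releases carrying the CVE-2024-3094 backdoor (per the CISA alert linked above).
COMPROMISED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# File names that belong to XZ Utils: the CLI tools and liblzma in its
# macOS (liblzma.5.dylib) and Linux (liblzma.so.5.x.y) spellings. Heuristic.
XZ_NAME_RE = re.compile(
    r"^(xz|lzma|unxz|xzcat|liblzma(\.\d+)*(\.dylib|\.so(\.\d+)*)?)$"
)

# LZMA_VERSION_STRING is compiled in as its own NUL-terminated C string, so a
# \0-delimited "5.x.y" token is a good (but heuristic) hint of the build version.
VERSION_RE = re.compile(rb"\x00(5\.\d{1,2}\.\d{1,2})\x00")


def embedded_versions(path: Path) -> set[str]:
    """Every NUL-delimited 5.x.y token found in the file's bytes."""
    data = path.read_bytes()
    return {m.group(1).decode("ascii") for m in VERSION_RE.finditer(data)}


def find_xz_components(root) -> list[dict]:
    """One record per xz/liblzma file under root: path, versions, flagged versions."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not XZ_NAME_RE.match(name):
                continue
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():  # skip Homebrew-style symlinks
                continue
            versions = embedded_versions(p)
            findings.append({
                "path": str(p),
                "versions": sorted(versions),
                "flagged": sorted(versions & COMPROMISED_XZ_VERSIONS),
            })
    return findings


def build_sample_bundle(base) -> Path:
    """Constructed sample (not a real Rectangle.app): a bundle whose Frameworks
    dir carries a fake liblzma stamped 5.6.1, a decoy dylib that is not xz but
    contains the same string, and an xz helper stamped with a clean version."""
    fw = Path(base, "Sample.app", "Contents", "Frameworks")
    fw.mkdir(parents=True)
    (fw / "liblzma.5.dylib").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00liblzma\x005.6.1\x00")
    (fw / "libsqlite3.dylib").write_bytes(b"\x00SQLite\x005.6.1\x00")  # ignored by name
    macos = Path(base, "Sample.app", "Contents", "MacOS")
    macos.mkdir(parents=True)
    (macos / "xz").write_bytes(b"\x00XZ Utils\x005.4.6\x00")
    return Path(base, "Sample.app")


def scan_sample() -> tuple[dict, bool]:
    """Build the constructed sample in a temp dir, scan it, and return
    {relative_path: (versions, flagged)} plus whether anything was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_bundle(tmp)
        records = {}
        for f in find_xz_components(app):
            rel = Path(f["path"]).relative_to(app).as_posix()
            records[rel] = (f["versions"], f["flagged"])
        return records, any(flagged for _v, flagged in records.values())


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 scan.py /Applications/Rectangle.app
        results = find_xz_components(sys.argv[1])
        for r in results:
            status = "COMPROMISED" if r["flagged"] else "ok"
            print(f"{status:12} {r['path']}  versions={r['versions']}")
        sys.exit(1 if any(r["flagged"] for r in results) else 0)
    records, compromised = scan_sample()
    for rel, (versions, flagged) in records.items():
        print(f"{'COMPROMISED' if flagged else 'ok':12} {rel}  versions={versions}")
    print("sample bundle compromised:", compromised)
```

Two caveats when reading the output. A hit on 5.6.0 or 5.6.1 inside the bundle means the app ships the affected release; no hit only tells you the app does not bundle xz, and a host scanner may still be reporting a system-wide install such as Homebrew's xz, which is the situation the reporter later describes. Also, the malicious payload in those releases was only built into x86-64 Linux packages, yet vulnerability scanners flag the version on every platform, so this check reproduces what a scanner would say rather than whether the backdoor is active on a Mac.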