xvrh / lottie-flutter

Render After Effects animations natively on Flutter. This package is a pure Dart implementation of a Lottie player.
https://pub.dev/packages/lottie
MIT License

Sub-dependency fails vulnerability check #297

Open dditim opened 11 months ago

dditim commented 11 months ago

Hi,

We use Lottie in our app. Since this morning, our pipeline fails its vulnerability check due to archive, which is a sub-dependency of Lottie.

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9v85-q87q-g4vg/GHSA-9v85-q87q-g4vg.json

We checked and no other dependency in our app is using archive, so the root is Lottie. Is this a known issue and are you in exchange with the archive devs for that?

I opened an issue in the archive GitHub as well.

Thank you!

davidnwaneri commented 11 months ago

I think the issue is with the archive dependency that lottie uses. An update has been released for the archive package. The version lottie depends on just has to be updated.

dominicmh commented 10 months ago

> I think the issue is with the archive dependency that lottie uses. An update has been released for the archive package. The version lottie depends on just has to be updated.

Correct, it was fixed with version 3.3.8 on September 2. Deleting your `pubspec.lock` and running `flutter pub get` should get your issue fixed (if you don't have any other dependencies that depend on archive < 3.3.8).
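
Added example, not part of the thread or of the lottie project: a small check that reads `pubspec.lock` and reports whether the resolved `archive` version is at least 3.3.8, the fixed release named above. The sample lock file, function names and the simplified parser (it assumes the standard two-space layout that `pub` writes) are constructed for illustration.

```python
import re
import sys

FIXED = (3, 3, 8)  # first fixed archive release, as stated in the thread

# Constructed sample in the layout `flutter pub get` writes.
SAMPLE_LOCK = '''packages:
  archive:
    dependency: transitive
    description:
      name: archive
      sha256: "<placeholder>"
      url: "https://pub.dev"
    source: hosted
    version: "3.3.7"
  lottie:
    dependency: "direct main"
    source: hosted
    version: "2.6.0"
sdks:
  dart: ">=3.0.0 <4.0.0"
'''

def parse_lock(text):
    """Return {package: resolved version} from pubspec.lock text."""
    versions, in_packages, current = {}, False, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                      # top-level section header
            in_packages, current = line.strip() == "packages:", None
        elif in_packages and indent == 2 and line.rstrip().endswith(":"):
            current = line.strip()[:-1].strip("\"'")
        elif in_packages and indent == 4 and current:
            m = re.match(r'\s*version:\s*"?([^"\s]+)"?', line)
            if m:
                versions[current] = m.group(1)
    return versions

def version_tuple(v):
    # Pre-release/build suffixes are dropped, so 3.3.8-dev counts as 3.3.8.
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))

def archive_status(text):
    v = parse_lock(text).get("archive")
    if v is None:
        return ("absent", None)
    return ("fixed" if version_tuple(v) >= FIXED else "vulnerable", v)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = archive_status(text)
    print(f"archive: {status} ({version})")
    sys.exit(1 if status == "vulnerable" else 0)
```

Run it against the regenerated `pubspec.lock` in CI; a non-zero exit means some dependency still pins `archive` below 3.3.8.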