
fix: update insecure tar dependency #26

Merged
merged 18 commits into main from fix/TA-6888-update-insecure-tar-dependency
May 7, 2024

Conversation

luca-gr4vy
Collaborator

@luca-gr4vy luca-gr4vy commented May 7, 2024

Description: Adds resolution to tar ^6.2.1, fixing the vulnerability related to it https://github.com/gr4vy/gr4vy-react-native/security/dependabot/53. Also ignores a few vulnerabilities found by trivy that are not important and can only be fixed by upgrading the project.

Note: To test I had to downgrade to Xcode 14.3 (we originally set up the project with that version), as working with Xcode 15 would fail to launch the example app. We'd need to upgrade the React Native version, I created a ticket for it https://gr4vy.atlassian.net/browse/TA-6984

@luca-gr4vy luca-gr4vy added the internal (Changes only affect the internal API) and dependencies (Update one or more dependencies version) labels May 7, 2024
Comment on lines +80 to +82
- hermes-engine (0.71.8):
- hermes-engine/Pre-built (= 0.71.8)
- hermes-engine/Pre-built (0.71.8)
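Review bot: the lock file lines at +80 to +82 pinning hermes-engine and hermes-engine/Pre-built to 0.71.8 are not mentioned in the PR description, which only covers the tar resolution and the trivy ignores; add a sentence to the description saying these lines catch the lock file up to the earlier React Native upgrade, so the reason for the change is visible from the PR body and not only from this inline comment.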
Collaborator Author


Last time we upgraded RN we didn't commit these lock file changes

@@ -25,3 +25,5 @@ runs:
yarn install --cwd example --frozen-lockfile
yarn install --frozen-lockfile
shell: bash
env:
SKIP_YARN_COREPACK_CHECK: '1'
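Review bot: the added `env:` block with `SKIP_YARN_COREPACK_CHECK: '1'` sits at the level of the run step that contains both `yarn install --cwd example --frozen-lockfile` and `yarn install --frozen-lockfile`, so the corepack version check is skipped for both installs, not only for the lint task the thread says it is needed for; if the intent is limited to linting, scope the variable to that step, and in any case add a YAML comment next to the `env:` line linking the failing run so the reason for bypassing the pinned yarn version is recorded in the workflow itself rather than only in this review thread. The `--frozen-lockfile` flags are unchanged, so resolved dependency versions stay pinned either way.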
Collaborator Author

@luca-gr4vy luca-gr4vy May 7, 2024


Skipping corepack check for these tasks due to this https://github.com/gr4vy/gr4vy-react-native/actions/runs/8982545520/job/24670387490?pr=26#step:3:46. We don't need to use the same exact yarn version for linting, but will probably upgrade the supported one in the future.

@luca-gr4vy luca-gr4vy requested a review from gryevns May 7, 2024 09:51
@gryevns
Member

gryevns commented May 7, 2024

Do we have a way of testing this e2e?

@luca-gr4vy
Collaborator Author

> Do we have a way of testing this e2e?

Not really, we don't have it for react native yet as it's notoriously complicated to set up

@luca-gr4vy luca-gr4vy merged commit 8309ca2 into main May 7, 2024
3 checks passed
@luca-gr4vy luca-gr4vy deleted the fix/TA-6888-update-insecure-tar-dependency branch May 7, 2024 11:37
@gr4vy-code
Contributor

🚀 PR was released in v1.1.0 🚀

@gr4vy-code gr4vy-code added the released (This issue/pull request has been released.) label Jun 12, 2024