chore: update bcel library and bump dependencies versions#408
hansemannn merged 5 commits into tidev:master from
Conversation
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
m1ga left a comment
tested with hyperloop-examples and builds/runs fine here
I noticed that 6.11.0 is out, can you use that one and make it usable via Gradle? I don't think we should use any manually packaged JARs anymore.
6.11.0 didn't work when we tested it: https://tidev.slack.com/archives/C03CVQX2A/p1767875537666399?thread_ts=1767858016.848209&cid=C03CVQX2A
Not sure if it works via Gradle, as it was included like this the whole time, but I didn't test it that way.
But in that case, it should be fixed instead of bumping to an outdated version. I don't see a benefit in using that version over the existing ones. Regarding vulnerabilities, I also don't see the severity, as (different to other projects), the dependencies are only used to compile the metabase, which isn't an exposed-to-the-public process.
Please let me know if you have a point where this can cause an actual vulnerability.
Looks like the app repo was scanned and not the app. So we don't need to rush here and can check if we can use Gradle and make the latest version work. I'll put it on draft again, and we don't need to update it for 13.1.0.
Latest versions work now.
About Gradle:
Since it's only one simple Java line, `spawn('java', ['-Xmx1G', '-classpath', cp.concat(classPath).join(path.delimiter), 'JavaMetabaseGenerator'], { env: process.env })`, where the external libs are used, I'm not sure if we should create a Gradle project for that (or if that will work at all).
Well done @trkas 👍
This pull request updates several dependencies in both the Android and iPhone build hooks, addressing security and compatibility by bringing core libraries to their latest versions. It also upgrades a Java library used in the Android build process. The main focus is on updating async, ejs, and lodash to their latest stable releases, and ensuring all related lock files and dependencies are consistent.

Dependency updates and improvements:
- Updated async to version 2.6.4 in both android/hooks/package.json, android/hooks/package-lock.json, iphone/hooks/package-lock.json, and iphone/hooks/package-lock.json (for the iPhone build). This also updates its dependency on lodash to ^4.17.14.

Android-specific improvements:
- Updated the bcel Java library used in android/hooks/metabase/metabase.js from version 6.5.0 to 6.11.0 for improved compatibility and security.

These changes collectively ensure that the project is using the latest stable and secure versions of its key dependencies, reducing the risk of security vulnerabilities and improving long-term maintainability.