Conversation
Contributor
📝 PRs merging into main branchOur main branch should always be in a releasable state. If you are working on a larger change, or if you don't want this change to see the light of the day just yet, consider using a feature branch first, and only merge into the main branch when the code complete and ready to be released. |
Contributor
Test Results 1 051 files + 941 1 051 suites +941 34m 52s ⏱️ + 32m 44s For more details on these failures, see this check. Results for commit 35a6724. ± Comparison against base commit 79deb5f. ♻️ This comment has been updated with latest results. |
Collaborator
Size Report 1Affected Products
Test Logs |
Collaborator
Coverage Report 1Affected Products
Test Logs |
rlazo
approved these changes
Feb 11, 2025
tejasd
approved these changes
Feb 11, 2025
# Conflicts: # firebase-sessions/CHANGELOG.md
mrober
changed the title
tejasd
pushed a commit
that referenced
this pull request
Apr 1, 2025
Update datastore dependency to `1.1.3` to address [CVE-2024-7254](GHSA-735f-pc8j-v9w8) in AQS. We had landed #6343, but it missed the datastore dependency because version 1.0.0 "shaded" the vulnerable protobuf dependency, see #6534. I verified this was happening by extracting the jar from https://maven.google.com/web/index.html?q=datastore-pre#androidx.datastore:datastore-preferences-core:1.0.0 and seeing `<groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId><version>3.10.0</version>` nested in a maven dir. I also verified datastore 1.1.3 has upgraded the protobuf version to 4.28.2, a safe version. See https://cs.android.com/androidx/platform/frameworks/support/+/androidx-datastore-release:gradle/libs.versions.toml;l=59. This datastore update also includes the stable `MultiProcessDataStoreFactory` which we can utilize in a future change to optimize things like the settings fetch for multi-process apps.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update datastore dependency to
1.1.3to address CVE-2024-7254 in AQS.We had landed #6343, but it missed the datastore dependency because version 1.0.0 "shaded" the vulnerable protobuf dependency, see #6534. I verified this was happening by extracting the jar from https://maven.google.com/web/index.html?q=datastore-pre#androidx.datastore:datastore-preferences-core:1.0.0 and seeing
<groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId><version>3.10.0</version>nested in a maven dir. I also verified datastore 1.1.3 has upgraded the protobuf version to 4.28.2, a safe version. See https://cs.android.com/androidx/platform/frameworks/support/+/androidx-datastore-release:gradle/libs.versions.toml;l=59.This datastore update also includes the stable
MultiProcessDataStoreFactorywhich we can utilize in a future change to optimize things like the settings fetch for multi-process apps.