brendan-duncan/archive

Package flagged as vulnerable

Closed this issue · 16 comments

dditim commented

Hello,

We use Lottie in our app, and Lottie uses archive as a transitive dependency.
However, since today our pipeline fails its vulnerability check due to the archive package:
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9v85-q87q-g4vg/GHSA-9v85-q87q-g4vg.json

Is this a known issue, and will it be fixed in the near future?

Thank you!

I'll take a look. No rest for the open source developer.

If you need a hand, let me know

Thanks. I think both of those shouldn't be too hard to fix; I'll squeeze it in while waiting for my work code to compile :-)


Chipping away at it. I added the symlink check. I'll get to that other vulnerability next.

Every time I work on this library I just want to rewrite it. I wrote it almost 10 years ago, for a personal project; lots I would do differently if I knew then what I know now. Maybe one day.
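The "symlink check" mentioned above is the usual defence against the class of issue in the linked advisory: an archive entry whose name, or whose symlink target, resolves outside the directory being extracted into. The following is an added illustration written for this thread in Python, not code from the archive package or from its maintainer. It builds a constructed sample ZIP in memory (a benign file, a climbing filename, and a symlink entry whose target escapes) and classifies each entry before anything is written to disk; the destination path and entry names are made up for the example.

```python
import io
import os
import stat
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive for the example (not taken from the page):
    one benign entry, one filename that climbs out of the destination, and
    one symlink entry whose target points outside the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../escape.txt", "outside")
        link = zipfile.ZipInfo("docs/link")
        # ZIP stores Unix mode bits in the high 16 bits of external_attr;
        # S_IFLNK marks the entry as a symbolic link whose data is the target.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside-target")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's Unix mode bits say it is a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def contained(root: str, candidate: str) -> bool:
    """True if `candidate` (relative to `root`) normalises to a path that is
    still inside `root`. commonpath() avoids the prefix trap where
    '/out' would wrongly match '/outside'."""
    root_abs = os.path.abspath(root)
    cand_abs = os.path.normpath(os.path.join(root_abs, candidate))
    return os.path.commonpath([root_abs, cand_abs]) == root_abs


def classify(zip_bytes: bytes, dest: str) -> dict:
    """Map each entry name to 'ok' or a rejection reason, without extracting.
    Assumes POSIX-style '/' separators in entry names."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Check 1: the entry's own name must stay under the destination.
            if os.path.isabs(name) or not contained(dest, name):
                verdicts[name] = "path escapes destination"
                continue
            # Check 2: a symlink's target, resolved relative to the entry's
            # own directory, must also stay under the destination.
            if is_symlink(info):
                target = zf.read(info).decode()
                if os.path.isabs(target):
                    verdicts[name] = "absolute symlink target"
                    continue
                resolved = os.path.join(os.path.dirname(name), target)
                if not contained(dest, resolved):
                    verdicts[name] = "symlink target escapes destination"
                    continue
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for entry, verdict in classify(build_sample_zip(), "/tmp/extract-here").items():
        print(f"{entry!r}: {verdict}")
```

The check runs over the central directory before extraction, so a rejected entry never touches the filesystem. Note that an extractor which writes symlinks first and then follows them for later entries needs the second check as well as the first, which is why the filename check alone was not enough here.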

I got a dependabot notification about this vulnerability too. Happy to wait for/help with the fix


I should have the second vulnerability patched tomorrow, and then I'll get a release out to keep the vulnerability bots from yelling at me.

I believe both vulnerabilities should be fixed. These only reaffirm my belief that ZIP is an awful format. Not as bad as RAR, but still awful. Sure is convenient though.

I'll get a version pushed as soon as I can.

dditim commented

Thanks for the fast effort put into this!
It's highly appreciated.

3asm commented

Awesome work @brendan-duncan, much appreciated.

Sorry if this is a noob question, but if the vulnerability is fixed in 3.3.8 then when does that show up under 'Patched version'?


@jtaylor-dohle GHSA has been updated just now. GitHub takes some time to review advisory updates.