Simple plist prototype pollution Dependabot alert - github-actions

I’m working on a JavaScript/TypeScript project and I have used the GitHub-provided code scanner CI. Until one day I found a warning popping up saying: "simple-plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse()." I thought updating the package should fix it, but GitHub says there was no patched version. I’m just wondering, should I ignore this warning or should I do something about it? Even though they said this is a critical vulnerability, 9.8/10.
Any help will be appreciated!
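When no patched version exists, the usual defensive option is to keep the parser from ever writing to `Object.prototype` and to verify that it did not. The wrapper below is an added example, not code from the question or from the simple-plist project; `parse` stands in for any untrusted parser (such as simple-plist's `.parse()`), and the sample inputs are constructed.

```javascript
// Added example: defensive wrapper for a parser that may be vulnerable to
// prototype pollution. Works for any parser that returns a plain object tree.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Rebuild the parsed tree from null-prototype objects, dropping the keys
// that prototype-pollution bugs rely on, so nothing inherited by the
// parser's output can leak into the objects the application uses.
function sanitize(value, seen = new WeakSet()) {
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) throw new Error("cyclic structure in parsed data");
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => sanitize(v, seen));
  const clean = Object.create(null);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // dropped, never copied
    clean[key] = sanitize(value[key], seen);
  }
  return clean;
}

// Names currently defined directly on Object.prototype.
function protoSnapshot() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}

// Run the untrusted parser, then compare Object.prototype before and after.
// Any key the parser added is removed again and the input is rejected.
// `parse` is a hypothetical parser argument (e.g. simple-plist's parse).
function parseUntrusted(parse, input) {
  const before = protoSnapshot();
  const raw = parse(input);
  const added = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.has(k));
  if (added.length > 0) {
    for (const k of added) delete Object.prototype[k]; // undo the damage
    throw new Error(`parser polluted Object.prototype with: ${added.join(", ")}`);
  }
  return sanitize(raw);
}

module.exports = { sanitize, parseUntrusted };
```

Calling `Object.freeze(Object.prototype)` at process start is a blunter alternative that makes the pollution throw (in strict mode) or silently fail, but it can break libraries that legitimately extend built-ins.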

Related

Google Services Gradle Plugin not generating resources from json

The problem started suddenly and seems not to be related to any change that happened in the code around its first occurrence.
We have an automated CI workflow that prepares the RC.
At first every second build worked. Now I had to rebuild the RC 7 times to get an app that is not crashing.
After investigating it is clear that there are no config values in resources, ergo the plugin is not generating values from the JSON config file. Basically rebuilding the same code many times makes it work, at some point.
We had recently changed dependency injection in the app from Dagger components to Hilt; it might be the reason for some kind of race or shared resource during build time.
It is also problematic to work around. I've prepared resource files with all values in order to manually add them in the build process instead of generating them with the plugin. Now, because we also use Crashlytics, I cannot remove the Google Services plugin as Crashlytics checks for Google Services tasks in Gradle. I cannot remove the unused JSON file as the plugin will crash because of the lack of a config file. The plugin also (based on the docs https://developers.google.com/android/guides/google-services-plugin) adds some dependencies to the main module, but I wasn't able to find anything in :app:dependencies, so maybe the docs are outdated.
I am not able to provide any project for reproduction as it only happens in a commercial project. I understand it makes the problem hard to resolve in such a case, but maybe other people have it too.
AGP: 7.2.0-beta02
Google Services plugin: 4.3.10
Hilt: 2.41
EDIT:
I've resolved the symptoms by creating a Gradle module for each build type we have, and each module contains only res/values.xml which I've copied from app/build/generated/res/google-services/*. This way the required keys are always available in resources, as we do not often (hardly ever) change the JSON config file. I am still trying to investigate builds with the --scan option, but I cannot reproduce it with scan; it only happens without it.

How to see what GitHub sends to an integration?

I'm trying to get Checkly working with GitHub using its integration with GitHub. It's quite simple to set up, but there's a variable that GitHub is supposed to give it that doesn't end up defined when I run my tests.
I don't know if Checkly is polling GitHub or if GitHub pushes to Checkly when it does a deploy. Looking through GitHub's docs, there doesn't appear to be any way to see deploy events at all (though I suspect I must be missing something here).
So, my question is, how do I troubleshoot this connection? Somebody is using somebody's API for sure, but I don't have insight into how it works.

How to develop and test Svelte components

The Svelte 3 FAQ states that testing Svelte (components) isn't really thought out yet - that there's no template or workflow to follow.
I found EmilTholin's svelte-spinner to be the best such example, and gave it a try. However, on the example side, it pulls in the Spinner component from npm, instead of using the component under development.
My take is here: https://github.com/akauppi/svelte-spinner
I've tried to set it up for:
- testability
- fast change-to-demo cycle (no npm publishing involved)
Would someone with Svelte or module experience care to help? The remaining piece is that my Spinner component isn't found by the application.
Also other comments on the design / choices are welcome. Maybe we can get a pattern that works well for development, demoing, testing and publishing of components, using Svelte 3.
I was able to solve the acute problem - just reading the warnings and maybe updating the npm dependencies helped.
Anyhow, since there are no established ways of testing/developing Svelte-made components, I'm leaving this entry visible in the hope that someone would share insights as to good practices on using Svelte.

metadata tag not found with describeType in production

I am using describeType and am able to get all of the variable and accessor metadata tags just fine in local debug, local test suite or local air build. Our web app running this code also sees the metadata just fine in production (running with browser plugin). But, our production air desktop app throws my error "can't find metadata". When I added some logging code (being thoroughly confused LOL) I discovered that the metadata property in the XML from describeType is empty?!?
My only thought is that we use gradle and run a bunch of custom scripts during the actual build process... but HOW could that be either removing or making unreadable class metadata tags?
I've tried standard vs. custom tags, accessors vs. variables, describeType(instance) vs. describeType(class), and all of these give the same result... all variations work everywhere every time except in the production desktop build.
Anyone with ANY thoughts on this... please chime in. I've been pulling my hair out with this one!
Thanks!!!
So it turns out my "only thought" was the correct answer. After digging deeper I found that the keep-as3-metadata that was in our compiler options was not up to date in our Gradle build scripts and didn't include the tags we were using for this. Thank God!!! LOL.

Dart2JS compiler exception when minify is used on google_maps package

I have been building a web application with Dart and AngularDart on top of Google Maps. I have noticed a problem since the beginning of the process, even though I tested the development Dart SDK and, today, the latest Dart SDK (version 1.0.0.10_R30798), and I still face the problem.
Firstly the packages I am using are shadow_dom, google_maps and AngularDart.
When I build my application WITH --no-minify option it works great, even in all the browsers after fiddling around with shadow_dom for a week (I should add the shadow_dom script BEFORE everything else to work properly).
The problem is that when I build normally (minify) or even directly using Dart2JS compiler with the --minify option the application does not run and I get an exception.
Above you can see the two cases, where in the first the application loads the google maps correctly and in the second picture the google maps are not loaded and I get that exception.
More importantly, if I use a 3rd-party minifier to minify the original main.dart.js file (the unminified one), it works perfectly fine.
Thank you
The 2.x version of google_maps package has removed the dependency on dart:mirrors and is only based on dart:js. So the minification problem should come from another part of your code.
Moreover I just tested the map-simple example with --minify and it works.
Usually this can be solved with the @MirrorsUsed annotation if it's 3rd-party code that is affected.
It's easier with your own code, where you just have to add @reflectable to the affected functions/methods/fields to ensure they are retained.
It may be hard to find what functions/methods/fields should be included when the names are minified.
Maybe you can gain some knowledge by looking at the stack trace.
Minification usually drops code that is not referenced anywhere.
In Polymer this is because polymer expressions {{ expr }} in HTML are not yet considered.
If you invoke parts of the code only by reflection this is also not recognized.
I have no experience with regard to Angular and minification.
This is just generic advice about problems with minification through pub build.