Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require a package:jni version without known buffer overflows #1044

Merged
merged 1 commit into from
Nov 9, 2023
Merged

Require a package:jni version without known buffer overflows #1044

merged 1 commit into from
Nov 9, 2023

Conversation

brianquinlan
Copy link
Collaborator

  • package:jni 0.7.1 has a potential buffer overflow when converting Java to Dart strings.
  • I’ve reviewed the contributor guide and applied the relevant portions to this PR.
Contribution guidelines:

Note that many Dart repos have a weekly cadence for reviewing PRs - please allow for some latency before initial review feedback.

natebosch
natebosch approved these changes Nov 9, 2023
View reviewed changes
Copy link
Member

@natebosch natebosch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could publish this, I don't think it will hurt anything, but I also don't think it helps.

This doesn't prevent anyone from resolving the old package (they could get old cronet_http with old jni) and nothing stops projects from dart pub upgrade to get the working versions with the current cronet_http.

What effect is intended with this change?

@brianquinlan
Copy link
Collaborator Author

We could publish this, I don't think it will hurt anything, but I also don't think it helps.

This doesn't prevent anyone from resolving the old package (they could get old cronet_http with old jni) and nothing stops projects from dart pub upgrade to get the working versions with the current cronet_http.

What effect is intended with this change?

I was actually writing you in chat about that... My intent was to provide some signal that people should upgrade and this is the only way that I could think to do it.

I would expect that few people have any version constraints applied to package:jni so they will get the new version automatically.

For people who pin their dependencies, hopefully the CHANGELOG for package:cronet_http is attractive enough to make it seem worthwhile.

But I'm happy to not do a release for this if it won't have any positive effect (checking this code in still seems sensible).

@natebosch
Copy link
Member

My intent was to provide some signal that people should upgrade and this is the only way that I could think to do it.

I don't think I would expect this publish to be noticed as sending that signal. Either way a dart pub upgrade is the way to get out of the situation and we need to inform some users about that either way.

@brianquinlan brianquinlan merged commit f0a02f9 into dart-lang:master Nov 9, 2023
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@natebosch natebosch natebosch approved these changes

Assignees
No one assigned
Labels
package:cronet_http
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@brianquinlan @natebosch