okio dependency #2392
Which vulnerability? I can't upgrade to okio 2.0 because it would pull in Kotlin as a transitive dependency, which I'd prefer not to do in case there are any apps that (for some reason) aren't using Kotlin yet. You can also not use Lottie's networking feature, and then no okio code paths will be executed.
This is tripping our security scanner as well. It looks like all versions of okio < 3.4 have a vulnerability (see https://mvnrepository.com/artifact/com.squareup.okio/okio). Ideally, lottie could move to the latest okio.
Could you link to the okio commit that fixed the vulnerability?
Looks like the okio fix is this commit: square/okio#1280
Thanks for the source. From the looks of it, the worst that can happen is that the app crashes if you try to load a malicious zip file. Are either of you using Lottie's network handling to load zip files from URLs you don't control? If you are and that is an important feature, you can use your own NetworkFetcher to bypass Lottie's networking stack when loading animations from a URL. If you load animations in your own stack or use your own Lottie NetworkFetcher to load animations, then Lottie's okio code will never get executed.
It would be great if you updated the okio and okhttp dependencies to the latest version, as it gives us a vulnerability issue because lottie uses an old version of them, and maybe it causes us to remove lottie for that reason.
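The app-side workaround for the dependency move discussed in this thread, as an added example that is not from the Lottie project or any of the commenters: a Gradle override that lifts the okio version Lottie pins, plus a verification task that fails the build if an old okio still lands on a runtime classpath. It assumes the app module is fine with the Kotlin stdlib that okio 2.0+ brings in (the maintainer's concern above), and it takes 3.4.0 as the target only because the thread states the affected range is okio < 3.4; the task and method names (`verifyOkioVersion`, `okioIsFixed`) are made up here.

```groovy
// app/build.gradle (Groovy DSL). Added example, not Lottie project code.
// Assumption: an Android app module that depends on Lottie and can accept
// the Kotlin stdlib that okio >= 2.0 pulls in transitively.

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        def req = details.requested
        if (req.group == 'com.squareup.okio' && req.name == 'okio') {
            // 3.4 is taken from the thread as the first unaffected line.
            details.useVersion('3.4.0')
            details.because('okio < 3.4 affected (square/okio#1280); lottie pins an older version')
        }
    }
}

// True when version is >= 3.4. Only major.minor are compared; a pre-release
// suffix on the minor component (e.g. "4-rc1") is stripped before parsing.
boolean okioIsFixed(String version) {
    def parts = version.tokenize('.')
    int major = parts[0].toInteger()
    int minor = parts.size() > 1 ? parts[1].replaceAll(/\D.*/, '').toInteger() : 0
    return major > 3 || (major == 3 && minor >= 4)
}

// Fails the build if any resolvable *RuntimeClasspath (debug, release, ...)
// still resolves okio below 3.4, e.g. because another module re-pins it.
tasks.register('verifyOkioVersion') {
    group = 'verification'
    description = 'Fails if a vulnerable okio version is on a runtime classpath'
    doLast {
        def offenders = []
        configurations.matching { it.canBeResolved && it.name.endsWith('RuntimeClasspath') }.each { conf ->
            conf.resolvedConfiguration.resolvedArtifacts.each { artifact ->
                def id = artifact.moduleVersion.id
                // okio 3.x publishes the JVM jar as okio-jvm; older lines as okio.
                if (id.group == 'com.squareup.okio' && id.name in ['okio', 'okio-jvm']
                        && !okioIsFixed(id.version)) {
                    offenders << "${conf.name}: ${id.group}:${id.name}:${id.version}"
                }
            }
        }
        if (!offenders.empty) {
            throw new GradleException("Vulnerable okio on classpath:\n  " + offenders.join("\n  "))
        }
    }
}
```

Run `./gradlew :app:verifyOkioVersion` (or wire it into `check`) so the scanner finding described above is caught in CI rather than after release.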