@hot-updater/react-native 0.25.8 → 0.25.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/android/build.gradle
CHANGED
|
@@ -131,7 +131,7 @@ dependencies {
|
|
|
131
131
|
implementation "org.jetbrains.kotlinx:kotlinx-coroutines-core:1.7.3"
|
|
132
132
|
implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:1.7.3"
|
|
133
133
|
implementation "com.squareup.okhttp3:okhttp:4.12.0"
|
|
134
|
-
implementation
|
|
134
|
+
implementation files('libs/org.brotli.dec-1.2.0.jar')
|
|
135
135
|
}
|
|
136
136
|
|
|
137
137
|
if (isNewArchitectureEnabled()) {
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# Bundled Libraries
|
|
2
|
+
|
|
3
|
+
## org.brotli.dec-1.2.0.jar
|
|
4
|
+
|
|
5
|
+
**Why bundled:** The official `org.brotli:dec` package on Maven Central is stuck at v0.1.2 (released May 2017) and contains critical security vulnerabilities. Google has not published newer versions to Maven Central despite releasing v1.2.0 with security fixes.
|
|
6
|
+
|
|
7
|
+
**Source:** Built from [google/brotli v1.2.0](https://github.com/google/brotli/releases/tag/v1.2.0)
|
|
8
|
+
|
|
9
|
+
**Security Fixes:**
|
|
10
|
+
- CVE-2020-8927: Buffer overflow in Brotli versions < 1.0.8
|
|
11
|
+
- CVE-2025-6176: DoS vulnerability in versions ≤ 1.1.0 (fixed in v1.2.0)
|
|
12
|
+
|
|
13
|
+
**Build Command:**
|
|
14
|
+
```bash
|
|
15
|
+
git clone --depth 1 --branch v1.2.0 https://github.com/google/brotli.git
|
|
16
|
+
cd brotli/java/org/brotli/dec
|
|
17
|
+
mvn clean package -DskipTests
|
|
18
|
+
cp target/org.brotli.dec-1.2.0-SNAPSHOT.jar <destination>/org.brotli.dec-1.2.0.jar
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
**Verification:**
|
|
22
|
+
- **SHA256:** `2d12a2d7fb52fd7f944564fb378aaccd41389cf02ea2e5eb6b3a6477188cced8`
|
|
23
|
+
- **Size:** 97KB
|
|
24
|
+
- **Built:** 2026-02-12
|
|
25
|
+
- **Git Commit:** [028fb5a](https://github.com/google/brotli/commit/028fb5a23661f123017c060daa546b55cf4bde29) (v1.2.0 tag)
|
|
26
|
+
|
|
27
|
+
**API Compatibility:**
|
|
28
|
+
The v1.2.0 decoder is 100% API compatible with v0.1.2. No code changes are required:
|
|
29
|
+
- Same package: `org.brotli.dec`
|
|
30
|
+
- Same class: `BrotliInputStream`
|
|
31
|
+
- Same constructor: `BrotliInputStream(InputStream)`
|
|
32
|
+
|
|
33
|
+
**Why Not Apache Commons Compress?**
|
|
34
|
+
Apache Commons Compress depends on `org.brotli:dec:0.1.2` as an optional dependency, so switching to it would not fix the vulnerability—it would just make it transitive.
|
|
35
|
+
|
|
36
|
+
**Future Updates:**
|
|
37
|
+
When Google releases new versions of Brotli (e.g., v1.3.0), rebuild this JAR using the same process and update the SHA256 checksum and build date in this file.
|
|
Binary file
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@hot-updater/react-native",
|
|
3
|
-
"version": "0.25.
|
|
3
|
+
"version": "0.25.10",
|
|
4
4
|
"description": "React Native OTA solution for self-hosted",
|
|
5
5
|
"main": "lib/commonjs/index",
|
|
6
6
|
"module": "lib/module/index",
|
|
@@ -120,14 +120,14 @@
|
|
|
120
120
|
"react-native": "0.79.1",
|
|
121
121
|
"react-native-builder-bob": "^0.40.10",
|
|
122
122
|
"typescript": "^5.8.3",
|
|
123
|
-
"hot-updater": "0.25.
|
|
123
|
+
"hot-updater": "0.25.10"
|
|
124
124
|
},
|
|
125
125
|
"dependencies": {
|
|
126
126
|
"use-sync-external-store": "1.5.0",
|
|
127
|
-
"@hot-updater/
|
|
128
|
-
"@hot-updater/
|
|
129
|
-
"@hot-updater/
|
|
130
|
-
"@hot-updater/
|
|
127
|
+
"@hot-updater/core": "0.25.10",
|
|
128
|
+
"@hot-updater/js": "0.25.10",
|
|
129
|
+
"@hot-updater/cli-tools": "0.25.10",
|
|
130
|
+
"@hot-updater/plugin-core": "0.25.10"
|
|
131
131
|
},
|
|
132
132
|
"scripts": {
|
|
133
133
|
"build": "bob build && tsc -p plugin/tsconfig.build.json",
|