flutterrexmldependabotaddressable-gem

rexml and addressable security vulnerabilities in Flutter


I have a Flutter project currently in production, and I have seen a while ago two security vulnerabilities pop up in dependabot, see below:

dependabot

I am not really acquainted with native code, so am unsure on how to fix these dependencies.

Apart from waiting for packages owners to update their libraries, is there a way for me to force a minimum version for the Gemfile?


Solution

  • Found the issue, it was not related to native code, nor to Flutter code. All was tied to Fastlane and its subdependecies (I use firebase_app_distribution and upload_to_browserstack_app_live packages)

    In order to fix, for anyone stumbling upon this question, do these steps:

    1. Makes sure to have the latest fast lane version (fast lane update_fastlane)
    2. Update the locally installed gems (bundle update)
    3. Go to each directory that you have Fastlane installed in (android and iOS in my case), and run fastlane update_plugins.

    This should upgrade the packages to the latest versions, hopefully that have fixed the security vulnerabilities.