firebase-android-sdk
Request to Update gRPC dependency from 1.44.1 to 1.46.0
Discussed in https://github.com/firebase/firebase-android-sdk/discussions/3758
Originally posted by jaira May 30, 2022
Hi Firebase Developers,
I would like to ask, is it possible to update the gRPC dependencies of Firestore from 1.44.1 to 1.46.0 asap? This request was flagged because a util class in gRPC 1.44.1 has raised vulnerability concerns regarding some hashing methods for MD5 and SHA1, which are considered weak hashing algorithms. I have already contacted one of the developers of gRPC and he included the code cleanup in v1.46.0. Here is the Util.java class with the cleanup that needs to be updated in the Firestore dependencies: https://github.com/grpc/grpc-java/blob/master/okhttp/third_party/okhttp/main/java/io/grpc/okhttp/internal/Util.java
Hoping for a faster response regarding this matter, since this is causing delays in our code deployment with our clients.
Thanks.
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
If I understand correctly, this does not have a real impact besides static analysis complaints: https://github.com/grpc/grpc-java/commit/78ccc81fd5c3a9c94c8a202f141e477b946a263b ?
Not saying we will not upgrade, but this will not be an urgent upgrade.
Yes @wu-hui. But our client is very particular regarding this change. Hoping this upgrade of gRPC to v1.146.0 would be done asap to remove our client's hesitation on the dependencies of Firebase Firestore SDK. Thanks.
@jaira While you wait for the upgrade, you can actually specify the grpc dependency explicitly and it should override the version bundled in firestore:
implementation 'io.grpc:grpc-android:1.46.0'
implementation 'io.grpc:grpc-okhttp:1.46.0'
implementation 'io.grpc:grpc-protobuf-lite:1.46.0'
implementation 'io.grpc:grpc-stub:1.46.0'
Not sure if this will satisfy your need, but it's worth a try.
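A way to confirm that the explicit override above actually took effect, added here as an example and not code from the thread or the Firebase project: it parses the output of Gradle's dependency report (a module named `:app` and a `releaseRuntimeClasspath` configuration are assumed) and fails if any io.grpc artifact still resolves below the requested version.

```shell
#!/bin/sh
# Added example, not code from the thread or from Firebase/gRPC: scan a Gradle
# dependency report and fail if any io.grpc artifact still resolves below the
# version the explicit override is supposed to pin (1.46.0 in the thread).
# Produce a real report with, for instance (module name ":app" assumed):
#   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath
# Report lines look like "|    +--- io.grpc:grpc-okhttp:1.44.1 -> 1.46.0";
# the version after "->" is the one Gradle actually resolved.

# Constructed sample report; the versions are illustrative only.
SAMPLE_REPORT='releaseRuntimeClasspath - Runtime classpath of compilation release.
+--- com.google.firebase:firebase-firestore:24.1.2
|    +--- io.grpc:grpc-android:1.44.1 -> 1.46.0
|    +--- io.grpc:grpc-okhttp:1.44.1 -> 1.46.0
|    |    \--- io.grpc:grpc-core:1.46.0 (*)
|    +--- io.grpc:grpc-protobuf-lite:1.44.1
|    \--- io.grpc:grpc-stub:1.44.1 -> 1.46.0
\--- io.grpc:grpc-okhttp:1.46.0 (c)'

# Reads a dependency report on stdin. Prints every io.grpc artifact that
# resolves below the minimum version given as $1; exits 0 only if none does.
check_grpc_min_version() {
    awk -v min="$1" '
        # Turn "major.minor.patch" into one comparable number.
        function vernum(v,  a) { split(v, a, "."); return a[1] * 1000000 + a[2] * 1000 + a[3] }
        /io\.grpc:/ {
            idx = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^io\.grpc:/) idx = i
            if (idx == 0) next
            split($idx, p, ":")            # p[1]=group, p[2]=artifact, p[3]=declared version
            ver = p[3]
            if ($(idx + 1) == "->") ver = $(idx + 2)   # Gradle-resolved version wins
            if (vernum(ver) < vernum(min)) {
                bad++
                print p[1] ":" p[2] " resolves to " ver " (below " min ")"
            }
        }
        END { exit (bad > 0) }'
}

# On the sample, grpc-protobuf-lite was not overridden and is reported.
printf '%s\n' "$SAMPLE_REPORT" | check_grpc_min_version 1.46.0 \
    || echo "at least one io.grpc artifact is still below 1.46.0"
```

Running the same check with the minimum raised to the version a later Firestore release bundles tells you at a glance whether the workaround is still needed.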
Thanks @thatfiredev! I will try this workaround.
grpc has been updated to 1.48.1 in version 24.3.1 of firestore.