react-native-zip-archive

Are the podspec compiler flags mandatory for versions before 6.1.0?

Open kptp opened this issue 1 year ago • 13 comments

I am having issues building this library on Xcode 16. I noticed that in the latest version the compiler_flag GCC_PREPROCESSOR_DEFINITIONS has been removed from the Podspec. This fixes the issue I am having. However, I cannot update this library to the latest version as it requires iOS 15.5 and I have many users who are using older iOS versions. (The vulnerability that requires the iOS 15.5 update should not affect my app as I only use this library for unzipping.)

I was wondering if the compiler_flags in the Podspec are actually required for version 6.0.9 of this library, or can they be removed? I can remove them with an npm patch or a pod post install script, which seems to work.

Env:

  • Device: iPhone, iPad
  • OS: iOS
  • OS Version: < 15.5
  • Package Version: 6.0.9

kptp avatar Sep 19 '24 06:09 kptp

Interesting, the compiler flag was introduced when we started using CocoaPods to manage iOS deps, and I never thought about what would happen if it were removed.

So, it may be useless since ZipArchive (the underlying module) already has that.

plrthink avatar Sep 21 '24 05:09 plrthink

Anyway, thanks for reporting this, and I think we should release a patch on v6 for anyone who can't upgrade the deployment to iOS 15 and above.

plrthink avatar Sep 21 '24 05:09 plrthink

Hi @plrthink, any timeline on when the patch will be out? Thank you.

Pingou avatar Sep 25 '24 08:09 Pingou

Yeah, in a few days, need some testing before that.

-- Perry Poon

plrthink avatar Sep 26 '24 00:09 plrthink

@Pingou I recapped the recent changes, and I think you should do the update if you're distributing your app via the App Store. Otherwise, even if I make the patch for the compiler flags issue, you still release new changes to the end users.

Here is the full story:

Due to recent Apple Store privacy requirements, third-party SDKs and libraries must now declare the reasons for accessing certain APIs, including those used by underlying libraries like minizip.

To comply with these new guidelines, we’ve updated SSZipArchive to version 2.5.5, which implements the necessary changes.

However, this update represents a significant jump from 2.2.0 to 2.5.5, including version 2.5.0, which introduces a breaking change: it now requires a minimum iOS deployment target of iOS 15.5+. This has become a blocker for developers who still need to support older iOS versions.

The reason for this breaking change is that SSZipArchive 2.5.0 addresses a potential security vulnerability in the zipping process, making the update essential for maintaining security.


As you can see, we need the code changes in SSZipArchive 2.5.5 to make the App Store privacy happy, which forces iOS deployment to be 15.5 at least.

plrthink avatar Sep 28 '24 09:09 plrthink

@plrthink Thank you for the details. Personally I just removed the flag from the podspec as I need to support iOS 13. I haven't released yet, so I'm not sure if that will pass when uploading to the App Store. "third-party SDKs and libraries must now declare the reasons for accessing certain APIs, including those used by underlying libraries like minizip." That seems a bit odd to me, the app should be able to declare them, right? If that is the case, could there be another version that just removes the flag and mentions in the documentation those needed declarations? It is a bit unclear to me if you're saying that it is the security vulnerability changes that require 15.5 or just the App Store privacy. Personally I am not impacted by the security issues as I control the zip.

Pingou avatar Sep 28 '24 10:09 Pingou

> "third-party SDKs and libraries must now declare the reasons for accessing certain APIs, including those used by underlying libraries like minizip." That seems a bit odd to me, the app should be able to declare them, right?

You can't add the privacy manifest on your own, it should be done by the library itself if I understand correctly.

> If that is the case could there be another version that just removes the flag and mentions in the documentation those needed declarations?

My point is that I have to upgrade SSZipArchive to make the app satisfy the App Store requirement, which requires the minimum deployment target of 15.5.

Removing the flag itself can't help with the App Store requirement.

plrthink avatar Sep 28 '24 13:09 plrthink

Oh, I think I'm wrong, the app developer could make the privacy manifest on their own. And here is the content: https://github.com/ZipArchive/ZipArchive/blob/main/SSZipArchive/Supporting%20Files/PrivacyInfo.xcprivacy.

But for maintenance reasons, I would not make the patch version for this since I would only fix bugs for the latest one.

So you can stick with your forked repo until you can upgrade to the v7+.

plrthink avatar Sep 28 '24 13:09 plrthink

How to resolve?

hengkx avatar Oct 11 '24 03:10 hengkx

How can this be solved?

hujiang1 avatar Nov 27 '24 11:11 hujiang1

@hengkx @hujiang1 Can you update to the latest version of this package? This should solve the problem after running pod install.

plrthink avatar Nov 28 '24 01:11 plrthink

diff --git a/node_modules/react-native-zip-archive/RNZipArchive.podspec b/node_modules/react-native-zip-archive/RNZipArchive.podspec
index 8eebcdc..1eada4c 100644
--- a/node_modules/react-native-zip-archive/RNZipArchive.podspec
+++ b/node_modules/react-native-zip-archive/RNZipArchive.podspec
@@ -15,7 +15,6 @@ Pod::Spec.new do |s|
 
   s.dependency 'React-Core'
   s.dependency 'SSZipArchive', '~>2.2'
-  s.compiler_flags = '-GCC_PREPROCESSOR_DEFINITIONS="HAVE_INTTYPES_H HAVE_PKCRYPT HAVE_STDINT_H HAVE_WZAES HAVE_ZLIB MZ_ZIP_NO_SIGNING $(inherited)"'
 
   s.subspec 'Core' do |ss|
     ss.source_files = 'ios/*.{h,m}'
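
Review bot: the removed `s.compiler_flags` line carried the `HAVE_PKCRYPT` and `HAVE_WZAES` defines, and nothing in this hunk shows where they are set once the line is gone. In minizip these macros gate traditional PKWARE and WinZip AES encryption support, so before shipping this removal confirm that the resolved SSZipArchive pod sets them in its own build settings and that password-protected archives still open. A test that unzips one AES-encrypted archive would catch a silent regression.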

@plrthink

hengkx avatar Nov 28 '24 09:11 hengkx

diff --git a/node_modules/react-native-zip-archive/RNZipArchive.podspec b/node_modules/react-native-zip-archive/RNZipArchive.podspec
index 8eebcdc..1eada4c 100644
--- a/node_modules/react-native-zip-archive/RNZipArchive.podspec
+++ b/node_modules/react-native-zip-archive/RNZipArchive.podspec
@@ -15,7 +15,6 @@ Pod::Spec.new do |s|
 
   s.dependency 'React-Core'
   s.dependency 'SSZipArchive', '~>2.2'
-  s.compiler_flags = '-GCC_PREPROCESSOR_DEFINITIONS="HAVE_INTTYPES_H HAVE_PKCRYPT HAVE_STDINT_H HAVE_WZAES HAVE_ZLIB MZ_ZIP_NO_SIGNING $(inherited)"'
 
   s.subspec 'Core' do |ss|
     ss.source_files = 'ios/*.{h,m}'
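
Review bot: this edits a file under `node_modules/`, so the change is lost on the next install unless the patch is committed and reapplied automatically (the thread mentions an npm patch or a pod post-install script). The unchanged context line `s.dependency 'SSZipArchive', '~>2.2'` also still allows any 2.x release from 2.2 up, so check `Podfile.lock` to confirm which SSZipArchive version is actually resolved for the older deployment target.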

@plrthink

Sorry for the late response, but I don't get what you're trying to say. Can you explain more?

plrthink avatar Jan 07 '25 13:01 plrthink