deps: Upgrade react-native-webview to 11.6.4, the latest.
To get a version that has the React Native peer dep range bumped to
include React Native v0.64, which we hope to upgrade to soon
(zulip#4426).

There is one announced breaking change for Android; the
`setSupportMultipleWindows` prop is introduced, defaulting to
`true` [1]. This is to "mitigate the security advisory
CVE-2020-6506". The advisory says, "This vulnerability affects React
Native apps which use a react-native-webview that allows navigation
to arbitrary URLs, and when that app runs on systems with an Android
WebView version prior to 83.0.4103.106."

I'm skeptical that we were affected, because I don't think we allow
navigation to arbitrary URLs; see our comments on our use of the
`originWhitelist` and `onShouldStartLoadWithRequest` props. But good
that they're addressing reported vulnerabilities.

[1] https://github.com/react-native-webview/react-native-webview/releases/tag/v11.0.0
chrisbobbe committed Jul 1, 2021
1 parent cdb9ed4 commit 953ed90
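
The navigation restriction the commit message refers to (`originWhitelist` plus `onShouldStartLoadWithRequest`), sketched as an added example; it is not Zulip's code and not part of this commit. `ALLOWED_ORIGIN`, `isAllowedNavigation` and `webViewProps` are hypothetical names, the origin is a constructed value, and a spec-compliant `URL` implementation is assumed (present in Node; React Native may need a polyfill).

```javascript
// Added example, not Zulip's code. All names and the origin are hypothetical.
const ALLOWED_ORIGIN = 'https://chat.example.test'; // constructed sample value

// Decide whether a navigation request may load inside the WebView.
// `request` has the shape passed to onShouldStartLoadWithRequest: { url, ... }.
function isAllowedNavigation(request, allowedOrigin = ALLOWED_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(request.url);
  } catch (e) {
    return false; // unparseable input: refuse rather than guess
  }
  // Only https; this also rejects javascript:, data:, file: and similar schemes.
  if (parsed.protocol !== 'https:') return false;
  // Reject userinfo, which makes "https://allowed@other-host/" look allowed
  // to a naive string check.
  if (parsed.username !== '' || parsed.password !== '') return false;
  // Compare the parsed origin (scheme + host + port), never a string prefix:
  // "https://chat.example.test.other.test" starts with the allowed string
  // but is a different host.
  return parsed.origin === new URL(allowedOrigin).origin;
}

// Props as they would be passed to <WebView {...webViewProps} />.
const webViewProps = {
  // Restrict the origins the WebView will navigate to at all.
  originWhitelist: [ALLOWED_ORIGIN],
  // Per-request gate; returning false stops the load.
  onShouldStartLoadWithRequest: (request) => isAllowedNavigation(request),
  // Android only. Already the default from v11.0.0 per the release notes
  // cited in the commit message; spelled out so the choice is visible in review.
  setSupportMultipleWindows: true,
};
```
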
Showing 7 changed files with 1,353 additions and 702 deletions.
20 changes: 20 additions & 0 deletions docs/howto/libdefs.md
Expand Up @@ -94,6 +94,26 @@ was like.
[7]: https://flow.org/en/docs/libdefs/creation/
[8]: https://github.com/flow-typed/flow-typed/blob/master/CONTRIBUTING.md#dont-import-types-from-other-libdefs

## `react-native-webview` at 11.6.4

As seen in the entry below, our practice as we update `react-native-webview`
has been to look at diffs in relevant TypeScript files between versions, and
try to translate and apply those to our Flow libdef. Since our starting
point was a libdef from `flow-typed` that was "lacking most of the JSDocs,
and several properties were needlessly in a different order than in the
TypeScript" (see below), though, that process has been kind of frustrating.

So with this upgrade, I did a reset by translating the relevant
`react-native-webview` files (and parts of a file from
`@types/react-native`, which those files depended on) with Flowgen into a
totally fresh libdef. It worked surprisingly well, preserving jsdocs and
ordering. (I think there may have been a glitch with copying jsdocs in the
translation, maybe in @types/react-native, but I was able to run the
`flowgen` command with `--no-jsdoc` and then copy them over by hand.)

Hopefully this will allow us to restart the diffing approach more easily for
future upgrades.

## `react-native-webview` at v7.6

The latest version FlowTyped has a libdef for is 6, unfortunately.
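
Review bot: The new `react-native-webview` at 11.6.4 section says the libdef was regenerated from "the relevant `react-native-webview` files" and "parts of a file from `@types/react-native`", but it names neither the files nor the exact `flowgen` command, so the reset cannot be repeated or audited at the next upgrade. Suggest listing the source file paths and the full invocation (including the `--no-jsdoc` run), and noting which jsdocs were copied over by hand, since hand-copied comments can drift from upstream. Minor style point: this heading uses `11.6.4` while the entry below uses `v7.6`; pick one form.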