The version of `archive` package the tool uses "are affected by security advisories"

[jmagman]

Downloading packages...
   _fe_analyzer_shared 69.0.0 (70.0.0 available)
   analyzer 6.5.1 (6.5.2 available)
   archive 3.3.2 (affected by advisories: [^0], [^1], 3.6.0 available)
   web_socket_channel 2.4.5 (3.0.0 available)
 No dependencies changed.
 1 package is discontinued.
 Dependencies are affected by security advisories:
   [^0]: https://github.com/advisories/GHSA-9v85-q87q-g4vg
   [^1]: https://github.com/advisories/GHSA-r285-q736-9v95

GHSA-9v85-q87q-g4vg

An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.

GHSA-r285-q736-9v95

An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.

Both issues are patched in archive 3.3.8.

In addition to there being security issues, the fact that this logging appears in tool output is embarrassing...

Pinned here

flutter/packages/flutter_tools/lib/src/update_packages_pins.dart

Line 22 in 5bd34ef

'archive': '3.3.2', // https://github.com/flutter/flutter/issues/115660

Linked issue is #115660, appears this is blocked by #133371? Can we update without totally changing Windows archiving in the meantime?

[jmagman]

Version 3.5.0 removed the dependency on pointycastle
https://github.com/brendan-duncan/archive/blob/98e1158d689e73f26f31f4c2188920c3746aa3b9/CHANGELOG.md?plain=1#L13

which might address the "it has introduced new dependencies we don't want to take on: https://github.com/flutter/flutter/issues/115660." part of the concern with rolling this.
https://github.com/flutter/flutter/pull/115600/files#diff-e23391c4ee2d40226a43584e2bd12a9f46bdcc018a44de6b02c65d0334465a15R30

[jmagman]

cc @christopherfujino @andrewkolos

[christopherfujino]

Deduping with #133371

[christopherfujino]

That's a good point about the deps, though, looks like the newest only depends on crypto and path....

[jmagman]

Can we undup with #133371? I don't think unpinning should depend on rewriting the Windows archiving logic if the latest version of archive doesn't pull in any dependencies, is no worse in terms of OOM, and ALSO doesn't have security advisories.

[jmagman]

Confirmed that unpinning pulled in no additional dependencies.

[jmagman]

I hit size analysis test failures when I tried to roll, filed brendan-duncan/archive#339.

There might be a workaround but I'm not too familiar with the code that's tickling this bug:

flutter/packages/flutter_tools/lib/src/base/analyze_size.dart

Lines 154 to 161 in 3bc1f51

	final Archive archive = ZipDecoder().decodeBytes(zipFile.readAsBytesSync());
	final Map<List<String>, int> pathsToSize = <List<String>, int>{};
	for (final ArchiveFile archiveFile in archive.files) {
	final InputStreamBase? rawContent = archiveFile.rawContent;
	if (rawContent != null) {
	pathsToSize[_fileSystem.path.split(archiveFile.name)] = rawContent.length;
	}