From cefa3a98f2be61bd122da81b7b5da325445fa05d Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Sat, 21 Mar 2026 13:42:26 +0000
Subject: [PATCH 1/3] fix: Gemfile & Gemfile.lock to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-JSON-15692503
---
 Gemfile | 2 +-
 Gemfile.lock | 112 +++++++++++++++++++++++----------------------
 2 files changed, 52 insertions(+), 62 deletions(-)
diff --git a/Gemfile b/Gemfile
index 4a74f5363ad26..ab34bf5fb0130 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,7 +6,7 @@ ruby ">= 3.3.4"
 gem "cocoapods", "= 1.16.2"
 gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0'
 gem 'xcodeproj', '~> 1.27'
-gem "fastlane", "~> 2", ">= 2.229.0"
+gem "fastlane", "~> 2", ">= 2.229.1"
 gem "xcpretty", "~> 0"
 gem "openssl", ">= 3.3.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index 769319b168422..de1581929235c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -15,18 +15,16 @@ GEM minitest (>= 5.1) securerandom (>= 0.3) tzinfo (~> 2.0, >= 2.0.5) - addressable (2.8.8) + addressable (2.8.9) public_suffix (>= 2.0.2, < 8.0) algoliasearch (1.27.5) httpclient (~> 2.8, >= 2.8.3) json (>= 1.5.1) - apktools (0.7.5) - rubyzip (~> 2.0) artifactory (3.0.17) atomos (0.1.3) aws-eventstream (1.4.0) - aws-partitions (1.1198.0) - aws-sdk-core (3.240.0) + aws-partitions (1.1229.0) + aws-sdk-core (3.244.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.992.0) aws-sigv4 (~> 1.9)
@@ -34,17 +32,17 @@ GEM bigdecimal jmespath (~> 1, >= 1.6.1) logger - aws-sdk-kms (1.118.0) - aws-sdk-core (~> 3, >= 3.239.1) + aws-sdk-kms (1.123.0) + aws-sdk-core (~> 3, >= 3.244.0) aws-sigv4 (~> 1.5) - aws-sdk-s3 (1.208.0) - aws-sdk-core (~> 3, >= 3.234.0) + aws-sdk-s3 (1.217.0) + aws-sdk-core (~> 3, >= 3.244.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.5) aws-sigv4 (1.12.1) aws-eventstream (~> 1, >= 1.0.2) babosa (1.0.4) - base64 (0.3.0) + base64 (0.2.0) benchmark (0.3.0) bigdecimal (4.0.1) claide (1.1.0) 
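Review bot: The advisory named in the commit message (SNYK-RUBY-JSON-15692503) concerns json, yet the only Gemfile change in this hunk is the fastlane floor moving from 2.229.0 to 2.229.1; json is reached only transitively (`json (< 3.0.0)` under fastlane in the lockfile), so the actual fix lives solely in the lock's `json (2.18.0)` → `json (2.19.2)` line, and a later `bundle update` or lock regeneration could resolve json back below the patched version. Unless the Gemfile already declares json outside this hunk, consider pinning the floor next to the other explicit constraints, e.g. `gem "json", ">= 2.19.2"`, so the fix is enforced at resolution time rather than by the lockfile alone. Separately, the regenerated lock records `BUNDLED WITH 2.5.22`, down from 2.6.9, which suggests it was produced with an older bundler than the previous lock; presumably unintended, and worth checking so the next `bundle install` does not churn that line again.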
@@ -103,7 +101,7 @@ GEM ethon (0.15.0) ffi (>= 1.15.0) excon (0.112.0) - faraday (1.10.4) + faraday (1.10.5) faraday-em_http (~> 1.0) faraday-em_synchrony (~> 1.0) faraday-excon (~> 1.1)
@@ -122,24 +120,26 @@ GEM faraday-em_synchrony (1.0.1) faraday-excon (1.1.0) faraday-httpclient (1.0.1) - faraday-multipart (1.1.1) + faraday-multipart (1.2.0) multipart-post (~> 2.0) faraday-net_http (1.0.2) faraday-net_http_persistent (1.2.0) faraday-patron (1.0.0) faraday-rack (1.0.0) - faraday-retry (1.0.3) + faraday-retry (1.0.4) faraday_middleware (1.2.1) faraday (~> 1.0) - fastimage (2.4.0) - fastlane (2.229.0) + fastimage (2.4.1) + fastlane (2.232.2) CFPropertyList (>= 2.3, < 4.0.0) abbrev (~> 0.1.2) addressable (>= 2.8, < 3.0.0) artifactory (~> 3.0) - aws-sdk-s3 (~> 1.0) + aws-sdk-s3 (~> 1.197) babosa (>= 1.0.3, < 2.0.0) - bundler (>= 1.12.0, < 3.0.0) + base64 (~> 0.2.0) + benchmark (>= 0.1.0) + bundler (>= 1.17.3, < 5.0.0) colored (~> 1.2) commander (~> 4.6) csv (~> 3.3)
@@ -154,17 +154,20 @@ GEM gh_inspector (>= 1.1.2, < 2.0.0) google-apis-androidpublisher_v3 (~> 0.3) google-apis-playcustomapp_v1 (~> 0.1) - google-cloud-env (>= 1.6.0, < 2.0.0) + google-cloud-env (>= 1.6.0, <= 2.1.1) google-cloud-storage (~> 1.31) highline (~> 2.0) http-cookie (~> 1.0.5) json (< 3.0.0) jwt (>= 2.1.0, < 3) + logger (>= 1.6, < 2.0) mini_magick (>= 4.9.4, < 5.0.0) multipart-post (>= 2.0.0, < 3.0.0) mutex_m (~> 0.3.0) naturally (~> 2.2) + nkf (~> 0.2.0) optparse (>= 0.1.1, < 1.0.0) + ostruct (>= 0.1.0) plist (>= 3.1.0, < 4.0.0) rubyzip (>= 2.0.0, < 3.0.0) security (= 0.1.5) 
@@ -177,13 +180,6 @@ GEM xcodeproj (>= 1.13.0, < 2.0.0) xcpretty (~> 0.4.1) xcpretty-travis-formatter (>= 0.0.3, < 2.0.0) - fastlane-plugin-aws_s3 (2.1.0) - apktools (~> 0.7) - aws-sdk-s3 (~> 1) - mime-types (~> 3.3) - fastlane-plugin-firebase_app_distribution (0.10.1) - google-apis-firebaseappdistribution_v1 (~> 0.3.0) - google-apis-firebaseappdistribution_v1alpha (~> 0.2.0) fastlane-sirp (1.0.0) sysrandom (~> 1.0) ffi (1.17.2) 
@@ -193,42 +189,40 @@ GEM fourflusher (2.3.1) fuzzy_match (2.0.4) gh_inspector (1.1.3) - google-apis-androidpublisher_v3 (0.54.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-core (0.11.3) + google-apis-androidpublisher_v3 (0.97.0) + google-apis-core (>= 0.15.0, < 2.a) + google-apis-core (0.18.0) addressable (~> 2.5, >= 2.5.1) - googleauth (>= 0.16.2, < 2.a) - httpclient (>= 2.8.1, < 3.a) + googleauth (~> 1.9) + httpclient (>= 2.8.3, < 3.a) mini_mime (~> 1.0) + mutex_m representable (~> 3.0) retriable (>= 2.0, < 4.a) - rexml - google-apis-firebaseappdistribution_v1 (0.3.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-firebaseappdistribution_v1alpha (0.2.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-iamcredentials_v1 (0.17.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-playcustomapp_v1 (0.13.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-storage_v1 (0.31.0) - google-apis-core (>= 0.11.0, < 2.a) + google-apis-iamcredentials_v1 (0.26.0) + google-apis-core (>= 0.15.0, < 2.a) + google-apis-playcustomapp_v1 (0.17.0) + google-apis-core (>= 0.15.0, < 2.a) + google-apis-storage_v1 (0.61.0) + google-apis-core (>= 0.15.0, < 2.a) google-cloud-core (1.8.0) google-cloud-env (>= 1.0, < 3.a) google-cloud-errors (~> 1.0) - google-cloud-env (1.6.0) - faraday (>= 0.17.3, < 3.0) - google-cloud-errors (1.5.0) - google-cloud-storage (1.47.0) + google-cloud-env (2.1.1) + faraday (>= 1.0, < 3.a) + google-cloud-errors (1.6.0) + google-cloud-storage (1.58.0) addressable (~> 2.8) digest-crc (~> 0.4) - google-apis-iamcredentials_v1 (~> 0.1) - google-apis-storage_v1 (~> 0.31.0) + google-apis-core (>= 0.18, < 2) + google-apis-iamcredentials_v1 (~> 0.18) + google-apis-storage_v1 (>= 0.42) google-cloud-core (~> 1.6) - googleauth (>= 0.16.2, < 2.a) + googleauth (~> 1.9) mini_mime (~> 1.0) - googleauth (1.8.1) - faraday (>= 0.17.3, < 3.a) + googleauth (1.11.2) + faraday (>= 1.0, < 3.a) + google-cloud-env (~> 2.1) jwt (>= 1.4, < 3.0) multi_json (~> 1.11) os (>= 
0.9, < 2.0)
@@ -241,28 +235,26 @@ GEM i18n (1.14.7) concurrent-ruby (~> 1.0) jmespath (1.6.2) - json (2.18.0) + json (2.19.2) jwt (2.10.2) base64 logger (1.7.0) - mime-types (3.7.0) - logger - mime-types-data (~> 3.2025, >= 3.2025.0507) - mime-types-data (3.2025.0924) mini_magick (4.13.2) mini_mime (1.1.5) minitest (5.26.1) molinillo (0.8.0) - multi_json (1.18.0) + multi_json (1.19.1) multipart-post (2.4.1) mutex_m (0.3.0) nanaimo (0.4.0) nap (1.1.0) naturally (2.3.0) netrc (0.11.0) + nkf (0.2.0) openssl (3.3.1) optparse (0.8.1) os (1.1.4) + ostruct (0.6.3) plist (3.7.2) public_suffix (4.0.7) rake (13.3.1)
@@ -270,7 +262,7 @@ GEM declarative (< 0.1.0) trailblazer-option (>= 0.1.1, < 0.2.0) uber (< 0.2.0) - retriable (3.1.2) + retriable (3.4.1) rexml (3.4.4) rouge (3.28.0) ruby-macho (2.5.1)
@@ -326,9 +318,7 @@ DEPENDENCIES benchmark bigdecimal cocoapods (= 1.16.2) - fastlane (~> 2, >= 2.229.0) - fastlane-plugin-aws_s3 - fastlane-plugin-firebase_app_distribution + fastlane (~> 2, >= 2.229.1) logger mutex_m openssl (>= 3.3.1)
@@ -339,4 +329,4 @@ RUBY VERSION ruby 3.3.4p94 BUNDLED WITH - 2.6.9 + 2.5.22
From 1ca9318f59c1e0ae38b103ae3ed4ed8d8844e650 Mon Sep 17 00:00:00 2001
From: Nathalie Kuoch
Date: Sat, 21 Mar 2026 17:24:31 +0100
Subject: [PATCH 2/3] Restore fastlane plugin gems in Gemfile.lock
Re-run bundle install so fastlane-plugin-aws_s3 and fastlane-plugin-firebase_app_distribution are listed again after the fastlane security bump. Pluginfile is still evaluated from the Gemfile; without these entries, deploy lanes that use aws_s3 can fail when installing from the lockfile alone.
---
 Gemfile.lock | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/Gemfile.lock b/Gemfile.lock
index de1581929235c..affdd47128ae8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -20,6 +20,8 @@ GEM algoliasearch (1.27.5) httpclient (~> 2.8, >= 2.8.3) json (>= 1.5.1) + apktools (0.7.5) + rubyzip (~> 2.0) artifactory (3.0.17) atomos (0.1.3) aws-eventstream (1.4.0) 
@@ -180,6 +182,14 @@ GEM xcodeproj (>= 1.13.0, < 2.0.0) xcpretty (~> 0.4.1) xcpretty-travis-formatter (>= 0.0.3, < 2.0.0) + fastlane-plugin-aws_s3 (2.1.0) + apktools (~> 0.7) + aws-sdk-s3 (~> 1) + mime-types (~> 3.3) + fastlane-plugin-firebase_app_distribution (1.0.0) + fastlane (>= 2.232.0) + google-apis-firebaseappdistribution_v1 (>= 0.9.0) + google-apis-firebaseappdistribution_v1alpha (>= 0.12.0) fastlane-sirp (1.0.0) sysrandom (~> 1.0) ffi (1.17.2)
@@ -199,6 +209,10 @@ GEM mutex_m representable (~> 3.0) retriable (>= 2.0, < 4.a) + google-apis-firebaseappdistribution_v1 (0.17.0) + google-apis-core (>= 0.15.0, < 2.a) + google-apis-firebaseappdistribution_v1alpha (0.26.0) + google-apis-core (>= 0.15.0, < 2.a) google-apis-iamcredentials_v1 (0.26.0) google-apis-core (>= 0.15.0, < 2.a) google-apis-playcustomapp_v1 (0.17.0)
@@ -239,6 +253,10 @@ GEM jwt (2.10.2) base64 logger (1.7.0) + mime-types (3.7.0) + logger + mime-types-data (~> 3.2025, >= 3.2025.0507) + mime-types-data (3.2026.0317) mini_magick (4.13.2) mini_mime (1.1.5) minitest (5.26.1)
@@ -319,6 +337,8 @@ DEPENDENCIES bigdecimal cocoapods (= 1.16.2) fastlane (~> 2, >= 2.229.1) + fastlane-plugin-aws_s3 + fastlane-plugin-firebase_app_distribution logger mutex_m openssl (>= 3.3.1)
From 1405ef0acade47ab439250ccd7089cc379f173ee Mon Sep 17 00:00:00 2001
From: Nathalie Kuoch
Date: Sat, 21 Mar 2026 17:51:20 +0100
Subject: [PATCH 3/3] Fix gem fastlane version
---
 Gemfile | 2 +-
 Gemfile.lock | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index ab34bf5fb0130..ea2b57d64cae6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,7 +6,7 @@ ruby ">= 3.3.4"
 gem "cocoapods", "= 1.16.2"
 gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0'
 gem 'xcodeproj', '~> 1.27'
-gem "fastlane", "~> 2", ">= 2.229.1"
+gem "fastlane", "~> 2.232.0"
 gem "xcpretty", "~> 0"
 gem "openssl", ">= 3.3.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index affdd47128ae8..ba8eaa60020b7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
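Review bot: `gem "fastlane", "~> 2.232.0"` admits only 2.232.x, so the next fastlane security release outside that minor will need a Gemfile edit as well as a lock update, and the commit message ("Fix gem fastlane version") does not say why the earlier `"~> 2", ">= 2.229.1"` range was narrowed. Presumably the cap is there to satisfy `fastlane-plugin-firebase_app_distribution (1.0.0)` requiring `fastlane (>= 2.232.0)` in the previous commit, but a floor alone would do that: `gem "fastlane", "~> 2", ">= 2.232.2"` keeps the locked 2.232.2 as the minimum while leaving future patch and minor bumps resolvable. If the cap is deliberate, a one-line comment above the gem line recording the reason would save the next reader the archaeology.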
@@ -45,7 +45,7 @@ GEM aws-eventstream (~> 1, >= 1.0.2) babosa (1.0.4) base64 (0.2.0) - benchmark (0.3.0) + benchmark (0.5.0) bigdecimal (4.0.1) claide (1.1.0) cocoapods (1.16.2)
@@ -336,7 +336,7 @@ DEPENDENCIES benchmark bigdecimal cocoapods (= 1.16.2) - fastlane (~> 2, >= 2.229.1) + fastlane (~> 2.232.0) fastlane-plugin-aws_s3 fastlane-plugin-firebase_app_distribution logger