From aa7bf792fb76a959a6d0ad9be4aba0a14381a329 Mon Sep 17 00:00:00 2001
From: Brad Anderson
Date: Sat, 16 May 2026 08:21:20 -0400
Subject: [PATCH 1/3] chore(deps): bump Android OpenSSL prefab 3.6.0-1 to 3.6.2-1 (#988)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Skips 3.6.1-1, going straight to 3.6.2-1 — the latest published prefab from io.github.ronickg. Clears CVE-2025-15467 (CMS EnvelopedData stack overflow; not reachable from RNQC) and aligns Android closer to iOS, which auto-resolves via OpenSSL-Universal ~> 3.6. Closes #988
---
 packages/react-native-quick-crypto/android/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/react-native-quick-crypto/android/build.gradle b/packages/react-native-quick-crypto/android/build.gradle
index 4c98f4c8..9055768d 100644
--- a/packages/react-native-quick-crypto/android/build.gradle
+++ b/packages/react-native-quick-crypto/android/build.gradle
@@ -150,7 +150,7 @@ dependencies {
 implementation project(":react-native-nitro-modules")
 // Add a dependency on OpenSSL
- implementation 'io.github.ronickg:openssl:3.6.0-1'
+ implementation 'io.github.ronickg:openssl:3.6.2-1'
 if (sodiumEnabled) {
 // Add a dependency on libsodium
From 7a07a27bd9d529a2498b025b2bc215e2063b5bf3 Mon Sep 17 00:00:00 2001
From: Brad Anderson
Date: Sat, 16 May 2026 08:21:47 -0400
Subject: [PATCH 2/3] chore(deps): bump libsodium 1.0.20 to 1.0.22 (#989)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Updates the iOS podspec download URL + the Android prefab dependency. libsodium is opt-in behind SODIUM_ENABLED=1 and only powers the XSalsa20 / XChaCha20-Poly1305 cipher paths — RNQC is not vulnerable to the crypto_core_ed25519_is_valid_point() CVEs (CVE-2025-69277, CVE-2025-15444), but the bump clears them from consumer scanners. Closes #989
---
 packages/react-native-quick-crypto/QuickCrypto.podspec | 4 ++--
 packages/react-native-quick-crypto/android/build.gradle | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/react-native-quick-crypto/QuickCrypto.podspec b/packages/react-native-quick-crypto/QuickCrypto.podspec
index 487b4c64..74db2aa9 100644
--- a/packages/react-native-quick-crypto/QuickCrypto.podspec
+++ b/packages/react-native-quick-crypto/QuickCrypto.podspec
@@ -25,7 +25,7 @@ Pod::Spec.new do |s|
 # Ensure libsodium source is present during podspec evaluation when enabled.
 # This is necessary because prepare_command is skipped for :path pods.
 if sodium_enabled
- sodium_version = "1.0.20"
+ sodium_version = "1.0.22"
 sodium_dir = File.join(__dir__, "ios", "libsodium-stable")
 sodium_header = File.join(sodium_dir, "src", "libsodium", "include", "sodium.h")
 unless File.exist?(sodium_header)
@@ -52,7 +52,7 @@ Pod::Spec.new do |s|
 rm -f OpenSSL.xcframework.zip
 # Build libsodium
 mkdir -p ios
- curl -L -o ios/libsodium.tar.gz https://download.libsodium.org/libsodium/releases/libsodium-1.0.20-stable.tar.gz
+ curl -L -o ios/libsodium.tar.gz https://download.libsodium.org/libsodium/releases/libsodium-1.0.22-stable.tar.gz
 tar -xzf ios/libsodium.tar.gz -C ios
 cd ios/libsodium-stable
 ./configure --disable-shared --enable-static
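Review bot: The bumped `curl -L -o ios/libsodium.tar.gz …/libsodium-1.0.22-stable.tar.gz` line in the second podspec hunk is still followed directly by `tar -xzf` and `./configure`, so the archive is unpacked and built into a crypto dependency with no integrity check. I would fail closed on HTTP errors with `curl -fL -o ios/libsodium.tar.gz …` and verify a pinned digest before extraction, e.g. `echo "<EXPECTED_SHA256>  ios/libsodium.tar.gz" | shasum -a 256 -c -` (placeholder digest, to be taken from a verified download). The `-stable` file name suggests a snapshot that may be republished under the same URL; if so, a digest pin needs a fixed release archive or a signature check instead, which is worth confirming. The first hunk's `sodium_version = "1.0.22"` presumably drives a second download during podspec evaluation that lies outside the hunk and would need the same check, and the version is now hard-coded in two places. The shell block containing the `curl` line starts and ends outside the hunk.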
diff --git a/packages/react-native-quick-crypto/android/build.gradle b/packages/react-native-quick-crypto/android/build.gradle index 9055768d..e9ce64dd 100644 --- a/packages/react-native-quick-crypto/android/build.gradle +++ b/packages/react-native-quick-crypto/android/build.gradle @@ -154,7 +154,7 @@ dependencies { if (sodiumEnabled) { // Add a dependency on libsodium - implementation 'io.github.ronickg:sodium:1.0.20-1' + implementation 'io.github.ronickg:sodium:1.0.22-1' } } From 6bbd4df3594d3e7501a172774e6fa80d57fa5577 Mon Sep 17 00:00:00 2001 From: Brad Anderson Date: Sat, 16 May 2026 08:35:56 -0400 Subject: [PATCH 3/3] chore: update Podfile.lock for QuickCrypto checksum Podspec checksum rev'd after the libsodium 1.0.22 bump. --- example/ios/Podfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/example/ios/Podfile.lock b/example/ios/Podfile.lock index a0281fca..add99809 100644 --- a/example/ios/Podfile.lock +++ b/example/ios/Podfile.lock @@ -2841,7 +2841,7 @@ SPEC CHECKSUMS: NitroMmkv: afbc5b2fbf963be567c6c545aa1efcf6a9cec68e NitroModules: 11bba9d065af151eae51e38a6425e04c3b223ff3 OpenSSL-Universal: 9110d21982bb7e8b22a962b6db56a8aa805afde7 - QuickCrypto: b6fed48151d7fef2b33e8420c660dde2b421c396 + QuickCrypto: 5294516c651e33d452090e344da1ea839c4986f1 RCT-Folly: 846fda9475e61ec7bcbf8a3fe81edfcaeb090669 RCTDeprecation: c4b9e2fd0ab200e3af72b013ed6113187c607077 RCTRequired: e97dd5dafc1db8094e63bc5031e0371f092ae92a