fix(deps): update dependency react-native-webview to v11 [security] #188
This PR contains the following updates:
react-native-webview: ^7.4.2 -> ^11.0.0
GitHub Vulnerability Alerts
CVE-2020-6506
A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.
Pending mitigation
Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.
References
https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
Release Notes
react-native-webview/react-native-webview (react-native-webview)
v11.0.0
Features
BREAKING CHANGES
setSupportMultipleWindows prop for Android. This sets the underlying Android WebView setting setSupportMultipleWindows. This prop defaults to true (previously false), and serves to mitigate the security advisory CVE-2020-6506.
The primary way this new behavior changes existing React Native WebView implementations on Android is that links that open in new tabs/windows (such as <a target="_blank">) will now prompt to open in the system browser, rather than re-using the current WebView.
If this behavior is not desirable, you can set this new prop to false, but be aware that this exposes your app to the security vulnerability listed above. Make sure you have read and understand the whole advisory and relevant links.
iOS & Windows are unaffected.
Thanks to @mrcoinbase, @kelset, and @Titozzz for their work on this.
v10.10.2
Bug Fixes
v10.10.1
Bug Fixes
v10.10.0
Features
v10.9.3
Bug Fixes
v10.9.2
Bug Fixes
v10.9.1
Bug Fixes
v10.9.0
Features
v10.8.3
Bug Fixes
v10.8.2
Bug Fixes
v10.8.1
Bug Fixes
v10.8.0
Features
v10.7.0
Features
v10.6.0
Features
v10.5.0
Features
v10.4.2
Bug Fixes
v10.4.1
Bug Fixes
v10.4.0
Features
v10.3.3
Bug Fixes
v10.3.2
Bug Fixes
v10.3.1
Bug Fixes
v10.3.0
Features
v10.2.3
Bug Fixes
v10.2.2
Bug Fixes
setWebChromeClient() overwrite (#1417) (2f8c4c5)
v10.2.1
Bug Fixes
v10.2.0
Bug Fixes
Features
v10.1.1
Bug Fixes
v10.1.0
NOTE: use v10.1.1 as this version has an issue in Android
Bug Fixes
Features
v10.0.0
Bug Fixes
BREAKING CHANGES
Also moved getExtOrDefault to buildScript block to be able to use it everywhere in the file
This change shouldn't break any apps, but we are marking it as a breaking change in case there are some use cases we've missed.
[skip ci]
v9.4.0
Features
v9.3.0
Features
v9.2.2
Bug Fixes
v9.2.1
Bug Fixes
v9.2.0
Features
v9.1.4
Bug Fixes
1023678 and 1050635. (#1221) (5d88af4)
v9.1.3
Bug Fixes
v9.1.2
Bug Fixes
v9.1.1
Bug Fixes
v9.1.0
Features
v9.0.2
Bug Fixes
v9.0.1
Bug Fixes
v9.0.0
Features
BREAKING CHANGES
injectedJavaScript are no longer immutable.
v8.2.1
Bug Fixes
v8.2.0
Features
v8.1.2
Bug Fixes
v8.1.1
Bug Fixes
v8.1.0
Features
v8.0.6
Bug Fixes
v8.0.5
Bug Fixes
v8.0.4
Bug Fixes
v8.0.3
Bug Fixes
v8.0.2
Bug Fixes
v8.0.1
Bug Fixes
v8.0.0
Features
BREAKING CHANGES
ios: if you use onNavigationStateChange on iOS it will now trigger on # changes to the url.
Hook the window.history API on iOS to generate events
The underlying WKWebView doesn't seem to generate any events in response to the window.history API - none of the WKNavigationDelegate methods fire.
Given this limitation, the only way to know when the location changes via this API is to inject JavaScript into the page and have it notify the native code directly when any of these functions are called.
The setTimeout call gives up the current tick, allowing the location to change before firing the event.
Now that this bug is fixed, the workaround is no longer required.
v7.6.0
Bug Fixes
Features
v7.5.2
Bug Fixes
v7.5.1
Bug Fixes
v7.5.0
Features
v7.4.4
Bug Fixes
v7.4.3
Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
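The three conditions the advisory and the v11.0.0 notes describe (a react-native-webview range that resolves below v11, an explicit setSupportMultipleWindows={false} opt-out, and an Android WebView older than 83.0.4103.106) can be checked mechanically. This is an added example, not code from this PR or from react-native-webview; the function names and sample inputs are constructed for illustration.

```javascript
// Added audit sketch for CVE-2020-6506 exposure in a React Native project.
// Function names are hypothetical; sample inputs at the bottom are constructed.

const PATCHED_WEBVIEW = '83.0.4103.106'; // first fixed WebView, per the advisory
const FIXED_MAJOR = 11;                  // v11.0.0 made the prop default to true

// Numeric comparison of dotted versions; string comparison would rank
// "96" above "106" and misreport an unpatched WebView as patched.
function compareDotted(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function webViewIsPatched(version) {
  return compareDotted(version, PATCHED_WEBVIEW) >= 0;
}

// True when the declared range can resolve below v11.0.0.
// Ranges without an x.y.z version (e.g. "*") are flagged for manual review.
function dependencyIsExposed(pkgJson) {
  const deps = Object.assign({}, pkgJson.devDependencies, pkgJson.dependencies);
  const range = deps['react-native-webview'];
  if (!range) return false;
  const m = /(\d+)\.\d+\.\d+/.exec(range);
  return m === null || Number(m[1]) < FIXED_MAJOR;
}

// 1-based line numbers where the mitigation is explicitly switched off.
function findOptOuts(source) {
  const re = /setSupportMultipleWindows\s*=\s*\{\s*false\s*\}/;
  return source.split('\n')
    .map((line, i) => (re.test(line) ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed samples: the pre-upgrade range from this PR and a JSX snippet.
const samplePkg = { dependencies: { 'react-native-webview': '^7.4.2' } };
const sampleJsx = [
  '<WebView',
  '  source={{ uri }}',
  '  setSupportMultipleWindows={false}',
  '/>',
].join('\n');

console.log(dependencyIsExposed(samplePkg), findOptOuts(sampleJsx),
  webViewIsPatched('83.0.4103.96'));
```

The regular expression only catches the literal `{false}` form; a value passed through a variable needs a manual look.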