Merge pull request #2121 from bugsnag/release/v7.22.7

Release v7.22.7

.buildkite/full/pipeline.full.yml

@@ -25,8 +25,10 @@ steps:
 
   #
   # Trigger Expo pipelines
+  # TODO: Skip pending PLAT-11676 and PLAT-11745
   #
   - label: "@bugsnag/expo latest"
+    skip: PLAT-11676 and PLAT-11745
     depends_on: "publish-js"
     trigger: "bugsnag-expo"
     build:
@@ -58,4 +60,4 @@ steps:
         BUGSNAG_JS_BRANCH: "${BUILDKITE_BRANCH}"
         BUGSNAG_JS_COMMIT: "${BUILDKITE_COMMIT}"
         # a branch name that's safe to use as a docker cache identifier
-        BUGSNAG_JS_CACHE_SAFE_BRANCH_NAME: "${BRANCH_NAME}"
+        BUGSNAG_JS_CACHE_SAFE_BRANCH_NAME: "${BRANCH_NAME}"

.buildkite/full/react-native-cli-pipeline.full.yml

@@ -157,7 +157,7 @@ steps:
         env:
           DEBUG: true
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0_66.ipa
         commands:
           - test/react-native-cli/scripts/init-and-build-test.sh rn0_66
@@ -174,7 +174,7 @@ steps:
         env:
           DEBUG: true
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0_67.ipa
         commands:
           - test/react-native-cli/scripts/init-and-build-test.sh rn0_67
@@ -191,7 +191,7 @@ steps:
         env:
           DEBUG: true
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0_69.ipa
         commands:
           - test/react-native-cli/scripts/init-and-build-test.sh rn0_69

.buildkite/full/react-native-ios-pipeline.full.yml

@@ -14,7 +14,7 @@ steps:
         env:
           REACT_NATIVE_VERSION: rn0.66
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0.66.ipa
         commands:
           - npm run test:build-react-native-ios
@@ -31,7 +31,7 @@ steps:
         env:
           REACT_NATIVE_VERSION: rn0.67
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0.67.ipa
         commands:
           - npm run test:build-react-native-ios
@@ -48,7 +48,7 @@ steps:
         env:
           REACT_NATIVE_VERSION: rn0.68-hermes
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0.68-hermes.ipa
         commands:
           - npm run test:build-react-native-ios
@@ -65,7 +65,7 @@ steps:
         env:
           REACT_NATIVE_VERSION: rn0.69
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/rn0.69.ipa
         commands:
           - npm run test:build-react-native-ios
@@ -122,7 +122,7 @@ steps:
           JS_SOURCE_DIR: "react_navigation_js"
           ARTEFACT_NAME: "r_navigation_0.69"
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/r_navigation_0.69.ipa
         commands:
           - npm run test:build-react-native-ios
@@ -143,7 +143,7 @@ steps:
           JS_SOURCE_DIR: "react_native_navigation_js"
           ARTEFACT_NAME: "r_native_navigation_0.66"
           LANG: "en_US.UTF-8"
-          DEVELOPER_DIR: "/Applications/Xcode13.app"
+          DEVELOPER_DIR: "/Applications/Xcode14.app"
         artifact_paths: build/r_native_navigation_0.66.ipa
         commands:
           - npm run test:build-react-native-ios

.buildkite/pipeline.yml

@@ -7,8 +7,6 @@ steps:
     timeout_in_minutes: 20
     agents:
       queue: macos-12-arm
-    env:
-      DEVELOPER_DIR: /Applications/Xcode13.4.app
     command: scripts/license_finder.sh
 
   #
@@ -57,15 +55,16 @@ steps:
       - docker-compose#v4.12.0:
           run: minimal-packager
     artifact_paths: min_packages.tar
-
   - label: ":docker: Build and publish JS packages"
     key: "publish-js"
     timeout_in_minutes: 30
     agents:
-      queue: "macos-12-arm"
+      queue: "macos-14"
     env:
-      NODE_VERSION: "14"
+      NODE_VERSION: "18"
+      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: "1"
     command:
+      - "bundle install"
       - "node scripts/publish.js $$PUBLISH_URL"
     retry:
       automatic:

.npmrc

@@ -0,0 +1 @@
+legacy-peer-deps=true

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## v7.22.7 (2024-04-17)
+
+### Changed
+
+- (metadata-delegate) Preventing prototype pollution vulnerabilities [#2115](https://github.com/bugsnag/bugsnag-js/pull/2115)
+- (plugin-interaction-breadcrumbs) Improved performance of click event breadcrumbs [#2094](https://github.com/bugsnag/bugsnag-js/pull/2094)
+- (react-native) Rename Bugsnag.framework to BugsnagReactNative.framework [#2117](https://github.com/bugsnag/bugsnag-js/pull/2117)
+- (browser) Export BrowserBugsnagStatic [#2112](https://github.com/bugsnag/bugsnag-js/pull/2112)
+
+### Fixed
+
+- (react-native) Move BugsnagReactNative from objective-c to objective c++ [#2113](https://github.com/bugsnag/bugsnag-js/pull/2113)
+
 ## v7.22.6 (2024-03-05)
 
 ### Changed

Gemfile

@@ -1,3 +1,3 @@
 source 'https://rubygems.org'
 
-gem 'cocoapods'
+gem 'cocoapods', '~> 1.14.3'

Gemfile.lock

@@ -1,41 +1,49 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    CFPropertyList (3.0.5)
+    CFPropertyList (3.0.7)
+      base64
+      nkf
       rexml
-    activesupport (6.1.7)
+    activesupport (7.1.3.2)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
-      zeitwerk (~> 2.3)
-    addressable (2.8.1)
+    addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     algoliasearch (1.27.5)
       httpclient (~> 2.8, >= 2.8.3)
       json (>= 1.5.1)
     atomos (0.1.3)
+    base64 (0.2.0)
+    bigdecimal (3.1.7)
     claide (1.1.0)
-    cocoapods (1.11.3)
+    cocoapods (1.14.3)
       addressable (~> 2.8)
       claide (>= 1.0.2, < 2.0)
-      cocoapods-core (= 1.11.3)
+      cocoapods-core (= 1.14.3)
       cocoapods-deintegrate (>= 1.0.3, < 2.0)
-      cocoapods-downloader (>= 1.4.0, < 2.0)
+      cocoapods-downloader (>= 2.1, < 3.0)
       cocoapods-plugins (>= 1.0.0, < 2.0)
       cocoapods-search (>= 1.0.0, < 2.0)
-      cocoapods-trunk (>= 1.4.0, < 2.0)
+      cocoapods-trunk (>= 1.6.0, < 2.0)
       cocoapods-try (>= 1.1.0, < 2.0)
       colored2 (~> 3.1)
       escape (~> 0.0.4)
       fourflusher (>= 2.3.0, < 3.0)
       gh_inspector (~> 1.0)
       molinillo (~> 0.8.0)
       nap (~> 1.0)
-      ruby-macho (>= 1.0, < 3.0)
-      xcodeproj (>= 1.21.0, < 2.0)
-    cocoapods-core (1.11.3)
-      activesupport (>= 5.0, < 7)
+      ruby-macho (>= 2.3.0, < 3.0)
+      xcodeproj (>= 1.23.0, < 2.0)
+    cocoapods-core (1.14.3)
+      activesupport (>= 5.0, < 8)
       addressable (~> 2.8)
       algoliasearch (~> 1.0)
       concurrent-ruby (~> 1.1)
@@ -45,7 +53,7 @@ GEM
       public_suffix (~> 4.0)
       typhoeus (~> 1.0)
     cocoapods-deintegrate (1.0.5)
-    cocoapods-downloader (1.6.3)
+    cocoapods-downloader (2.1)
     cocoapods-plugins (1.0.0)
       nap
     cocoapods-search (1.0.1)
@@ -54,44 +62,47 @@ GEM
       netrc (~> 0.11)
     cocoapods-try (1.2.0)
     colored2 (3.1.2)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.2.3)
+    connection_pool (2.4.1)
+    drb (2.2.1)
     escape (0.0.4)
-    ethon (0.15.0)
+    ethon (0.16.0)
       ffi (>= 1.15.0)
-    ffi (1.15.5)
+    ffi (1.16.3)
     fourflusher (2.3.1)
     fuzzy_match (2.0.4)
     gh_inspector (1.1.3)
     httpclient (2.8.3)
-    i18n (1.12.0)
+    i18n (1.14.4)
       concurrent-ruby (~> 1.0)
-    json (2.6.2)
-    minitest (5.16.3)
+    json (2.7.1)
+    minitest (5.22.3)
     molinillo (0.8.0)
+    mutex_m (0.2.0)
     nanaimo (0.3.0)
     nap (1.1.0)
     netrc (0.11.0)
+    nkf (0.2.0)
     public_suffix (4.0.7)
-    rexml (3.2.5)
+    rexml (3.2.6)
     ruby-macho (2.5.1)
-    typhoeus (1.4.0)
+    typhoeus (1.4.1)
       ethon (>= 0.9.0)
-    tzinfo (2.0.5)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    xcodeproj (1.22.0)
+    xcodeproj (1.24.0)
       CFPropertyList (>= 2.3.3, < 4.0)
       atomos (~> 0.1.3)
       claide (>= 1.0.2, < 2.0)
       colored2 (~> 3.1)
       nanaimo (~> 0.3.0)
       rexml (~> 3.2.4)
-    zeitwerk (2.6.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  cocoapods
+  cocoapods (~> 1.14.3)
 
 BUNDLED WITH
-   2.2.33
+   2.4.8

docker-compose.yml

@@ -23,6 +23,7 @@ x-common-environment: &common-environment
   BROWSER_STACK_DEVICES_USERNAME:
   BROWSER_STACK_DEVICES_ACCESS_KEY:
   SKIP_NAVIGATION_SCENARIOS:
+  MAZE_SCENARIO_BUGSNAG_API_KEY:
 
 services:
   minimal-packager:

packages/browser/types/bugsnag.d.ts

@@ -7,7 +7,7 @@ interface BrowserConfig extends Config {
   trackInlineScripts?: boolean
 }
 
-interface BrowserBugsnagStatic extends BugsnagStatic {
+export interface BrowserBugsnagStatic extends BugsnagStatic {
   start(apiKeyOrOpts: string | BrowserConfig): Client
   createClient(apiKeyOrOpts: string | BrowserConfig): Client
 }

packages/core/lib/metadata-delegate.js

@@ -14,6 +14,11 @@ const add = (state, section, keyOrObj, maybeVal) => {
   // exit if we don't have an updates object at this point
   if (!updates) return
 
+  // preventing the __proto__ property from being used as a key
+  if (section === '__proto__' || section === 'constructor' || section === 'prototype') {
+    return
+  }
+
   // ensure a section with this name exists
   if (!state[section]) state[section] = {}
 
@@ -41,6 +46,11 @@ const clear = (state, section, key) => {
     return
   }
 
+  // preventing the __proto__ property from being used as a key
+  if (section === '__proto__' || section === 'constructor' || section === 'prototype') {
+    return
+  }
+
   // clear a single value from a section
   if (state[section]) {
     delete state[section][key]

packages/core/test/metadata-delegate.test.js

@@ -0,0 +1,58 @@
+import { add, clear } from '../lib/metadata-delegate'
+
+// it doesn't seem easy or even impossible to check whether __proto__ keys can be overwritten
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto
+// so tests are only for prototype and constructor
+
+describe('metadata delegate', () => {
+  describe('add', () => {
+    it.each([
+      {
+        key: 'constructor',
+        expected: {}
+      },
+      {
+        key: 'prototype',
+        expected: {}
+      }
+    ])('should not add $key keys', ({ key, expected }) => {
+      const state = {}
+      add(state, key, 'foo', 'bar')
+      expect(state).toEqual(expected)
+    })
+  })
+
+  describe('clear', () => {
+    it.each([
+      {
+        key: 'constructor',
+        state: {
+          constructor: {
+            foo: 'bar'
+          }
+        },
+        expected: {
+          constructor: {
+            foo: 'bar'
+          }
+        }
+      },
+      {
+        key: 'prototype',
+        state: {
+          prototype: {
+            foo: 'bar'
+          }
+        },
+        expected: {
+          prototype: {
+            foo: 'bar'
+          }
+        }
+      }
+    ])('should not overwrite $key keys', ({ key, state, expected }) => {
+      clear(state, key, 'foo')
+      expect(state).toEqual(expected)
+    })
+  })
+})