Skip to content

Update datastore dependency to 1.1.3 #6688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Mar 4, 2025
Merged

Update datastore dependency to 1.1.3 #6688

merged 7 commits into from
Mar 4, 2025

Conversation

mrober
Copy link
Contributor

@mrober mrober commented Feb 10, 2025
edited
Loading

Update datastore dependency to 1.1.3 to address CVE-2024-7254 in AQS.

We had landed #6343, but it missed the datastore dependency because version 1.0.0 "shaded" the vulnerable protobuf dependency, see #6534. I verified this was happening by extracting the jar from https://maven.google.com/web/index.html?q=datastore-pre#androidx.datastore:datastore-preferences-core:1.0.0 and seeing <groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId><version>3.10.0</version> nested in a maven dir. I also verified datastore 1.1.3 has upgraded the protobuf version to 4.28.2, a safe version. See https://cs.android.com/androidx/platform/frameworks/support/+/androidx-datastore-release:gradle/libs.versions.toml;l=59.

This datastore update also includes the stable MultiProcessDataStoreFactory which we can utilize in a future change to optimize things like the settings fetch for multi-process apps.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 10, 2025
edited
Loading

📝 PRs merging into main branch

Our main branch should always be in a releasable state. If you are working on a larger change, or if you don't want this change to see the light of the day just yet, consider using a feature branch first, and only merge into the main branch when the code complete and ready to be released.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 10, 2025
edited
Loading

Test Results

 1 051 files  +   941   1 051 suites  +941   34m 52s ⏱️ + 32m 44s
 5 893 tests + 4 923   5 870 ✅ + 4 900  22 💤 +22  1 ❌ +1 
12 037 runs  +10 089  11 992 ✅ +10 044  44 💤 +44  1 ❌ +1 

For more details on these failures, see this check.

Results for commit 35a6724. ± Comparison against base commit 79deb5f.

♻️ This comment has been updated with latest results.

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Feb 10, 2025
edited
Loading

Size Report 1

Affected Products

  • firebase-crashlytics

    TypeBase (79deb5f)Merge (9fc2c0f)Diff
    apk (aggressive)699 kB522 kB-176 kB (-25.3%)
    apk (release)5.85 MB6.62 MB+771 kB (+13.2%)

  • firebase-crashlytics-ktx

    TypeBase (79deb5f)Merge (9fc2c0f)Diff
    apk (aggressive)699 kB523 kB-176 kB (-25.2%)
    apk (release)5.85 MB6.62 MB+771 kB (+13.2%)

  • firebase-crashlytics-ndk

    TypeBase (79deb5f)Merge (9fc2c0f)Diff
    apk (aggressive / arm64-v8a)1.87 MB1.69 MB-176 kB (-9.4%)
    apk (aggressive / armeabi-v7a)1.35 MB1.17 MB-176 kB (-13.1%)
    apk (aggressive / x86)1.85 MB1.67 MB-176 kB (-9.5%)
    apk (aggressive / x86_64)1.92 MB1.74 MB-176 kB (-9.2%)
    apk (release / arm64-v8a)7.02 MB7.79 MB+774 kB (+11.0%)
    apk (release / armeabi-v7a)6.49 MB7.27 MB+774 kB (+11.9%)
    apk (release / x86)7.00 MB7.77 MB+774 kB (+11.1%)
    apk (release / x86_64)7.06 MB7.84 MB+774 kB (+11.0%)

  • firebase-sessions

    TypeBase (79deb5f)Merge (9fc2c0f)Diff
    aar168 kB168 kB-28 B (-0.0%)
    apk (aggressive)560 kB375 kB-184 kB (-32.9%)
    apk (release)5.52 MB6.29 MB+771 kB (+14.0%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/25J7xptTem.html

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Feb 10, 2025
edited
Loading

Coverage Report 1

Affected Products

  • firebase-appdistribution

    Overall coverage changed from ? (79deb5f) to 75.72% (9fc2c0f) by ?.

    68 individual files with coverage change

    FilenameBase (79deb5f)Merge (9fc2c0f)Diff
    AabUpdater.java?98.36%?
    AabUpdater_Factory.java?0.00%?
    ApkInstaller.java?100.00%?
    ApkInstaller_Factory.java?0.00%?
    ApkUpdater.java?92.63%?
    ApkUpdater_Factory.java?0.00%?
    AppDistributionReleaseImpl.java?100.00%?
    AppDistributionReleaseInternal.java?100.00%?
    AppDistroComponent.java?0.00%?
    AppDistroComponent_MainModule_BindContentResolverFactory.java?0.00%?
    AppIconSource.java?84.62%?
    AppIconSource_Factory.java?100.00%?
    AutoValue_AppDistributionReleaseImpl.java?65.45%?
    AutoValue_AppDistributionReleaseInternal.java?71.58%?
    AutoValue_ImageUtils_ImageSize.java?35.00%?
    AutoValue_TesterApiDisabledErrorDetails.java?29.41%?
    AutoValue_TesterApiDisabledErrorDetails_HelpLink.java?54.17%?
    AutoValue_UpdateProgressImpl.java?65.96%?
    DaggerAppDistroComponent.java?80.56%?
    DevModeDetector.java?9.09%?
    DevModeDetector_Factory.java?100.00%?
    ErrorMessages.java?0.00%?
    FeedbackActivity.java?3.39%?
    FeedbackActivity_MembersInjector.java?0.00%?
    FeedbackSender.java?84.48%?
    FeedbackSender_Factory.java?0.00%?
    FeedbackTrigger.java?61.54%?
    FirebaseAppDistributionExceptions.java?80.00%?
    FirebaseAppDistributionFileProvider.java?0.00%?
    FirebaseAppDistributionImpl.java?89.89%?
    FirebaseAppDistributionImpl_Factory.java?0.00%?
    FirebaseAppDistributionLifecycleNotifier.java?91.49%?
    FirebaseAppDistributionLifecycleNotifier_Factory.java?0.00%?
    FirebaseAppDistributionNotificationsManager.java?88.89%?
    FirebaseAppDistributionNotificationsManager_Factory.java?0.00%?
    FirebaseAppDistributionRegistrar.java?95.83%?
    FirebaseAppDistributionTesterApiClient.java?88.78%?
    FirebaseAppDistributionTesterApiClient_Factory.java?0.00%?
    HttpsUrlConnectionFactory.java?50.00%?
    HttpsUrlConnectionFactory_Factory.java?100.00%?
    ImageUtils.java?100.00%?
    InstallActivity.java?2.67%?
    LogWrapper.java?86.67%?
    NewReleaseFetcher.java?86.67%?
    NewReleaseFetcher_Factory.java?0.00%?
    PackageInfoUtils.java?42.86%?
    ReleaseIdentifier.java?91.78%?
    ReleaseIdentifier_Factory.java?0.00%?
    ReleaseUtils.java?83.33%?
    ScreenshotTaker.java?36.17%?
    ScreenshotTaker_Factory.java?0.00%?
    SequentialReference.java?100.00%?
    SignInResultActivity.java?0.00%?
    SignInStorage.java?100.00%?
    SignInStorage_Factory.java?0.00%?
    TakeScreenshotAndStartFeedbackActivity.java?0.00%?
    TakeScreenshotAndStartFeedbackActivity_MembersInjector.java?0.00%?
    TaskCache.java?100.00%?
    TaskCompletionSourceCache.java?72.41%?
    TaskUtils.java?77.50%?
    TesterApiDisabledErrorDetails.java?93.75%?
    TesterApiHttpClient.java?90.09%?
    TesterApiHttpClient_Factory.java?0.00%?
    TesterSignInManager.java?89.41%?
    TesterSignInManager_Factory.java?0.00%?
    UpdateProgressImpl.java?100.00%?
    UpdateTaskCache.java?91.30%?
    UpdateTaskImpl.java?76.32%?

  • firebase-database

    Overall coverage changed from 50.16% (79deb5f) to 50.21% (9fc2c0f) by +0.04%.

    FilenameBase (79deb5f)Merge (9fc2c0f)Diff
    BooleanNode.java100.00%92.31%-7.69%
    ChildChangeAccumulator.java83.33%96.67%+13.33%
    DefaultPersistenceManager.java74.76%75.73%+0.97%
    ViewProcessor.java91.79%92.10%+0.30%
    WriteTree.java77.22%76.67%-0.56%

  • firebase-inappmessaging

    Overall coverage changed from ? (79deb5f) to 39.03% (9fc2c0f) by ?.

    148 individual files with coverage change

    FilenameBase (79deb5f)Merge (9fc2c0f)Diff
    AbtIntegrationHelper.java?60.87%?
    AbtIntegrationHelper_Factory.java?0.00%?
    Action.java?76.47%?
    Analytics.java?0.00%?
    AnalyticsConstants.java?0.00%?
    AnalyticsEventsManager.java?85.19%?
    AnalyticsEventsModule.java?0.00%?
    AnalyticsEventsModule_ProvidesAnalyticsConnectorEventsFactory.java?0.00%?
    AnalyticsEventsModule_ProvidesAnalyticsEventsManagerFactory.java?0.00%?
    AnalyticsListener.java?0.00%?
    ApiClient.java?100.00%?
    ApiClientModule.java?0.00%?
    ApiClientModule_ProvidesApiClientFactory.java?0.00%?
    ApiClientModule_ProvidesDataCollectionHelperFactory.java?0.00%?
    ApiClientModule_ProvidesFirebaseAppFactory.java?0.00%?
    ApiClientModule_ProvidesFirebaseInstallationsFactory.java?0.00%?
    ApiClientModule_ProvidesSharedPreferencesUtilsFactory.java?0.00%?
    ApiClientModule_ProvidesTestDeviceHelperFactory.java?0.00%?
    AppComponent.java?0.00%?
    AppForeground.java?0.00%?
    ApplicationModule.java?0.00%?
    ApplicationModule_DeveloperListenerManagerFactory.java?0.00%?
    ApplicationModule_ProvidesApplicationFactory.java?0.00%?
    AppMeasurementModule.java?0.00%?
    AppMeasurementModule_ProvidesAnalyticsConnectorFactory.java?0.00%?
    AppMeasurementModule_ProvidesSubsriberFactory.java?0.00%?
    AutoValue_InstallationIdResult.java?33.33%?
    AutoValue_RateLimit.java?44.68%?
    BannerMessage.java?75.00%?
    Button.java?61.76%?
    CampaignAnalytics.java?33.22%?
    CampaignAnalyticsOrBuilder.java?0.00%?
    CampaignCache.java?0.00%?
    CampaignCacheClient.java?88.00%?
    CampaignCacheClient_Factory.java?0.00%?
    CampaignImpression.java?38.96%?
    CampaignImpressionList.java?39.25%?
    CampaignImpressionListOrBuilder.java?0.00%?
    CampaignImpressionOrBuilder.java?0.00%?
    CampaignMetadata.java?100.00%?
    CampaignProto.java?27.23%?
    CardMessage.java?78.48%?
    ClientAppInfo.java?35.79%?
    ClientAppInfoOrBuilder.java?0.00%?
    Clock.java?0.00%?
    CommonTypesProto.java?9.87%?
    DaggerAppComponent.java?0.00%?
    DaggerUniversalComponent.java?0.00%?
    DataCollectionHelper.java?87.50%?
    DataCollectionHelper_Factory.java?0.00%?
    DeveloperListenerManager.java?100.00%?
    DismissType.java?82.61%?
    DisplayCallbacksFactory.java?100.00%?
    DisplayCallbacksFactory_Factory.java?0.00%?
    DisplayCallbacksImpl.java?93.46%?
    EventType.java?76.19%?
    ExecutorsModule.java?0.00%?
    ExecutorsModule_ProvidesBackgroundExecutorFactory.java?0.00%?
    ExecutorsModule_ProvidesBlockingExecutorFactory.java?0.00%?
    ExecutorsModule_ProvidesLightWeightExecutorFactory.java?0.00%?
    ExperimentPayloadProto.java?6.05%?
    FetchEligibleCampaignsRequest.java?32.98%?
    FetchEligibleCampaignsRequestOrBuilder.java?0.00%?
    FetchEligibleCampaignsResponse.java?42.86%?
    FetchEligibleCampaignsResponseOrBuilder.java?0.00%?
    FetchErrorReason.java?52.17%?
    FiamAnalyticsConnectorListener.java?100.00%?
    FiamFetchService.java?0.00%?
    FirebaseAppScope.java?0.00%?
    FirebaseInAppMessaging.java?80.60%?
    FirebaseInAppMessagingCampaignAnalyticsProto.java?0.00%?
    FirebaseInAppMessagingClickListener.java?0.00%?
    FirebaseInAppMessagingContextualTrigger.java?0.00%?
    FirebaseInAppMessagingDismissListener.java?0.00%?
    FirebaseInAppMessagingDisplay.java?0.00%?
    FirebaseInAppMessagingDisplayCallbacks.java?100.00%?
    FirebaseInAppMessagingDisplayErrorListener.java?0.00%?
    FirebaseInAppMessagingImpressionListener.java?0.00%?
    FirebaseInAppMessagingRegistrar.java?0.00%?
    FirebaseInAppMessaging_Factory.java?0.00%?
    ForegroundFlowableModule.java?0.00%?
    ForegroundFlowableModule_ProvidesAppForegroundEventStreamFactory.java?0.00%?
    ForegroundNotifier.java?76.00%?
    GrpcChannelModule.java?0.00%?
    GrpcChannelModule_ProvidesGrpcChannelFactory.java?0.00%?
    GrpcChannelModule_ProvidesServiceHostFactory.java?0.00%?
    GrpcClient.java?100.00%?
    GrpcClientModule.java?0.00%?
    GrpcClientModule_ProvidesApiKeyHeadersFactory.java?0.00%?
    GrpcClientModule_ProvidesInAppMessagingSdkServingStubFactory.java?0.00%?
    GrpcClient_Factory.java?0.00%?
    ImageData.java?71.43%?
    ImageOnlyMessage.java?75.86%?
    ImpressionStorageClient.java?100.00%?
    ImpressionStorageClient_Factory.java?0.00%?
    ImpressionStore.java?0.00%?
    InAppMessage.java?24.24%?
    InAppMessageStreamManager.java?91.40%?
    InAppMessageStreamManager_Factory.java?0.00%?
    InAppMessaging.kt?0.00%?
    InAppMessagingSdkServingGrpc.java?45.95%?
    InstallationIdResult.java?100.00%?
    Logging.java?0.00%?
    MessagesProto.java?36.03%?
    MessageType.java?100.00%?
    MetricsLoggerClient.java?94.29%?
    ModalMessage.java?74.07%?
    ProgramaticContextualTriggers.java?0.00%?
    ProgrammaticContextualTriggerFlowableModule.java?0.00%?
    ProgrammaticContextualTriggerFlowableModule_ProvidesProgramaticContextualTriggersFactory.java?0.00%?
    ProgrammaticContextualTriggerFlowableModule_ProvidesProgramaticContextualTriggerStreamFactory.java?0.00%?
    ProgrammaticTrigger.java?0.00%?
    ProtoMarshallerClient.java?91.40%?
    ProtoMarshallerClient_Factory.java?0.00%?
    ProtoStorageClient.java?100.00%?
    ProtoStorageClientModule.java?0.00%?
    ProtoStorageClientModule_ProvidesProtoStorageClientForCampaignFactory.java?0.00%?
    ProtoStorageClientModule_ProvidesProtoStorageClientForImpressionStoreFactory.java?0.00%?
    ProtoStorageClientModule_ProvidesProtoStorageClientForLimiterStoreFactory.java?0.00%?
    ProviderInstaller.java?37.50%?
    ProviderInstaller_Factory.java?0.00%?
    ProxyAnalyticsConnector.java?67.95%?
    RateLimit.java?0.00%?
    RateLimiterClient.java?100.00%?
    RateLimiterClient_Factory.java?0.00%?
    RateLimitModule.java?0.00%?
    RateLimitModule_ProvidesAppForegroundRateLimitFactory.java?0.00%?
    RateLimitProto.java?52.69%?
    RenderErrorReason.java?82.61%?
    SchedulerModule.java?0.00%?
    SchedulerModule_ProvidesComputeSchedulerFactory.java?0.00%?
    SchedulerModule_ProvidesIOSchedulerFactory.java?0.00%?
    SchedulerModule_ProvidesMainThreadSchedulerFactory.java?0.00%?
    Schedulers.java?87.50%?
    Schedulers_Factory.java?0.00%?
    SharedPreferencesUtils.java?40.35%?
    SharedPreferencesUtils_Factory.java?0.00%?
    SystemClock.java?100.00%?
    SystemClockModule.java?0.00%?
    SystemClockModule_ProvidesSystemClockModuleFactory.java?0.00%?
    SystemClock_Factory.java?0.00%?
    TestDeviceHelper.java?100.00%?
    TestDeviceHelper_Factory.java?0.00%?
    Text.java?67.74%?
    TransportClientModule.java?0.00%?
    TransportClientModule_ProvidesMetricsLoggerClientFactory.java?0.00%?
    TriggeredInAppMessage.java?100.00%?
    UniversalComponent.java?0.00%?

  • firebase-messaging

    Overall coverage changed from 84.15% (79deb5f) to 84.00% (9fc2c0f) by -0.15%.

    FilenameBase (79deb5f)Merge (9fc2c0f)Diff
    FirebaseMessaging.java76.00%75.60%-0.40%
    Metadata.java41.27%36.51%-4.76%

  • firebase-storage

    FilenameBase (79deb5f)Merge (9fc2c0f)Diff
    NetworkRequest.java87.29%87.85%+0.55%
    StreamDownloadTask.java88.89%88.41%-0.48%

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/HKoUj3q18F.html

@mrober mrober marked this pull request as draft February 18, 2025 20:49
@mrober mrober changed the title Update datastore dependency to 1.1.2 Update datastore dependency to 1.1.3 Mar 3, 2025
@mrober mrober marked this pull request as ready for review March 4, 2025 13:46
@mrober mrober merged commit 92632af into main Mar 4, 2025
263 of 264 checks passed
@mrober mrober deleted the mrober/datastore-bump branch March 4, 2025 13:47
@elevenfive
Copy link

@mrober Does this mean that #5997 can be closed as fixed, since 4.28.x can now be used?

tejasd pushed a commit that referenced this pull request Apr 1, 2025
@mrober @tejasd
Update datastore dependency to 1.1.3 (#6688)
df70f99 
Update datastore dependency to `1.1.3` to address
[CVE-2024-7254](GHSA-735f-pc8j-v9w8) in
AQS.

We had landed #6343, but it missed the datastore dependency because
version 1.0.0 "shaded" the vulnerable protobuf dependency, see #6534. I
verified this was happening by extracting the jar from
https://maven.google.com/web/index.html?q=datastore-pre#androidx.datastore:datastore-preferences-core:1.0.0
and seeing
`<groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId><version>3.10.0</version>`
nested in a maven dir. I also verified datastore 1.1.3 has upgraded the
protobuf version to 4.28.2, a safe version. See
https://cs.android.com/androidx/platform/frameworks/support/+/androidx-datastore-release:gradle/libs.versions.toml;l=59.

This datastore update also includes the stable
`MultiProcessDataStoreFactory` which we can utilize in a future change
to optimize things like the settings fetch for multi-process apps.
@firebase firebase locked and limited conversation to collaborators Apr 4, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rlazo rlazo rlazo approved these changes

@tejasd tejasd tejasd approved these changes

@themiswang themiswang Awaiting requested review from themiswang

Assignees
No one assigned
Labels
main-merge-ack size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mrober @google-oss-bot @elevenfive @rlazo @tejasd