
Please upgrade the contrib/zip dependency #3831

Closed
dangelog opened this issue Apr 28, 2021 · 5 comments
Labels: API (Bugs related to the public API), Bug (Global flag to mark a deviation from expected behaviour)
Milestone: Release 5.1

Comments


dangelog commented Apr 28, 2021

Hello,

We've received reports that the zip dependency in contrib/zip (which itself is a clone of https://github.com/kuba--/zip/) ships with a link to codecov in some .yml file.

This is in the latest assimp master:
https://github.com/assimp/assimp/blob/74577ae3c79132b2d643ae667a1bd71e0a99f48f/contrib/zip/.travis.yml

These links trigger automatic code scanning tools, as codecov's bash uploader has recently been compromised; you can read more about it here: https://about.codecov.io/security-update/ . Although that shouldn't affect any assimp user (as users won't use the yml files in question), this compromises the ability to ship assimp.

Upstream zip has already removed the links to codecov, for instance here: https://github.com/kuba--/zip/pull/118

So, I'd kindly like to ask you to pull from upstream in order to get rid of that link from assimp's own sources, and to make sure that all references to codecov are dropped in assimp's next .zip release. Thank you!
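A check of the kind that flagged this report, as an added example that is not code from the assimp or kuba--/zip projects: it walks a checkout, including vendored directories such as contrib/, and lists CI configuration files that still mention codecov. The CI file names, directory markers, vendored-directory names and the sample tree are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Files and directories that CI systems read for configuration (assumed list).
CI_FILE_NAMES = {".travis.yml", ".appveyor.yml", "appveyor.yml", ".gitlab-ci.yml"}
CI_DIR_MARKERS = {(".github", "workflows"), (".circleci",)}
# Directories where third-party code is typically vendored (assumed list).
VENDORED_DIRS = {"contrib", "third_party", "thirdparty", "vendor", "external"}
# Report any mention of codecov, matching the request that all references go.
CODECOV_RE = re.compile(r"codecov", re.IGNORECASE)


def is_ci_config(path) -> bool:
    """True if the (repo-relative) path is a CI configuration file."""
    path = Path(path)
    if path.name in CI_FILE_NAMES:
        return True
    parts = path.parts
    for marker in CI_DIR_MARKERS:
        n = len(marker)
        if any(parts[i:i + n] == marker for i in range(len(parts) - n + 1)):
            return path.suffix in {".yml", ".yaml"}
    return False


def scan_tree(root):
    """Return (relative path, line number, vendored?) for each CI config line mentioning codecov."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or not is_ci_config(rel):
            continue
        vendored = any(part in VENDORED_DIRS for part in rel.parts[:-1])
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if CODECOV_RE.search(line):
                findings.append((rel.as_posix(), lineno, vendored))
    return findings


def build_sample_tree():
    """Constructed sample checkout mimicking the reported layout (not real assimp content)."""
    root = Path(tempfile.mkdtemp())
    travis = root / "contrib" / "zip" / ".travis.yml"
    travis.parent.mkdir(parents=True)
    travis.write_text("language: c\nafter_success:\n  - bash <(curl -s https://codecov.io/bash)\n")
    workflow = root / ".github" / "workflows" / "ci.yml"
    workflow.parent.mkdir(parents=True)
    workflow.write_text("name: ci\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n")
    return root
```

Running `scan_tree` over a real checkout highlights vendored CI files, which are easy to miss because the project's own CI never executes them but scanners read them anyway.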

krishty (Contributor) commented Apr 28, 2021

Duplicate of #3792.

Sadly I can’t provide an according patch because zip is used for export only and my own Assimp builds don’t use exports, so I would have trouble testing it.

kimkulling added the API and Bug labels Apr 30, 2021
kimkulling added this to ToDo in Planning for Release V5.1 via automation Apr 30, 2021
kimkulling added this to the Release 5.1 milestone Apr 30, 2021

kimkulling (Member) commented

I am fighting with it. Minizip seems to have issues with the update.

kimkulling (Member) commented

Thanks for the hint!

kimkulling added a commit that referenced this issue Apr 30, 2021
Planning for Release V5.1 automation moved this from ToDo to Done Apr 30, 2021
kimkulling (Member) commented

Done!

dangelog (Author) commented May 1, 2021

Thank you! I guess #3792 can be closed as well (apologies, didn't see there was a duplicate).


3 participants