Description
Hermes Framework Version Metadata Inconsistency
Summary
The Hermes framework's version metadata (Info.plist and binary version) doesn't reflect the actual codebase version when built, causing issues with security scanning tools. The version numbers defined in build files (0.12.0) don't match the actual codebase version (0.13.0).
Discovery Context
This issue was identified during a security audit of a React Native mobile application. Looking at Snyk's vulnerability database for Hermes, we can see multiple vulnerabilities that are version-dependent, making accurate version reporting crucial for security assessment.
Investigation Steps Taken
- Initial Observation:
  - Snyk's vulnerability database shows multiple vulnerabilities for Hermes with specific version ranges
  - Many vulnerabilities are marked as affecting versions up to specific releases (e.g., [,0.12.0])
- Local Version Verification:

```
# Checked iOS framework metadata
cat ios/Pods/hermes-engine/destroot/Library/Frameworks/universal/hermes.xcframework/ios-arm64/hermes.framework/Info.plist
# Output showed:
#   <key>CFBundleShortVersionString</key>
#   <string>0.12.0</string>
```

- Binary Version Check:

```
otool -L ios/Pods/hermes-engine/destroot/Library/Frameworks/universal/hermes.xcframework/ios-arm64/hermes.framework/hermes
# Output showed:
#   @rpath/hermes.framework/hermes (compatibility version 0.12.0, current version 0.12.0)
```

- Version numbers are defined in multiple Hermes build files:
  - CMakeLists.txt
  - android/build.gradle
  - hermes-engine.podspec
  - npm/package.json
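A script that automates the cross-check described in the steps above, added here as an example (it is not code from the Hermes project or from this report): it reads CFBundleShortVersionString from the framework's Info.plist, the "current version" field from a captured otool -L line, and the version field from npm/package.json, and fails when they disagree. The file contents, the otool line and the paths are constructed samples so it runs offline; it assumes the Info.plist is XML, as shown in the report.

```shell
#!/bin/sh
# Added example, not code from the Hermes project: cross-check the version a
# built hermes.framework reports against the version the codebase declares.
# All inputs are constructed samples (Info.plist assumed to be XML); point the
# paths at a real ios/Pods/hermes-engine checkout and npm/package.json to use it.
set -u

WORK=$(mktemp -d)
# Constructed sample: Info.plist of the built framework (reports 0.12.0).
cat > "$WORK/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleShortVersionString</key>
  <string>0.12.0</string>
</dict></plist>
EOF
# Constructed sample: the codebase's npm/package.json (declares 0.13.0).
printf '{\n  "name": "hermes-engine",\n  "version": "0.13.0"\n}\n' > "$WORK/package.json"
# Constructed sample: the otool -L line for the binary, as quoted in the report.
OTOOL_LINE='@rpath/hermes.framework/hermes (compatibility version 0.12.0, current version 0.12.0)'

# Version the framework advertises: the <string> that follows the
# CFBundleShortVersionString key in an XML Info.plist.
plist_version() {
  awk '/CFBundleShortVersionString/ { getline; sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}
# Version the codebase declares in package.json ("version": "x.y.z").
package_json_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}
# "current version" field from an otool -L line.
otool_current_version() {
  printf '%s\n' "$1" | sed -n 's/.*current version \([0-9.]*\)).*/\1/p'
}
# Compare each reported version with the declared one; return 1 on any mismatch
# so the check can gate a CI job before a scanner reads the framework's metadata.
check_versions() {
  declared=$(package_json_version "$2"); status=0
  for pair in "Info.plist:$(plist_version "$1")" "binary:$(otool_current_version "$3")"; do
    if [ "${pair#*:}" != "$declared" ]; then
      echo "MISMATCH: ${pair%%:*} reports ${pair#*:}, package.json declares $declared"
      status=1
    fi
  done
  return $status
}

check_versions "$WORK/Info.plist" "$WORK/package.json" "$OTOOL_LINE" || echo "version metadata is out of sync"
```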
Impact
The issue creates unnecessary overhead across security, development, and compliance processes, requiring manual intervention for what should be an automated verification process.
Environment
- React Native: 0.75.5
- React: 18.3.1
- Platform: iOS
- Development OS: macOS 15.3.1