
chore(deps): bump Android OpenSSL 3.6.2-1 and libsodium 1.0.22 #1047

Merged
boorad merged 3 commits into main from fix/deps-openssl-libsodium-bumps on May 16, 2026
Conversation

@boorad boorad commented May 16, 2026

Summary

Two related dependency bumps to clear scanner advisories and reduce iOS/Android version drift.

Changes

  • Android OpenSSL prefab: io.github.ronickg:openssl:3.6.0-1 → 3.6.2-1 (skipped 3.6.1; took the latest published prefab). Clears CVE-2025-15467 (CMS EnvelopedData stack overflow — not reachable from RNQC).
  • libsodium: 1.0.20 → 1.0.22 for both iOS (QuickCrypto.podspec download URL + sodium_version) and Android (io.github.ronickg:sodium:1.0.22-1). Clears CVE-2025-69277 / CVE-2025-15444 from consumer scanners; RNQC isn't actually vulnerable since the Ed25519 path goes through OpenSSL EVP_PKEY_*, not libsodium.
  • Podfile.lock: QuickCrypto pod checksum rev for the podspec change.

iOS OpenSSL needs no podspec change — OpenSSL-Universal ~> 3.6 auto-resolves to the latest 3.6.x cocoapod.

Test plan

  • Local iOS build succeeded
  • E2E iOS workflow green
  • E2E Android workflow green
  • SODIUM_ENABLED=1 iOS + Android: XSalsa20 / XSalsa20-Poly1305 / XChaCha20-Poly1305 cipher tests still pass

Closes #988
Closes #989

boorad added 3 commits May 16, 2026 08:21

Commit 1:
Skips 3.6.1-1, going straight to 3.6.2-1 — the latest published prefab
from io.github.ronickg. Clears CVE-2025-15467 (CMS EnvelopedData stack
overflow; not reachable from RNQC) and aligns Android closer to iOS,
which auto-resolves via OpenSSL-Universal ~> 3.6.

Closes #988

Commit 2:
Updates the iOS podspec download URL + the Android prefab dependency.
libsodium is opt-in behind SODIUM_ENABLED=1 and only powers the XSalsa20
/ XChaCha20-Poly1305 cipher paths — RNQC is not vulnerable to the
crypto_core_ed25519_is_valid_point() CVEs (CVE-2025-69277,
CVE-2025-15444), but the bump clears them from consumer scanners.

Closes #989

Commit 3:
Podspec checksum rev'd after the libsodium 1.0.22 bump.
@boorad boorad self-assigned this May 16, 2026

vercel Bot commented May 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: react-native-quick-crypto
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 16, 2026 0:36am


@github-actions

🤖 End-to-End Test Results - Android

Status: ✅ Passed
Platform: Android
Run: 25962091634

📸 Final Test Screenshot: [Maestro Test Results - android] (screenshot automatically captured from End-to-End tests; expires in 30 days)

This comment is automatically updated on each test run.

@github-actions

🤖 End-to-End Test Results - iOS

Status: ✅ Passed
Platform: iOS
Run: 25962091641

📸 Final Test Screenshot: [Maestro Test Results - ios] (screenshot automatically captured from End-to-End tests; expires in 30 days)

This comment is automatically updated on each test run.

@boorad boorad merged commit 69dd4e8 into main May 16, 2026
6 checks passed
@boorad boorad deleted the fix/deps-openssl-libsodium-bumps branch May 16, 2026 12:50

Development

Successfully merging this pull request may close these issues.

  • deps: bump libsodium 1.0.20 → 1.0.22 (clear scanners)
  • deps(android): bump OpenSSL prefab 3.6.0 → 3.6.1+ (track @ronickg release)
