Hermes Framework Version Metadata Inconsistency #49872

Open
unstoo opened this issue Mar 6, 2025 · 2 comments
Labels
Needs: Author Feedback, Needs: Repro (This issue could be improved with a clear list of steps to reproduce the issue.)

Comments

@unstoo

unstoo commented Mar 6, 2025

Hermes Framework Version Metadata Inconsistency

Summary

The Hermes framework's version metadata (Info.plist and binary version) doesn't reflect the actual codebase version when built, causing issues with security scanning tools. The version numbers defined in build files (0.12.0) don't match the actual codebase version (0.13.0).

Discovery Context

This issue was identified during a security audit of a React Native mobile application. Looking at Snyk's vulnerability database for Hermes, we can see multiple vulnerabilities that are version-dependent, making accurate version reporting crucial for security assessment.

Investigation Steps Taken

  1. Initial Observation:

    • Snyk's vulnerability database shows multiple vulnerabilities for Hermes with specific version ranges
    • Many vulnerabilities are marked as affecting versions up to specific releases (e.g., [,0.12.0])
  2. Local Version Verification:

    # Checked iOS framework metadata
    cat ios/Pods/hermes-engine/destroot/Library/Frameworks/universal/hermes.xcframework/ios-arm64/hermes.framework/Info.plist
    
    # Output showed:
    <key>CFBundleShortVersionString</key>
    <string>0.12.0</string>
  3. Binary Version Check:

    otool -L ios/Pods/hermes-engine/destroot/Library/Frameworks/universal/hermes.xcframework/ios-arm64/hermes.framework/hermes
    
    # Output showed:
    @rpath/hermes.framework/hermes (compatibility version 0.12.0, current version 0.12.0)
    
  4. Version numbers are defined in multiple Hermes build files:

    • CMakeLists.txt
    • android/build.gradle
    • hermes-engine.podspec
    • npm/package.json

Impact

The issue creates unnecessary overhead across security, development, and compliance processes, requiring manual intervention for what should be an automated verification process.

Environment

  • React Native: 0.75.5
  • React: 18.3.1
  • Platform: iOS
  • Development OS: macOS 15.3.1
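An automated version of the consistency check walked through in the investigation steps, added here as an example (not code from the issue or from the Hermes/React Native projects): it parses the CFBundleShortVersionString key and the otool -L line shown above and compares both with a package.json version. All inputs are constructed samples, and treating npm/package.json as the reference "codebase version" is an assumption.

```python
import json
import plistlib
import re
# Constructed sample mirroring the Info.plist excerpt quoted in the issue.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>0.12.0</string>
</dict>
</plist>
"""

# Constructed `otool -L` output mirroring the issue; the libc++ entry is made-up filler.
SAMPLE_OTOOL_OUTPUT = (
    "hermes.framework/hermes:\n"
    "\t@rpath/hermes.framework/hermes (compatibility version 0.12.0, current version 0.12.0)\n"
    "\t/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
)

# Constructed npm/package.json standing in for the "actual codebase version" (0.13.0).
SAMPLE_PACKAGE_JSON = '{"name": "hermes-engine", "version": "0.13.0"}'

OTOOL_LINE = re.compile(
    r"^\s*(\S+) \(compatibility version ([\d.]+), current version ([\d.]+)\)$", re.M
)

def plist_version(plist_bytes):
    """CFBundleShortVersionString from an Info.plist, or None if the key is absent."""
    return plistlib.loads(plist_bytes).get("CFBundleShortVersionString")

def otool_versions(output, dylib_name):
    """(compatibility, current) versions of the `otool -L` entry ending in dylib_name."""
    for path, compat, current in OTOOL_LINE.findall(output):
        if path == dylib_name or path.endswith("/" + dylib_name):
            return compat, current
    return None

def check_version_consistency(plist_bytes, otool_output, package_json_text):
    """Map each metadata source that disagrees with package.json to the version it reports."""
    expected = json.loads(package_json_text)["version"]
    findings = {}
    reported = plist_version(plist_bytes)
    if reported != expected:
        findings["Info.plist CFBundleShortVersionString"] = reported
    versions = otool_versions(otool_output, "hermes")
    if versions is None or versions[1] != expected:
        findings["otool current version"] = None if versions is None else versions[1]
    return findings
```

An empty result means every source agrees; for the samples above it flags both the plist and the binary at 0.12.0 against the 0.13.0 reference, which is the mismatch a scanner would otherwise silently act on.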
@unstoo unstoo added the Bug label Mar 6, 2025
@tmikov

tmikov commented Mar 6, 2025

Hi, at this time Hermes does not have independent releases; it is automatically compiled and bundled from the current main branch by React Native when they cut a release. In this sense the versions encoded in Hermes (0.12 or 0.13) are not very useful and are a remnant of a previous development model which is no longer active.

I will transfer this issue to React Native, since at the moment they are responsible for the releases and might have ideas on how to address this.

@tmikov tmikov removed the Bug label Mar 6, 2025
@tmikov tmikov transferred this issue from facebook/hermes Mar 6, 2025
@react-native-bot react-native-bot added the Needs: Author Feedback and Needs: Repro labels Mar 6, 2025
@react-native-bot

Warning

Missing reproducer: We could not detect a reproducible example in your issue report. Please provide either:
