Update datastore dependency to 1.1.3 (#6688)

mrober · web-flow · commit 92632af12a44 · 2025-03-04T08:47:40.000-05:00
Update datastore dependency to `1.1.3` to address [CVE-2024-7254](GHSA-735f-pc8j-v9w8) in AQS. We had landed #6343, but it missed the datastore dependency because version 1.0.0 "shaded" the vulnerable protobuf dependency, see #6534. I verified this was happening by extracting the jar from https://maven.google.com/web/index.html?q=datastore-pre#androidx.datastore:datastore-preferences-core:1.0.0 and seeing `<groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId><version>3.10.0</version>` nested in a maven dir. I also verified datastore 1.1.3 has upgraded the protobuf version to 4.28.2, a safe version. See https://cs.android.com/androidx/platform/frameworks/support/+/androidx-datastore-release:gradle/libs.versions.toml;l=59. This datastore update also includes the stable `MultiProcessDataStoreFactory` which we can utilize in a future change to optimize things like the settings fetch for multi-process apps.
diff --git a/firebase-sessions/CHANGELOG.md b/firebase-sessions/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Unreleased
 
+* [changed] Updated datastore dependency to `1.1.3` to
+  fix [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
+
+# 2.0.9
 * [fixed] Make AQS resilient to background init in multi-process apps.
 
 # 2.0.7
diff --git a/firebase-sessions/firebase-sessions.gradle.kts b/firebase-sessions/firebase-sessions.gradle.kts
@@ -67,12 +67,12 @@ dependencies {
     exclude(group = "com.google.firebase", module = "firebase-common")
     exclude(group = "com.google.firebase", module = "firebase-components")
   }
-  implementation("androidx.datastore:datastore-preferences:1.0.0")
   implementation("com.google.android.datatransport:transport-api:3.2.0")
   api("com.google.firebase:firebase-annotations:16.2.0")
   api("com.google.firebase:firebase-encoders:17.0.0")
   api("com.google.firebase:firebase-encoders-json:18.0.1")
   implementation(libs.androidx.annotation)
+  implementation(libs.androidx.datastore.preferences)
   compileOnly(libs.errorprone.annotations)
 
   runtimeOnly("com.google.firebase:firebase-installations:18.0.0") {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -18,6 +18,7 @@ constraintlayout = "2.1.4"
 coreKtx = "1.12.0"
 coroutines = "1.7.3"
 dagger = "2.43.2"
+datastore = "1.1.3"
 dexmaker = "2.28.1"
 dexmakerVersion = "1.2"
 espressoCore = "3.6.1"
@@ -91,6 +92,7 @@ androidx-cardview = { module = "androidx.cardview:cardview", version.ref = "card
 androidx-constraintlayout = { module = "androidx.constraintlayout:constraintlayout", version.ref = "constraintlayout" }
 androidx-core = { module = "androidx.core:core", version = "1.2.0" }
 androidx-core-ktx = { module = "androidx.core:core-ktx", version.ref = "coreKtx" }
+androidx-datastore-preferences = { module = "androidx.datastore:datastore-preferences", version.ref = "datastore" }
 androidx-espresso-core = { module = "androidx.test.espresso:espresso-core", version.ref = "espressoCore" }
 androidx-espresso-idling-resource = { module = "androidx.test.espresso:espresso-idling-resource", version.ref = "espressoCore" }
 androidx-espresso-intents = { module = "androidx.test.espresso:espresso-intents", version.ref = "espressoCore" }
diff --git a/smoke-tests/build.gradle b/smoke-tests/build.gradle
@@ -24,12 +24,14 @@ buildscript {
 
   dependencies {
     classpath "com.android.tools.build:gradle:8.3.2"
+    classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.0"
     classpath "com.google.gms:google-services:4.3.14"
     classpath "com.google.firebase:firebase-crashlytics-gradle:2.8.1"
   }
 }
 
 apply plugin: "com.android.application"
+apply plugin: "org.jetbrains.kotlin.android"
 
 android {
   compileSdkVersion 34

Original file line number	Diff line number	Diff line change
`@@ -24,12 +24,14 @@ buildscript {`
`24`	`24`
`25`	`25`	`dependencies {`
`26`	`26`	`classpath "com.android.tools.build:gradle:8.3.2"`
	`27`	`+ classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.0"`
`27`	`28`	`classpath "com.google.gms:google-services:4.3.14"`
`28`	`29`	`classpath "com.google.firebase:firebase-crashlytics-gradle:2.8.1"`
`29`	`30`	`}`
`30`	`31`	`}`
`31`	`32`
`32`	`33`	`apply plugin: "com.android.application"`
	`34`	`+apply plugin: "org.jetbrains.kotlin.android"`
`33`	`35`
`34`	`36`	`android {`
`35`	`37`	`compileSdkVersion 34`