applesign - npm Package Compare versions

Comparing version 1.4.0 to 1.5.0

depsolver.js

@@ -77,3 +77,3 @@ 'use strict';
     const libs = exec.cmds.filter((x) => {
-      return x.type === 'load_dylib';
+      return x.type === 'load_dylib' || x.type === 'load_weak_dylib';
     }).map((x) => {
@@ -170,8 +170,12 @@ return x.name;
             console.log('Orphaned libraries found');
-            libs.forEach(lib => {
-              if (finalLibs.indexOf(lib) === -1) {
+            const orphaned = libs.filter(lib => finalLibs.indexOf(lib) === -1);
+            orphaned.forEach(lib => {
                 console.log(' *', lib);
-                finalLibs.push(lib);
-              }
             });
+
+            /*
+             * sign those anyways, just ensure to
+             * sign them before the app executable
+             */
+            finalLibs.unshift(...orphaned);
           }
@@ -178,0 +182,0 @@ cb(null, finalLibs);

package.json

@@ -26,3 +26,3 @@ {
     "mocha": "3.1.0",
-    "macho": "1.1.0",
+    "macho": "nowsecure/macho.git",
     "fatmacho": "0.1.1",
@@ -68,3 +68,3 @@ "macho-is-encrypted": "0.1.2",
   "name": "applesign",
-  "version": "1.4.0"
+  "version": "1.5.0"
 }

session.js

@@ -62,5 +62,5 @@ 'use strict';
       /* XXX: if binary doesnt contains an LC_RPATH load command this will not work */
-      // const insertedLibraryName = '@rpath/' + path.basename(targetLib);
+      const insertedLibraryName = '@rpath/' + path.basename(targetLib);
       /* Just copy the library via USB on the DCIM directory */
-      const insertedLibraryName = '/var/mobile/Media/DCIM/' + path.basename(targetLib);
+      // const insertedLibraryName = '/var/mobile/Media/DCIM/' + path.basename(targetLib);
       /* useful on jailbroken devices where we can write in /usr/lib */
@@ -67,0 +67,0 @@ // const insertedLibraryName = '/usr/lib/' + path.basename(targetLib);

tools.js

@@ -141,8 +141,18 @@ 'use strict';
     try {
-      const src = fs.readFileSync(bin);
+      let src = fs.readFileSync(bin);
+      if (lib.indexOf('@rpath') === 0) {
+        src = machoMangle(src, {
+          type: 'rpath',
+          name: '@executable_path/Frameworks'
+        });
+      }
       const dst = machoMangle(src, {
         type: 'load_dylib',
-        name: lib
+        name: lib,
+        version: {
+          current: '1.0.0',
+          compat: '0.0.0'
+        }
       });
-      fs.writeFileSync(out, dst);
+      fs.writeFileSync(bin, dst);
       console.log('Library inserted');
@@ -154,3 +164,3 @@ cb();
   } catch (_) {
-    const args = [ '--all-yes', lib, bin, bin ];
+    const args = [ '--strip-codesig', '--all-yes', lib, bin, bin ];
     execProgram(cmd.insert_dylib, args, null, (error, stdout) => {
@@ -157,0 +167,0 @@ if (error) {

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

GitHub dependency

Supply chain risk

Contains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.

Found 1 instance in 1 package

Manifest confusion

Supply chain risk

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

52744

increased by0.89%

Lines of code

1364

increased by0.96%

Worsened metrics

Number of high supply chain risk alerts

2

increased by100%

Number of medium supply chain risk alerts

4

increased by33.33%

Dependency changes

• + Addedmacho@1.5.0(transitive)

• - Removedmacho@1.1.0(transitive)

• Updatedmacho@nowsecure/macho.git