deps: Upgrade react-native-webview to 11.6.4, the latest.

To get a version that has the React Native peer dep range bumped to include React Native v0.64, which we hope to upgrade to soon (zulip#4426). There is one announced breaking change for Android; the `setSupportMultipleWindows` prop is introduced, defaulting to `true` [1]. This is to "mitigate the security advisory CVE-2020-6506". The advisory says, "This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106." I'm skeptical that we were affected, because I don't think we allow navigation to arbitrary URLs; see our comments on our use of the `originWhitelist` and `onShouldStartLoadWithRequest` props. But good that they're addressing reported vulnerabilities. [1] https://github.com/react-native-webview/react-native-webview/releases/tag/v11.0.0
chrisbobbe · Jul 2, 2021 · 26e359c · 26e359c
1 parent a18ea87
commit 26e359c
Show file tree

Hide file tree

Showing 7 changed files with 1,353 additions and 704 deletions.
diff --git a/docs/howto/libdefs.md b/docs/howto/libdefs.md
@@ -94,6 +94,26 @@ was like.
 [7]: https://flow.org/en/docs/libdefs/creation/
 [8]: https://github.com/flow-typed/flow-typed/blob/master/CONTRIBUTING.md#dont-import-types-from-other-libdefs
 
+## `react-native-webview` at 11.6.4
+
+As seen in the entry below, our practice as we update `react-native-webview`
+has been to look at diffs in relevant TypeScript files between versions, and
+try to translate and apply those to our Flow libdef. Since our starting
+point was a libdef from `flow-typed` that was "lacking most of the JSDocs,
+and several properties were needlessly in a different order than in the
+TypeScript" (see below), though, that process has been kind of frustrating.
+
+So with this upgrade, I did a reset by translating the relevant
+`react-native-webview` files (and parts of a file from
+`@types/react-native`, which those files depended on) with Flowgen into a
+totally fresh libdef. It worked surprisingly well, preserving jsdocs and
+ordering. (I think there may have been a glitch with copying jsdocs in the
+translation, maybe in @types/react-native, but I was able to run the
+`flowgen` command with `--no-jsdoc` and then copy them over by hand.)
+
+Hopefully this will allow us to restart the diffing approach more easily for
+future upgrades.
+
 ## `react-native-webview` at v7.6
 
 The latest version FlowTyped has a libdef for is 6, unfortunately.