chore: update bcel library and bump dependencies versions

[trkas]

This pull request updates several dependencies in both the Android and iPhone build hooks, addressing security and compatibility by bringing core libraries to their latest versions. It also upgrades a Java library used in the Android build process. The main focus is on updating async, ejs, and lodash to their latest stable releases, and ensuring all related lock files and dependencies are consistent.

Dependency updates and improvements:

• Core dependency upgrades:
  • Updated async to version 2.6.4 in both android/hooks/package.json, android/hooks/package-lock.json, iphone/hooks/package-lock.json, and iphone/hooks/package-lock.json (for the iPhone build). This also updates its dependency on lodash to ^4.17.14.

Android-specific improvements:

• Java library update:
  • Updated the bcel Java library used in android/hooks/metabase/metabase.js from version 6.5.0 to 6.11.0 for improved compatibility and security.

These changes collectively ensure that the project is using the latest stable and secure versions of its key dependencies, reducing the risk of security vulnerabilities and improving long-term maintainability.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	xmldom@​0.1.27
	tmp@​0.0.33
	ejs@​2.6.1 ⏵ 3.1.10	+1	+75

View full report

[m1ga]

tested with hyperloop-examples and builds/runs fine here

[hansemannn]

I noticed that 6.11.0 is out, can you use that one and make it usable via Gradle? I don't think we should use any manually packaged JARs anymore.

[m1ga]

6.11.0 didn't work when we've tested it: https://tidev.slack.com/archives/C03CVQX2A/p1767875537666399?thread_ts=1767858016.848209&cid=C03CVQX2A
Not sure if it works via gradle as it was included like this the whole time but I didn't test it that way

[hansemannn]

But in that case, it should be fixed instead of bumping to an outdated version. I don't see a benefit in using that version over the existing ones. Regarding vulnerabilities, I also don't see the severity, as (different to other projects), the dependencies are only used to compile the metabase, which isn't an exposed-to-the-public process.

Please let me know if you have a point where this can cause an actual vulnerability.

[m1ga]

looks like the app repo was scanned and not the app. So we don't need to rush here and can check if we can use gradle and make the latest version work. I'll put it on draft again and we don't need to update it for 13.1.0

[m1ga]

latest versions work now.

about gradle:
Since it's only one simple java line spawn('java',['-Xmx1G', '-classpath', cp.concat(classPath).join(path.delimiter), 'JavaMetabaseGenerator'],{env:process.env})... where the external libs are used I'm not sure if we should create a gradle project for that (or if that will work at all).

[m1ga]

Note:
I've put it into draft so we can work on it a bit more.

Tasks:

• have a look if it will work as a build.gradle dependency and not include the jar files
• check if the latest version of bcel can be used (currently throwing an error)
• check if the latest version of commons-lang can be used

[m1ga]

well done @trkas 👍

[hansemannn]

Thank you!