[0.78][Android] Making the JitPack Repository optional

[cortinico]

tl;dr: We're introducing a configuration to let you exclude the JitPack repository from the list of default repositories. This change aims to improve security and reduce the risk of supply chain attacks on React Native/Android apps.

Context

JitPack is a repository used to distribute Java/Android artifacts. Over the years, JitPack has been included by default in the React Native Community template and the React Native Gradle Plugin (RNGP), because of its ease of use and simplicity (e.g. you don’t need to create an account or sign artifacts to publish a library on JitPack).

However, this ease of use comes with a cost. Artifacts hosted on Jitpack are harder to verify and malicious users could use it for supply chain attacks.

You can find plenty of documentation online on why JitPack could be dangerous for your project, such as:

• https://committing-crimes.com/articles/2024-09-09-jitpack
• Reconsider adding support for jitpack.io repositories gradle/gradle#16310 (comment)
• https://x.com/saketme/status/1357087957090467841

Plus the repository has been exposed in the past to downtimes:

• Jitpack Server is down unable download any library broken our CI/CD  jitpack/jitpack.io#5337

We believe that adding Jitpack by default to the list of repositories included in your project, could expose your project to potential security risks.
Therefore we’re taking measures to let you exclude Jitpack from the list of repositories used.

What is changing?

Starting with React Native 0.78, you'll be able to control the inclusion of the JitPack repository in your project by setting the react.includeJitpackRepository property in your android/gradle.properties file:

# android.gradle.properties.file
# If you wish to have Jitpack included in your repositories
+react.includeJitpackRepository=true
# OR
# If you wish to have Jitpack excluded from your repositories
+react.includeJitpackRepository=false

The default value for this property is true so Jitpack will be included even if you don’t specify it. That's to retain the current behavior.

We’re considering potentially changing the default value to be false, but we don’t have a timeline for this change yet.

Who is affected?

Unless you specify react.includeJitpackRepository=false in your project, you won’t be affected at all.

Your project will continue to build as usual.

Which libraries are relying on Jitpack?

If you specify react.includeJitpackRepository=false in your project, your project could stop building.

That’s because some React Native libraries are using JitPack and won’t be able to download dependencies anymore.

From our initial investigation, this is a non exhaustive list of React Native libraries that are using JitPack:

• doublesymmetry/react-native-track-player
  • Due to its dependency on https://github.com/doublesymmetry/KotlinAudio
• wonday/react-native-pdf
  • Due to its dependency on https://github.com/TalbotGooday/AndroidPdfViewer
• Kureev/react-native-blur
  • Due to its dependency on https://github.com/Dimezis/BlurView
• henninghall/react-native-date-picker
  • Due to its dependency on https://github.com/henninghall/numberpickerview
• numandev1/react-native-compressor
  • Due to its dependency on https://github.com/banketree/AndroidLame-kotlin
• tipsi/tipsi-stripe
  • Due to its dependency on https://github.com/tipsi/CreditCardEntry
• wuxudong/react-native-charts-wrapper
  • Due to its dependency on https://github.com/PhilJay/MPAndroidChart
• ivpusic/react-native-image-crop-picker
  • Due to its dependency on https://github.com/Yalantis/uCrop
• wix/react-native-navigation
  • Due to its dependency on https://github.com/wix-playground/ahbottomnavigation and https://github.com/wix-playground/reflow-animator

If you're using any of these libraries, and specify react.includeJitpackRepository=false in your project, please make sure you either:

1. Contact the library author to ask for the library to be published to Maven Central
2. Move to a different library.